It took less than two days for Apple’s famed Touch ID system to be hacked following the release of its iPhone 5s. The hack was immediately posted online by a group known as the Chaos Computer Club, with a brief video showing how the exploit was achieved. The news immediately had iPhone users worried – if Apple’s fingerprint security could be bypassed so quickly, surely that meant that the technology was dangerously insecure, right?
Well, according to a new video and interview made for ARS Technica by the German hacker responsible for defeating Touch ID, that isn’t really the case. The hacker, who goes by the nickname Starbug, described his attack as being “straightforward and trivial”, yet the latest video he shares reveals that it required more than 30 hours of delicate work, plus a whole bunch of hi-tech equipment including a high resolution laser printer, a scanner and a printed circuit board etching kit – in other words, it’s not something your average iPhone thief is likely to be able to do.
As Starbug explains:
“It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.”
“I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.”
So do iPhone 5s owners need to worry that their own devices could also be hacked, now that the exploit is widely known? According to Starbug, that depends, but in most cases they’re probably going to be safe.
The thing is, this hack just isn’t that simple. Unlike silly pranks like setting your friend’s iPhone’s language to Chinese or Arabic, or even hacking a simple PIN code (something that could be done if you watch your friend opening his phone), bypassing the fingerprint scanner just isn’t that easy. This technique requires being able to work on the device for some time, and thanks to apps like Track My iPhone, that’s the one thing thieves often don’t have.
Another reason not to worry, as I mentioned above, is that Starbug’s exploit is likely to be well beyond the capabilities of most thieves, even if they watch the video. The necessary equipment isn’t something that most people just have lying around, even though Starbug claims it was “trivial”. And even if the hacker does get past Touch ID, that alone isn’t enough to reset and sell the phone – he also needs to know your Apple ID password as well, to get past the Activation Lock feature.
Hacking Touch ID requires a significant amount of time, skill, effort and equipment. For many people, it’s unlikely that the data they have on their iPhone is worth all of that effort. Those working for government agencies and corporations might believe it is, but for the average Joe it almost certai nly isn’t.
Touch ID was never going to be unhackable – what kind of security system can truly say that? However, it’s fair to say that Touch ID is in most cases, fit for the purpose – it’s easy to use, and it’s hard enough to crack that 99% of all thieves will be deterred.