Apple’s TouchID “Hacked”

POTSDAM, NY – September 26, 2013 – Apple’s introduction of the iPhone 5S has thrust biometric-based mobile device security square into the media lime light. Unfortunately, it didn’t take long for hackers to spoof the biometric sensor used to unlock the 5S, (see http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid). Chaos Computer Club’s “breaking” of Apple’s TouchID has ignited a debate over the feasibility of using biometric authentication for high security activities on mobile devices, such as financial transactions, mobile purchases, and access to confidential information. Although it should be noted that the 5S does not allow such activities to be performed via TouchID, as it is restricted to unlocking the phone and making purchases of iTunes and other Apple Store items.

Just as other methods of authentication have vulnerabilities, a fingerprint authentication platform is vulnerable to some degree of spoofing attack. And while examples of this are periodically mentioned in the news media, Apple’s introduction of TouchID has certainly heightened the attention now given to this inherent attribute of fingerprint authentication. Like most biometric modalities, fingerprints are not secret, and can be acquired (lifted) from a variety of surfaces by a determined individual. Once a latent print is acquired a mold and spoof can be produced from a variety of common materials, and used to spoof the target device into authenticating the unauthorized user. Other biometric modalities such as face, iris, voice and palm have their own vulnerabilities to spoofing attacks.

Does this suggest biometrics are not useful for securing mobile devices from unauthorized use? No. While the technique used by CCC to spoof the Apple 5S is fairly straightforward (photo of fingerprint image laser printed onto transparency film to make the mold), and the materials used for their spoofs are readily available (white wood glue and latex mold-making material), these are just two examples of the numerous technique and material combinations NexID Biometrics uses to test the vulnerability of various fingerprint sensors currently on the market. From these tests NexID is able to produce and continually improve its anti-spoofing software to effectively thwart spoofing attacks such as CCC’s toward the Apple 5S. NexID licenses this technology to fingerprint sensors of varying technologies, applications, and markets, including those embedded on mobile devices.

The value proposition of biometric authentication is highly attractive from several standpoints, including convenience and productivity. And when combined with appropriate anti-spoofing technology such as that available from NexID Biometrics, it also includes the benefit of enhanced security.

About NexID Biometrics

NexID Biometrics is a leading software and technology supplier to the biometric authentication industry. The company develops and licenses liveness detection software that enables fingerprint-scanning technologies to more accurately, and with greater confidence, authenticate scanned images by mitigating spoof-related risks. The company also provides testing and analysis of fingerprint scanning devices to identify existing vulnerabilities to known spoofing strategies. The company’s founders represent some of the world’s leading authorities on biometric spoof mitigation and liveness detection.