iPhone 6 Touch ID has already been hacked

TouchID-logo

That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature, and posted how he did it. Marc is the guy who did the same thing on the iPhone 5s when it came out about a year ago. What isn't so good is, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used the exact same procedure to hack the iPhone 6 Touch ID as he did with the iPhone 5s version - basically with a bit of  fingerprint powder and super glue.

While I don't see this as a show stopper for Apple Pay, it doesn't look good, and comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security (just like the lock on your front door offers a measure of security ... if someone really wants to break it, and has the skills, time, and patience, they will do it). The security flaws of fingerprint biometrics - vulnerability to spoofing, etc. - have been widely discussed for years and are well known. Apple even acknowledged that they're aware of these flaws in their patent filing for the Touch ID technology.

A vulnerability in a given security control doesn't mean that it shouldn't be used: it just means that when it is used, it should be part of a well-conceived, defense-in-depth strategy, with additional security layers in place for when the control fails. Apple has provided additional layers - for example, the kill switch feature available for all IOS 8 devices, and the use of card number tokenization in Apple Pay. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)