How to hack an iPhone fingerprint sensor

Story highlights

Hackers in Germany say they have successfully hacked the new iPhone 5S

They photographed a fingerprint and used the image to create a fake "finger" to unlock the phone

Spokesman: "Fingerprints should not be used to secure anything"

Website has offered cash bounty for first person to hack the phone's Touch ID system

CNN —

A group of hackers in Germany says it has found a way to bypass the fingerprint-sensor security system on the new iPhone 5S.

The hackers claim they fooled the Touch ID biometric security of the iPhone 5S by photographing a fingerprint left on a glass surface and using the resulting image to create a fake “finger” which unlocked the phone. They demonstrated their exploits in a video posted Sunday to YouTube.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token,” said Frank Rieger, a spokesman for the group, the Chaos Computer Club, in a post online.

In the post, the hackers said they snapped a high-resolution photo of a fingerprint, inverted it and laser-printed it with extra toner onto a transparent sheet. Then they smeared pink latex milk or white woodglue into the fingerprint pattern, lifted a thin latex sheet from it and placed it onto the sensor to unlock the phone.

“As we have said now for … years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” said a hacker, who goes by the nickname Starbug, on the Chaos Computer Club’s site.

Apple marketing director Phil Schiller explains Touch ID, the iPhone 5S's fingerprint-reading security tool.

Apple did not respond to a request from CNN for comment.

Starbug and the Chaos Computer Club are being rewarded for their efforts. They were named the winners of an online contest offering a bounty of cash and other prizes to the first person or group to successfully hack the new iPhone’s Touch ID system.

The contest, IsTouchIDHackedYet, was created by Nick DePetrillo, an independent computer security researcher known for demonstrating hacks of smartphones, and Robert David Graham, owner of Errata Security, a cybersecurity firm. It invites donors to contribute to the bounty, which so far includes an assortment of cash, bitcoins (a form of digital currency), several bottles of booze and “a dirty sex book.”

“It’s official. Starbug of the CCC has been declared the winner of #istouchidhackedyet Congrats! Video to come soon,” DePetrillo posted on Twitter Monday afternoon.

The total cash bounty topped $16,000 at one point, although one donor has since reneged on a promised $10,000 donation, according to the site.

According to terms DePetrillo posted on Twitter, to collect the bounty a hacker had to lift a fingerprint from the phone or elsewhere and reproduce it in a way that would allow the hacker to unlock an iPhone 5S in fewer than five tries. All the steps had to be documented on video.

“The whole point of #istouchidhackedyet was to put up or shut up with regards to criticisms of Apple’s Touch ID security and implementation,” DePetrillo said Saturday on Twitter.

The iPhone 5S, which went on sale Friday, has a fingerprint sensor in its Home button for added security. Apple calls the new security system Touch ID. Phone owners must “register” their print with the device, after which they can unlock the phone by placing a finger or thumb on the button. Other users’ fingerprints will not unlock the phone, which protects it from thieves.


The Touch ID system is meant for human fingerprints, of course, but it apparently works with animals, too. A Minnesota man posted a video Friday to CNN iReport that showed him using the paw of his pet Chihuahua to unlock his new iPhone.

DePetrillo and Graham are so-called “white hat” hackers who investigate and expose security holes that have yet to be plugged by makers of new computer systems. Tech companies generally appreciate being alerted to such security issues, which they can then patch before users’ personal information is compromised.