Bypassing TouchID was “no challenge at all,” hacker tells Ars

German hacker Starbug tells Ars how he bypassed the fingerprint lock on new iPhones.

Sept 24 2013, 10:03pm +0300

Ars expressed surprise on Monday that a hacker was able to bypass fingerprint protection less than 48 hours after its debut in Apple’s newest iPhone, but not everyone felt the same way. The hack, carried out by well-known German hacker Starbug, required too much expertise and pricey equipment to make it practical, according to critics.

Marc Rogers, a security expert at smartphone security firm Lookout, was among the skeptics. After independently devising his own bypass of Apple’s Touch ID, he concluded that it was anything but easy. “Hacking Touch ID relies upon a combination of skills, existing academic research, and the patience of a Crime Scene Technician,” he wrote. Rogers went on to say that no one would know just how feasible Starbug’s hack was until he released a step-by-step video and we learned more technical details.

We now have both. Heise Online has posted the video here, and it was enough to satisfy Rob Graham, a security expert who donated $500 to the first person to hack Touch ID. Ars has also heard directly from Starbug, who (like us and several security experts) was surprised by how little time and effort his bypass required.

It “was way easier than expected,” he wrote in an e-mail. “I thought it would take at least a week and some fancy chip/bus hacking.” It didn’t require either.

What follows are his answers to questions Ars sent shortly after news of his hack broke Sunday night. The last question is a follow-up inquiry that came later. Because Starbug’s first language is German and not English, some of his answers have been lightly edited for grammar and usage.

Was there something you wanted to prove by going after Touch ID? If yes, what was it, and how exactly does the hack go about proving it?

Like for the last 10 years, what I wanted to show is that there are no fingerprint systems that could not be fooled. But mostly I did it for the fun. Or in other words, because I can.

In the past, you’ve been critical of the way many people attempt to use fingerprints and other biometrics. Is that still the case? Why would you be critical of Apple? Touch ID isn’t mandatory, and the fingerprint is just a substitute for a four-digit PIN.