It didn’t take long.
Apple’s new iPhone 6 can be spoofed with the same fake fingerprints that tricked its older sibling, the iPhone 5S.
It is possible to create a fake fingerprint capable of fooling the TouchID fingerprint sensor of the latest iPhones (6 and 6 Plus are apparently equally vulnerable), said researchers at mobile security firm Lookout.
Despite the addition of secure payment app Apple Pay to the iPhone 6, the built-in security hasn’t evolved enough over the last year, the researchers said. iPhone users are still vulnerable to the exact same security flaw as a year ago. The main difference is that now, with Apple Pay, the bad guys have more incentive to abuse access to an iPhone.
The central problem is that the TouchID fingerprint scanner on the iPhone 5S and iPhone 6 can be fooled with a cloned fingerprint lifted from a shiny surface and recreated using glue.
Germany’s Chaos Computer Club was the first to crack Apple’s TouchID fingerprint lock, a trick Lookout replicated last September and repeated this week on newly released iPhone 6s.
“Sadly there has been little in the way of measurable improvement in the sensor between these two devices,” explains Lookout researcher Marc Rogers in a blog post. “Fake fingerprints created using my previous technique were able to readily fool both devices.”
“Furthermore there are no additional settings to help users tighten the security, such as the ability to set a timeout for TouchID after which a passcode must be entered. In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part.”
Lookout said it would be best to use a passphrase or PIN code in conjunction with fingerprint recognition, in order to add two-factor authentication.
Apple may be right to say people are looking for convenient payment methods, but that cannot come at the cost of security, the mobile security firm said.
“Just like its predecessor – the iPhone 5S – the iPhone 6’s TouchID sensor can be hacked,” Rogers said. “However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint – any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.”