German hacker group claims to have cracked Apple’s Touch ID fingerprint scanner

“A group of German hackers claimed to have cracked the iPhone fingerprint scanner on Sunday, just two days after Apple Inc launched the technology that it promises will better protect devices from criminals and snoopers seeking access,” Jim Finkle reports for Reuters. “If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics Co Ltd and others running the Android operating system of Google Inc.”

“Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computing Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work,” Finkle reports. “One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as ‘a complete break’ of Touch ID security. ‘It certainly opens up a new possibility for attackers.'”

“CCC, one of the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone,” Finkle reports. “The group said they targeted Touch ID to knock down reports about its ‘marvels,’ which suggested it would be difficult to crack.”

“The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a ‘fake finger,'” Finkle reports. “CCC said similar processes have been used to crack ‘the vast majority’ of fingerprint sensors on the market. ‘I think it’s legit,’ said Dino Dai Zovi, another co-author of the iOS Hacker’s Handbook. ‘The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.'”

Finkle reports, “Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.”

Read more in the full article here.



  1. This is as much of a “hack” as looking over someone’s shoulder as they type in their password and writing it down, except for requiring much, MUCH more work, in addition to having physical access to the device. Let me know when someone hacks the “secure enclave” in the A7 processor.

      1. What level of reset? Do you mean factory reset?

        No crook stealing an iPhone to resell it is likely to have access to someone’s fingerprint. That’s a reasonable point.

        But anyone wanting the DATA on an iPhone can now trivially capture the target’s fingerprint, blahblahblah, to grab the goods.

        1. Easy fix:
          Scan first
          Opens screen with 12 photos, have to click designated photo.

          Photos randomly shift with each opening so you can’t track smudges.

          Only adds a split second to process

      2. More important issue is that CCC does not tell how they cheated TouchID to scan this film or whatever they used — as sensor is not supposed to read picture of non-living materials — this is why Apple wrote TouchID scans subepidermal layers, not epidermis itself.

        So, for now, I consider claims of TouchID hacked to be doubtful.

        Let’s wait for more details how they did it — if they did — or for this PR trick to be exposed.

    1. Sorry, but if someone is out to crack your iPhone, the process required to acquire your fingerprint, cast it into plastic then fake log into it is TRIVIAL. Anyone, literally ANYONE can do it with a simple set of instructions and access to a 3-D printer. Again: ANYONE could do this.

      Ticked off at your ex? Crack into her iPhone.

      Want to see the secret formula your rival has on his phone? Steal it, and that fingerprint he left on his water glass, blahblahblah.

      There are thousands of mystery books about motivations for stealing information. The point all along has been how ANYONE can capture a fingerprint. Now we know that a very simply made cast of it is all one needs to crack into the iPhone 5S.

      PLEASE don’t trivialize this folks. This is an era of heightened security awareness around the planet. Making it even EASIER to get into an iPhone than throwing a dictionary attack at its password protection (and faking a fingerprint really IS incredibly EASIER than a dictionary attack) is really, really BAD. It makes using Touch ID instead of a decent password a STEP BACKWARDS in security.

      Sorry I’m such a rant hog on this subject. But I am incredibly concerned, as one might expect considering my Mac-Security blog.

        1. It’s just chatter. I point that out just about every day.

          I think a better point is that you’re SHOUTING your insecurities to the world. So do something about them!

          And no, I could not care less if someone finds my chatter intimidating. Get over it and find your OWN best self, and express it! That’s how it all works. We all share our individuality with the whole. NO ONE gets to shut us up because they’re all intimidated. Therefore, get over being intimidated and just get into the sharing and helping other good people with good stuff!

          Oh and, ENJOY beating up BULLIES. I sure do! You’ll oddly find it’s a great way to help them respect you. Weird eh? But it’s a language they understand.

          And yeah, the point of me blethering on has nothing to do with me needing attention, or being arrogant, or having to be better than anyone. I’m only being my best me. You do the same.

          And stop being anonymous.

          1. Derek, you are the one that is frequently SHOUTING! You post some decent stuff but, in this case, you are coming across as insecure and insulting. You assume that a lot of people are trivializing this potential crack of TouchID. And you leap to a flawed assumption that this alleged crack of TouchID “really IS incredibly EASIER than a dictionary attack.”

            Chill out. If MDN doesn’t block Freek and his ilk, then they won’t block your posts. No one is forcing you to shut up. It was just one anonymous person with an abbreviation in their “name.”

          2. Derek, I read the rest of this thread and it really sounds like you have gone off your meds. You actually sound kind of scary, dude. I hope that you don’t go any further with your paranoia than just ranting on MDN.

      1. By the time the phone is stolen, a fingerprint is copied and a cast is made. It is highly likely the phone would have been remotely wiped by the owner. Faking a finger print may or may not be easy. But it isn’t fast.

        “This is an era of heightened security awareness” what? really? Nothing that is being heard in the news should be a surprise to anyone. People nearly their whole lives on Facebook and now all of a sudden they care who sees it. oh please!

        Protecting your information/ data/ devices etc is one thing but how far are people really willing to go for their security?

        1. 1) I agree about your point of fingerprint faking not being anything a random crook would consider. Ideally the owner would think of wiping the phone. Ideally.

          2) What are you going on about ‘oh please!’ about? I’ve been working with the local PC user group (seeing as the Mac UG here self-destructed due to crap leadership). The #1 thing they want me to teach them is computer security, and I do, and I get (not bragging) a large turn out every time I do. And all I teach them is INTERNET security, seeing as I loathe anything Windows and swore off teaching it or repairing it for others.

          IOW: You are way wrong about people being INCREDIBLY concerned about security right this very moment. Wake the hell up! Here in the USA we’ve had the 4th Amendment to the US Constitution RIPPED AWAY from us with NO consequences. We’re SCREWED in the USA if we expect any government respect for citizen privacy. That’s PRECISELY the crap that caused the colonies to break away from King George and his corrupt Great Britain. IOW: We’re moving BACKWARDS.

          And people aren’t concerned? ‘1984’ the book isn’t being pointed to every single day in the press as what we are becoming? Again: Wake the hell up. This is not acceptable and never will be.

          1. If police or government officials want someone’s information they have ways of getting it. Legally or not. I resigned myself to this fact years and years ago. Also people freely give out so much of their personal info in various places often times you just have to ask for it and people will give it out willingly. I am just one small person I am not that important. In this day and age how much privacy and anonymity can we truly expect? AS I SAID BEFORE HOW FAR ARE PEOPLE WILLING TO GO FOR THEIR SECURITY AND PRIVACY?

          2. 1) I agree about your point of fingerprint faking not being anything a random crook would consider.

            Well, IMO that should end the discussion right there. Touch ID is security on a consumer device. I sincerely doubt anyone buying an iPhone believes that they can stop the government or a multi-million dollar intelligence firm from cracking their phone if that agency can get their hands on it.

            Security on a consumer device is about protecting your information from common criminals, as well as scumbag acquaintances and relatives. Touch ID is going to make that a lot easier.

            If you truly need to keep your information secure from everyone, including governments and those with government-like resources, you’re not going to settle for the stock security on the device, no matter what device it is.


          3. Derek Currie writes:

            “I agree about your point of fingerprint faking not being anything a random crook would consider. Ideally the owner would think of wiping the phone. Ideally.”

            after writing…

            “Literally, ANYONE can do it.”


            “ANYONE can do this.”

            Methinks one Derek Currie is the major local distributor of crapola.

      2. Get off your high horse. As mentioned this isn’t hacking the sensor. The method specifically says they took a picture of the iPhone user’s finger. They didn’t lift a random print from somewhere. This means if someone wants to steal your info you’ll have to be nice enough to allow them to take a picture of your finger. That’s the equivalent of giving the thief your password because he asks.

        1. See, this is what being anonymous accomplishes: TOTAL COWARDICE.

          You know who I am. Who the hell are you, insecure fellow? You can’t quote me correctly and you don’t care. You’re merely here to be ANGRY and ANNOYING. Have fun! When I get ticked off you damned well know why. Meanwhile, you’re just ranting for the sake of pissing off someone, whoever you are, coward. Now get real and have a REAL conversation.

          1. What’s with the all caps Derek? Stephen made a very valid point. I seriously doubt it is possible to pull a 2,400dpi finger print off a beer bottle or anywhere else for that matter. A thief would have to get a print directly from the iPhone owner in which case it would be much simpler to swipe the owner’s finger. Besides a thief is after the phone not the data, unless this is a James Bond movie.

            1. There were not ‘all caps’. Having a bad evening? Take it out on no one please, except of course yourself.

              Oh, and read the SOURCE (see the emphasis provided by occasional caps?) article to understand that yes you damned well CAN use a fingerprint off a beer bottle. That is essentially what the hackers used.

              And get some sleep. That might help.

              Lots of vague and grumpy people here tonight, and they aren’t me.

          2. Blethering on, as you say, doesn’t seem to be making you any friends here, or likely customers… Aggressive language is likely to prove unhelpful also. Your critic makes good points and you might be wise to consider your posts more carefully before you hit the “post comment” button.

          3. If not for Derek Currie’s ever humorous and razor wit that ever graces MDN’s feedback pages for many years, this place would long have gone to the dogs of dogma, defeat and intellectual phobia.

            Derek, thank you for perspective, reason, logic and factual input that brightens up the roffy raffy gloom – no matter how much we agree or disagree, (everyone’s shit smells) I hope you forever “rant”.

            Your input always adds humor and a thoughtful perspective, even when we don’t agree.

          4. If you are really of the mind that someone else is a coward while you are not, rather than BRAVELY calling them a coward from behind the safety of your computer keyboard, it would be rather more instructive to call them a coward to their face.

      3. A more sensible writer on security matters might wait until the full details of this “hack” are released. Thus far, however, it appears that a 2400dpi photograph is required – quite how any hacker or thief would obtain that is open for debate…

      4. Derek, the cracking of TouchID is currently only a claim, not established fact. You also make it sound far easier than it appears. Contrary to your assertion, I would assert that it is much easier to grab a cracking algorithm off of the internet and “throw a dictionary attack” against a target than it is to lift a valid fingerprint (quality version of the one used for TouchID), print it onto a transparent film, and use that to create a mold for a fake finger. Which is more credible? And that even assumes that the fake finger works as advertised, which contradicts what I have heard so far regarding the TouchID technology.

        I have to admit that I will be more than a bit disappointed if even an elite hacker group has managed to accomplish the feat so quickly. But, I have no doubt that someone or some group will eventually find a way around TouchID. It has always been easier to break than to make. But making it very difficult to get around a security feature is much better than the status quo. Even if CCC has cracked TouchID, the feature still improves security and utility for the iPhone 5s. Show me anything better.

        1. Yes this is a good point,
          We have a German hacker club making sweeping (and unverified) claims. Well they have Charlie Miller jumping on the FUD train, the same man who made the huge and vocal proclamation he could hack a MacBook in 30 seconds via wifi, he just “forgot” to mention that he had to use a third party wifi adaptor and third party wifi drivers (for which you would have had to have the admin password to install), yeah details, details…. particularly when MacBooks all come with wifi (it is not a BTO option) so none would use this “third party device” he had to use to get his hack to work. This hack of Miller’s was just another stupid pet trick, absolutely unworkable in the real world but the “headline” was echoed in the tech media (desperate to prop up Windows’ sagging security reputation) again and again.

          The devil is in the details, and I am dubious they are giving complete and accurate ones.

      5. Derek,

        Thanks for providing us with information and as always your polite and well-phrased arguments. I am amazed at how much flaming you get for writing this.

        Sure, most people will be fine because no one will go through the trouble of getting your print to open the phone, but that does not mean that we do not need Apple to further investigate and improve. Coming from Apple this needs to be state of the art and nearly uncrackable.

        I guess it is much the same as public cameras. Many people will argue that if you have nothing to hide, there is nothing wrong with the cameras. But times may change and system can get hacked into and maybe one day you will be confronted by a not so decent power who wants to know why you went there and there….we have seen it before and it might happen again. If the Nazis of midway the last century had had today’s technology…….

        1. Thanks for a nice post.

          I could go off on the effect of psychopathic behavior on society for hours. But it’s a lot more than that, including people with the best of intentions ending up in the middle of thorough oppression of others for what are easily perceived as the best of reasons. IOW: All of we humans are severely limited in our perspectives and comprehension of the real world in which we live. It’s a default. I enjoy when people attempt to break down our walls and provide useful and important other perspectives. I do my best to attempt the same.

    2. If the best the “hackers” can do is “photographing the fingerprint” and “molding a fake finger,” Apple has succeeded. Typical iPhone users don’t even set a pass code. Touch ID is like Time Machine on a Mac. Once it is set up, the user forgets about it (until it is needed).

      That’s why Touch ID will have a major impact on security, because MOST iPhone users will want to use it. And (after stealing the iPhone) MOST criminals will not have the desire, time, skill, or resources to create a precision fake finger, even if they somehow also had a photograph of the owner’s fingerprint.

  2. I watched the video. I call bs on this as well, the touch id sensor is a capacitive touch sensor and reads the layer of skin below the dermis (living tissue below the surface of dead skin). Notice the same person using the same finger with a very thin piece of plastic between his finger and the scanner. The touch id is reading his fingerprint below the dermis like it is supposed to. I want to see him try this with someone else’s finger with his print. If anyone has taken the time to actually read how this sensor works, they would know that one of the benefits of this sensor is that it can be put behind an lcd display and still read. Because it is capacitive touch not optical. Only an optical sensor would be fooled by a high resolution fingerprint copy. The only thing to say here is that the sensor is reading the person’s real fingerprint through the tape on the end of his same finger.
    Also even if he is using his middle finger for the test how do we know he did not train it beforehand as you can train more than one finger to unlock the phone.

    1. They posted another video with a completely different person unlocking it with the “fake” finger mold. But my point above still remains.

      The one thing I’m curious about (and will check once I get my 5s) is, can you enable both touch ID and password? That would give you two-factor authentication. Would be nice to have in some circumstances.

    1. Is it a system-wide setting, or can it be turned on for certain types of transactions?

      I know you can have a longer passcode…which I might now enable if I don’t have to type it in all the time. Which is kind of the point of Touch ID. More secure on multiple levels.

  3. So just use another part of the body. Others have reported using their nose, their cat’s paw and even their schwanstoggle. Like to see them replicate someone’s schwanstoggle! I think these Krauts are full of hackbraten!

    1. Schwanstoggle… that’s funny.

      Nevertheless, I don’t consider this a crisis. You have to have the phone in hand. You have to know which finger was used. You have to lift a very good copy of its print somewhere (good luck, if your target used his meat whistle or other turgid appurtenance). And then you have to hope you can clean up the print and copy it well enough to work. All before your target bricks the phone using Find My iPhone.


    1. Making a latex cast of a fingerprint is TRIVIAL! You can use a fingerprint taken off a glass, toss it into the freeware 3-D app Blender, keep the 3-D version as thin as possible, then toss the 3-D image to a 3-D printer, whip out your 3-D fingerprint, toss it on your finger, and PWNed is that guy’s iPhone!

      There is NOTHING new here at all except the recent ease with which anyone can make a 3-D cast of any captured fingerprint. A diabolical password would be HELLA-safer! Or best yet would be using BOTH a password AND a fingerprint scan.

      Anyone remember the VOICE login you could use in old Mac OS 8? Remember what a JOKE that was? Trivially record someone’s voice logging into their Mac, play it back to the Mac, oops you PWNed their Mac? Same trivial PWNing as fingerprints.

      Not good.

      1. Derek,

        Yes, of course this is an issue. There have been too many movies that have defeated fingerprint scanners for people to really put complete trust in them.
        I think the average target for touch Id is the person who (like myself) doesn’t put ANY pass code on their phone, not the person who is protecting valuable information.
        And the average attacker is unlikely to go to the effort of collecting the fingerprint in the first place.

        Overall security for the platform is increased because it is now harder to pick the “low hanging fruit.”

        1. There IS that point, and I understand.

          However, Touch ID cannot be called, at this point, an actual improvement in iPhone security, UNLESS it is coupled with also using a password. Comparing fingerprint to a diabolical password, fingerprint LOSES. And yes, I am obsessed about the subject. That’s typical me.

      2. How many people actually have access to 3D printers? My understanding is that it is not inexpensive to print something in 3D. Now you’re talking about a thief who acquires a 2400 dpi copy of your fingerprint, your iPhone 5S, AND had a 3D printer. All in the hopes that you left a balance on your Starbucks account, and all before you remotely wipe your iPhone.

      3. I am unaware of the procedure for how to TOSS a file into a software app, and for how to TOSS a file to a printer, and for how to TOSS the printer output into my finger. Would simply importing, printing, and placing these things work? Or must they be TOSSED? Also, if I TOSS, does this make me cooler.

        At any rate, I hope you will post a video showing the entire procedure that you learned from watching Mission Impossible. Start with the fingerprint on the glass, and then commence to TOSSING, until which time you have unlocked someone else’s iPhone 5s. I would be interested to watch this simple procedure that literally ANYONE can do.

        I shall be eagerly waiting.

  4. In the film the nervous guy is using the same finger to open the phone as he is using to present the micro-thin latex replica. The iPhone is reading through the semi transparent latex! Maybe the chap is nervous because he knows he is lying?

    1. Yes, really, who cares? Maybe a ‘live’ finger really IS required! And look at how we living humans all have living fingers and can put a latex cast of any captured fingerprint onto our living finger and fool the Touch ID scanner! As Matty pointed out to me earlier: PWNed!

      1. Except the latex cast wouldn’t be living tissue, and so, presumably, wouldn’t register with the capacitance Touch ID system.

        Long story short, if you can’t use an object as a stylus on an iPhone, you shouldn’t be able to use it on Touch ID.


  5. As Matty shared with me earlier:

    This is really, really BAD.

    Abbreviating one of my previous rants: If Apple FORCED users to fingerprint scan AND use a diabolical password then I’d be smiling with glee! Otherwise, I’m rather horrified at the moment. 👿

    Maybe iOS 7.0.2 will rectify this LUSER capitulation rubbish from Apple and impress the world. It could happen!

      1. In this video, the user trains the phone with his index finger. He then used his middle finger to pick up a piece of tape and unlocks the phone.

        What, exactly, is this video intending to show?

        What print is on the piece of tape?

        iPhone 5s allows several fingerprints to be used. It is impossible to state that this video shows anything other than a middle finger, previously registered with the phone, can still be read through a piece of tape.

        Perhaps other videos of this supposed hack are more persuasive, but this one doesn’t pass muster…

      2. Based on that I’m unsure of whether the scanner is reading his (authenticated) sub dermal fingerprint through the tape or if this is supposed to demonstrate that it is reading something off the tape.
        It just makes no sense. And typically when hackers’ “demos” make no sense, I go from dubious to full on skeptical.

    1. Somebody steals my iPhone off the bar. Assuming this vid is legit, where the fsck is he going to get a nice clean fingerprint? How will he know it’s the correct finger? Is he going to dust my Martini glass and get a nice tidy tape lift?

      This isn’t even up there with antennagate.

      If it’s the NSA you’re worried about, they don’t need to open your phone to nail you.

      1. I think I’ve agreed with this scenario three times now. Valid point already!

        But clearly you aren’t taking MY point seriously. It really is TRIVIAL to grab the fingerprint of a targeted person and break into their iPhone. I think what we’re refining here is: How often does someone have data worth stealing off an iPhone? There are probably more valid scenarios for that situation than I could count. But for average people, this isn’t remotely a likely concern. I get that.

        I’m aiming for SERIOUS security. Touch ID is NOT serious security. That is, unless it is used in addition to a diabolical password. I think I’ve made that statement here about a dozen times. Maybe pay attention to what I’m saying and actually go read the link I’ve posted several times, which is THIS:

        1. Exactly right.

          Unless you’re an international celebrity, member of government or some other important person no one is gonna give a damn about jacking your phone!

          Why would they bother to do it?

          To see your holiday photos, find out who you’re connected to on social networks???

          They are not bothered.

          I’m a business owner and have all my meetings notes, business strategy and confidential data on my phone. It’s stored in an encrypted app.

          When I get my iPhone 5s I will have touch id and pass code activated.

          Good luck anyone getting anything out of my phone they will have to go through 3 layers of security.

          By the time they do that, I will know where they are on maps, would have wiped the phone, sent them a message and called the police.

          They can’t win.

  6. For this approach to work, Apple’s technology can’t work the way they said it did. As another poster said, this is a capacitive scanner, not optical, so how can a latex fingerprint copy possibly work? This just doesn’t pass the smell test. Specific details to allow the replication of the technique by a third party are clearly necessary. The scanner should completely ignore any thin film between it and an actual finger.
