Turns out that fingers (real and fake) are just one way to unlock an iPhone 5s; noses, toes, and other body parts also apply

Forget twerking. Forget celebrity photobombing, toddlers performing “Blurred Lines,” or even grumpy cat GIFs. The hot new craze is figuring out which body parts can be used to unlock Apple’s iPhone 5s.

Let’s start with fake fingers. Less than two days after a pair of hackers challenged the world to successfully spoof a fingerprint and gain illicit access via Apple’s Touch ID biometric, a researcher in Germany named Starbug did just that.

After news of Starbug’s Touch ID hack became public, Lookout Security’s principal researcher Marc Rogers decided to see if he could duplicate Starbug’s feat. Of course, he could.

Gold fingers

Both of them went through a series of CSI-like steps, carefully lifting a fingerprint from the iPhone’s glass surface, reproducing a high-res image of it, using that to create a fake fingerprint from latex-like material, and applying it to the Touch ID sensor. The process is either surprisingly easy or extremely difficult, depending on which guy you believe.

According to Rogers:

Hacking Touch ID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician…. Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky.

Starbug had a rather different take on the matter, as he told Ars Technica:

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.
I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

Despite Apple’s claims that Touch ID provides a “very high level of security,” both Rogers and Starbug note that Touch ID is not a “strong” security control, merely a “convenient” one. Rogers adds, correctly, that Touch ID would be a lot more secure as part of a two-factor authentication system involving a passcode or password.

Still, the speed and relative ease of the hack took many people off guard. As Ars Technica’s Dan Goodin writes:

Many security researchers and writers, yours truly included, predicted that the ability of the high-definition scanner included in the iPhone 5s wouldn’t be fooled by attacks using scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It’s now clear we were wrong.

Body of evidence

But wait, there’s more. We already know that fake fingers and feline appendages can unlock an iPhone 5s. How about your nose? You bet. Also, your toes. One intrepid iPhone user in Japan with clearly too much time on his hands even used his nipples to unlock his phone. (Why not? He wasn’t using them for anything else.) I hope he warmed up the phone first.

What could possibly be next? Yep, you guessed it. I’m not going there. There are boundaries even I will not cross. But I can already see a market for live iPhone-unlocking Webcam shows.

What conclusions can we draw from this? The first is obvious and well known: By now most of us realize no solution is truly “secure” — at least, not for long. Whatever seems secure today inevitably turns out to be more porous down the road, whether because some clever hacker figured out its flaws or because the NSA engineered its own backdoor.

Second conclusion: Touch ID is a gimmick designed to give the iPhone 5s more of a “wow” factor, kind of like Siri was for the iPhone 4S. It’s a fun gimmick, but a gimmick just the same.
Odds that your average mugger will steal your iPhone and go to this amount of trouble to get at your personal data are slim. But as Robert Graham, CEO of penetration-testing firm Errata Security and co-sponsor of the Is Touch ID Hacked Yet site, writes:

Many people claim this hack is “too much trouble”. This is profoundly wrong. Just because it’s too much trouble for you doesn’t mean it’s too much trouble for a private investigator hired by your former husband. Or the neighbor’s kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy — you just need to try.

Graham adds that bad security is better than no security at all, which is true. Also true: An iPhone with a whizzy but ultimately flawed gimmick is better than one without, if only because it’s easier to poke fun at.

That still leaves the question: Can Touch ID be hacked by a pair of Spock ears? No doubt somebody somewhere is trying to find out.

This article, “Show of hands: Who hasn’t hacked Apple’s Touch ID?,” was originally published at InfoWorld.com.