The Apple TouchID fingerprint security scanner on the new iPhone 6, a key part of Apple's upcoming mobile payment service, can be hacked and may not be an adequate security control for the service, according to a researcher at mobile security vendor Lookout Security, who exploited the same weaknesses in previous versions of the smartphone.
Lookout principal security researcher Marc Rogers created a fake set of fingerprints to fool the scanner using the same technique he used when exploiting the fingerprint sensor last year in the iPhone 5s. Like its predecessors, the iPhone 6 lacks the ability to set a timeout for TouchID, which would force the user to enter a passcode as a secondary measure after a period of inactivity. The lack of this key security feature opens the device up to brute-forcing, giving an attacker multiple attempts to defeat the sensor.
"I had little expectation that the TouchID sensor would be completely secure, but I hoped at least that there would have been some improvements," said Rogers in a blog post Tuesday.
Creating a fingerprint that will work is the hardest part of the hack. Rogers used superglue and fingerprint powder to lift a print using special fingerprint tape. Defeating the fingerprint sensor in the new iPhones was much more difficult, Rogers said of his latest attempt. He also noted that in his tests, the sensor appeared to scan fingerprints entered into the device at a higher resolution and a much wider area, giving the built-in sensor better reliability and fewer false negatives when a legitimate user attempts to access the device.
The fingerprint sensor is a critical component in Apple Pay, which was unveiled Sept. 9 at Apple's annual event. The company's mobile payment service is slated to go live next month for users of the new iPhone 6 and iPhone 6 Plus. It eliminates credit card numbers, enabling iPhone users to wave their phone to pay for a transaction. So far more than 200,000 merchants are signed on to support the payment service, as are some major credit-card brands and card-issuing banks. Some security experts warn that while it may reduce fraud by eliminating the credit card number from retail payment systems, it could increase the risk of attacks targeting users of the Apple Pay service.
Rogers concluded that while the fingerprint sensor is an adequate security control to unlock the iPhone, it may not be a strong enough security control for authenticating mobile payments. CRN reached out to Apple for comment, but it did not respond in time for this story.
"I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID, especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments," Rogers said.
Solution providers and industry analysts say the rollout of Apple Pay has potential to transform the payment industry by eliminating credit card numbers altogether. The process needs adoption from a broader array of merchants and ultimately needs to be embraced by iPhone users who see the convenience and trust in the security and privacy of paying with their smartphone, said Avivah Litan, a vice president and distinguished analyst at research firm Gartner.
"This long line of breaches has made merchants look for alternatives, but until now no one wants to gamble with investing in technology that may not be used by consumers," Litan said.
While a host of big names, including Walgreens and Disney, have signed on to adopt the terminals needed to support Apple Pay, widespread adoption depends on a number of factors, experts say.
"Top-tier merchants will be more likely to get on board and move the ball, but there are millions of small-business merchants and it's unclear that they will have the same level of motivation to get behind the movement," said Kevin Grieve, a payment industry veteran and partner in consulting firm Strategy& who leads the firm's payments business.
Grieve said payment processors likely will push small and midsize merchants into adopting payment terminals that support near field communication (NFC), the protocol used by Apple and Google to transmit payment data from iPhone and Android devices to the merchant's terminal. Adoption needs to grow to levels where it makes financial sense for merchants to replace their terminals or bolt on additional payment mechanisms, Grieve said.
PUBLISHED SEPT. 23, 2014