Apple's just-released iPhone 6 is vulnerable to the same TouchID fingerprint sensor attack as its iPhone 5s predecessor, a researcher who detailed the first security hole has found.
Marc Rogers, principal researcher at security firm Lookout, followed the Chaos Computer Club biometrics hacking team late last year in demonstrating how the TouchID sensor in the iPhone 5s could be fooled by a fake set of fingerprints created using household items.
Rogers this week decided to check whether Apple had attempted to improve the security of the TouchID sensor in the release of two new iPhone models.
"Sadly there has been little in the way of measurable improvement in the sensor between these two devices," Rogers wrote in a blog post.
"Fake fingerprints created using my previous technique were able to readily fool both devices."
The updated TouchID included no additional settings to tighten security, such as a timeout on fingerprint log-in attempts that would trigger a passcode and so address the current opportunity for brute forcing, Rogers said.
He did, however, note that Apple had improved the sensitivity of the sensor, making it more difficult to defeat.
" ... Slightly 'dodgy' fake fingerprints that fooled the iPhone 5s did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it," Rogers wrote.
"None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device."
Despite this, the vulnerability of the sensor remains concerning in the new models, especially given TouchID's role in authentication for Apple's new Apple Pay service, in which a user approves a mobile transaction by entering their fingerprint on TouchID.
Rogers said while the sensor remained adequate for its purpose - unlocking an iPhone - its security might not be strong enough for authenticating mobile payments.
He advocated for Apple to introduce two-factor authentication and use a passcode or PIN code alongside the fingerprint sensor.
However, Rogers did say he was not concerned about mass exploitation of the vulnerability given how complicated the process to bypass TouchID was.
"The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work," he said.
"Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.
"That said, I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID. Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments."