In this short blog post I will show you why an alphanumeric password is much more secure than biometrics. At home, as a total n00b, I was able to clone my finger and bypass Touch ID. To be honest, in my case the effectiveness was about 10%-15%, but as I wrote before, it was my first time and I didn't have any professional tools. Before I start, I want to credit Łukasz Bobrek & Paweł Kuryłowicz from SecuRing, who showed me their research. These guys compiled the knowledge from the iPhone 5s Touch ID hack in detail, and spent much time on trials and failures, to create the Half-Blood Prince's textbook. 😉

1. Scan your fingerprint

(that is a fake finger, not mine - don't worry ;-))

[image: fingerprint1]

2. Revert it and remove the noise

[image: fingerprint_invert]

3. Print the finger on the tracing paper

[image: IMG_5487]

4. Cut a piece of PCB

[image: IMG_5485]

5. Expose the PCB through the printed fingerprint

[image: IMG_5489]

6. Immerse the PCB in a photo etcher

… and wait for about 1 hour

[image: IMG_5492]

7. Dry it and immerse it in the Na2S2O8 solution

[image: IMG_5496]

8. Dry the PCB again and apply the graphite coating


9. Apply wood glue

[image: IMG_5506]

10. Wait 24 h and peel off the fake finger!

[image: IMG_5513]

Results

Update #1

The story was also featured in: https://portswigger.net/daily-swig/how-can-people-use-google-and-not-expect-to-be-hacked