Apple did not immediately respond to a request for comment. On its company Web site, the firm says that fingerprint security is strong because the chances that another fingerprint may contain a section similar enough to unlock a user’s phone is 1 in 50,0000.
But the group claiming to have cracked Apple’s security feature, the Chaos Computer Club, said that all it had to do to trick the sensor was to make a “higher resolution” phony finger, which could be done by pulling a print off glass.
“As we have said now for more than [sic] years, fingerprints should not be used to secure anything, one of the group’s members said in a blog post. “You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
The group also posted a video showing someone programming an iPhone 5s to recognize one finger, and then using a cover over a different finger that does not appear to be programmed into the phone to unlock the device.
Sen. Al Franken (D-Minn.) had already asked the company for more information on how the device stores information on users’ fingerprints, using some of that same arguments for caution.
“If someone hacks your password, you can change it, as many times as you want. You can’t change your fingerprints,” Franken wrote in a letter to Apple. “You have only ten of them. And you leave them on everything you touch; they are definitely not a secret.”
The fingerprint scanner is not the only security feature on the iPhone, but it can be used to replace the standard four-digit pin in many cases. Users who opt to use the fingerprint scanner will still have to use a pin when they restart their phones if they haven’t unlocked their phones for more than 48 hours or when they want to open or change settings on the “passcode and fingerprint setting” menu.
In another security issue, outside researchers have identified a bug on Apple’s new operating system, iOS 7. They said people can bypass the lockscreen and to send messages, make calls and see some contact information on users’ phones by using the Siri voice assistant from the lock screen.
Cenzic, a security firm based in California, said Friday that it had uncovered the flaw and that it found that the Siri issued also affected some functions in iOS 6.
“This vulnerability indicates that there is a thin line between security and convenience,” wrote Cenzic’s vice president of engineering, Tyler Rorabaugh. “Functionality like calling phone numbers, sending messages and sending emails, even if the phone is locked, can be debated as security over convenience, but there is no setting that can control this if Siri is enabled. A user might need to disable SIRI completely to stop this.”
In a statement, an Apple spokeswoman confirmed that the company was aware of the Siri bug and investigating the issue.
“Apple takes user security very seriously. We are aware of this issue, and will deliver a fix in a future software update,” she said in a statement.