My iPhone got hacked at MWC. I’m not even mad, I’m actually impressed
We have all heard the stories about smartphones being hacked one way or another, and seen in films how people lift fingerprints from objects to circumvent scanners, but do those techniques actually work?
Well, I can attest to the fact that yes, yes they do – and very much so. But before you freak out, let me explain: at Mobile World Congress, my iPhone 6 was accessed through the fingerprint scanner without my hand being anywhere near it.
But – and this part is important – it was done in a controlled environment and with my knowledge, as part of a demonstration on the vulnerabilities of popular fingerprint scanning technology. Even though it was done to show me how easy it is to access someone’s phone, that doesn’t make the threat any less worrying.
The company that could have theoretically stolen all of my data is Vkansee – a US-based security company that manufactures fingerprint readers and sensors.
First, I was asked to sit with the finger I use to unlock my iPhone in regular dental paste for five minutes. It might seem like a long time and nobody would willingly sit there so you can steal their info, but dental paste works the best for these kind of tests and just takes some time to harden.
Making a clone
After the dental paste has set, a child’s toy – Playdoh – was used to create a copy of my fingerprint from the mould. The dough was rolled into a small ball, pressed into the mould and spread out so that it caught all the ridges of my finger.
Well, did it work? Watch the video below and see for yourself.
It’s pretty frightening to watch someone access your phone using only dental paste and Play-Doh at a trade fair, but doubly so knowing that real hackers are likely using something similar to do the same thing outside of these controlled circumstances. Vkansee’s MWC 2016 demo may also be interesting to authorities in the US, since they’re currently at loggerheads with Apple and some of Silicon Valley’s other major players regarding the iPhone’s encryption mechanisms.
Vkansee President Jason Chaikin said the demonstration was not about showing people how to hack an iPhone, but to help point out the vulnerabilities inherent to the technology – and not coincidentally, to also show that Vkansee can help prevent it from happening.
Vkansee is in the fingerprint sensor business, and it has developed a scanner that takes a 2000 pixels per inch (ppi) photo of your finger, with a device that’s a fraction of the size of traditional optical scanners. Those scanners typically scan and store your fingerprint data at a resolution of 500 ppi, making Vkansee’s scans far more detailed and giving the software far more to work with.
There is so much detail captured in each scan, in fact, that Vkansee’s system can detect if the finger being presented is living or not. For that, it measures the difference in size in the sweat glands in the finger: a living appendage will have open pores, whereas a dead finger will have much smaller, closed ones.
“The fingerprint scanners that are used in phones today are 10-year old technology, as are the ones are used in some laptops. Why did they fail in laptops but survive in mobile? Well, because of Apple,” said Chaikin, referencing Apple’s inclusion of a fingerprint scanner in their phones since the iPhone 5S. It’s been used to validate identities for things like online purchases and Apple’s own Apple Pay transaction system.
He explained that you have to make people an integral part of mobile transactions, because if you can circumvent the security surrounding them in an easy way, phones will be much more vulnerable. “You need to have a third factor (biometric) to close the vulnerabilities that can be exploited.”
Vkansee is obviously pushing their technology to be used in mobile phones throughout the world. Their sensor is a fraction of the size of traditional optical scanners, but perhaps more importantly they can be embedded under glass, so phone makers don’t have to cut special holes in their phones’ design to accommodate them.
“We use pinhole technology, the same as the very first cameras, to eliminate the prism in optical scanners. Ours is only 1.5mm thick and it has one job – to take pictures of your finger.”
The technology also has another benefit, in the sense that it doesn’t need a static electric charge to work. Because it takes a photo, your finger can be wet and it will still work. In iPhones right now, if a finger has moisture on it, chances are it won’t unlock the device.
For Chaikin, that is where the major appeal of the technology lies – in the fact that it is super thin, can be used wherever biometrics need to be captured and records more detail than a regular fingerprint scanner.
Naturally the idea is to make smartphones more secure, as Vkansee’s scanner tech can be incorporated into any design – all it needs is light to operate (as all cameras do).
But it also has industrial uses. Take, for example, the US Department of Defense’s Office of Personnel Management: in September last year the agency admitted that among the personal and highly sensitive private information hijacked in a massive data breach, the hackers also made off with nearly 5.6 million federal employee fingerprints. While Vkansee wouldn’t be able to stop the breach from happening, if its fingerprint scanner technology became the de facto standard, stolen fingerprints would be useless.
*Note: The test from Vkansee doesn’t work on a Samsung device, as your finger needs to be swiped across the scanner, and that damages the Play-Doh.