Improve the security of Touch ID on the iPhone 5s

As every year, I was at the SingTel iPhone launch event in Singapore, on September 20. I had been playing with iOS 7 for some months already, but I was really thrilled about getting my hands on the Touch ID. After one week of use, it went beyond my best expectations: I never used a simple 4-digit code, and not having to type a long code to unlock the phone is a huge, huge time saver.

Of course, a couple of days after release, all tech blogs and papers around the world have started screaming that Touch ID had been hacked. I have read the details of the hack, and no matter what people say, it does not seem that simple to me. In order to get access to your phone, the attacker needs a high definition camera or scanner, a laser printer able to print with a thick layer of toner, silicone glue, and quite some time. This seems harder than peeking over your shoulder while you are typing your code, but anyway...

Now, this is what I do to minimize inconvenience, while at the same time making it harder to hack my phone:

  • I have disabled Control Center from the Lock Screen. With Touch ID, I can unlock the phone instantly, so I do not need access to the Control Center while the phone is locked. This makes it impossible for the attacker to put the phone in flight mode before unlocking it: given the amount of time needed to lift and reproduce a fingerprint, I will likely have the time to wipe my iPhone remotely (this can be done instantly from the web or any other iOS device with the Find My iPhone utility).

  • I have not scanned my thumbs, but only other fingers. The hack is based on lifting the fingerprint from the home button itself. Now, in 99% of cases the home button will have my thumbprint on it, as I use it with my thumb once the phone is unlocked. Good luck in finding the correct fingerprint in other parts of the phone, especially if you have little experience with fingerprints. This of course is just a strategy to delay the attacker, but the longer they take to perform the hack, the longer I have to wipe my phone remotely. This is especially effective using the little finger, whose print might not even be on the phone.

  • I use a fingerprint-unfriendly case, like the official leather case from Apple. I don't think you can lift a fingerprint with a simple high resolution camera from this kind of surface.

  • I use a fingerprint-unfriendly screen cover (most anti-glare covers seem quite resistant to fingerprints): same reasoning as for the case.

To be honest, the only measure among these that I really consider useful is the first one: the time required to lift and reproduce a fingerprint is more than sufficient to remotely reset it. And if anybody has nothing better to do than hack my data, I'm pretty sure my iPhone is not the only weak link.