iPhone’s Touch ID hacked with Play-Doh

BY Killian Bell

Published 29 Feb 2016

Touch ID Play-Doh hack

Touch ID is supposedly the most secure method of locking your iOS devices, because it’s much harder to hack than a passcode. But is it? At Mobile World Congress last week, a Chinese startup showed it’s possible to unlock an iPhone using children’s Play-Doh.

In the video embedded in the tweet below from tech reporter Arjun Kharpal, Jason Chaikin, president of mobile security firm Vkansee, shows it’s possible to unlock one of Apple’s latest iPhones using a blob of Play-Doh. It takes a couple of tries, but it works.

While we’ve seen Touch ID being operated by toes and other body parts, and even a cat’s paws, this is definitely the sneakiest, most primitive solution yet. Theoretically, a thief could use the same trick to unlock your iPhone or iPad, and gain access to all of your data.

But don’t be too concerned just yet, because it’s nowhere near as worrying as it looks. What this video doesn’t show is that Vkansee made that Play-Doh fingertip from a cast of a finger made in dental paste. Without that, the hack doesn’t work.

So, in order to gain entry to your iPhone using this method, a hacker would first need to create their own dental paste cast of your fingerprint, which would obviously be incredibly difficult without your knowledge.

Nevertheless, Chaikin was demonstrating this hack to highlight the “lack of sophistication in current biometric solutions,” explains MarketWatch“His company, incidentally, is marketing its own fingerprint sensor, but this isn’t the first time current biometric authenticators has been called into question.”

Apple did not respond to a request for comment on this, but the company did point Kharpal to its website, where it states “every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID.”

“The probability of this happening is 1-in-50,000 for one enrolled finger. This is much better than the 1-in-10,000 odds of guessing a typical 4-digit passcode.”