SRL, which has also disclosed a major security flaw in SIM card technology that affected mobile systems around the globe, said it has shared its research with Apple's security team.
According to SRL, using fingerprints as credentials for local user authentication has two shortcomings when compared to passwords. Once a fingerprint gets stolen, there is no way to change it. To offset this high compromise penalty, fingerprints would need to be very hard to steal. However, users leave copies of their fingerprints everywhere; including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs ("fake fingers") can be produced from these pervasive copies.
"The iPhone 5s?s fingerprint sensor does not only appear to provide no additional protection, its use even undermines other security mechanisms," SRL said.
The iPhone 5s has moved slightly beyond the capabilities of earlier touch sensors: It provides a higher resolution image of the users' fingerpints and according SRL, it uses this higher resolution to match based on finer structures. However, SRL claims that even these finer structures can be spoofed, for example based on an equally high resolution smartphone camera image, showing that some defense strategies only improve at the pace of the corresponding attack technique.
"Fingerprint spoof prevention would better be based on intrinsic errors in the spoof-creation process or on fingerprint features not present in latent prints (and become much harder to steal)," SRL added.
The iPhone 5s, on the other hand, was defeated by techniques widely published years ago.
The researhcers also identified vulnerability that could potentially give criminals time to break into the phones, gain complete control of data, access email accounts and then potentially take over the user's bank accounts.
In this video SRL demonstrated how other flaws in iOS and iCloud are exposed that ? when combined with Touch ID?s vulnerability to fingerprint spoofing ? allow for online identity theft.