Can you really hack a smartphone with Play-Doh?

February 26, 2016 | Arjun Kharpal from CNBC

If you think your phones are super-secure, you’re probably wrong. A Chinese start-up demonstrated this week how it could unlock an Apple iPhone via the fingerprint sensor using Play-Doh.

President of mobile security firm Vkansee, Jason Chaikin, created a mold of his fingerprint. He then took the modeling clay Play-Doh, pressed it on to the mold and created a replica. Chaikin touched the Play-Doh on an iPhone’s fingerprint scanner and the device unlocked.

It’s not expected that we’re going to see a rise of criminals creating moulds of people’s fingerprints, but Chaikin did the demonstration to highlight the lack of sophistication in today’s biometric solutions, not just on iPhones, but on other devices too.

Apple did not respond with an official comment but pointed to the security section of its website.

“Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger,” the website read.

“Touch ID only allows five unsuccessful fingerprint match attempts before you must enter your passcode, and you can’t proceed until doing so.”
The Vkansee president showed off the firm’s patented fingerprint sensor that sits under the glass of a phone. Currently manufacturers have to cut a hole in the device to put in the sensor.
“The demand for under glass scanning that’s resistant to hacking is the number one thing that we hear from the device makers,” Chaikin told CNBC during an interview at the Mobile World Congress (MWC) in Barcelona on Wednesday.

Vkansee’s solution picks up “third level details” on a person’s finger such as the thickness of the ridges on a person’s finger or the pores of the skin. The product also allows fingers to be read when wet, which is currently an issue with such sensors.

The problem at the moment, according to Chaikin, is that the biometrics are too simple. He cited an example from 2014 of a hacker who managed to take a high resolution picture of German Defense Minister Ursula von der Leyen’s finger, and reverse engineer that to unlock her phone.

Manufacturers are looking at new biometric methods to authenticate users as consumers use their mobile devices for an increasing number of tasks including banking and shopping. Mastercard told CNBC that it’s going to start using “selfies” to authenticate users for its services.

And the eyeprint is another method of authentication which can be done using a smartphone’s front-facing camera.

EyeVerify is one company producing software that can recognize tiny details in a person’s eye such as blood vessels. Toby Rush, the chief executive of the U.S. company said that the eye’s features are stable.

“We look at micro features just outside the eye, the strongest being the blood vessels in the eye. They are stable, they work really well,” Rush told CNBC in a phone interview.

So with selfies and eye scanning coming into play, is the fingerprint dead? Not according to Rush who said that there’ll be an increasing number of authentication methods available to users.

“I think fingerprints are great and not going anywhere, fingers and eyes will win the day. Anyone in biometrics will agree that multiple options provide the best security in the most robust manner and best user experience,” Rush said.