image from digital trends.com
Apple just released its iPhone 5s and one of the main features is the fingerprint reader. Being a security guy I was curious about the tolerance this system has for unexpected finger states, so I decided to test out the fingerprint reader in the following scenarios:
A moist finger
A wet finger
A dirty finger
An engorged finger
A scored (surface damaged) finger
Through thin, transparent plastic
A jellied finger
A toe
In most cases I tested with my right thumb.
Here I replicated sitting in a bath for a while (I soaked my thumb in near-hot water for 15 minutes), where your finger would soak up tons of water but you’d get the chance to wipe it off before trying to unlock your phone.
Pass. 9/10 successes.
It seemed to deal with the plumpness of moisture really well.
In this case I actually had water on the surface of my finger, so this would be like just washing your hands and trying to unlock your device before drying them at all.
Fail. 8/10 failures.
A clearly wet finger is a show-stopper.
Here I used "regular outside dirt" (whatever that means). I’m from San Francisco and there is a hill nearby, so I just used some of that dirt to rub into my dry thumb. The amount of dirt really made a difference, hence the result in my opinion.
Fail. 7/10 failures.
If your hands are just not clean, it probably won’t matter, but if you have an actual layer of dirt then it does cause issues.
Because the claim for the reader is that it reads beneath the top levels of skin, I was curious how it would handle a finger that was overly full with blood. So I applied a quick tourniquet to my thumb and got it nice and plump, plus applied major pressure to force blood into the contact area.
Pass. 10/10 successes.
Like moisture, this didn’t seem to phase the sensor at all.
For this one I did a couple of things. First, I ran the tip of a scissor both vertically and horizontally across my thumb’s contact area with the sensor. I did this around 100 times (50 each). I did it hard enough for it to be uncomfortable, but not enough to cause extreme pain. The key was to make (perhaps non-visible) changes to the surface of the skin.
I then went outside to the wall of our building, which is made of a coarse, sandpaper-like surface. I ran my thumb’s contact area vigorously along that surface perhaps 25 times, until it was pretty unhappy with me. My thought was that if the sensor was reading purely off of the surface, I could have made at least some moderate changes (but I know virtually nothing about fingerprint science, so take that for its worth).
Pass. 8/10 successes.
I did get it to fail a couple of times doing this, but overall it was fairly ineffective at tripping up the sensor. My thoughts are that more significant damage to the thumbprint would be a better test, but I’ll leave that to someone more high speed than this guy.
Get a weekly breakdown of what's happening in security and tech—and why it matters.
This one surprised me. I used the plastic that sometimes comes wrapped around shipped packages–the super thin stuff, like saran-wrap, but even thinner perhaps.
Pass. 9/10 successes.
Huh. I was pretty sure the plastic was going to cause trouble–similar to water. But I pulled the plastic tight (no wrinkles), and I think the lack of variation in the depth might have made it work. But again, I’m just randomly assembling words when I say that.
Ok, use case here is pretty simple. You have some sticky stuff on your finger and you want to unlock your phone. Test case was strawberry jelly (perhaps the color/transparency matters?). I used only a small amount of jelly for this–i.e. a pretty thin layer.
Fail. 7/10 failures.
No sir, it doesn’t like jelly.
Finally, I was curious what would happen if I tried to enroll a toe instead of a finger. I enrolled my right second toe, and it absolutely worked!
Pass. 10/10 successes.
After enrolling a toe I tried a few other surfaces, and in fact the scanner works with any fleshy surface on your body. I confirmed this with the tip of my nose and several other parts of the body. In all cases I was able to get both successful enrollments and successful authentications afterwards.
This is interesting from a security perspective, as the unconscious unlock attack requires that they know what you use, so if you were to have/use an alternative method you wouldn’t be vulnerable to that, e.g. the side of your thumb knuckle, or the bottom of your fist.
Anyway, my major takeaways were that it works through plastic, and that it works with any fleshy human surface.