Apple's Touch ID sensor has been defeated. What does this mean?
First of all, it means Nick Depetrillo and I were wrong. We claimed it'd be harder. We assumed that a higher resolution sensor wouldn't be so simply defeated with just a higher resolution camera. We bet money. We lost (and Starbug of the CCC won).
Many people claim this hack is "too much trouble". This is profoundly wrong. Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try.
At the same time, it doesn't mean Touch ID is completely useless. Half the population doesn't lock their phone at all because it's too much trouble entering a 4 digit PIN every time they want to use it. If any of them choose to use Touch ID security instead of no security, then it's a win for security.
There are also some ways around the hack. Use your ring finger or pinky finger instead. You don't use these fingers to navigate your phone, so these prints won't be on your phone. These are also the most difficult and unlikely prints to retrieve from other surfaces, like beer glasses.
So here are the four lessons:
1. security experts can be wrong
2. don't believe the security assurances from vendors
3. bad security is still better than no security
4. knowledge is your best defense: understand this hack and how to use your pinkie finger instead