A spokesman for the Chaos Computer Club (CCC) said the group managed to fool the phone's biometric sensor into accepting a fingerprint created with a household printer and wood glue.
"A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5S secured with TouchID," reads the announcement on the CCC's website. "This demonstrates - again - that fingerprint biometrics is unsuitable as [an] access control method and should be avoided."
Dirk Engling of CCC told The Associated Press on Monday that the exploit has been documented with several videos so independent experts can verify it. A YouTube video (below) appears to verify the claim.
He added that the hardest part had been getting hold of an iPhone 5S, which went on sale in Germany last week.
Apple didn't respond to repeated requests for comment. But another industry leader invested heavily in fingerprint and other biometric security were not so shy.
"Do you think its easy to first take a high-resolution picture of your fingerprint and then steal your mobile?" Fingerprint Cards Chief Executive Officer Johan Carlstroem of Stockholm asked in a telephone interview with Bloomberg news agency. "Wouldn't it be better to pick up a gun and press it against your temple and ask you to unlock it?"
But his reply did not address the direct claim that the Apple 5S sensor had been breached.
Fingerprint Cards and Precise Biometrics have soared more than fivefold since the end of last year through Sept 20, partly because of predictions that all smartphones will eventually be equipped with fingerprint technology after Apple added such sensors to its iPhone 5S. Fingerprint said today it expects "all Tier 1 smartphone OEMs will have a capacitive fingerprint sensor in their flagship models by the end of 2014."
According to the hackers:
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
Apple claimed the 5S phone's biometrics ability was superior to all other known systems, and seemed to claim it was essentially unbreakable.
This was an extraordinary claim, since every known fingerprint sensor can be beaten with tactics similar to those used by the German hackers. Apple also claimed there was no way anyone could steal the fingerprint of a user, because it was encrypted inside the phone, and not on Apple's servers.
Apple and other big US technology companies have been exposed in recent months helping US intelligence agencies compile vast information files on their users, both inside the US and overseas.
While it is impossible for now to know whether Apple was truthful about the security of the stored biometric information on the fingerprint sensor, it appears that it can be overridden like other such systems, with a camera, a laser printer, and some wood glue.