Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked

from the no-problem,-just-change-your...-oh-wait dept

While Apple has been touting its new TouchID fingerprint scanner as more secure, many people with experience in biometrics are quick to note that the problem with biometric security is once it’s cracked, you’re kind of in trouble, since you can’t just change your fingerprint/retina/voice etc. And, indeed, it took almost no time at all for the biometrics hacking team of the Chaos Computer Club to crack TouchID “using everyday means.” You can see a video of them getting into a new iPhone with a different finger:

It appears that they’ve used the same basic method as has been used to hack fingerprint scanners in the past — get a high quality image of the user’s fingerprint and then:

The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

The only “difference” here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple’s scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

It wasn’t difficult to assume that this would happen. What’s surprising is that Apple doesn’t seem to have considered this fact.

Companies: apple


Comments on “Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked”

87 Comments
Anonymous Coward says:

Re: Re:

“…the sound of Apple executives banging their heads on their desks?”

I don’t hear any “THUD, BANG, CRASH”, just “KA-CHING, KA-CHING, KA-CHING”.

Let’s be real for a minute here. No matter how shitty an Apple product is (remember? “You’re holding it wrong”), people will buy it. Because people are stupid and don’t care about functionality, just bling.

PRMan (profile) says:

Re: Apple doesn't seem to have considered this fact

So, how long did they spend to break this? I’m sure if a team spent 10 hours they could figure out how to get your unlock code as well.

This just in. The deadbolt on your storage locker can be cut immediately with bolt cutters!

Security isn’t about absolutes, it’s about what is secure enough for the price and purpose. Apple’s method is fine for 99% of their users. If the CIA wants an iPhone, they’ll have to write some additional code.

(I can’t believe I’m defending Apple…)

John Fenderson (profile) says:

Re: Re: Apple doesn't seem to have considered this fact

So, how long did they spend to break this

Probably no time at all. This is the standard way to defeat fingerprint scanners, so it’s probably the first thing they thought of. It certainly was the first thing that I thought of.

BTW, this method, or a variant, can be used to defeat literally any fingerprint scanner — which is why using fingerprints as a form of security is not just stupid, but brain-dead.

The really high end fingerprint scanners are slightly more difficult to defeat, although it’s the same basic technique. The modification is that you have to put the fake fingerprint onto a gelatin sheet and wear it on your own finger.

That Anonymous Coward (profile) says:

So…
TouchID – broken day one, patched.
patched TouchID not secure.
People able to make calls from a locked screen.
Some people reporting worse battery life.

What did work?
Blocking 3rd party charging cables.

Corporate priorities in action, secure our revenue stream and then maybe get around to protecting customers.

SeanSatori (profile) says:

Everyday means?

Sorry, but this procedure isn’t exactly ‘everyday means.’ Sure, if you have access to someone you can somehow figure out how to get a high resolution copy of their fingerprint, then invest the time and effort to make your latex copy of their fingerprint. But come on, for the average user, worrying about an attack along this vector is ridiculous.

Newsflash: nothing is 100% secure. That said, it’s reasonably secure. Like most any other form of security, it’s susceptible to social engineering.

Anonymous Coward says:

Re: Everyday means?

Yep, exactly right. The XKCD $5 hacking scheme still way way easier than what they did here.

In fact their “hack” requires a good deal of fabrication time. I would go out on a limb and say that to execute this hack effectively, you would need to have full physical access to the phone. And any security specialist worth their salt knows that the game is over once you have full physical access anyway.

Fingerprint scanning is security against someone swiping and immediately accessing your phone. Conflating the fingerprint scanner with actual secret or top secret level device controls is disingenuous.

Anonymous Coward says:

Re: Re: Everyday means?

The XKCD $5 hacking scheme still way way easier than what they did here.

The problem with the $5 wrench method of accessing a device is that it alerts the user that you have gained access to the device. It is therefore no good for attackers that, for whatever reason, wish to procure more clandestine access.

Not an Electronic Rodent (profile) says:

Re: Everyday means?

Newsflash: nothing is 100% secure. That said, it’s reasonably secure. Like most any other form of security, it’s susceptible to social engineering.

Last time I needed to look into biometric security, about 95% of fingerprint readers available at the time could be broken with a Gummy Bear and possibly an LED light. I don’t imagine that’s changed much.

not an idiot says:

Re: Everyday means?

Don’t waste your time. No one here understands the concepts. The scanner is at least as secure as the 4 digit code that already existed. Guessing a 4 digit number would probably take a day or two. This would also take at least that given that you’d have to somehow find a very high quality copy of the target’s finger print! Also, this would probably work for any finger print scanner out there, but we wouldn’t want to bring that up on this POS site.

Not an Electronic Rodent (profile) says:

Re: Re: Everyday means?

The scanner is at least as secure as the 4 digit code that already existed.

Perhaps yes, I honestly can’t be bothered to work out the maths, but that’s not the point.
The consequences of breaking a biometric are more severe. If a passcode becomes broken you can change it. If your fingerprint becomes known, you’re a bit stuck.
I have no idea whether the iPhone can use any other type of security apart from fingerprints (Apple SOP means I guess not but I don’t care to find out), but it seems daft to put front and centre a technology with obvious limitations.

Also, this would probably work for any finger print scanner out there

Yes indeed it would likely along with many other methods such as Gummy Bears, which kinda goes to show how flawed it is but Apple is claiming to be more secure is it not?

Lachlan Hunt (profile) says:

Re: Everyday means?

Yeah, if only a phone thief had access to something the victim may have touched. Maybe something smooth made of glass so it’s really easy to lift a finger print. Oh, right. The phone itself!

That’s right, anyone who steals your phone already has a copy of your finger prints, potentially even intact, that they can copy. That’s like keeping a copy of your password stuck to the back of the device.

Aaron Toponce (profile) says:

Identification, not authentication

I wish people would understand that there are two different roles at work here, and fingerprints really should only be used for one of them: identification and authentication. Your fingerprint should only be used as an identifier of who you are. IE: present a list of users, and swiping your fingerprint picks the right user from the list. Then, and only then, should you provide a token that authenticates you to the system, such as a PIN code, password, or secure key card.

The fact that companies the world over continue to use fingerprints as a method of authentication shows a lack of understanding how easy it is hack, and the difficulty required in “changing your fingerprint”.

Remember, if someone has your phone, they have your fingerprint, but they don’t necessarily have your PIN or password. Too bad Apple didn’t recognize this.

Not an Electronic Rodent (profile) says:

Re: Identification, not authentication

Remember, if someone has your phone, they have your fingerprint, but they don’t necessarily have your PIN or password. Too bad Apple didn’t recognize this.

Yep, anything involving a biometric should be a minimum of 2-factor authentication.
3 is better:
Something you have (token of some kind)
Something you are (biometric of some kind)
Something you know (password of some kind)
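
The split described in the two comments above (fingerprint as identifier, a changeable secret as the authenticator), as an added example that is not part of the original thread. The byte-string template stands in for a real fuzzy fingerprint matcher, and the class names, PIN values, lockout threshold and work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_PIN_FAILURES = 5        # assumed lockout threshold for this example
PBKDF2_ROUNDS = 100_000     # assumed work factor


class Account:
    def __init__(self, username, template, pin):
        self.username = username
        self.template = template      # stand-in for an enrolled fingerprint template
        self.set_pin(pin)

    def set_pin(self, pin):
        """The secret is replaceable; the template above is not."""
        self.salt = os.urandom(16)
        self.pin_hash = self._derive(pin)
        self.failures = 0

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def check_pin(self, pin):
        if self.failures >= MAX_PIN_FAILURES:
            return False              # locked out until an out-of-band reset
        ok = hmac.compare_digest(self._derive(pin), self.pin_hash)
        self.failures = 0 if ok else self.failures + 1
        return ok


class Device:
    def __init__(self):
        self.accounts = {}

    def enroll(self, username, template, pin):
        self.accounts[username] = Account(username, template, pin)

    def identify(self, scanned):
        """Identification only: says whose account this is, grants nothing."""
        for acct in self.accounts.values():
            if hmac.compare_digest(acct.template, scanned):
                return acct.username
        return None

    def unlock(self, scanned, pin):
        """Authentication: the scan selects the user, the PIN proves it."""
        username = self.identify(scanned)
        if username is None or pin is None:
            return False
        return self.accounts[username].check_pin(pin)


def demo():
    dev = Device()
    dev.enroll("alice", b"constructed-template-A", "482913")
    copied = b"constructed-template-A"   # a copied print reads the same as the real finger
    results = {
        "identified": dev.identify(copied),
        "copy_alone": dev.unlock(copied, None),
        "copy_wrong_pin": dev.unlock(copied, "000000"),
        "owner": dev.unlock(copied, "482913"),
    }
    dev.accounts["alice"].set_pin("771205")      # rotate after suspected exposure
    results["old_pin"] = dev.unlock(copied, "482913")
    results["new_pin"] = dev.unlock(copied, "771205")
    return results
```

A copied print still identifies the account, but on its own it unlocks nothing, and rotating the PIN invalidates whatever an attacker learned earlier.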

Not an Electronic Rodent (profile) says:

Re: Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security

It would not take much to make the copies now being made wearable, at least for an hour or so.

Which kinda illustrates the point – a security measure that’s easy to change for illegitimate purposes but not legitimately is hardly great.

And if you could do it legitimately and you had to carry around a box full of wearable fingerprint gloves to operate your phone, what would be the point of having a biometric in the first place?

peter says:

Not to rain on your parade.....

but everyone seems to forget that the easiest method of getting your pin/swipe is to threaten you with the same knife that they used to steal your phone.

I am a fan of the multiple layer of security. The first layer that opens up the screen and some apps making it look as if the phone has unlocked, and a second layer that allows to useful functions like making phone calls/texts.

It’s a bit like having a wallet full of worthless notes and cards to give to the thief whilst you make your getaway.

Anonymous Coward says:

Re: Not to rain on your parade.....

The pin to decrypt my phone is different than the pin to unlock my phone. I’m assuming that anyone that steals it from me at knife point is probably going to turn it off pretty quick so it can’t be tracked, effectively turning it into a brick. While this may not stop me from getting stabbed in the face, it brings me a certain joy that no one will be able to look at how many cat photos I’ve taken.

The answer is a lot. A lot of cat photos.

PeterScott (profile) says:

@”Yeah smart guy, how about your prints are all over your phone. “

Borrow a friend’s phone and try to lift any clean print off it (let alone the exact one you need). You are watching too much CSI if you think you can pull that off.

This “hack” starts with the owner providing them a perfect smudge free print on a clean glass.

I know it is fashionable for some to bash Apple at every turn, but I hoped we could have a reasoned discussion about how likely it is someone could pull this off in the real world, by surreptitiously trying to pull a print from a phone or other surface in the home/office.

I would say that chances are approaching zero.

missingxtension (profile) says:

Re: Re:

This begs for a man in the middle attack.
If you are, say, someone from a 3 letter agency, you can easily either intercept the scanner or just make a lock screen app that would be exact as the original. Or maybe just activate the scanner when you are playing a game. Either way, it’s no better than face unlock. Thank goodness it’s gone from android. No wait I know how face unlock can be secured and revolutionary. Why not put a 41 mega pixel front facing camera. That way only people who can take a 41 mp picture of you can unlock it. It will be revolutionary and evolutionary. Most of all it will be secured…..

Anonymous Coward says:

Also a video is not proof.

A video of someone claiming to do something is not proof that they did it.

Also, unless someone (at least one other researcher) independent from the CCC shows that they can bypass the authentication in the same manner. i.e. it is repeatable then I shall believe it.

Otherwise it’s just a video!

Androgynous Cowherd says:

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

It wasn’t difficult to assume that this would happen. What’s surprising is that Apple doesn’t seem to have considered this fact.

Or perhaps they did. Government’s been wanting to bypass that pesky 5th Amendment and get into everyone’s smartphones for quite some time now. Maybe they paid Apple a bundle to make that happen.

John Fenderson (profile) says:

What I wonder about

When I first heard about the phones using a fingerprint scanner, I wondered how it could be that a company filled with really smart engineers could possibly bring a feature like this to market without anyone stopping and saying “hey guys, this is stupid.”

Fingerprint scanners are not, and with today’s technology cannot be, secure. Period. They’re far too easy to fool.

Berenerd (profile) says:

Law suit in 3...2....1....

I suspect Apple already had this planned and its lawyers were waiting in the bushes to pounce on anyone stealing their trade secrets on how not to do security on a phone.

Seriously, when they announced it I was thinking “damn, how did they get past the known issues of fingerprint readers?” I guess that answers my question. They made it so you need to have a higher resolution (BTW most company printers that we have here for printing manuals have a higher resolution than the iPhone. I would assume most companies do hence the ease of being able to do this.)

akp (profile) says:

This isn't a hack...

Nor is it a “crack.” As someone else said, it’s a spoof, and not a particularly easy one to pull off.

Someone has to make a dedicated effort to get in to your phone specifically. How easy is it really to get the “high res scan” of a person’s fingerprint?

In any case, this isn’t a uniquely Apple screwup. It’s a failure of *any* system using this type of authentication.

No code or hardware is being compromised. The method would work on any fingerprint-scanning system, so it seems disingenuous to bash Apple specifically about it.

Especially when they even admit that to get into an iPhone they have to have an even higher res print than usual when spoofing these systems.

This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.

Jeffrey Nonken (profile) says:

I think the fingerprint thing is more of a gimmick than real security. Especially since the phone is specifically designed to encourage you to leave your fingerprint on the glass.

That said, as long as you don’t have somebody following you around collecting fingerprints and waiting to steal your phone, it’s simple enough to defeat. Just use, say, your off-hand pinky for the scan, and put a matte case on the phone.

Anonymous Coward says:

unreal criticism

Nothing but sour grapes. This is fantastic technology. I find it fascinating that so many people here are criticizing Apple for developing *only* a damn good alternative to freaking annoying passwords — such a good and seamless alternative that literally tens or hundreds of millions of phones will be more secure in the future compared to today (unsecured, no password) as this technology gets traction. Is it unhackable? Obviously not. Am I worried? Heck no – nobody is going to break their balls to work this hack on my phone, period – which means the 0.01% chance that someone would gain unauthorized access to my phone just dropped to 0.00001% and I saved a helluva lot of time and hassle in the process. Huge win for me – and Apple. If you don’t get the value add you’re not living in the real world.

John Fenderson (profile) says:

Re: unreal criticism

This is fantastic technology

It is not fantastic technology. It is misapplied technology. BTW, the criticism isn’t against Apple as such. It’s against fingerprint scanners. The problems with them are well-known.

developing *only* a damn good alternative to freaking annoying passwords

How is an authentication system that is objectively worse than passwords a “good alternative”?

nobody is going to break their balls to work this hack on my phone, period

True, but nobody needs to. This is simple to accomplish. That’s rather the point.

Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It’s inferior to even using the (also dumb) four digit unlock code.

Including this feature is worse than not including security at all – it gives you the illusion of being effective when, in fact, it is not. The illusion of security is worse than knowing that you’re unsecured.

Anonymous Coward says:

Re: Re: unreal criticism

It is not fantastic technology. It is misapplied technology. BTW, the criticism isn’t against Apple as such. It’s against fingerprint scanners. The problems with them are well-known.

This is perfectly applied technology, unless you honestly think that phone thieves have the knowledge and capabilities to pull off this hack. This is a simple to use and unobtrusive way to create relative security on a product you use many times a day.

No, this won’t be secure enough for super duper top secret stuff, but if you are walking around with that on your phone, you are going to have a bad time regardless of your password. What it will do, is secure your data from random prying eyes, people who find your phone when you misplace it, or common thieves (you know, the types of threats that those of us in the real world are worried about).

Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It’s inferior to even using the (also dumb) four digit unlock code.

The hack shows nothing like this happening and looking at my phone I would be shocked if you could get a decent print at all, let alone one clear enough to use for this. Even if this was possible, what kind of fantasy world do you live in where common criminals (people desperate enough to steal phones) have the capability and knowledge to do this (not to mention what would they expect to get out of it, as someone mentioned above, they are going to go through all this effort to get access to cat pics?).

Anonymous Coward says:

There is a simple solution to this...

Don’t use your finger tip as the source for the print!

You should be able to use any part of such digit as the source (and even other body parts as well), so a practical source would be your second knuckle. Its print isn’t left everywhere around you and on the device itself. That, and it’s also a less obvious source point upping the security level through its randomness. There are the drawbacks though, one being there may be a chance of higher false positives by using your knuckle. Also, you won’t be able to unlock the phone with just one hand like someone who uses their thumb as the key.

Tom B. (profile) says:

Can we agree this wasn't the TouchID 'hacked'?

They did not hack the TouchID system itself.
There is a difference.

They figured out how to create a copy of the index finger and use it in a way that they could fool the sensor. In a controlled environment.

I’d like to see them get a volunteer to use the phone, register their finger print of choice, and then after 24 hours of use give the phone to the team and see if they can go through that again.

They could easily patch and fix this, and add a second layer of security. Pin + Finger etc.

Not everyone cares about their data as much as some of us. On my personal phone I barely use I’d probably want to use this, however on my work phone I would stick with a password, using all the characters available.

Annoying as hell to enter, but much less guessable.

out_of_the_blue says:

Exclusive: Apple admits, “iPhone 5s Fingerprint Database To Be Shared With NSA”

I don’t usually bother with Apple, but ALREADY this is out:

Tim Richardson, District Manager of Apple’s North America Marketing Department:

“Frankly, if a person is foolish enough to allow something as specific and criminally implicit as their fingerprints to be cataloged by faceless corporations and Government officials? Well, you can’t exactly blame us for capitalizing upon it, can you? Personally, I believe this effort will support a greater good. Some of the folks they’re hoping to apprehend are quite dangerous. Besides, it’s not like this is covered in the Constitution.”

http://hackersnewsbulletin.com/2013/09/apple-admits-iphone-5s-fingerprint-database-shared-nsa.html

Man, that’s the corporatist view short and plain! BEWARE OF CORPORATIONS!
