Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked
from the no-problem,-just-change-your...-oh-wait dept
While Apple has been touting its new TouchID fingerprint scanner as more secure, many people with experience in biometrics are quick to note that the problem with biometric security is once it’s cracked, you’re kind of in trouble, since you can’t just change your fingerprint/retina/voice etc. And, indeed, it took almost no time at all for the biometrics hacking team of the Chaos Computer Club to crack TouchID “using everyday means.” You can see a video of them getting into a new iPhone with a different finger:
The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
The only “difference” here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple’s scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.
iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
It wasn’t difficult to assume that this would happen. What’s surprising is that Apple doesn’t seem to have considered this fact.
Comments on “Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked”
Do I hear the cry of thousands of Apple fanbois and the sound of Apple executives banging their heads on their desks?
Re: Re:
“…the sound of Apple executives banging their heads on their desks?”
I don’t hear any “THUD, BANG, CRASH”, just “KA-CHING, KA-CHING, KA-CHING”.
Let’s be real for a minute here. No matter how shitty an Apple product is (remember? “You’re holding it wrong”), people will buy it. Because people are stupid and don’t care about functionality, just bling.
Re: Re: Re:
Indeed, I lost all respect for Apple when they continued to deny for weeks that there was a problem with the iPhone dropping calls if you held it the wrong (as in ‘normal’) way. Not that I had much respect for them to begin with, but that made me a big Apple hater.
Re: Re:
seriously, I don’t think they care.
Apple products have a history of insecurity, overpricing, coupled-sales, forced lock-in, and all kinds of crap that ‘the invisible hand of the market’ should have gotten rid of. And they still line up to get their new models.
Re: Re: Re:
Apple created something that often is more important to a brand than the real benefits their products may offer: brand worshiping.
Re: Re: Re:
The bigger question is not, “How secure is this?”, it is, “Will Apple deliver on its promise that anyone who could successfully bypass the security gets money, donuts and chicks?”
Re: Re: Re: Re:
Apple will probably sue them claiming defamation of their products and profit losses or some such nonsense.
Re: Re:
The response seems to have largely been “it’s just meant to
Apple doesn't seem to have considered this fact
Not really surprising :-/
Apple doesn’t care about the security of your device or your data.
All they care about is a catchy marketing slogan and another “great and indispensable” (=absolutely useless) feature they can boast over their competition.
Re: Apple doesn't seem to have considered this fact
So, how long did they spend to break this? I’m sure if a team spent 10 hours they could figure out how to get your unlock code as well.
This just in. The deadbolt on your storage locker can be cut immediately with bolt cutters!
Security isn’t about absolutes, it’s about what is secure enough for the price and purpose. Apple’s method is fine for 99% of their users. If the CIA wants an iPhone, they’ll have to write some additional code.
(I can’t believe I’m defending Apple…)
Re: Re: Apple doesn't seem to have considered this fact
I’m more concerned about the local cops than the CIA. They have significant precedent to extract physical identifiers from your person (DNA, fingerprints) but it’s less clear that they can coerce you to divulge a pass-code.
Re: Re: Apple doesn't seem to have considered this fact
You’re not very good at defending Apple since the main point still stands:
“It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”
Re: Re: Apple doesn't seem to have considered this fact
Probably no time at all. This is the standard way to defeat fingerprint scanners, so it’s probably the first thing they thought of. It certainly was the first thing that I thought of.
BTW, this method, or a variant, can be used to defeat literally any fingerprint scanner — which is why using fingerprints as a form of security is not just stupid, but brain-dead.
The really high end fingerprint scanners are slightly more difficult to defeat, although it’s the same basic technique. The modification is that you have to put the fake fingerprint onto a gelatin sheet and wear it on your own finger.
So…
TouchID – broken day one, patched.
patched TouchID not secure.
People able to make calls from a locked screen.
Some people reporting worse battery life.
What did work?
Blocking 3rd party charging cables.
Corporate priorities in action, secure our revenue stream and then maybe get around to protecting customers.
Re: Re:
What did work?
Pretty gold color sold out in seconds.
So long fingers, now I have to change my fingers.
Would Frankenwinnie be the perfect user for this type of security?
Everyday means?
Sorry, but this procedure isn’t exactly ‘everyday means.’ Sure, if you have access to someone you can somehow figure out how to get a high resolution copy of their fingerprint, then invest the time and effort to make your latex copy of their fingerprint. But come on, for the average user, worrying about an attack along this vector is ridiculous.
Newsflash: nothing is 100% secure. That said, it’s reasonably secure. Like most any other form of security, it’s susceptible to social engineering.
Re: Everyday means?
Does cutting off your finger count as social engineering?
Re: Everyday means?
Yeah smart guy, how about your prints are all over your phone. Someone else pointed it out on another post.
Re: Re: Everyday means?
So use a pinky or ring finger, so your usable print is less likely to be on the device itself
Re: Everyday means?
Newsflash: nothing is 100% secure. That said, it’s reasonably secure.
I wouldn’t classify something that uses a key that you inherently leave all over the place for copying as something secure…
Re: Re:
I wouldn’t classify something that uses a key that you inherently leave all over the place for copying as something secure…
Easy fix: use your nipple.
Re: Re: Re: Re:
“use your nipple”
Hey! I leave my nipple prints everywhere .. now what am I gonna do .. sigh
Re: Re: Re: Re:
that will make an awkward dinner with your inlaws if you have to make a call
Re: Re: Re: Nipple
Not sure if that’s usable. Noseprint, yes. (My son had to test that one!) This means even one handed people can hold their phone in their hand and authenticate.
Re: Everyday means?
Yep, exactly right. The XKCD $5 hacking scheme still way way easier than what they did here.
In fact their “hack” requires a good deal of fabrication time. I would go out on a limb and say that to execute this hack effectively, you would need to have full physical access to the phone. And any security specialist worth their salt knows that the game is over once you have full physical access anyway.
Fingerprint scanning is security against someone swiping and immediately accessing your phone. Conflating the fingerprint scanner with actual secret or top secret level device controls is disingenuous.
Re: Re: Everyday means?
The XKCD $5 hacking scheme still way way easier than what they did here.
The problem with the $5 wrench method of accessing a device is that it alerts the user that you have gained access to the device. It is therefore no good for attackers that, for whatever reason, wish to procure more clandestine access.
Re: Everyday means?
I love the ‘this will never work in the real world’. It always ends up working in the real world.
Yes, they cracked it in a ‘lab’, but a lot of things happen ‘in a lab’ before they happen in the real world.
Re: Everyday means?
Last time I needed to look into biometric security, about 95% of fingerprint readers available at the time could be broken with a Gummy Bear and possibly an LED light. I don’t imagine that’s changed much.
Re: Everyday means?
But it’s not. This is a well-known technique that’s been around for years. It is in common use.
Re: Everyday means?
Don’t waste your time. No one here understands the concepts. The scanner is at least as secure as the 4 digit code that already existed. Guessing a 4 digit number would probably take a day or two. This would also take at least that given that you’d have to somehow find a very high quality copy of the target’s finger print! Also, this would probably work for any finger print scanner out there, but we wouldn’t want to bring that up on this POS site.
Re: Re: Everyday means?
Perhaps yes, I honestly can’t be bothered to work out the maths, but that’s not the point.
The consequences of breaking a biometric are more severe. If a passcode becomes broken you can change it. If your fingerprint becomes known, you’re a bit stuck.
I have no idea whether the iPhone can use any other type of security apart from fingerprints (Apple SOP means I guess not but I don’t care to find out), but it seems daft to put front and centre a technology with obvious limitations.
Yes indeed it would likely along with many other methods such as Gummy Bears, which kinda goes to show how flawed it is but Apple is claiming to be more secure is it not?
Re: Re: Everyday means?
Guessing a 4 digit number would probably take a day or two.
Unless the device locks (bricks, factory resets, whatever) after a certain number of failed attempts. With the fingerprint technique, it may take a few hours, but you’re in on the first attempt if you do it right. There’s no guarding against that.
Re: Re: Everyday means?
This would also take at least that given that you’d have to somehow find a very high quality copy of the target’s finger print!
Given that one leaves one’s prints all over the phone and pretty much everything else one touches, that won’t be too difficult.
Re: Everyday means?
Yeah, if only a phone thief had access to something the victim may have touched. Maybe something smooth made of glass so it’s really easy to lift a finger print. Oh, right. The phone itself!
That’s right, anyone who steals your phone already has a copy of your finger prints, potentially even intact, that they can copy. That’s like keeping a copy of your password stuck to the back of the device.
And what about the Apple TV?
A new update to Apple TV, the hockey puck TV plug in, causes it to be bricked. Folks are going to Apple stores to get hardware replacements. I guess it just works.
Identification, not authentication
I wish people would understand that there are two different roles at work here, and fingerprints really should only be used for one of them: identification and authentication. Your fingerprint should only be used as an identifier of who you are. IE: present a list of users, and swiping your fingerprint picks the right user from the list. Then, and only then, should you provide a token that authenticates you to the system, such as a PIN code, password, or secure key card.
The fact that companies the world over continue to use fingerprints as a method of authentication shows a lack of understanding how easy it is to hack, and the difficulty required in “changing your fingerprint”.
Remember, if someone has your phone, they have your fingerprint, but they don’t necessarily have your PIN or password. Too bad Apple didn’t recognize this.
Re: Identification, not authentication
Right…really the fingerprint is just a way of filling in the “username” field…but as implemented it’s being used for both username and password which seems kind of a bad idea…
Re: Identification, not authentication
Yep, anything involving a biometric should be a minimum of 2-factor authentication.
3 is better:
Something you have (token of some kind)
Something you are (biometric of some kind)
Something you know (password of some kind)
Passwords>>>>>>>>>>>>>>>>Fingerprints for security
When a password is compromised, it can be changed to something that is more difficult to crack.
When fingerprint security is compromised, you can’t very well change your fingerprints.
Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security
I don’t know about changing your fingerprints. It would not take much to make the copies now being made wearable, at least for an hour or so.
Re: Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security
Which kinda illustrates the point – a security measure that’s easy to change for illegitimate purposes but not legitimately is hardly great.
And if you could do it legitimately and you had to carry around a box full of wearable fingerprint gloves to operate your phone, what would be the point of having a biometric in the first place?
Not to rain on your parade.....
but everyone seems to forget that the easiest method of getting your pin/swipe is to threaten you with the same knife that they used to steal your phone.
I am a fan of the multiple layer of security. The first layer that opens up the screen and some apps making it look as if the phone has unlocked, and a second layer that allows useful functions like making phone calls/texts.
It’s a bit like having a wallet full of worthless notes and cards to give to the thief whilst you make your getaway.
Re: Not to rain on your parade.....
The pin to decrypt my phone is different than the pin to unlock my phone. I’m assuming that anyone that steals it from me at knife point is probably going to turn it off pretty quick so it can’t be tracked, effectively turning it into a brick. While this may not stop me from getting stabbed in the face, it brings me a certain joy that no one will be able to look at how many cat photos I’ve taken.
The answer is a lot. A lot of cat photos.
Re: Not to rain on your parade.....
Plus, if the guy that just stole your phone is carrying bolt cutters – just swipe it before you hand it to him.
@”Yeah smart guy, how about your prints are all over your phone. “
Borrow a friend’s phone and try to lift any clean print off it (let alone the exact one you need). You are watching too much CSI if you think you can pull that off.
This “hack” starts with the owner providing them a perfect smudge free print on a clean glass.
I know it is fashionable for some to bash Apple at every turn, but I hoped we could have a reasoned discussion about how likely it is someone could pull this off in the real world, by surreptitiously trying to pull a print from a phone or other surface in the home/office.
I would say that chances are approaching zero.
Re: Re:
I thought of it but you don’t need to get the print from a phone. A glass or any other surface. Or, let’s say, the fingerprints you gave the Govt when making your passport. There are tons of possibilities for a determined person.
Re: Re:
Watch the Mythbusters episode where they break a couple of different fingerprint systems and you will see how easy it is.
Re: Re:
The technology to get finger prints will only get better as time goes on. They’re so good at DNA that they can grab it off of the leftovers of a slice of pizza you had.
Re: Re:
This begs for a man in the middle attack.
If you are, say, someone from a 3 letter agency, you can easily either intercept the scanner or just make a lock screen app that would be exact as the original. Or maybe just activate the scanner when you are playing a game. Either way, it’s no better than face unlock. Thank goodness it’s gone from android. No wait I know how face unlock can be secured and revolutionary. Why not put a 41 mega pixel front facing camera. That way only people who can take a 41 mp picture of you can unlock it. It will be revolutionary and evolutionary. Most of all it will be secured…..
Re: Re:
Unless users actually clean off the scanner each time they use it to unlock the phone, then the chances of being able to pull this off on a random phone approaches 100%.
If you’ve got someone going to these lengths to get the data on your iPhone, you’re probably screwed anyway.
This is ridiculous and in a very controlled setting. And…You’re ignorant if you expected a fingerprint scanner to truly stop a thief.
I suppose you thought the club was absolute???
Re: Re:
I hit a guy with one of those things once – trust me, he’s never going to try to steal a car again.
What’s the infamous saying?
‘It’s not a bug, it’s a feature…’
So...just get a HI-RES copy of someone's fingerprint?
I think the point that’s being missed is, just how easy is it for someone to get a HI-RES scan of MY fingerprint? I’m not exactly handing them out, and they aren’t on the web (yet, lol).
While the technique used here is basic, the very first step is the security of the whole process.
preventing the useful scenarios (family/friends needing to use your phone for whatever reason) while not preventing the illegit ones.
Kudos, Apple, you DRM’d it.
I’m not impressed
It hasn't been *hacked*.
Using a fake finger isn’t hacking the fingerprint scanner – it’s spoofing it.
Hacking it would mean you’ve found a way to get it to respond to someone else’s finger.
Also a video is not proof.
A video of someone claiming to do something is not proof that they did it.
Also, unless someone (at least one other researcher) independent from the CCC shows that they can bypass the authentication in the same manner. i.e. it is repeatable then I shall believe it.
Otherwise it’s just a video!
Re: Also a video is not proof.
This was proven to be a weakness before the phone even came out. It was shown to be weak several years ago.
Only the fanatics didn’t know. The rest of the informed population knew this would be broken in a bronx minute.
Otherwise, you’re just fanboi.
Or perhaps they did. Government’s been wanting to bypass that pesky 5th Amendment and get into everyone’s smartphones for quite some time now. Maybe they paid Apple a bundle to make that happen.
What I wonder about
When I first heard about the phones using a fingerprint scanner, I wondered how it could be that a company filled with really smart engineers could possibly bring a feature like this to market without anyone stopping and saying “hey guys, this is stupid.”
Fingerprint scanners are not, and with today’s technology cannot be, secure. Period. They’re far too easy to fool.
Law suit in 3...2....1....
I suspect Apple already had this planned and its lawyers were waiting in the bushes to pounce on anyone stealing their trade secrets on how not to do security on a phone.
Seriously, when they announced it I was thinking “damn, how did they get past the known issues of fingerprint readers?” I guess that answers my question. They made it so you need to have a higher resolution (BTW most company printers that we have here for printing manuals have a higher resolution than the iPhone. I would assume most companies do hence the ease of being able to do this.)
This isn't a hack...
Nor is it a “crack.” As someone else said, it’s a spoof, and not a particularly easy one to pull off.
Someone has to make a dedicated effort to get in to your phone specifically. How easy is it really to get the “high res scan” of a person’s fingerprint?
In any case, this isn’t a uniquely Apple screwup. It’s a failure of *any* system using this type of authentication.
No code or hardware is being compromised. The method would work on any fingerprint-scanning system, so it seems disingenuous to bash Apple specifically about it.
Especially when they even admit that to get into an iPhone they have to have an even higher res print than usual when spoofing these systems.
This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.
Re: This isn't a hack...
This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.
and, of course, Apple’s stupidity for including it in their product.
all is proceeding as I have foreseen…
Isn’t the easiest way to bypass security to do a hard reset? I mean I want the phone not the data.
Fingerprints for authentication isn’t broken, this just isn’t the right place to use it. Think about the scene in True Lies where they are going into the headquarters: it’s the combination of biometrics and the lady with the gun that makes it work 🙂
I think the fingerprint thing is more of a gimmick than real security. Especially since the phone is specifically designed to encourage you to leave your fingerprint on the glass.
That said, as long as you don’t have somebody following you around collecting fingerprints and waiting to steal your phone, it’s simple enough to defeat. Just use, say, your off-hand pinky for the scan, and put a matte case on the phone.
Re: Re:
I guess that is the “You’re holding it wrong” defense.
unreal criticism
Nothing but sour grapes. This is fantastic technology. I find it fascinating that so many people here are criticizing Apple for developing *only* a damn good alternative to freaking annoying passwords — such a good and seamless alternative that literally tens or hundreds of millions of phones will be more secure in the future compared to today (unsecured, no password) as this technology gets traction. Is it unhackable? Obviously not. Am I worried? Heck no – nobody is going to break their balls to work this hack on my phone, period – which means the 0.01% chance that someone would gain unauthorized access to my phone just dropped to 0.00001% and I saved a helluva lot of time and hassle in the process. Huge win for me – and Apple. If you don’t get the value add you’re not living in the real world.
Re: unreal criticism
It is not fantastic technology. It is misapplied technology. BTW, the criticism isn’t against Apple as such. It’s against fingerprint scanners. The problems with them are well-known.
How is an authentication system that is objectively worse than passwords a “good alternative”?
True, but nobody needs to. This is simple to accomplish. That’s rather the point.
Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It’s inferior to even using the (also dumb) four digit unlock code.
Including this feature is worse than not including security at all – it gives you the illusion of being effective when, in fact, it is not. The illusion of security is worse than knowing that you’re unsecured.
Re: Re: unreal criticism
This is perfectly applied technology, unless you honestly think that phone thieves have the knowledge and capabilities to pull off this hack. This is a simple to use and unobtrusive way to create relative security on a product you use many times a day.
No, this won’t be secure enough for super duper top secret stuff, but if you are walking around with that on your phone, you are going to have a bad time regardless of your password. What it will do, is secure your data from random prying eyes, people who find your phone when you misplace it, or common thieves (you know, the types of threats that those of us in the real world are worried about).
The hack shows nothing like this happening and looking at my phone I would be shocked if you could get a decent print at all, let alone one clear enough to use for this. Even if this was possible, what kind of fantasy world do you live in where common criminals (people desperate enough to steal phones) have the capability and knowledge to do this (not to mention what would they expect to get out of it, as someone mentioned above, they are going to go through all this effort to get access to cat pics?).
Re: Re: Re: unreal criticism
“…and looking at my phone I would be shocked if you could get a decent print at all…”
I heard the cops say just that last night when they were investigating a house robbery. “Looking at the house, I didn’t see any fingerprints.”
I need some fake fingers!!!
Gimme a decent fake finger, put a peace symbol and some others in the “fingerprint”. I can replace that as often as I need!!!
Re: I need some fake fingers!!!
This is actually a reasonable suggestion. It wouldn’t help make it any more secure, but it would help the other deep flaws of the technology (being unable to change the fingerprint if it’s compromised, and the problem of what happens when your fingerprint is unexpectedly changed due to injury.)
There is a simple solution to this...
Don’t use your finger tip as the source for the print!
You should be able to use any part of such digit as the source (and even other body parts as well), so a practical source would be your second knuckle. Its print isn’t left everywhere around you and on the device itself. That, and it’s also a less obvious source point upping the security level through its randomness. There are the drawbacks though, one being there may be a chance of higher false positives by using your knuckle. Also, you won’t be able to unlock the phone with just one hand like someone who uses their thumb as the key.
Re: There is a simple solution to this...
It’s left on the scanner window.
Re: Re: There is a simple solution to this...
It’s left on the scanner window.
Since the scanner is on the home button, that particular print will likely get covered by thumb or index finger prints over the course of normal use. Not sure that would get a clean print.
Can we agree this wasn't the TouchID 'hacked'?
They did not hack the TouchID system itself.
There is a difference.
They figured out how to create a copy of the index finger and use it in a way that they could fool the sensor. In a controlled environment.
I’d like to see them get a volunteer to use the phone, register their finger print of choice, and then after 24 hours of use give the phone to the team and see if they can go through that again.
They could easily patch and fix this, and add a second layer of security. Pin + Finger etc.
Not everyone cares about their data as much as some of us. On my personal phone I barely use I’d probably want to use this, however on my work phone I would stick with a password, using all the characters available.
Annoying as hell to enter, but much less guessable.
It doesn’t matter because the majority of people will be duped into thinking it’s far more secure than other methods.
Not the case, but sadly most will never know until it’s too late.
I’m surprised the National Institute of Standards and Technology (NIST), hasn’t recommended Apple’s fingerprint scanner as an international security standard by now.
Apple and the NSA could be the sole authors of the security standard. It would be just like old times!
Best title ever. 🙂
And next up ...
NSA, GCHQ, NZ’s SIS, the Royal Mounties, etc collect all fingerprints which were inadvertently “collected” by Apple … pics to follow
Exclusive: Apple admits, “iPhone 5s Fingerprint Database To Be Shared With NSA”
I don’t usually bother with Apple, but ALREADY this is out:
Tim Richardson, District Manager of Apple’s North America Marketing Department:
http://hackersnewsbulletin.com/2013/09/apple-admits-iphone-5s-fingerprint-database-shared-nsa.html
Man, that’s the corporatist view short and plain! BEWARE OF CORPORATIONS!
Re: Exclusive: Apple admits, “iPhone 5s Fingerprint Database To Be Shared With NSA”
Absolutely the databases will be merged.
I had this whole rebuttal typed up and then noticed this is ootb. Just look at http://nationalreport.net/, you’ll see the whole thing is a joke.
Every law has its loophole
It’s really funny! Every law has its loophole.