Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked

from the no-problem,-just-change-your...-oh-wait dept

While Apple has been touting its new TouchID fingerprint scanner as more secure, many people with experience in biometrics are quick to note that the problem with biometric security is once it's cracked, you're kind of in trouble, since you can't just change your fingerprint/retina/voice etc. And, indeed, it took almost no time at all for the biometrics hacking team of the Chaos Computer Club to crack TouchID "using everyday means." You can see a video of them getting into a new iPhone with a different finger:
It appears that they've used the same basic method as has been used to hack fingerprint scanners in the past -- get a high quality image of the user's fingerprint and then:
The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
The only "difference" here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple's scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    Ninja (profile), Sep 23rd, 2013 @ 5:19am

    Do I hear the cry of thousands of Apple fanbois and the sound of Apple executives banging their heads on their desks?

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 5:36am

      Re:

      "...the sound of Apple executives banging their heads on their desks?"

      I don't hear any "THUD, BANG, CRASH", just "KA-CHING, KA-CHING, KA-CHING".

      Let's be real for a minute here. No matter how shitty an Apple product is (remember? "You're holding it wrong"), people will buy it. Because people are stupid and don't care about functionality, just bling.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 23rd, 2013 @ 6:19am

        Re: Re:

        Indeed, I lost all respect for Apple when they continued to deny for weeks that there was a problem with the iPhone dropping calls if you held it the wrong (as in 'normal') way. Not that I had much respect for them to begin with, but that made me a big Apple hater.

         

        reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 6:12am

      Re:

      seriously, I don't think they care.

      Apple products have a history of insecurity, overpricing, coupled-sales, forced lock-in, and all kinds of crap that 'the invisible hand of the market' *should* have gotten rid of. And they still line up to get their new models.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Ninja (profile), Sep 23rd, 2013 @ 6:48am

        Re: Re:

        Apple created something that often is more important to a brand than the real benefits their products may offer: brand worshiping.

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 23rd, 2013 @ 6:59am

        Re: Re:

        The bigger question is not, "How secure is this?", it is, "Will Apple deliver on its promise that anyone who could successfully bypass the security gets money, donuts and chicks?"

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Sep 23rd, 2013 @ 7:57am

          Re: Re: Re:

          Apple will probably sue them claiming defamation of their products and profit losses or some such nonsense.

           

          reply to this | link to this | view in chronology ]

    •  
      icon
      Tim Griffiths (profile), Sep 23rd, 2013 @ 6:30am

      Re:

      The response seems to have largely have been "it's just meant to

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    relghuar, Sep 23rd, 2013 @ 5:45am

    Apple doesn't seem to have considered this fact

    Not really suprising :-/
    Apple doesn't care about the security of your device or your data.
    All they care about is a catchy marketing slogan and another "great and indispensable" (=absolutely useless) feature they can boast over their competition.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      PRMan, Sep 23rd, 2013 @ 7:46am

      Re: Apple doesn't seem to have considered this fact

      So, how long did they spend to break this? I'm sure if a team spent 10 hours they could figure out how to get your unlock code as well.

      This just in. The deadbolt on your storage locker can be cut immediately with bolt cutters!

      Security isn't about absolutes, it's about what is secure enough for the price and purpose. Apple's method is fine for 99% of their users. If the CIA wants an iPhone, they'll have to write some additional code.

      (I can't believe I'm defending Apple...)

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Jeremy Lyman (profile), Sep 23rd, 2013 @ 7:52am

        Re: Re: Apple doesn't seem to have considered this fact

        I'm more concerned about the local cops than the CIA. They have significant precedent to extract physical identifiers from your person (DNA, fingerprints) but it's less clear that they can coerce you to divulge a pass-code.

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        techflaws (profile), Sep 23rd, 2013 @ 8:02am

        Re: Re: Apple doesn't seem to have considered this fact

        Your not very good at defending Apple since the main point still stands:

        "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token"

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        John Fenderson (profile), Sep 23rd, 2013 @ 8:43am

        Re: Re: Apple doesn't seem to have considered this fact

        So, how long did they spend to break this


        Probably no time at all. This is the standard way to defeat fingerprint scanners, so it's probably the firs thing they thought of. It certainly was the first thing that I thought of.

        BTW, this method, or a variant, can be used to defeat literally any fingerprint scanner -- which is why using fingerprints as a form of security is not just stupid, but brain-dead.

        The really high end fingerprint scanners are slightly more difficult to defeat, although it's the same basic technique. The modification is that you have to put the fake fingerprint onto a gelatin sheet and wear it on your own finger.

         

        reply to this | link to this | view in chronology ]

  •  
    icon
    That Anonymous Coward (profile), Sep 23rd, 2013 @ 5:52am

    So...
    TouchID - broken day one, patched.
    patched TouchID not secure.
    People able to make calls from a locked screen.
    Some people reporting worse battery life.

    What did work?
    Blocking 3rd party charging cables.

    Corporate priorities in action, secure our revenue stream and then maybe get around to protecting customers.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 5:53am

    So long fingers, now I have to change my fingers.

    Would Frankenwinnie be the perfect user for this type of security?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    SeanSatori, Sep 23rd, 2013 @ 6:01am

    Everyday means?

    Sorry, but this procedure isn't exactly 'everyday means.' Sure, if you have access to someone you can somehow figure out how to get a high resolution copy of their fingerprint, then invest the time and effort to make your latex copy of their fingerprint. But come on, for the average user, worrying about an attack along this vector is ridiculous.

    Newsflash: nothing is 100% secure. That said, it's reasonably secure. Like most any other form of security, it's susceptible to social engineering.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 6:03am

      Re: Everyday means?

      Does cutting off your finger count as social engineering?

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      missingxtension, Sep 23rd, 2013 @ 6:07am

      Re: Everyday means?

      Yeah smart guy, how about your prints are all over your phone. Someone else pointed it out on another post.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 23rd, 2013 @ 6:48am

        Re: Re: Everyday means?

        So use a pinky or ring finger, so your usable print is less likely to be on the device itself

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      Ninja (profile), Sep 23rd, 2013 @ 6:10am

      Re: Everyday means?

      Newsflash: nothing is 100% secure. That said, it's reasonably secure.

      I wouldn't classify something that uses a key that you inherently leave all over the place for copying as something secure...

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 7:24am

      Re: Everyday means?

      Yep, exactly right. The XKCD $5 hacking scheme still way way easier than what they did here.

      In fact their "hack" requires a good deal of fabrication time. I would go out on a limb and say that to execute this hack effectively, you would need to have full physical access to the phone. And any security specialist worth their salt know that the game is over once you have full physical access anyway.

      Fingerprint scanning is security against someone swiping and immediately accessing your phone. Conflating the fingerprint scanner with actual secret or top secret level device controls is disingenuous.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 23rd, 2013 @ 7:38am

        Re: Re: Everyday means?

        The XKCD $5 hacking scheme still way way easier than what they did here.

        The problem with the $5 wrench method of accessing a device is that it alerts the user that you have gained access to the device. It is therefore no good for attackers that, for whatever reason, wish to procure more clandestine access.

         

        reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 8:06am

      Re: Everyday means?

      I love the 'this will never work in the real world'. It always ends up working in the real world.

      Yes, they cracked in in a 'lab', but a lot of things happen 'in a lab' before they happen int he real world.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Not an Electronic Rodent (profile), Sep 23rd, 2013 @ 8:10am

      Re: Everyday means?

      Newsflash: nothing is 100% secure. That said, it's reasonably secure. Like most any other form of security, it's susceptible to social engineering.
      Last time I needed to look into biometric security, about 95% of fingerprint readers available at the time could be broken with a Gummy Bear and possibly an LED light. I don't image that's changed much.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Sep 23rd, 2013 @ 8:45am

      Re: Everyday means?

      for the average user, worrying about an attack along this vector is ridiculous.


      But it's not. This is a well-known technique that's been around for years. It is in common use.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      not an idiot, Sep 23rd, 2013 @ 11:25am

      Re: Everyday means?

      Don't waste your time. No one here understands the concepts. The scanner is at least as secure as the 4 digit code that already existed. Guessing a 4 digit number would probably take a day or two. This would also take at least that given that you'd have to somehow find a very high quality copy of the target's finger print! Also, this would probably work for any finger print scanner out there, but we wouldn't want to bring that up on this POS site.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Not an Electronic Rodent (profile), Sep 23rd, 2013 @ 12:41pm

        Re: Re: Everyday means?

        The scanner is at least as secure as the 4 digit code that already existed.
        Perhaps yes, I honestly can't be bothered to work out the maths, but that's not the point.
        The concequences of breaking a biometric are more severe. If a passcode becomes broken you can change it. If your fingerprint becomes known, you're a bit stuck.
        I have no idea whether the iPhone can use any other type of security apart from fingerprints (Apple SOP means I guess not but I don't care to find out), but it seems daft to put front and centre a technology with obvious limitations.
        Also, this would probably work for any finger print scanner out there
        Yes indeed it would likely along with many other methods such as Gummy Bears, which kinda goes to show how flawed it is but Apple is claiming to be more secure is it not?

         

        reply to this | link to this | view in chronology ]

      •  
        icon
        nasch (profile), Sep 23rd, 2013 @ 1:06pm

        Re: Re: Everyday means?

        Guessing a 4 digit number would probably take a day or two.

        Unless the device locks (bricks, factory resets, whatever) after a certain number of failed attempts. With the fingerprint technique, it may take a few hours, but you're in on the first attempt if you do it right. There's no guarding against that.

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 24th, 2013 @ 5:40am

        Re: Re: Everyday means?

        This would also take at least that given that you'd have to somehow find a very high quality copy of the target's finger print!

        Given that one leaves one prints all over the phone and pretty much everything else one touches, that won't be too difficult.

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      Lachlan Hunt (profile), Sep 24th, 2013 @ 7:20am

      Re: Everyday means?

      Yeah, if only a phone theif had access to something the victim may have touched. Maybe something smooth made of glass so it's really easy to lift a finger print. Oh, right. the phone itself!

      That's right, anyone who steals your phone already has a copy of your finger prints, potentially even in tact, that they can copy. That's like keeping a copy of your password stuck to the back of device.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    streetlight (profile), Sep 23rd, 2013 @ 6:08am

    And what about the Apple TV?

    A new update to Apple TV, the hockey puck TV plug in, causes it to be bricked. Folks are going to Apple stores to get hardware replacements. I guess it just works.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Aaron Toponce, Sep 23rd, 2013 @ 6:14am

    Identification, not authentication

    I wish people would understand that there are two different roles at work here, and fingerprints really should only be used for one of them: identification and authentication. Your fingerprint should only be used as an identifier of who you are. IE: present a list of users, and swiping your fingerprint picks the right user from the list. Then, and only then, should you provide a token that authenticates you to the system, such as a PIN code, password, or secure key card.

    The fact that companies the world over continue to use fingerprints as a method of authentication shows a lack of understanding how easy it is hack, and the difficulty required in "changing your fingerprint".

    Remember, if someone has your phone, they have your fingerprint, but they don't necessarily have your PIN or password. Too bad Apple didn't recognize this.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      raf (profile), Sep 23rd, 2013 @ 9:27am

      Re: Identification, not authentication

      Right...really the fingerprint is just a way of filling in the "username" field...but as implemented it's being used for both username and password which seems kind of a bad idea...

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Not an Electronic Rodent (profile), Sep 23rd, 2013 @ 12:32pm

      Re: Identification, not authentication

      Remember, if someone has your phone, they have your fingerprint, but they don't necessarily have your PIN or password. Too bad Apple didn't recognize this.
      Yep, anything involving a biometric should be a minimum of 2-factor authentication.
      3 is better:
      Something you have (token of some kind)
      Something you are (biometric of some kind)
      Something you know (password of some kind)

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Zakida Paul (profile), Sep 23rd, 2013 @ 6:20am

    Passwords>>>>>>>>>>>>>>>>Fingerprints for security

    When a password is compromised, it can be changed to something that is more difficult to crack.

    When fingerprint security is compromised, you can't very well change your fingerprints.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 6:35am

      Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security

      I don't know about changing your fingerprints. It would not take much to make the copies now being made wearable, at least for an hour or so.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Not an Electronic Rodent (profile), Sep 23rd, 2013 @ 2:47pm

        Re: Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security

        It would not take much to make the copies now being made wearable, at least for an hour or so.
        Which kinda illustrates the point - a security measure that's easy to change for illegitimate purposes but not legitimately is hardly great.

        And if you could do it legitimately and you had to carry around a box full of wearable fingerprint gloves to operate your phone, what would be the point of having a biometric in the first place?

         

        reply to this | link to this | view in chronology ]

  •  
    identicon
    peter, Sep 23rd, 2013 @ 6:32am

    Not to rain on your parade.....

    but everyone seems to forget that the easiest method of getting your pin/swipe is to threaten you with the same knife that they used to steal your phone.

    I am a fan of the multiple layer of security. The first layer that opens up the screen and some apps making it look as if the phone has unlocked, and a second layer that allows to useful functions like making phone calls/texts.

    It a bit like having a wallet full of worthless notes and cards o give to the thief whilst you make your getaway.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 6:40am

      Re: Not to rain on your parade.....

      The pin to decrypt my phone is different than the pin to unlock my phone. I'm assuming that anyone that steals it from me at knife point is probably going to turn it off pretty quick so it can't be tracked, effectively turning it into a brick. While this may not stop me from getting stabbed in the face, it brings me a certain joy that no one will be able to look at how many cat photos I've taken.

      The answer is a lot. A lot of cat photos.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Michael, Sep 23rd, 2013 @ 7:12am

      Re: Not to rain on your parade.....

      Plus, if they guy that just stole your phone is carrying bolt cutters - just swipe it before you hand it to him.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    PeterScott (profile), Sep 23rd, 2013 @ 6:45am

    @"Yeah smart guy, how about your prints are all over your phone. "

    Borrow a friends phone and try to lift any clean print off it (let alone the exact one you need). You are watching too much CSI if you think you can pull that off.

    This "hack" starts with the owner providing them a perfect smudge free print on a clean glass.

    I know it is fashionable for some to bash Apple at every turn, but I hoped we could have a reasoned discussion about how likely it is someone could pull this off in the real world, by surreptitiously trying to pull a print from a phone or other surfaced in the home/office.

    I would say that chances are approaching zero.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      Ninja (profile), Sep 23rd, 2013 @ 6:51am

      Re:

      I thought of it but you don't need to get the print from a phone. A glass or any other surface. Or, let's say, the fingerprints you gave the Govt when making your passport. There are tons of possibilities for a determined person.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 7:04am

      Re:

      Watch the Mythbusters episode where they break a couple of different fingerprint systems and you will see how easy it is.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Sep 23rd, 2013 @ 7:32am

      Re:

      The technology to get finger prints will only get better as time goes on. They're so good at DNA that they can grab it off of the leftovers of a slice of pizza you had.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      missingxtension (profile), Sep 23rd, 2013 @ 8:21am

      Re:

      This begs for a man in the middle attack.
      if you are say someone from a 3 letter agency, you can easily either intercept the scanner or just make a lock screen app that would be exact as the original. Or may e just activate the scanner when you are playing a game. Either way, its no better than face unlock. Thank goodness its gone from android. No wait I know how face unlock can be secured and revolutionary. Why not put a 41 mega pixel front facing camera. That way only people who can take a 41 mp picture of you can unlock it. It will be revolutionary and evolutionary. Most of all it will be secured.....

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Sep 23rd, 2013 @ 8:49am

      Re:

      I would say that chances are approaching zero


      Unless users actually clean off the scanner each time they use use it to unlock the phone, then the chances of being able to pull this off on a random phone approaches 100%.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    herbturbo (profile), Sep 23rd, 2013 @ 7:19am

    If you've got someone going to these lengths to get the data on your iPhone, you're probably screwed anyway.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 7:21am

    This is ridiculous and in a very controlled setting. And...You're ignorant if you expected a fingerprint scanner to truly stop a thief.

    I suppose you thought the club was absolute???

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    avideogameplayer, Sep 23rd, 2013 @ 7:26am

    What's the infamous saying?

    'It's not a bug, it's a feature...'

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Jack-Jack, Sep 23rd, 2013 @ 7:40am

    So...just get a HI-RES copy of someone's fingerprint?

    I think the point that's being missed is, just how easy is it for someone to get a HI-RES scan of MY fingerprint? I'm not exactly handing them out, and they aren't on the web (yet, lol).
    While the technique used here is basic, the very first step is the security of the whole process.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 7:42am

    preventing the useful scenarios (family/friends needing to use your phone for whatever reason) while not preventing the illegit ones.

    Kudos, Apple, you DRM'd it.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 7:43am

    I'm not impressed

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 7:56am

    It hasn't been *hacked*.

    Using a fake finger isn't hacking the fingerprint scanner - it's spoofing it.
    Hacking it would mean you've found a way to get it to respond to someone else's finger.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 8:10am

    Also a video is not proof.

    A video of someone claiming to do something is not proof that they did it.

    Also, unless someone (at least one other researcher) independent from the CCC shows that they can bypass the authentication in the same manner. i.e. it is repeatable then I shall believe it.

    Otherwise it's just a video!

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      jackn, Sep 23rd, 2013 @ 8:16am

      Re: Also a video is not proof.

      This was proven to be a weakness before the phone even came out. It was shown to be weak several years ago.

      only the fanatics didn't know. the rest of the informed population knew this would be broken in a bronx minute.

      Otherwise, you're just fanboi.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Androgynous Cowherd, Sep 23rd, 2013 @ 8:46am

    Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

    It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.


    Or perhaps they did. Government's been wanting to bypass that pesky 5th Amendment and get into everyone's smartphones for quite some time now. Maybe they paid Apple a bundle to make that happen.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    John Fenderson (profile), Sep 23rd, 2013 @ 8:51am

    What I wonder about

    When I first heard about the phones using a fingerprint scanner, I wondered how it could be that a company filled with really smart engineers could possible bring a feature like this to market without anyone stopping and saying "hey guys, this is stupid."

    Fingerprint scanners are not, and with today's technology cannot be, secure. Period. They're far too easy to fool.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Berenerd (profile), Sep 23rd, 2013 @ 9:01am

    Law suit in 3...2....1....

    I suspect Apple already had this planned and it's lawyers were waiting in the bushes to pounce on anyone stealing their trade secrets on how not to do security on a phone.

    Seriously, when they announced it I was thinking "damn, how did they get past the known issues of fingerprint readers?" I guess that answers my question. They made it so you need to have a higher resolution (BTW most company printers that we have here for printing manuals have a higher resolution than the Iphone. I would assume most companies do hence the ease of being able to do this.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    akp (profile), Sep 23rd, 2013 @ 9:31am

    This isn't a hack...

    Nor is it a "crack." As someone else said, it's a spoof, and not a particularly easy one to pull off.

    Someone has to make a dedicated effort to get in to your phone specifically. How easy is it really to get the "high res scan" of a person's fingerprint?

    In any case, this isn't a uniquely Apple screwup. It's a failure of *any* system using this type of authentication.

    No code or hardware is being compromised. The method would work on any fingerprint-scanning system, so it seems disingenuous to bash Apple specifically about it.

    Especially when they even admit that to get into an iPhone they have to have an even higher res print than usual when spoofing these systems.

    This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      jackn, Sep 23rd, 2013 @ 9:34am

      Re: This isn't a hack...

      This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.

      and, of course, appl's stupidity for including it in their product.

      all is proceeding as I have forseen...

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 9:59am

    Isn't the easiest way to bypass security is to do a hard reset? I mean I want the phone not the data.

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Brad C (profile), Sep 23rd, 2013 @ 10:22am

    Fingerprints for authentication isn't broken, this just isn't the right place to use it. Think about the scene in True Lies where they are going into the headquarters: it's the combination of biometrics and the lady with the gun that makes it work :)

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Jeffrey Nonken (profile), Sep 23rd, 2013 @ 10:50am

    I think the fingerprint thing is more of a gimmick than real security. Especially since the phone is specifically designed to encourage you to leave your fingerprint on the glass.

    That said, as long as you don't have somebody following you around collecting fingerprints and waiting to steal your phone, it's simple enough to defeat. Just use, say, your off-hand pinky for the scan, and put a matte case on the phone.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 10:52am

    unreal criticism

    Nothing but sour grapes. This is fantastic technology. I find it fascinating that so many people here are criticizing Apple for developing *only* a damn good alternative to freaking annoying passwords -- such a good and seamless alternative that literally tens or hundreds of millions of phones will be more secure in the future compared to today (unsecured, no password) as this technology gets traction. Is it unhackable? Obviously not. Am I worried? Heck no - nobody is going to break their balls to work this hack on my phone, period - which means the 0.01% chance that someone would gain unauthorized access to my phone just dropped to 0.00001% and I saved a helluva lot of time and hassle in the process. Huge win for me - and Apple. If you don't get the value add you're not living in the real world.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Sep 23rd, 2013 @ 12:01pm

      Re: unreal criticism

      This is fantastic technology


      It is not fantastic technology. It is misapplied technology. BTW, the criticism isn't against Apple as such. It's against fingerprint scanners. The problems with them are well-known.

      developing *only* a damn good alternative to freaking annoying passwords


      How is an authentication system that is objectively worse than passwords a "good alternative"?

      nobody is going to break their balls to work this hack on my phone, period


      True, but nobody needs to. This is simple to accomplish. That's rather the point.

      Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It's inferior to even using the (also dumb) four digit unlock code.

      Including this feature is worse than not including security at all - it gives you the illusion of being effective when, in fact, it is not. The illusion of security is worse than knowing that you're unsecured.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 23rd, 2013 @ 12:30pm

        Re: Re: unreal criticism

        It is not fantastic technology. It is misapplied technology. BTW, the criticism isn't against Apple as such. It's against fingerprint scanners. The problems with them are well-known.

        The is perfectly applied technology, unless you honestly think that phone thieves have the knowledge and capabilities to pull off this hack. This is a simple to use and unobtrusive way to create relative security on a product you use many times a day.

        No, this won't be secure enough for super duper top secret stuff, but if you are walking around with that on your phone, you are going to have a bad time regardless of your password. What it will do, is secure your data from random prying eyes, people who find your phone when you misplace it, or common thieves (you know, the types of threats that those of us in the real world are worried about).

        Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It's inferior to even using the (also dumb) four digit unlock code.

        The hack shows nothing like this happening and looking at my phone I would be shocked if you could get a decent print at all, let alone one clear enough to use for this. Even if this was possible, what kind of fantasy world do you live in where common criminals (people desperate enough to steal phones) have the capability and knowledge to do this (not to mention what would they expect to get out of it, as someone mentioned above, they are going to go through all this effort to get access to cat pics?).

         

        reply to this | link to this | view in chronology ]

        •  
          icon
          btrussell (profile), Sep 25th, 2013 @ 2:04am

          Re: Re: Re: unreal criticism

          "...and looking at my phone I would be shocked if you could get a decent print at all..."

          I heard the cops say just that last night when they were investigating a house robbery. "Looking at the house, I didn't see any fingerprints."

           

          reply to this | link to this | view in chronology ]

  •  
    identicon
    Christenson, Sep 23rd, 2013 @ 11:27am

    I need some fake fingers!!!

    Gimme a decent fake finger, put a peace symbol and some others in the "fingerprint". I can replace that as often as I need!!!

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Sep 23rd, 2013 @ 12:02pm

      Re: I need some fake fingers!!!

      This is actually a reasonable suggestion. it wouldn't help make it any more secure, but it would help the other deep flaws of the technology (being unable to change the fingerprint if it's compromised, and the problem of what happens when your fingerprint is unexpectedly changed due to injury.)

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 11:39am

    There is a simple solution to this...

    Don't use your finger tip as the source for the print!

    You should be able to use any part of such digit as the source (and even other body parts as well), so a practical source would be your second knuckle. It's print isn't left everywhere around you and on the device itself. That, and it's also a less obvious source point upping the security level through its randomness. There are the drawbacks though, one being there may be a chance of higher false positives by using your knuckle. Also, you won't be able to unlock the phone with just one hand like someone who uses their thumb as the key.

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Sep 23rd, 2013 @ 12:03pm

      Re: There is a simple solution to this...

      It's print isn't left everywhere around you and on the device itself


      It's left on the scanner window.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Sep 24th, 2013 @ 5:48am

        Re: Re: There is a simple solution to this...

        It's left on the scanner window.

        Since the scanner is on the home button, that particular print will likely get covered by thumb or index finger prints over the course of normal use. Not sure that would get a clean print.

         

        reply to this | link to this | view in chronology ]

  •  
    icon
    Tom B. (profile), Sep 23rd, 2013 @ 12:29pm

    Can we agree this wasn't the TouchID 'hacked'?

    They did not hack the TouchID system itself.
    There is a difference.

    They figured out how to create a copy of the index finger and use it in a way that they could fool the sensor. In a controlled environment.

    I'd like to see them get a volunteer to use the phone, register their finger print of choice, and then after 24 hours of use give the phone to the team and see if they can go through that again.

    They could easily patch and fix this, and add a second layer of security. Pin + Finger etc.

    Not everyone cares about their data as much as some of us. On my personal phone I barely use I'd probably want to use this, however on my work phone I would stick with a password, using all the characters available.

    Annoying as hell to enter, but much less guessable.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 3:28pm

    It doesn't matter because the majority of people will be duped into thinking it's far more secure than other methods.

    Not the case, but sadly most will never know until it's too late.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 4:17pm

    I'm surprised the National Institute of Standards and Technology (NIST), hasn't recommended Apple's fingerprint scanner as an international security standard by now.

    Apple and the NSA could be the sole authors of the security standard. It would be just like old times!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 4:46pm

    Best title ever. :)

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Sep 23rd, 2013 @ 8:03pm

    And next up ...

    NSA, GCHQ, NZ's SIS, the Royal Mounties, etc collect all fingerprints which were inadvertently "collected" by Apple ... pics to follow

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    out_of_the_blue, Sep 24th, 2013 @ 6:57pm

    Exclusive: Apple admits, ‘iPhone 5s Fingerprint Database To Be Shared With NSA’

    I don't usually bother with Apple, but ALREADY this is out:

    Tim Richardson, District Manager of Apple’s North America Marketing Department:
    “Frankly, if a person is foolish enough to allow something as specific and criminally implicit as their fingerprints to be cataloged by faceless corporations and Government officials… Well, you can’t exactly blame us for capitalizing upon it, can you? Personally, I believe this effort will support a greater good. Some of the folks they’re hoping to apprehend are quite dangerous. Besides, it’s not like this is covered in the Constitution.”

    http://hackersnewsbulletin.com/2013/09/apple-admits-iphone-5s-fingerprint-database-s hared-nsa.html

    Man, that's the corporatist view short and plain! BEWARE OF CORPORATIONS!

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Leonardo Balliache (profile), Sep 25th, 2013 @ 12:19pm

    Every law has its loophole

    It's really funny! Every law has its loophole.

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This