You might wanna stay away from that abbreviation... I originally read "MILF"...
----------
When the CCC guy enrolls his finger, there are no slots, so no, he only enrolled his index finger.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)
- Thread starter MacRumors
- Start date
- Sort by reaction score
You might wanna stay away from that abbreviation... I originally read "MILF"...
----------
When the CCC guy enrolls his finger, there are no slots, so no, he only enrolled his index finger.
Congratulations, you weren't paying attention!
----------
Had to think of this:
http://www.youtube.com/watch?v=V-fRuoMIfpw
Try reading. I am simply asking someone with a 5S to see IF the scanner can read through a thin film to see the fingerprint underneath. Is that so hard to do?
Just scanned the BACKSIDE of my index finger and it works flawlessly and this print can't be found anywhere because nobody touches items with this side of the finger.
because nobody touches items with this side of the finger.It doesn't matter. gr8tfly was suggesting that the guy had already enrolled his middle finger before enrolling his index finger, which is not the case, as we can clearly see there are no fingerprints enrolled when he starts the enrollment process, and after the enrollment process, we can see that there's only 1 fingerprint saved.
So a bunch of nerds in their parents basement with no lives managed to do something that is so absurd and over-the-top that Apple should somehow be worried... ok.
How is it even a "hack"? They just used a fingerprint as designed...
I think the ultimate irony in this post is that this is exactly what Steve Jobs started as.
It's incredible how people resort to ad-hominem attacks right from the get go, not realizing that 'hackers' are the ones who always move technology forward.
This is laughable, and anyone who classes this as bypassing the touch I.D has bypassed some brain cells.
firstly if you can copy a fingerprint and the phone recognises it, then the first problem here is the guy has one already made up that would be as discussed in this thread a lengthy and demanding process requiring high quality equipment. Not something your average iPhone thief has...or they wouldn't need the money from stealing the phone.
next the film is so thin I wouldn't be surprised if its able to just read prints straight through it anyway I'm more worried about people seeing my 4 digit passcode than a fingerprint. I imagine it will see improvements by the time of the iPhone 6
firstly if you can copy a fingerprint and the phone recognises it, then the first problem here is the guy has one already made up that would be as discussed in this thread a lengthy and demanding process requiring high quality equipment. Not something your average iPhone thief has...or they wouldn't need the money from stealing the phone.
next the film is so thin I wouldn't be surprised if its able to just read prints straight through it anyway I'm more worried about people seeing my 4 digit passcode than a fingerprint. I imagine it will see improvements by the time of the iPhone 6
Thank you. It would, then, seem that the scanner can indeed recognise a fingerprint through an applied film.
Any chance you could repeat with some other material/thickness, e.g. paper?
----------
I read somewhere in the discussions that things aren't so clear cut, and this may not necessarily be the case.
Regardless, it was a very poor demonstration video. What he really had to do to make it much more convincing was demonstrate that his middle finger could not be recognised, then with the print attached, show that it could. Even then, there's already the possibility that it was the fake attachment that was registered itself. I'm not ruling out by any means that the video tells the truth, but it's not presented in a convincing way, so FAIL on that front.
I guess that Apple has to respond to this sooner or later because Marketing will be hopping mad. It's going to be interesting to see the response.
Last edited:
Looking closely, it does indeed seem that the index finger is used to scan initially - though it's nowhere near clear, and obviously very easy to fake if you don't see a clear image of which finger is doing what. Also, given that more than one finger can be used to unlock, there's no guarantee that they didn't previously setup the middle finger.
Regardless, it's not terribly convincing or concerning, given that the method requires an extremely high resolution photograph of one's finger, knowledge of which finger is used to unlock (out of 10 possibilities), the ability to clean up the resulting image and print on rubber material, etc.
Dave
I understand where you two are coming from, I was only commenting on the pure mathematical angle.
That said, To me, the people using simple pass codes, aren't really taking security seriously to begin with. I personally don't use simple passcodes. I can't really enter my passcode when driving, but that is actually a good thing
Of course, his statement is a simple, self-fulfilling prophecy. He knows which 4-digit code's he'd try, and the list includes 1234, but not 5317. Of course, he'd "crack more 1234 than 5317". If his list included 5317 (significantly *less* random than he thinks), but not 1234, he'd crack more 5317 than 1234.
Not at all. The sub-epidermal scan doesn't change the pattern of your fingerprint. The structures that make up your fingerprint exist pretty deep into your skin. What it does is provide resilience to surface damage, such as paper cuts and the like.
----------
1) Yes. It is certainly possible to lift a fingerprint from a glass surface, such as a phone. The phone's surface being a 'high traffic area' complicates it, but does not render it impossible.
2) Yes. It takes anywhere from 15 minutes to 2 hours to create the mock fingerprint, depending mostly on the cure time of the material used to cast the print.
3) Agreed. This makes the process more difficult, but it is still certainly possible to do this inside the 48 hour time limit. (This assumes a decent quality print from the correct finger can be found on the phone.)
----------
Did they really? Or was it just people who confuse sufficiently advanced technology with magic that made that claim.
Please provide a reference to Apple's claim that the fingerprint scanner was immune to this spoofing technique.
Not picking on you, but just using your nicely detailed comment as a convenient jump-in point for a devil's advocate reply. Thanks!
- While they used more, I don't think it requires a very big or high resolution image. The Apple sensor is 500 DPI. It's also only about 10mm (.4 in) square. That makes it about 200 x 200 pixels (let's round up to binary 256x256). A complete fingerprint is unnecessary.
- It's a good bet that almost everyone is going to register their thumb as an unlock digit, just because the whole point is convenience.
- Cleaning up the image is something for image processing software, which is abundant these days.
- The materials are commonly available, and the modeling techniques have been used for 15 years now by all sorts of amateurs. Heck, I would not even be surprised to see somebody demonstrate a way to image a fingerprint and feed it to a 3D printer.
I actually looked for this, watched the keynote and read the info on Apple's website again, nowhere did Apple claim that the TouchID sensor is impervious to spoofing.
It was actually commenters and bloggers that came up with that claim. The only thing Apple said was that it reads into the sub-epidermal "living" tissue in order to get a more accurate sample of your fingerprint. Nowhere did they say you couldn't slap a fake fingerprint on a frozen sausage and get in the phone.
So, Apple implements a fingerprint sensor in a really innovative and convenient way, people find out that it's ... a fingerprint sensor ... and freak out because it's not made of unicorn tears and magical rainbow fragments.
You can have the most secure thing ever, and I believe Apple's done a really good job.
You can have multiple layers of security, lock down the encryption keys, and whatever you want, but if all of that hardware security is **** by a simple mis-judment of a print of a finger... then its its no secure at al.
Add to this the time spent to crack this, only a few days.. This alone should tell you how much thought had gone into the security side of this.
If is was Really bullet proof, the Touch ID would ignore everything, BUT the original print.
Apple can't claim this, because they don't know. And, I bet even if you tel them, do you expect them to listen?
You can have multiple layers of security, lock down the encryption keys, and whatever you want, but if all of that hardware security is **** by a simple mis-judment of a print of a finger... then its its no secure at al.
Add to this the time spent to crack this, only a few days.. This alone should tell you how much thought had gone into the security side of this.
If is was Really bullet proof, the Touch ID would ignore everything, BUT the original print.
Apple can't claim this, because they don't know. And, I bet even if you tel them, do you expect them to listen?
I'm not so sure that photographing a fingerprint and "cleaning up the image" is a one-button affair that can be performed by anyone using any software. I'm pretty sure you probably have to have expertise so you know which details to enhance/correct and which not to. It's like retouching a photo: in order to do it properly, you need real skill and training, not just an expensive piece of software.
The materials are readily available, but the procedure still requires lots of patience and skill to pull off. You have to pull a near-to-perfect print, which I understand is a very delicate process, for which you only have one shot. One mistake lifting the print and the original is destroyed. Even then, you have to hope that the print you're lifting is the one that's registered.
Add on top of that the fact that actually creating the fake print, despite the ready availability of materials, is still no small feat. Then you only have 5 or 6 tries with that spoofed print (CCC Expert-Man used 2 tries), otherwise the phone will lock itself out from fingerprints completely.
And that's the real point. This isn't a fingerprint sensor for James Bond and Co. This is a fingerprint sensor for people who aren't being chased by international superspies (no matter how strongly they believe they are). If your phone gets stolen on a train, bus, or you lose it in a bar, the thieves are going to have a very hard time accessing your phone.
----------
Apple never claimed this.
Good point. The 4^4 is the worst-case scenario based on the number of digits and number of possibilities. Knowing they're all different (or not) definitely reduces the search-space significantly.
Here's some thoughts behind all this by the guy who did this:
https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/
https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/
That's a different guy who just replicated the results, goes to some lengths to make the method seem exceptionally complicated and comes to reasonable conclusions, I think.
http://istouchidhackedyet.com/
claimed others did it as well as proof.
Let the minimizing for not reason (as nobody made a big deal out of it) continue.
claimed others did it as well as proof.
Let the minimizing for not reason (as nobody made a big deal out of it) continue.