Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)

[daxiel22]

how is a 2400 dpi photograph of someones fingerprint an everyday item? I'm sorry but this is click bait pure and simple.

+10000

 

[xDKP]

Seriously shaky hands. I think he needs to worry about his health.

Yeah might be a good idea to skip a cop of coffee or two and just drink water mate...

And get out of that basement a little more...

 

[scottsjack]

Wow, the Apple apologists are out in full force now. The point of fingerprint phone ID was that it is another nobody-else-has-it-welcome-to-the-new-paradigm Apple thing. If it is no more secure or reliable than any other method used to secure a phone why have additional technology to break or malfunction in the future?

 

[MacDav]

Again it shows he only has 1 finger registered and he used a different finger with the latex. Watch it again.

I guess I wil never hear the end of this... I made a mistake. I wasn't really watching the video closely and assumed he used the same finger. By the way thanks for not insulting my intelligence. You are a decent person.

 

[Onimusha370]

Umm, "The iPhone sucks, also, I have to wait too long to get one?"

That's like "The food is horrible. Also, the portions are way too small."

I can only applaud this analogy

 

[Dr Kevorkian94]

I want to see somone other than him use the copy of his own finger.....doesn't the sensor supposedly go deeper than just the pattern of your print? Also saying this is an easy hack is %100 stupid (it was stated why already I wont type it).

 

[iphoneclassic]

But as long as a perfect quality "sample" from your fingerprint is needed, I wouldn't call that a real danger.

That's the rub. Being a cheapo sensor, it uses very few reference points. Even without hacking there is a possibility different person's finger can authenticate your phone (again one in several million chance). Even though they tested using high quality copy, it is not required.

Having said that, it definitely serves as a very good convenience.

 

[manu chao]

And we should trust the CCC because ???

Because they haven't shown to be suicidal in the past.

 

[yeah]

It's 1 in 10000, Einstein.

Thanks, Mr. Probability.

 

[leesmith2]

Yes, however the fingerprint gizmo is just ridiculous.

Don't forget you have your password written all over your phone when the the password is your fingerprint !!!

Not if I don't use my index finger or my thumb for the Touch ID.

 

[yeah]

Explain.

1/10 (10 digits on the number pad) x 1/4 (four possible digits) = 1/40.

 

[baryon]

1. So the Touch ID does NOT check if the finger is alive then does it? Many on these forums have been saying that cutting off someone's finger (say, a thief who wants to use your stolen phone in a worst case scenario) would not work, but then, surely, it would.
2. This method requires access to the owner's finger and their consent to scan their finger. So might as well ask them to unlock their iPhone for you, no? Unless you can lift a fingerprint off of an object they touched, and use that to unlock the phone, this is not a security breach. I can hack into someone's email account by asking them what their password is. That doesn't count.

 

[carl0sian]

Shaky hand freaks me out!!

 

[unobtainium]

1. So the Touch ID does NOT check if the finger is alive then does it?

Yes, it does. The thief needs to place his/her finger behind the print so the scanner will detect an actual finger.

 

[Brittany246]

Did anybody else notice how violently his hand was shaking?

No, not at all. We're all blind.

 

[leesmith2]

This is still far more secure than the non-existent passcode most have been using. It's not shocking that Touch ID can be hacked, but let's get real, this isn't something most people need to worry about, and this is still a much better solution than not using a passcode, especially considering it makes it easier to use a long-passcode that is more complicated...

In the meantime, what are some things that would make this even more secure?

Allow users to set a shorter timeframe before requiring the full passcode. Even being able to set it for as little as an hour would make this far more secure tech while maintaining quite a high level of convenience. This is really the simplest option and perhaps makes the most sense in the short term.

This makes a lot of sense without adding inconvenience.

 

[AgentElliot007]

1/10 (10 digits on the number pad) x 1/4 (four possible digits) = 1/40.

You sure about that? Really, really sure?

 

[jon3543]

1/10 (10 digits on the number pad) x 1/4 (four possible digits) = 1/40.

Worth waiting for. Thank you.

 

[iRockApple]

This doesn't surprise me at all. CCC was able to do this with PC laptops with finger print sensors more than 10 years ago. Apple, ignorant as always, couldn't care less about security concerns.

Trust me.....Apple is not the ignorant one here.

 

[manu chao]

Fingerprints are not secret, and that's the point the CCC is making. They don't need to hack the print out of the secret key store. Using something that is not secret for a key, is not secure. What is the point point of storing public information in a secret key store?

I have to follow a person in real life to get a fingerprint from them (eg, I have to watch them holding a glass such that I can link the fingerprint to an actual person. If you have a fingerprint but don't know whom it belongs to, you don't have much (unless you are the police and have access to a fingerprint database).

If somebody could hack into one phone and get the fingerprint + identity of the owner, they could do that to hundred of thousands of phones and then criminals could get into the business of selling fingerprints without the need to follow the target in person.

 

[cbreak]

1. So the Touch ID does NOT check if the finger is alive then does it? Many on these forums have been saying that cutting off someone's finger (say, a thief who wants to use your stolen phone in a worst case scenario) would not work, but then, surely, it would.
2. This method requires access to the owner's finger and their consent to scan their finger. So might as well ask them to unlock their iPhone for you, no? Unless you can lift a fingerprint off of an object they touched, and use that to unlock the phone, this is not a security breach. I can hack into someone's email account by asking them what their password is. That doesn't count.

1. The attacker substitutes his own live finger, overlaid with the fingerprint copy from the victim. As shown in the movie.
2. The attacker takes the fingerprint from a suitable imprint on a suitable surface. As described here: http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en

 

[ElTorro]

1/10 (10 digits on the number pad) x 1/4 (four possible digits) = 1/40.

Dude, you really should go and take some more math. It's 10^4.
4 places with numbers 0-9. So 10 * 10 * 10 * 10 = 10000

You better get it right when you're applying for that job at Apple.

 

[Regbial]

****... why is he so nervous? Dude, calm down. Drink less coffee. Take a chill pill. Geez..

 

[manu chao]

Wow, the Apple apologists are out in full force now. The point of fingerprint phone ID was that it is another nobody-else-has-it-welcome-to-the-new-paradigm Apple thing. If it is no more secure or reliable than any other method used to secure a phone why have additional technology to break or malfunction in the future?

Well, if you want to claim that the fingerprint sensor is no more secure than no passcode at all, be my guest.

 

[Michael Scrip]

You leave your fingerprints all over the phone.

And yet the article uses a nice clean fingerprint off a beer bottle instead of a smudgy oily phone.

In fact... they say "A good source of originals for our counterfeits are glasses, doorknobs and glossy paper."

I'm waiting for the next video to use fingerprints on the phone to make a counterfeit.

I'll bet that fingerprint was carefully placed on that bottle. Notice there are no other fingerprints or smudges around it.

In other words... this was a controlled experiment from beginning to end.

Clever... no doubt. But let's study this a little more.