What would the point be with TouchID if you would have to use the PIN the first time you use your phone after you wake up? You would have been asleep for several hours...

It would at the least drastically reduce the number of times you have to enter the PIN. I enter mine multiple times a day and I find it extremely annoying. I can live with entering it once in the morning.
 
I have a much better faster hack, chop off his finger.

What's with all the finger chopping in this thread?

If someone has that sensitive of information, you hold them at gun point/drug them/or simply hold them down, and force them to unlock the phone with their own finger.

That is the easiest route to obtain the information, far easier than simply stealing their phone, then following them to lift prints off of objects, then go through this fairly extensive routine.

Seriously, if a thief wants your information bad enough, they will go to any lengths to obtain it. Nothing is 100% secure.

This will however deter any common thieves.

And really, what are they going to obtain anyways? Currently, only your Apple ID, so then what? They can make some illegitimate purchases using your iTunes account? Tell your wife you're texting some other broad?

Who really leaves any pertinent, sensitive information, unencrypted on a phone anyways?


Jeez.
 
which is in itself ridiculous. Phones get stolen and then wiped and sold. You are not that precious a snowflake that someone who steals your phone, wants to read your texts. :)

arn

True. About the only people that would want to go to these measures would be law enforcement and perhaps a paranoid romantic partner.
 
What's with all the finger chopping in this thread?

If someone has that sensitive of information, you hold them at gun point/drug them/or simply hold them down, and force them to unlock the phone with their own finger.

That is the easiest route to obtain the information, far easier than simply stealing their phone, then following them to lift prints off of objects, then go through this fairly extensive routine.

Seriously, if a thief wants your information bad enough, they will go to any lengths to obtain it. Nothing is 100% secure.

This will however deter any common thieves.

And really, what are they going to obtain anyways? Currently, only your Apple ID, so then what? They can make some illegitimate purchases using your iTunes account? Tell your wife you're texting some other broad?

Who really leaves any pertinent, sensitive information unencrypted on a phone anyways?


Jeez.

lol right? Apple ID gets hacked just change it
 
Look, this is how bypassing this Touch ID system is done! Lifting a fingerprint off a glass bottle (or somewhere else on the screen) is going to be easier than cracking a 9+ digit alphanumeric passcode on an iPhone.

Using a 4 digit pin number? That can be cracked in a couple hours so don't even try it!

couple of hours, you say
let's see
for 4 digit pin we have 10000 combinations
you can make only 3 mistakes, after that you have to wait for 5 min i think
so at very least it will take around 6 min for 3 attempts, max time
around 20000 min = 333 hours, ok 300 hours
so good luck with that
 
Honestly, knocking someone out and using their finger or holding them at gun point results in the same thing. No password, print or pin is safe. It's just a good way to minimize pesky intruders. That's all.


You obviously don't get it.

It's not about getting into your phone. It's about VERY easily getting a copy of your fingerprint, along with all your other personal info. With 3D printing, it will be very easy to either impersonate you or frame you for anything.

Nice job Apple. Even nicer than your Apple TV 6.0 brick. WTF is going on at Cupertino?? :mad:
 
If you can bypass Touch ID and reset the phone before the owner can use Find My iPhone, then you can sell it. Or can you?

only if you know the icloud account password. Otherwise you can't turn off Find My iPhone or use the onboard erase. Anyone with any sense would have triggered Lost Mode asap or at least changed their email password (if they aren't using an @icloud.com email) so you can't use iforgot to change it.

So only course of action is a DFU restore which would trigger the activation lock.
 
And really, what are they going to obtain anyways? Currently, only your Apple ID, so then what? They can make some illegitimate purchases using your iTunes account? Tell your wife you're texting some other broad?


Here's the point for me. YMMV. Once your password is compromised, you can change it. Once your pin code is compromised, you can change it. Once your VPN token or E-grid is compromised, you can change it. Once your fingerprint is compromised, you can't ever change it (within practical reason).

You don't leave your password or pin code on a sticky attached to your forehead, you don't hand your VPN token or e-grid to anyone, but you do leave your fingerprint everywhere.

Even if it is difficult for this particular hack to be made to work, there will be other easier methods developed in the future. Why fingerprint authentication by itself (and not as a part of 2-factor authentication) is felt to be better security perplexes me.
 
You obviously don't get it.

It's not about getting into your phone. It's about VERY easily getting a copy of your fingerprint, along with all your other personal info. With 3D printing, it will be very easy to either impersonate you or frame you for anything.

Nice job Apple. Even nicer than your Apple TV 6.0 brick. WTF is going on at Cupertino?? :mad:

I think it's you that doesn't get it.

In this case the obtaining of your fingerprint has nothing to do with Apple.
 
Seems to me the media is latching on to this because they wanted in the worst way for Touch ID to be a failure. And it isn't. Read any 5S review from the tech press or other media and you'll be hard pressed to find one that didn't get Touch ID to work flawlessly. Of course that's not what the anti-Apple brigade in the media wanted to hear. So they latch on to this even though it appears to have been done in a controlled environment and hasn't been independently verified or replicated. And no comment from Apple.
 
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

Oh... *that's* all... thieves will have all this handy in their little black bag.

Why not follow a guy into Starbucks, then wait for him to log in, then hit him over the head and take his phone, and his latte.
 
TouchID isn't meant to be absolutely crack-proof security. Apple never claim it as such, nor do they provide money-back guarantees the way manufacturers of safes do.

It's meant to be more convenient than entering a passcode every time, so that more users lock access to their phones and the precious data inside them.

Not only that, but TouchID's security is enhanced by requiring a passcode entry every boot or every 48 hours (whichever is shorter).

The best protection Apple can provide is still Find my iPhone (i.e. tracking, remote wiping, etc). All keys are vulnerable; even house keys can be copied (if not by a locksmith, then by some random bloke with a 3D printer).
 
So does everyone have a 2400 dpi resolution camera/dslr with all these materials laying around?

This is what should be being asked. First you would need a super clean print, some kind of high powered microscope camera, a high quality printer and physical access to your phone.

What people seem to forget is that this is replacing a 4-digit pin for a majority of people. Which is more secure, your fingerprint, or '1111'? Even if you have a longer/more complicated pin it can easily be 'cracked' by looking over your shoulder.

Ultimately Touch ID is more about convenience - you no longer even need to swipe to unlock, just press the home button.
 
So does everyone have a 2400 dpi resolution camera/dslr with all these materials laying around?

No, but 2400 dpi flatbed scanners are easy to come by. So, the question is how easy is it to lift a print that is good enough to scan? I believe this CCC announcement and video are legit. But I would like to see a video of them demonstrating the entire hack; lifting, scanning, making fake, and then using it.

The real question now is this. Can they successfully lift a print from the phone, rather than a glass, and perform the hack? Then, can they practice it to the point of being able to do it most of the time? Then, can the new security features for locking and erasing a phone be deactivated using TouchID only, or is the pin still required? Any 5s owners want to test this?

If those are all true, this circumvents Apple's theft protection by determined thieves. That would however be easily fixed by requiring the pin to deactivate Find My iPhone. So, I'm not too concerned about that. This mostly boils down to it's not as secure as Apple implied in the keynote.

If you are concerned about information security, use a pin. If you are just worried about theft, TouchID is probably still a good deterrent. Although at this point thieves are going to steal your phone first, and figure out if it is secure later. So until this is on basically 90% of phones, creating "herd immunity", your phone will still be a target.
 
I think it's you that doesn't get it.

In this case the obtaining of your fingerprint has nothing to do with Apple.

But if some thief chops off your finger and uses it to access your iPhone 5S... Does this have anything to do with Apple :D:D
 

I honestly don't know what this video proves.

1st it doesn't show the process of creating the "fingerprint copy".

2nd, while you see the person set up the fingerprint with the index and then pick up the latex with the middle finger and unlock the phone, this proves nothing.

You can set up multiple fingers to unlock an iPhone. Thus, the middle finger could have already been set to unlock the phone. In addition, the reader reads the subsurface layers of the skin, not the outer layer. So, it then could be reading right through whatever he placed on his finger and then unlocking the phone. There is no proof what he picked up is a fingerprint copy anyway. Does it so fast and while he quickly shows it to the camera, you can't make out crap. To me all this proves is that the reader ignores what may be placed on the surface and unlocks by reading through to the subsurface part of the finger.

I call BS
 
Same person who registered also used the photo print supposedly. I bet another unregistered won't work

See that's a bit that makes me not buy all of this. How do we know that he didn't have several fingers registered and it's reading through the paper. Better to have used a partner's phone and finger just to prove that it is breakable.
 
Fairly sure there isn't even a 100ppi image of my fingerprint anyone can gather, let alone one that is 2100ppi. Secondly, the video doesn't show full navigation into the enrollment process (well enough for my liking).

What do the screens look like when adding an additional finger, versus what is shown? (sorry I don't have a 5s, and the display demo at the stores don't show normal TouchID preferences.) . Is there any way to confirm that his middle finger was not previously enrolled?



Good luck obtaining that from my phone ;)

A) I have a case that is highly difficult to get fingerprints off of (material is not smooth)
B) I would register a finger I never use holding the phone, nor in normal operation of the touch interface ;) .
C) on the given finger I would register, I would only register a portion of that digit, that normally wouldn't come into contact with my Phone (or anything else I am holding). You can (it takes some effort) only register part of your finger. the Software makes it hard, but you can get away with registering only one side of your fingerprint if you choose to do so.

That said, Most people won't think outside of the box, and will go with the easiest way to unlock their phones. I will (when I get a 5S, or 6), likely keep my complex passcodes, and use a partial fingerprint for TouchID.

You can clearly see at the beginning of the video that the author of the video is on the main Passcodes & Fingerprints page in settings, and that there are no pre-existing fingerprints stored there. The CCC should've done a few things to clear up the issues for any naysayers. They should've tried this with a fresh 5s unboxed on screen and had a second person provide the target fingerprint.

That said, this is not merely a trivial hardware hiccough, but the makings of a PR nightmare. By all accounts, the direct interface of non-live tissue, either a latex impression or a severed finger, was reported, at least by the media, not to be able to pass the scan. Questions of difficulty or feasibility of this method are absolutely irrelevant. If the much-vaunted capacitive sensor so blatantly suffers from the same basic problems as optic sensors, then I have to ask what the point of the whole exercise was. As others have said, this method of faking a fingerprint is so mature that it has been elevated to the level of a film or television trope. I had my misgivings concerning the reliability of the system, but purchased a 5s despite them because of Apple's assurances that such things would not be a problem. If so rudimentary a workaround was ignored, willfully or not, then Apple has given these assurances in bad faith and I hope there are massive returns, as mine will be if it turns out to be true.
 
Would CCC do that to publish a phony video? For what reason? 15 minutes of fame and then an eternity of shame?

shame only comes if they get caught and everyone is so paranoid that they might not bother to try to replicate the whole thing with a mismatched set and see that it doesn't actually work
 
Locks are only used to keep the honest people honest.

Locks won't do much to protect you from the hardened thieves, who can get into your House/Device if they really want to.
 
I completely agree as well. I was thinking the same. Not enough proof in this video for me to believe it.
 