Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)

[charlituna]

why go through all that trouble when you could just cut off the persons finger?

cut off finger would have no electric charge for the capacitive sensor

 

[richard371]

Again complete non issue. If they can lift a print of the phone and unlock it then we will talk but I don't see that happening.

 

[pipa]

I thought the touch ID only works with live tissue. Maybe I'm wrong but could have swore I read that somewhere. If this is accurate then maybe a dead persons finger can be used to unlock a phone.

 

[albusseverus]

Has anybody reputable reproduced this method? It's not a story until it's verified.

Until then, at best it's - hackers CLAIM to bypass Touch ID.

Oh, that's right. We'd rather have the wrong news first than real news. No wonder we're so easily mislead.

 

[vsighi]

cut off finger would have no electric charge for the capacitive sensor

HAHAHA...guys, guys just buy an htc or Samsung and your finger will have no value on the black market

I think by the end of this year some thief's will sell the iPhone 5S with the original owner finger cut off in ice

 

[Zerilos]

Excellent point. This video seems like a lot of BS.

The fact that it was translucent and the Touch ID was set up to recognize his fingerprint does kind of call this "hack" into question. Not saying it's not legit, but I'd like to see it replicated by someone who's print wasn't used as the ID already.

 

[duneriderltr450]

Locks are only used to keep the honest people honest.

Locks won't do much to protect you from the hardened thieves, who can get into your House/Device if they really want to.

Won't go well for the thieve when they run into a armed home owner.

 

[Gherkin]

Excellent point. This video seems like a lot of BS.

he puts the "fake fingerprint" on his middle finger so no, it is not fake.

they've beaten past fingerprint scanners, so there's no reason to think this is fake. They said they just needed to use a higher resolution photo to trick Touch ID. And they can get the a fake from a print left on a surface, they don't need to photograph someone's actual finger.

it's not easy and you need to know what you are doing to trick the iPhone. But obviously a high security risk person shouldn't use this on their iPhone basically (which probably isn't many people really).

 

[wovel]

he puts the "fake fingerprint" on his middle finger so no, it is not fake.

they've beaten past fingerprint scanners, so there's no reason to think this is fake. They said they just needed to use a higher resolution photo to trick Touch ID. And they can get the a fake from a print left on a surface, they don't need to photograph someone's actual finger.

it's not easy and you need to know what you are doing to trick the iPhone. But obviously a high security risk person shouldn't use this on their iPhone basically (which probably isn't many people really).

How do you know his middle finger wasn't scanned?

I am amazed that in 2013 so many people believe everything they see on the Internet.

 

[kenwk]

I honestly don't know what this video proves.

1st it doesn't show the process of creating the "fingerprint copy".

2nd, while you see the person setup the fingerprint with the index and then pickup the latex with the middle finger and unlock the phone, this proves nothing.

You can setup multiple fingers to unlock an iPhone. Thus, the middle finger could have already been set to unlock the phone.
I call BS

the video showed that he needed to input a passcode... I think that is required at the first setup so his index finger should be the first and only finger setup in that phone. Someone correct me if I am wrong.

 

[wovel]

the video showed that he needed to input a passcode... I think that is required at the first setup so his index finger should be the first and only finger setup in that phone. Someone correct me if I am wrong.

Unless he just rebooted the phone.

 

[Gherkin]

How do you know his middle finger wasnt scanned?

http://www.youtube.com/watch?v=HM8b8d8kSNQ#t=30

he scans his index finger to set up Touch ID on his phone.

 

[Rogifan]

How do you know his middle finger wasn't scanned?

I am amazed that in 2013 so many people believe everything they see on the Internet.

These days people will believe anything that might put Apple in bad light.

 

[840quadra]

You can clearly see at the beginning of the video that the author of the video is on the main Passcodes & Fingerprints page in settings, and that there are no pre-existing fingerprints stored there. The CCC should've done a few things to clear up the issues for any naysayers. They should've tried this with a fresh 5s unboxed on screen and had a second person provide the target fingerprint.

That said, this is not merely a trivial hardware hiccough, but the makings of a PR nightmare. By all accounts, the direct interface of non-live tissue, either a latex impression or a severed finger, was reported, at least by the media, not to be able to pass the scan. Questions of difficulty or feasibility of this method are absolutely irrelevant. If the much-vaunted capacitive sensor so blatantly suffers from the same basic problems as optic sensors, then I have to ask what the point of the whole exercise was. As others have said, this method of faking a fingerprint is so mature that it has been elevated to the level of a film or television trope. I had my misgivings concerning the reliability of the system, but purchased a 5s despite them because of Apple's assurances that such things would not be a problem. If so rudimentary a workaround was ignored, willfully or not, then Apple has given these assurances in bad faith and I hope there are massive returns, as mine will be if it turns out to be true.

As I stated before, I am not 100% clear on the process, or how the screens look on a standard 5S. The floor models at my local store simply have a TouchID demo application. Clearly seeing the screen didn't do me any good, as I hadn't seen the interface on an actual consumer phone.

That said, I too would like to see a more detailed test of this , by a reputable security firm. Perhaps there is truth in this security hole. If so, Shame on Apple for missing the Myth busters episode from which people bypassed Fingerprint scanners by simple means.

 

[charlituna]

my point is anyone going after you hardware does not care about how you are locking up your personal data. all that **** will be wiped for resale anyway

trouble is with iOS 7 when they wipe it they are locked out of it. Won't get past the first screen. So thieves will be more likely to eyeball the phone in action to see if you've upgraded before snatching.

 

[AppleScruff1]

Even if this is true, I don't think it's a big deal for most people. It sounds like a lot of work to do and it may be hit or miss too. How much effort is required to get the fingerprint just right? Perhaps this would work for a band of professional thieves, but not for the average street thug stealing phones.

 

[jraske]

Touch ID is still a lot better than a 4 digit passcode and a Million times better than no passcode.

No one with who has a life is going to use type complex passwords into their phones everytime they want to unlock.

Actually, a 4-digit passcode is much better than Touch ID if it meets the following criteria:

1. It has no repeating or consecutive characters;
2. Is not an easy-to-guess, dictionary word;
3. Isn't four digits (or a four digit word) you might choose that are widely known by friends/family or easily discoverable; and
4. You have set the iPhone to Erase Data after 10 failed login attempts.

As an example, 5836, or 0731.

The odds of an attacker successfully guessing/brute-forcing those 4-character passcodes are extremely low, if not negligible. Yet, those passcodes are trivial to remember.

 

[furi0usbee]

Want to see what these guys do with facial recognition + fingerprint. If you can get Barack Obama's fingerprint, you could wear one of those cheesy halloween masks and get right in!!!!

Or, Apple should make it so shaky hands can't use the tech. Then this guy doesn't get in.

Also wiping the phone after 10 unsuccessful attempts is very useful.

 

[Crzyrio]

Actually, a 4-digit passcode is much better than Touch ID if it meets the following criteria:

1. It has no repeating or consecutive characters;
2. Is not an easy-to-guess, dictionary word;
3. Isn't four digits (or a four digit word) you might choose that are widely known by friends/family or easily discoverable; and
4. You have set the iPhone to Erase Data after 10 failed login attempts.

As an example, 5836, or 0731.

The odds of an attacker successfully guessing/brute-forcing those 4-character passcodes are extremely low, if not negligible. Yet, those passcodes are trivial to remember.

Yes, But it is much much easier for a person to see your 'Passcode' by looking over your shoulder than to get a 2400dpi scan of your fingerprint.

 

[840quadra]

Actually, a 4-digit passcode is much better than Touch ID if it meets the following criteria:

1. It has no repeating or consecutive characters;
2. Is not an easy-to-guess, dictionary word;
3. Isn't four digits (or a four digit word) you might choose that are widely known by friends/family or easily discoverable; and
4. You have set the iPhone to Erase Data after 10 failed login attempts.

As an example, 5836, or 0731.

The odds of an attacker successfully guessing/brute-forcing those 4-character passcodes are extremely low, if not negligible. Yet, those passcodes are trivial to remember.

The odds are no better or worse, it is still only 4 digits that need to be entered. Odds only really come into play, when using more complex passcodes that exceed 4 digits.

 

[SoGood]

What's the problem with that guy in the video? Any one notice the tremor in his thumb and fingers? On crack? Very dodgy!

 

[mrjr101]

a lot of people in this thread missed the big picture here. This video shows that Touch ID is no different than other fingerprint technologies when it comes to trick it by reproducing your fingerprints outside of the original intended medium and still make it work. Perhaps it shouldn't be called bypassing but rather reproducing your identity.This is no different than cloning someone else's credit card or ID to gain access. The point of this video is to realize that your original finger or fingers are not the only thing that can be placed on the sensor for it to work. That is as far as this so called breach goes.

 

[freedevil]

Avoid this by keeping kitty with you all times. When attacked, the kitty will split and you may die but your phone will not be unlocked.

 

[furi0usbee]

The odds are no better or worse, it is still only 4 digits that need to be entered.

Not entirely true. In relative terms, you are more likely to break a 0000, 1234, 1111, than a 5317. Odds may be the same for any given 4 digit number in terms of randomness, but people use the same set of easy passlocks over and over. People don't follow the rules, thus your odds of breaking a 1234 are much better than breaking a 5317, just for the fact odds are that if someone is lazy they'll set it as such. Just like "password" and "12345" are always high on the list of passwords people use.

If you hand me a phone, and I have 10 tries, and not knowing the person, I already know which passwords I'm going to try. Given enough of a sample group, I'd crack more 1234 than 5317.

----------

What's the problem with that guy in the video? Any one notice the tremor in his thumb and fingers? On crack? Very dodgy!

Hist first big break. He's nervous.

 

[Bahroo]

Touch id is safer then your typical passcode, say your on a train or public environment, passcode is much worse for security then touch id... Someone looks over your shoulder and they can get into your phone...Touch id is vulnerable when your sleeping lol(people can pick up your finger and unlock your phone) but who the **** will be around untrustful people in their sleep?

Main question is that can hackers break into the touch id and break the TrustZone encryption? Because then that is a big issue