Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)

Rogifan said:
Seems to me the media is latching on to this because they wanted in the worst way for Touch ID to be a failure. And it isn't. Read any 5S review from the tech press or other media and you'll be hard pressed to find one that didn't get Touch ID to work flawlessly. Of course that's not what the anti-Apple brigade in the media wanted to hear. So they latch on to this even though it appears to have been done in a controlled environment and hasn't been independently verified or replicated. And no comment from Apple.
Click to expand...

If by media you mean. macrumors and 9to5macs.. Then yes.. Talk to me when this supposed touch id bypass hit front page on the NY Times or the WSJ.. For now its just some video and some pics posted by some hackers from Germany.. lol not even MCgyver...
 
i.mac said:
misinformed useless comment. Many more to come I'm sure.
Click to expand...

Yours is useless unless you explain. I remember reading that it was impossible to use anything but the real finger on this because it scans lower layers of the finger.
 
JohnGrey said:
You can clearly see at the beginning of the video that the author of the video is on the main Passcodes & Fingerprints page in settings, and that there are no pre-existing fingerprints stored there. The CCC should've done a few things to clear up the issues for any naysayers. They should've tried this with a fresh 5s unboxed on screen and had a second person provide the target fingerprint.

That said, this is not merely a trivial hardware hiccough, but the makings of a PR nightmare. By all accounts, the direct interface of non-live tissue, either a latex impression or a severed finger, was reported, at least by the media, not to be able to pass the scan. Questions of difficulty or feasibility of this method are absolutely irrelevant. If the much-vaunted capacitive sensor so blatantly suffers from the same basic problems as optic sensors, then I have to ask what the point of the whole exercise was. As others have said, this method of faking a fingerprint is so mature that it has been elevated to the level of a film or television trope. I had my misgivings concerning the reliability of the system, but purchased a 5s despite them because of Apple's assurances that such things would not be a problem. If so rudimentary a workaround was ignored, willfully or not, then Apple has given these assurances in bad faith and I hope there are massive returns, as mine will be if it turns out to be true.
Click to expand...
I disagree that questions of difficulty and feasibility are irrelevant. if this requires hours of careful work to pull off with uncertain results then thieves won't bother and it can be easily mitigated by other security features like the activation lock. But it is certainly a PR disaster for the reasons you mentioned. The press is all over this story already.

But I don't see massive returns because of this. I will likely still get a 5S. will you really return yours?
 
lilo777 said:
Obviously not all phones will have good fingerprints but some will. What does it mean? It may entice the thieves to steal as many iPhones as possible. They will be able to unlock some (those with better fingerprints). So much for security.
Click to expand...

True... but now they will be faced with these:

1. iPhones with no security at all
2. iPhones with a pass code
3. iPhones with TouchID and some readable fingerprints on the phone
4. iPhones with TouchID and no readable fingerprints on the phone

Up until last week... it was only #1 and #2 and apparently the results were worth it to thieves.

But with TouchID... the difficulty of opening a stolen iPhone just increased by a huge factor. Even if there was a nice clear fingerprint in the middle of the screen... they still have to go through all these steps to capture and recreate the fingerprint. And hope it works.

And all this while they are racing against the clock... hoping the owner doesn't invoke "Activation Lock"

So I dunno. Thieves might start stealing more iPhones in hopes of getting a nice easy #1

But #2 is still a pain in the ass... and #3 and #4 are most likely serious deterrents.
 
arn said:
which is in itself ridiculous. Phones get stolen and then wiped and sold. You are not that precious a snowflake that someone who steals your phone, wants to read your texts. :)

arn
Click to expand...
Unacceptable! I was promised legions of iPhone thieves chopping off peoples fingers and thumbs so the phone could be used!
 
Zerilos said:
You really think finding a phone with the users fingerprint on it is as rare as finding a car with the key in the ignition? And there's no need to reverse engineer anything, just need to follow a few steps to creat an image of the owners print.
Click to expand...

A few steps involving 2400 dpi scans that may or may not work depending on how good the scan is. And they got the fingerprint from the guy's finger anyway.
 
The real issue for Apple is if Corporate IT departments start telling their employees that that can't use the fingerprint sensor. I wonder if there's an Exchange policy to control this yet?
 
vsighi said:
[/COLOR]

You must be a Pakistani comedian...please cut in half the Prozac my friend :mad:
Click to expand...

Umm... Not really getting the whole joke here, but it's just natural, if it's harder to steal, people tend to begin to stay away from it. Would you rather steal a safe that is track able and very difficult to break that has $100,000 in it, or $50,000 in a bag on a table?
 
Breaking news!

Fingerprint scanners all have the same vulnerability; if you replicate someone's print or acquire said finger you can gain access! Wow! Who would have thought?!

Are people really this stupid?
 
840quadra said:
The odds are no better or worse, it is still only 4 digits that need to be entered. Odds only really come into play, when using more complex passcodes that exceed 4 digits.
Click to expand...

Let me try and explain . . . in the scenario I described, the phone is set to erase all content after 10 failed login attempts. So, the attacker has to successfully enter/guess the passcode within that limit.

With a 10-character set (0-9), there are 11,110 possible passcodes that can be created. The odds of an attacker guessing a four-character passcode out of 11,110 possible combinations in ten chances are pretty damn low. So, adding a fifth (or sixth, etc) character doesn't matter as you suggest.

That being said, people who steal iPhones know that people use weak passcodes such as 1234, or 1111, or 0000. These are weak because of how commonly they are used.

http://news.yahoo.com/blogs/sideshow/-the-10-most-easily-stolen-atm-pins--184658424.html

So, if someone uses a four character passcode, and avoids the commonly used ones, or uses four numbers known to their spouse/friends (e.g., last four digits of your iPhone number, or the last four of your SSN), you should be OK.
 
Breaking news!!! iphone finger print sensor hacked by cutting off a users finger and scanning it.

Also, iPhones password has been cracked as well by asking a user about their password
 
V.K. said:
I disagree that questions of difficulty and feasibility are irrelevant. if this requires hours of careful work to pull off with uncertain results then thieves won't bother and it can be easily mitigated by other security features like the activation lock. But it is certainly a PR disaster for the reasons you mentioned. The press is all over this story already.

But I don't see massive returns because of this. I will likely still get a 5S. will you really return yours?
Click to expand...

Absolutely, I will, as much for principle of the matter as the objective failure in security. I believe that all congress between humans, economic congress included, is meant to be undertaken in good faith, which in terms of ethics may be defined as a state exceuted in the sincere belief or motive, lacking malice or the intention to defraud others. When one makes a purchase, one is given information, weighs the risks and costs against the benefits, and makes an informed decision whether for or against. In the contingency of the bypass being accurate as reported, then there are two possibilities: Apple was ignorant of the possibility or blatantly ignored the possibility. If the former, then we must accept that Apple, despite being a corporation on which we intrinsically rely for their technological expertise, was culpably ignorant, that is to say willfully ignorant of a bypass method discernible by any basic investigation. If the latter, then we must accept that Apple knew of the bypass possibility. discounted the possibility, but still did not inform end users that the possibility existed, nor correct the media that reported that neither severed digits or fake impressions would be able to pass the scan. Now, while these possibilities may or may not make Apple civilly liable, I cannot conceive of how they can be construed as other than constituting bad faith. A firm that willfully makes millions of sales, at a premium, with such practices and with so sensitive a consideration, is not worthy of my business.
 
So after that tedious process of photographing, printing, drying, breathing (lol)...
g1334797991599414388.jpg
 
Last edited:
jraske said:
Actually, a 4-digit passcode is much better than Touch ID if it meets the following criteria:
  1. It has no repeating or consecutive characters;
  2. Is not an easy-to-guess, dictionary word;
  3. Isn't four digits (or a four digit word) you might choose that are widely known by friends/family or easily discoverable; and
  4. You have set the iPhone to Erase Data after 10 failed login attempts.

As an example, 5836, or 0731.

The odds of an attacker successfully guessing/brute-forcing those 4-character passcodes are extremely low, if not negligible. Yet, those passcodes are trivial to remember.
Click to expand...


Nope, i can look over your shoulder or see where your fingerprints hit on the passcode pad and get your phone

Not much people have a 2400 dpi resolution camera with all these materials laying around. But people always have eyes
 
Romy90210 said:
If by media you mean. macrumors and 9to5macs.. Then yes.. Talk to me when this supposed touch id bypass hit front page on the NY Times or the WSJ.. For now its just some video and some pics posted by some hackers from Germany.. lol not even MCgyver...
Click to expand...

Do a google news search. This story is all over the place.
 
AaronEdwards said:
Someone taking the time to lift your print from somewhere will also make sure that your phone won't receive any signals.

----------



The next videos will be of people trying to do this by lifting whole/smudged/partial prints from bottles/glasses/etc.
Click to expand...

I really don't know how would someone be able to block remote erase from find my iPhone . If he/she were to restore the phone, activation lock would block his/her acces.
If iPhone is restarted, touch ID is ignored and password authentication is needed.
Conclusion:

If someone stole your iPhone he wouldn't be able to do anything with it (if you have find my iPhone enabled).
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back