You are too blind "teknikal90"...passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it — as many times as you want. “Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.” :(

We did not ask for or somehow want this Apple "innovation"...all we wanted was a new iPhone with a bigger screen :cool:

then keep using a password then "vsighi" if you have so much sensitive data in your phone. you are blind if you believe Apple took that option away. all i know is it's a lot easier to unlock my phone and enter in my iTunes password by tapping the home button. i like it

and i still think it's stupid to think that now that fingerprint scanners are on the iPhone, it entices thieves to steal even more iPhones than before until they find one with a good fingerprint on it.
 
Ok so how do we know he didn't register that finger print prior to the video? Doesn't it store a few different prints?

Either way, by the time you went through all the trouble to make this fake print, the victim could easily wipe the device, report it stolen and have the PO PO pick you up. I'm just happy Apple is making attempts to reduce the crimes.

I just tested it out and put my finger on glass front. The fingerprint is very clean looking and very visible on the glass face. It should be easy to photograph it and clean it even more in photoshop. So we are in fingerprintgate now?
 
Well, something sure seems goofy about that video. Maybe it's just me, but...

For one thing, when he's doing the setup and placing his finger, there are several times when he lifts the finger, but the animation on the screen continues, even though his finger is up, and not touching the sensor. Every other demo video I've watched clearly shows that the animation of the fingerprint filling in is only happening when the finger is actually on the sensor.

Also, in both of the videos - the one where the same guy spoofs the sensor, and the other one where a second individual does the spoof - there is a point at which pressing the home button automatically brings up the passcode screen, at which point he types "0000", hits the power button, hits it again - this time no pass code screen, just the home screen - and the spoofed fingerprint works. Weird behavior. Normally just pressing the home button doesn't bring up the pass code lock screen immediately. It brings up the lock screen, and if you try to swipe it open, it brings up the pass code.

I know I'm a skeptic - but something seems odd and off about it. But, I don't have a 5S of my own yet to compare behavior to. Anyone else?
 
Given the size of the iPhone sensor, it only deals with partial fingerprints. So partials will do just fine.

"most people don't manipulate the device with their thumb". Really? Perhaps most Android users don't do that but according to Apple most iPhone users do just that. Just watch their commercial.

My bad for not being clearer. Most of us, when manipulating our tablets with any digit, do so with the tips of our fingers (or thumbs), at the part just under our nails, and generally to the side and tip of our index finger. While the sensor only uses a partial print from our finger, it will only recognize the same partial. So, while people will likely scan the center of their thumb for set up and subsequent unlocks, or flat central portion of whatever digit they use, that is not the same portion they use to interact with their tablet. And unless the tip of your finger was scanned for setup, a partial from your finger tip will be useless for opening the device.

The real take-away: it's optional. If people don't find it to be a secure method to lock their phone, then here's an idea: don't use it. Enter a password instead. Maybe a good one like "1 2 3 4" will work - it is more security than many use to protect their device.
 
Did you read the article? Ease with which it was broken? You are being ridiculous. It's no feat your average thug is capable of, nor your above average thug.

Besides, you can lock your phone with a very long, more secure password and disengage the four-digit password and the fingerprint login, so your entire argument is WRONG.

I both read the article and watched the video. Admittedly, the ease is relative, but one must also consider the effort and cost expended to make and market the technology, a not-inconsiderable amount of that cost passed on to the buyer, versus the cost and effort necessary to circumvent it. Only a fool would argue that the investment of the latter was equal to the former.

Nor was that actually the point of my complaint, which was the manner in which the technology was marketed, with no public acknowledgement or correction by Apple regarding the vulnerability despite it being repeatedly trumpeted in the media that facsimiles would not work.

By all means, continue to stick your fingers in your ears and hum consolingly to yourself that Apple hasn't screwed a pooch in this situation. It's all the Apple haters, just like all of the BB haters are responsible for the failure of BB10, like those poor Kool-Aid drinkers at Crackberry zealously thunder about.
 
The situations are not analogous. No lock-maker suggests that no other key but the original, not even a facsimile of sufficient precision, can open the lock nor permit their product to be reported in such a way without clarification. Second, the variability of lock quality can be combatted by replacing those locks with better locks, equipped with countermeasures, or augmenting them with additional security features. No such options exist with the iPhone, nor is Touch ID intended for combined use with pass code, beyond those instances where it is required and never sequentially. Lastly, the security expected of Touch ID must be commensurate with the amount of sensitive information or financial harm that can be done immediately should it be circumvented. Someone having a key to your house does not immediately mean that someone can have access to your financial information, passwords, etc. The same cannot be said in the case of bypassed Touch ID. Admittedly, Touch ID may only be presently used in direct purchases from the App Store or iTunes. Given the apparent ease with which it seems to have been broken, one must ask then if such a policy were a necessity rather than a laudable commitment to segregative security.

Clearly you are an attorney.. or at least your logic follows the profession's standards. I would judge the ethical problem in this situation is the theft of an iPhone, not the performance of enhanced security provided by the technology.
 
What?! Madness! I was certain that the button-sized fingerprint scanner on my phone would be impervious to elaborate latex reproductions of 2400 DPI images of my finger!

In other words, this method works on all fingerprint scanners. No surprise here. No one is billing the iPhone's scanner as an invulnerable security system for sensitive confidential data. Based on the effort it takes to make a fake, it's likely more secure than a 4-digit code and certainly way better than no password, which is how most people use their devices.

A stolen phone is wiped and sold. It may be briefly browsed for relevant financial data if it's unlocked. If you're the kind of person who fears targeted espionage you may want to look into more aggressive security measures not covered by this functionality, like armed escorts or psychiatric care (depending on the reality level of your concerns). Or at the very least a long-form password.
 
I don't believe it would work. The Touch ID scanner is supposed to look at sub-epidermal layers (or whatever). This guy used his OWN finger to unlock his OWN phone - there just happened to be a thin layer in between. The scanner may still have been reading his sub-epidermal details.

This demo is a fail. He should have proven that his phone could be unlocked by someone else.

You have no idea what you are talking about, if he uses a different finger, it is no different than a different person using it.
 
Ok so how do we know he didn't register that finger print prior to the video? Doesn't it store a few different prints?

Either way, by the time you went through all the trouble to make this fake print, the victim could easily wipe the device, report it stolen and have the PO PO pick you up. I'm just happy Apple is making attempts to reduce the crimes.

So to avoid that you'd turn off the phone, which then wipes the fingerprint data. Bringing you back to either cracking the password, dumping the data off the device and trying to crack the device key. Or just wiping the device clean and trying to sell to the shadier parts of the second hand market. So exactly the same as the non-touchID device.
 
Clearly you are an attorney.. or at least your logic follows the profession's standards. I would judge the ethical problem in this situation is the theft of an iPhone, not the performance of enhanced security provided by the technology.

:p No, I'm not an attorney. Just an old engineer who believes that for one, whether individual or corporation, to have the expectation of equitable exchange, be it material goods or information, one has the obligation to communicate with honesty, consequences be damned. It's a habit that has cost me professionally at times but has always done me far greater good than harm, as people always know where they stand with me.

Certainly the theft constitutes an ethical problem but that problem can be argued to be both enabled and compounded by the original misinformation, which for many will offer a sense of security which is unrealistic.
 
Haha funny. That will just reinforce the Samsungites' assertions that they'll be cutting off our fingers to read our emails. Morons.

:D If you are smart enough you can avoid your thumb amputation by using your happy toe :D
 

Well said. No security is perfect. Touch ID will still be a strong protection against most intruders.

Exactly. I'm not an expert in security. But in theory I suppose that any security can be bypassed. That said, I don't see anyone going through that amount of work just to hack into an average consumer's phone. Unless your name is James Bond or Nikita. So I think we're pretty safe.
 
The concern is that other companies will follow suit with biometric data used to unlock things, and make purchases. The nightmare scenario really is that biometrics become so widespread that somebody who can get your fingerprint like this process here can use it elsewhere to do some real damage. Identity theft is bad enough when it's just credit card numbers you have to change. You can't change your fingerprint.

Considering just how quickly the TouchID was shown to be vulnerable (which of course it was), I feel all the better about my decision not to use the feature when I get my 5s tomorrow. I will fight against biometric "security" every time it comes up in a consumer context. It's a terrible idea that needs to not become widespread. Regardless of Apple's particular implementation, other companies will see Apple doing it and copy it with varying degrees of precaution. I'm not going to encourage them.

You got that right. Fingerprints can never be changed, whereas passwords and credit card numbers can be because they're temporary. But do check this out (I've seen many "security" ideas and things in the past, but never anything like this):

http://arstechnica.com/security/201...es-heartbeats-as-a-password-but-is-it-secure/
 
First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

Seems like a pretty good endorsement of the technology in my book.
 
This says it all. It's yet another major software flaw and why it is becoming hard to trust Apple with your personal information.


:apple:
Obviously you need to do some reading about how Touch ID works. It stores biometric information about your fingerprint, not the fingerprint itself. You would have a better chance of duplicating the Mona Lisa from someone's written description of it than you would have of duplicating a fingerprint by somehow (as yet to be determined) lifting the biometric info from someone's phone. For that matter, it would likely be orders of magnitude easier to simply lift the user's prints off the surface of the phone.
 
You need only 1 print and then use Photoshop to clean it up. Then you have a good print of a high-profile target like Tim Cook or Paris Hilton. Sammy would love to read Timmy's emails.

If Tim Cook lost his iPhone... it would be bricked 30 seconds after it was reported missing.

That's the big thing people are missing. Pass codes and TouchID will just slow you down until they can nuke the phone from orbit.

Let's say you find an iPhone 5S... or actively steal it. And happens to have a good fingerprint on it. And you go through the dozen steps it takes to make a fake fingerprint.

If the phone has any kind of important data on it... it's been wiped already.
 
Umm. I would like to see someone else use the latex copy other than the guy whose finger print unlocks it.

If it is indeed sub-dermal, couldn't it have unlocked simply due to it picking up the legitimate finger through the latex copy???

:p:p:p
That is the key to this demo. Let's see them do this with something other than a finger behind the film.
 
The video may not be a complete video. He may have registered five fingers. He did not show how he lifted the finger print and where. Most of us may use a thumb to unlock and then use other index to navigate the phone. I am not sure the sapphire on the home button allows a fingerprint to stay on.

It took him to press his middle finger twice and it seems he rubbed it on the scanner. I cannot be sure what he did after he registered his finger. It looked like he entered a passcode for some reason.

Also, maybe he should place the fake print on the home button and apply pressure with a pencil. If it unlocks, then the sub-dermal theory is wrong.
 
My bad for not being clearer. Most of us, when manipulating our tablets with any digit, do so with the tips of our fingers (or thumbs), at the part just under our nails, and generally to the side and tip of our index finger. While the sensor only uses a partial print from our finger, it will only recognize the same partial. So, while people will likely scan the center of their thumb for set up and subsequent unlocks, or flat central portion of whatever digit they use, that is not the same portion they use to interact with their tablet. And unless the tip of your finger was scanned for setup, a partial from your finger tip will be useless for opening the device.

The real take-away: it's optional. If people don't find it to be a secure method to lock their phone, then here's an idea: don't use it. Enter a password instead. Maybe a good one like "1 2 3 4" will work - it is more security than many use to protect their device.

I didn't know it was available on an Apple tablet yet...

I agree with you on the 2nd paragraph though.
 