Not necessarily. The material will also count because the sensor is not based on optical fingerprint imaging.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)
- Thread starter MacRumors
- Start date
- Sort by reaction score
Not necessarily. The material will also count because the sensor is not based on optical fingerprint imaging.
It seems a reasonable suspicion, but if you look at the fingerprint enrollment screen you can see the text:
Fingerabdrücke:
Fingerabdruck hinzufügen...
Which means:
Fingerprints:
Add fingerprint...
Which suggests that had he enrolled fingerprints beforehand, they would have shown up under "Fingerabdrücke," which they do not, so it seems that Sir Shakesalot took a fresh configuration, enrolled his fingerprint and spoofed it directly thereafter.
Edit: When he's done enrolling his fingerprint you can see:
Fingerabdrücke:
Finger 1
Fingerabdruck hinzufügen...
Fingerprints:
Finger 1
Add fingerprint...
So yea, it was a fresh enrollment with no other fingerprints.
Last edited:
Not a new problem
I passed my Masters degree in IT back in 2005. One module on security covered off biometrics. Things may have moved forward a little, but not that much. It was possible then, and I think still is, to defeat a fingerprint reader with something you can buy at the cake and baking section of your local supermarket for a couple of pence a sheet.
However, we have been told by Apple that their reader is also supposed to check that a real (live) finger has been used by using other technology that checks for the blood supply amongst other things. It appears that this is not the case.
I passed my Masters degree in IT back in 2005. One module on security covered off biometrics. Things may have moved forward a little, but not that much. It was possible then, and I think still is, to defeat a fingerprint reader with something you can buy at the cake and baking section of your local supermarket for a couple of pence a sheet.
However, we have been told by Apple that their reader is also supposed to check that a real (live) finger has been used by using other technology that checks for the blood supply amongst other things. It appears that this is not the case.
Well, beyond the latex and glue was a real live finger. Maybe it wouldn't have worked if he had put that spoofed fingerprint on a sausage or something.
He made the fake fingerprint to be moist (like real finger), plus wear the mold on his own finger to fool the scanning.
The test won't work in real life because you get 3 tries. After that the passcode kicks in.
During his test, he had to test and re-adjust his 2400dpi fingerprint image multiple times and print it out on 1200dpi printer. He didn't show that part. It's a boring, trial-and-error process.
Basically, he had to re-enter his passcode several times to continue to test when the earlier prints failed. Once he get the "perfect" result, he film the last part.
In reality, he needed the passcode _and_ the fingerprint to bypass the system.
I read the press release from ccc.de, didn't notice any mention of this. Where did you get this information?
Easiest way to illustrate this is to ask him to recreate the test with someone else's fingerprint from a mug or bottle. Not using his own finger and phone.
There is a $19,000 bounty !
Easiest way to illustrate this is to ask him to recreate the test with someone else's fingerprint from a mug or bottle. Not using his own finger and phone.
There is a $19,000 bounty !
Still, where did you read that it took multiple tries and passcode unlocks in order to get it to work just right?
Because if that's true, then this video is disingenuous, because it doesn't show that the phone would have locked itself down after several failed attempts.
Otherwise we have to assume that an experienced hacker could do this in short time without triggering the automatic passcode lock, or worse.
19000 is for a hack. This is not a hackEasiest way to illustrate this is to ask him to recreate the test with someone else's fingerprint from a mug or bottle. Not using his own finger and phone.
There is a $19,000 bounty !
The website has been updated to indicate that CCC will get the prize if they can reproduce it with a fingerprint from a bottle or cup (i.e., a live test case, not a lab one using his own finger).
Let's see if he take up the challenge. The thing is it needs to be done using a stranger's finger and phone. Not his friends' or his.
They should really send a crew down to film the entire process if they value their $19,000.
I played around with my friend's 5s for a short while. I triggered the passcode screen a few times.
When you reboot the phone to reset the state, you need to enter the passcode too.
Last edited:
First - What medication is this poor guy in need of to control his shakes?
Second - If someone wants to invest that much time and effort to get into MY iPhone - essentially being able to steal my photos, listen to my music and surf the web - please do.
Third - Even in this day and age of increased security apps but also increased by-passing of said apps, I'm kind of dumbfounded as to why people would keep sensitive information on a device that is much easier to lose or have stolen (iPhone/iPad/laptop).
Most people here aren't getting the big picture.
First of all, that guy is from the CCC, a very reputable organization in IT security. They're not the usual nerds that make these videos just for getting some youtube buzz.
The thing is:
Accessing secure systems usually requires one or more of the following facts to be met:
So the fingerprint reader on the new iPhone is a nice idea for conveniently unlocking your phone, but it's a security nightmare for anything else.
First of all, that guy is from the CCC, a very reputable organization in IT security. They're not the usual nerds that make these videos just for getting some youtube buzz.
The thing is:
- It's quite easy for an intruder to get your fingerprints, as you leave them hundreds of times each day on various items
- Fingerprint readers can get bypassed sooner or later. This has happened in the past and it will happen in the future. Apple might have used state of the art sensors and software, but they'll be bypassed as well.
- You can't change your fingerprints. Once they're known there's only the quality of the sensors between you and the intruder.
Accessing secure systems usually requires one or more of the following facts to be met:
- You know something that others don't know (i.e. a pin code, a password)
- You possess something that others don't possess (i.e. a chip card)
- Your body has a specific signature (fingerprint, retina, ...) that other's don't have (or at least it's very unlikely)
So the fingerprint reader on the new iPhone is a nice idea for conveniently unlocking your phone, but it's a security nightmare for anything else.
Well, most "high-tech" startups are usually good in claiming "most amazing stuff" while it is just well know stuff with a new fancy color paint and (good) marketing.
And just look at all this amazing software patents to get another good overview of that, ...
Well, 5s falls back on passcode if the fingerprint part failed.
Getting an average fingerprint for the attack may not be as easy as it sounds. Like I said, someone should organize a crew to film the entire process using a random test case.
It will be interesting to see how Apple address or tweak the system, if they bother to, that is.
Would you call a fingerprint scanner non-secure if it recognises a fingerprint off a sheet of paper that needs to be moist and what not?
This is not a security flaw, or a bypass. This is deliberate fooling and as is apparent, requires the original fingerprint in the first case and then trying to make the scanner believe it is the original user.
Under normal circumstances, a user concerned with security would already have remote wiped the device before the thief would get an opportunity to prepare a finger to fool the device.
This is not a security flaw, or a bypass. This is deliberate fooling and as is apparent, requires the original fingerprint in the first case and then trying to make the scanner believe it is the original user.
Under normal circumstances, a user concerned with security would already have remote wiped the device before the thief would get an opportunity to prepare a finger to fool the device.
Last edited:
Everything you, me, and everyone else on MacRumors says about this video is pure speculation at this point. So chill out. As more information becomes available we will all be able to make a more accurate judgement. The video could easily be a complete fake, or as you say, Apple is B/S...ing about the sub dermal layer scanning. No one, not even you, knows the real story at this time.
Yeah... the real test should be an anonymous "daily accessible" (read: average quality) fingerprint. And then 3 blind tests on the target phone when the fake fingerprint is ready.
If he can do it like in the video with his own finger, he can do it with prints virtually from anywhere. The only thing is the access to the technology to obtain the prints like commonly seen in forensic departments. The question is, whether cost and efforts worth $19,000 bounty ? Plus the int'l spotlight, yes maybe.
Not necessarily. Getting pristine fingerprint of his own fingers in a lab environment is easy.
Well maybe he's referring to this: http://mashable.com/2013/09/23/lock...Partial&utm_medium=feed&utm_source=feedburner - you dirty.