This is not military grade hardware for heaven's sake, it's just a simpler way to access your iPhone and to quickly verify your ID for payments. Someone could just as easily break your password. Look how easy it is for criminals to clone your credit card. I think Touch ID is a great idea but it's never going to be perfect.
 
Let's say that the video is true, let's say that this is actually a way to get through the security...

Umm, where's the practicality in this? I've never seen any thread/post anywhere saying someone's phone was taken from them forcefully. So if the phone is stolen in ANY other fashion this method is rendered useless.

Now should the spouse of an other-than-honest hubby or wifey happen to grab the phone while the other is knocked out, well then I don't think a stolen phone will be the issue..:eek:
 
Am I the only person that saw this sensor as a novelty, that will save me time when say, at the gym and I don't want to keep tapping in my passcode in order to see the rest of my sets etc? Seriously, who has information on their phone that is THAT important? If they do, then get some military grade security, or, better yet, don't hold that **** on your phone!

The only thing that people should care about, is the ability to copy the print out of the chip. Even if this is possible (with some serious skills) then it shouldn't be a biggy to 99.99999 percent of people. As nobody is going to go through all of that effort, to get some unimportant guy's fingerprint.

So, in conclusion, be scared if you're in any government organisation etc, and have ****** consumer security on your phone (that shouldn't hold any sensitive information anyway).
 
The website has been updated to indicate that CCC will get the prize if they can reproduce it with a fingerprint from a bottle or cup (i.e., a live test case, not a lab one using his own finger).

Let's see if he takes up the challenge. The thing is it needs to be done using a stranger's finger and phone. Not his friends' or his.

They should really send a crew down to film the entire process if they value their $19,000.



I played around with my friend's 5s for a short while. I triggered the passcode screen a few times.

When you reboot the phone to reset the state, you need to enter the passcode too.

Yeah, ok, but that doesn't mean that the guy in the video had to try multiple times.

If an experienced hacker had to try multiple times to get the fingerprint juuust right, then the video can be discounted, but if we're to believe that he made a fake fingerprint and it worked right away, then there's trouble.
 
Piece of cake, a 2400 dpi picture of your finger!

On one hand you will take the picture of the fingerprint at 2400 dpi... If you need to ask the iPhone owner to let you take that picture of his finger because you want to use it to get his fingerprint and gain access to his iPhone... you better ask (or force) him directly to put his finger on the iPhone's menu button!!

On the other hand: What's wrong with the guy in the video?? His shaky hand indicates that he has SERIOUS problems!!
 
This is not military grade hardware for heaven's sake...

Why do people throw the phrase "military grade" around like that? Like it actually means something desirable? Have you actually seen what passes for "military grade" hardware? You'd be shocked to know that the high-end encrypted digital communication systems used by the U.S. military were built in the 80's, and definitely look the part. "Military grade" means, to someone with actual experience, "bulky, old and outdated by several decades."
 
  • You can't change your fingerprints.

Yes you can.

Unless you're talking about the situation where you enroll a finger, the fingerprint gets lifted and your phone gets stolen... then you can't change your fingerprint on the phone (because you don't have it). Otherwise, if your fingerprints are known (to hackers, law enforcement agencies, whatever...), you can change them.
 
Yeah, ok, but that doesn't mean that the guy in the video had to try multiple times.

If an experienced hacker had to try multiple times to get the fingerprint juuust right, then the video can be discounted, but if we're to believe that he made a fake fingerprint and it worked right away, then there's trouble.

He also didn't say whether he only tried once. The article mentioned they have to clean up the fingerprint (How clean is good enough or too clean ?).

The test is not realistic to begin with.

Given a bottle covered with fingerprints. How does the attacker know which finger the user uses to unlock his or her phone ? I would only register one.

That's one out of ten possibilities right away.

Then assuming he guessed the right finger to use, he has to create a pristine fingerprint mold that works *just right* to prevent triggering the passcode.


Like I said, it's easy to break your own password or fingerprint because you already have access to everything you need/know. Not so simple for a live case for a random phone.

EDIT:
If I were Apple, I would tune the sensor to increase its sensitivity after every failure. i.e., After the initial scan failure, take slightly more time to take a better second scan, so on and so forth, until the passcode is triggered.
 
Under normal circumstances, a user concerned with security would already have remote wiped the device before the thief would get an opportunity to prepare a finger to fool the device.

Hate to be "that guy," but if the phone has control center access from the lock screen enabled, then you can just enable airplane mode and work on the phone without it being remotely wiped.

But yeah, if you're concerned about security, then you'd disable the control center from the lock screen.
 
  • It's quite easy for an intruder to get your fingerprints, as you leave them hundreds of times each day on various items

CCC didn't get fingerprints from various items. They got a fingerprint from a beer bottle that was part of this experiment. It was a controlled environment. This was basically a lab experiment.

I guess I'm having a hard time imagining the real-world implications.

Gangs of thieves who not only steal iPhones... but they follow you around and also steal water glasses from restaurants and any doorknobs you've touched? Or any of the hundreds of other items you've touched during the day?

I mean... I guess it could happen.
 
Touch ID does not scan the picture!

Haven't read through all the comments, but I'm sure it was mentioned - the Touch ID scanner does not scan the image. Educate yourself a little bit before jumping into the discussion. Anandtech for example has a really good overview of how the technology works:
"The hardware is pretty simple to understand. Touch ID is a capacitive fingerprint sensor embedded behind a sapphire crystal cover. The sensor works by forming a capacitor with your finger/thumb. The sensor applies a voltage to one plate of a capacitor, using your finger as the other plate. The resulting electric field between your dermis (layer right below your outward facing skin) and the Touch ID sensor maps out the ridges and valleys of your fingerprint. Because the data that’s being stored is somewhat sub-epidermal, dirt and superficial damage to your finger shouldn’t render Touch ID inoperable (although admittedly I didn’t try cutting any of my fingers to test this theory). The map is recorded (and not an image of your finger) and stored in some secure memory on the A7 SoC itself. The data is stored in an encrypted form and is never uploaded to iCloud or stored anywhere other than on your A7 SoC."
Hence you can't use an image of a fingerprint or a cut-out finger - no electricity, no scan. The only thing that video shows is that the Touch ID scanner works really well even if you have a layer of material between your finger and the scanner.
 
This is not military grade hardware for heaven's sake, it's just a simpler way to access your iPhone and to quickly verify your ID for payments. Someone could just as easily break your password. Look how easy it is for criminals to clone your credit card. I think Touch ID is a great idea but it's never going to be perfect.

True. But it does mean that for other applications where security is important, like in medicine, that more has to be known before relying on Touch ID.
 
He also didn't say whether he only tried once. The article mentioned they have to clean up the fingerprint (How clean is good enough or too clean ?).

The test is not realistic to begin with.

Given a bottle covered with fingerprints. How does the attacker know which finger the user uses to unlock his or her phone? I would only register one.

That's one out of ten possibilities right away.

Then assuming he guessed the right finger to use, he has to create a pristine fingerprint mold that works *just right* to prevent triggering the passcode.

Those are valid points, of course. Is it reasonable to lift a fingerprint from a bottle or a glass or the phone's screen, or do you need a perfectly flat piece of glass and a perfect print? How reasonable is it to expect that a perfect print gets lifted from something you've touched?

And of course, if you do have a perfect print, does it take multiple tries to get it to work right, or can you rely on this print transfer process to do it right every time?

There's just not enough information from the CCC one way or the other, so we're left relying on the video for evidence.

I was really hoping you could cite the information that they had to try multiple times, though.
 
True. But it does mean that for other applications where security is important, like in medicine, that more has to be known before relying on Touch ID.

For really secure applications, they would have multiple factor authentication, of which fingerprint can be one of them.

In iPhone 5s, if the system suspects foul play, it will ask for passcode as well. That is essentially a second factor.




----------

Those are valid points, of course. Is it reasonable to lift a fingerprint from a bottle or a glass or the phone's screen, or do you need a perfectly flat piece of glass and a perfect print? How reasonable is it to expect that a perfect print gets lifted from something you've touched?

And of course, if you do have a perfect print, does it take multiple tries to get it to work right, or can you rely on this print transfer process to do it right every time?

It will depend on experiences, the victim and the sensor (How moist ? how much clean up needed for the stolen fingerprint ? which finger ? what material ?)

There's just not enough information from the CCC one way or the other, so we're left relying on the video for evidence.

Nope. When you don't have enough info to decide one way or another, it means you can't trust the video either.

I was really hoping you could cite the information that they had to try multiple times, though.

It's inferred from my own experiences playing with 5s, and also from their article that mentioned "clean up". Their article also didn't mention they get it right the first time. They would have bragged about it if it's a "hole in one".

He can verify his changes with his finger repeatedly until he gets it right.


Come to think of it, the beer bottle may have someone else's (e.g., the bartender's, the waiter's or spouse's) fingerprints.
 
Hate to be "that guy," but if the phone has control center access from the lock screen enabled, then you can just enable airplane mode and work on the phone without it being remotely wiped.

But yeah, if you're concerned about security, then you'd disable the control center from the lock screen.

I haven't heard a definitive answer on what happens when Airplane Mode is activated or if you pull out the SIM.

After you lose your phone... you would start Find My iPhone and put your phone into "Lost Mode"

So what happens when the thief turns off Airplane Mode or they insert a new SIM?

I'm guessing the moment your phone reaches the network... it goes back into "Lost Mode"

The whole point of Activation Lock is that your phone is tied to your AppleID and password. If there's any funny business... it will ask for your ID and password.

Basically... it makes your iPhone useless to a thief.
 
Why did he show us enrolling his forefinger in the first place? Does he think we don't know that it's possible to enroll more than only one finger? As long as I don't see any proof I consider this as a fake.
 
not sure how safe Touch ID really is...

It's crazy, because the Touch ID actually works with your knuckle also! lol as seen here: http://VaultFeed.com/iphone-fingerprint-reader-your-knuckle-works-touch-id/ And honestly, if a knuckle can be "knuckle-printed," it might not be as secure. I didn't think that a knuckle could actually be used for a "print" but it can as seen here http://VaultFeed.com/iphone-fingerprint-reader-your-knuckle-works-touch-id/

Not sure how secure Touch ID is now that I've seen both this hacking video and knuckles and the cat Touch ID video also by TechCrunch. Also the news that your finger can be used while you're sleeping. I'm not sure how good this is as said here: http://VaultFeed.com/touch-id-on-iphone-5s-works-a-sleeping-finger-and-a-cat/

You might need an iNeckless also lol...
 
It will work as long as it's unique.

In fact, using knuckle -- if it worked for you -- may throw off the attacker because he or she may use up all 3 attempts trying to fake your fingerprints to no avail.
 
CCC didn't get fingerprints from various items. They got a fingerprint from a beer bottle that was part of this experiment. It was a controlled environment. This was basically a lab experiment.

I guess I'm having a hard time imagining the real-world implications.

Gangs of thieves who not only steal iPhones... but they follow you around and also steal water glasses from restaurants and any doorknobs you've touched? Or any of the hundreds of other items you've touched during the day?

I mean... I guess it could happen.

All the people here with this kind of argumentation do not really get the point of the whole thing.
No one denies that the possibility of random people stealing your phone on the street and in addition being able to obtain your fingerprint is very low. But because that's the case, you shouldn't deny that it seems that the fingerprint sensor in general is not as secure as Apple claims it to be.
What the Chaos Computer Club proves is that, for someone in a more controlled environment, let's say someone you know and/or for someone who has a certain interest in breaking into your phone, the fingerprint sensor is not a secure method to stop him.
You can argue that you don't care about this fact, but as I said, you shouldn't deny it though...
 
I don't see Apple claiming that the fingerprint sensor is very secure. Is there a published security rating on their website or marketing material ?

For someone who knows you, the pin code is easier to crack. My 7 year old already stole 5-6 of my pin codes. Sometimes, he caught me keying my code bit by bit, sometimes he guessed part of it too.

The thing is: I don't think this video shows that the fingerprint security is weak. It just shows that if you know enough about yourself, and you ignore/know the pin code too, you can crack your own fingerprint.

It doesn't necessarily mean it will be a cake walk to bypass everyone else's fingerprint security.
 
Just so you guys know


After 3 fingerprint read fails it brings up the passcode screen; you can relock and try again ... 3 more times (or if you try then lock you still only get 6 total chances).

then it locks out the fingerprint scanner and you must enter the passcode.

this makes a thief attempting to break in with a faked finger print have few chances to get it right ...

out of 10 fingers they have to guess the proper one and then have a good copy of it that works within 6 tries...


So yes this "hack" works but Apple has made it tougher for them to pull off.
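
The attempt-limiting behaviour described in the post above, sketched as a small state machine. This is an added example, not part of the original thread and not Apple's code: the class and method names are hypothetical, the limits (3 per round, 6 in total) are the poster's observations, and the reboot rule comes from an earlier post in the thread.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    UNLOCKED = "unlocked"
    RETRY = "retry"                      # bad read, sensor still armed
    PASSCODE_PROMPT = "passcode_prompt"  # passcode screen shown; relock re-arms the sensor
    PASSCODE_ONLY = "passcode_only"      # sensor disabled until the passcode is entered


@dataclass
class BiometricGate:
    # Limits as reported in the thread (assumed, not documented vendor values).
    per_round: int = 3
    total: int = 6
    round_fails: int = 0
    total_fails: int = 0
    prompt_shown: bool = False
    passcode_required: bool = False

    def present_finger(self, matches: bool) -> Result:
        if self.passcode_required:
            return Result.PASSCODE_ONLY
        if self.prompt_shown:
            return Result.PASSCODE_PROMPT
        if matches:
            self.round_fails = self.total_fails = 0
            return Result.UNLOCKED
        self.round_fails += 1
        self.total_fails += 1
        if self.total_fails >= self.total:
            self.passcode_required = True
            return Result.PASSCODE_ONLY
        if self.round_fails >= self.per_round:
            self.prompt_shown = True
            return Result.PASSCODE_PROMPT
        return Result.RETRY

    def relock(self) -> None:
        # Relocking dismisses the prompt but must NOT reset the running total.
        self.prompt_shown = False
        self.round_fails = 0

    def reboot(self) -> None:
        # A reboot always demands the passcode before the sensor is trusted again.
        self.passcode_required = True

    def enter_passcode(self, correct: bool) -> Result:
        if not correct:
            return Result.PASSCODE_ONLY if self.passcode_required else Result.PASSCODE_PROMPT
        self.round_fails = self.total_fails = 0
        self.prompt_shown = self.passcode_required = False
        return Result.UNLOCKED
```

The design point is that only a correct passcode (or, in this model, a genuine match) clears `total_fails`; relocking clears the per-round count alone, so lock/unlock cycling cannot buy more than six reads.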
 
Yes you can.

Unless you're talking about the situation where you enroll a finger, the fingerprint gets lifted and your phone gets stolen... then you can't change your fingerprint on the phone (because you don't have it). Otherwise, if your fingerprints are known (to hackers, law enforcement agencies, whatever...), you can change them.

No, you can't change your own biometric features. That's the whole point of it I guess. Changing your fingerprints would mean to change your finger (or cut it until it's not recognizable any more).
 
So basically, you need a few thousand dollars, knowledge, and time to break into the device. Yes, this seems like a real threat for 99.5% of people :rolleyes:

Unless you can place someone else's thumb and get through, Touch ID works. Apple designed this for consumers, not to protect the country's nuclear facilities

A few thousand dollars? For what? For a digicam, a laser printer and a bit of glue? Yeah sure! You didn't understand how easy it is, did you?

They take a photo of a fingerprint, refine it, print it, put the glue on it. Done!
Takes only a few minutes.

See it in Action here! -> https://www.youtube.com/watch?v=OPtzRQNHzl0
 
Everything you, me, and everyone else on MacRumors says about this video is pure speculation at this point. So chill out.

Chill out? I simply commented; perhaps tell this to the person accusing others?



As more information becomes available we will all be able to make a more accurate judgement. The video could easily be a complete fake, or as you say, Apple is B/S...ing about the sub dermal layer scanning. No one, not even you, knows the real story at this time. ;)

Speculation? Fake? Do you know CCC?

This isn't a fake if you are hoping for this.

What's the actual issue? That a company has inflated its specs? Why do people seem always so protective of the brand they happen to like.
 