Was it 6 to totally lock out the fingerprint scanner ? I only remember it asked for my friend's passcode after 3 times. But I guess you're right.
Will be interesting to see how Apple address the challenge.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)
- Thread starter MacRumors
- Start date
- Sort by reaction score
Was it 6 to totally lock out the fingerprint scanner ? I only remember it asked for my friend's passcode after 3 times. But I guess you're right.
Will be interesting to see how Apple address the challenge.
yup 6 max for total lock out of the scanner.
3 n a row will bring up the code screen but you can put it back to sleep and try again.
tested with my 5s
CCC's article sounds pretty strong in opinion too after they have shown one success case using the attacker's own fingerprint.
5s uses a mix of passcode and fingerprint security. It's not a fingerprint-only system. I was disappointed at first after toying with my friend's unit. But now, I guess Apple made the right call to introduce passcode checking.
I am interested to see what and how Apple can tweak to vary the sensor's capability. Best case is probably for them to visit CCC, walkthrough their methods to establish the risk, and come up with a solution -- if necessary.
----------
Thanks ! Mine will arrive in October. :-(
i see someone hasn't passed their 3rd grade math exam yet....
I see someone didn't complete their spelling and grammar test correctly.
Not entirely useless, they can easily sell the phone for spares on ebay, you still get a decent return on a non functioning iPhone
For all the people who are decrying that this is a failure- what do your homes look like? Do you have protective walls, industry grade security systems, guard dogs, etc.? If not, a thief *could* get in in. At what point do you decide that your home is secure enough that it is not worth adding additional effort to yourself, detracting from your home's look, and paying for the additional security? The fingerprint technology here is an improvement- an additional barrier that improves security. Nothing is foolproof.
We have to decide when purchasing our devices what level of security is worth achieving. I would say the threat to an iPhone could be described in three levels:
A) A specific, concentrated attack against the specific user. This could mean having valuable government or corporate secrets on the phone, or it could mean the type of thing like a crazy ex or legitimate spouse checking into cheating (don't really feel sorry for you there).
B) Organized crime. Not "the mob" but a group of criminals that could pool their resources to have the types of technology like dedicated fingerprint scanners and printers described above and the time to dedicate to such an attack.
C) The common thief
The iphone does a pretty good job of protecting somewhere between a B and C level of threat.
The iPhone is in no way designed to defend against an A level of attack. If someone tracked your movements, had access to several areas where your print could be found, was a government or corporation bent on stealing your secrets, etc., I think it is safe to say they could get into your phone, fingerprint sensor or otherwise. If not, they would try your home instead.
The B level is the critical point, and more questions need to be answered now. The attack shown is an interesting proof of concept, but as I see it, its no worse off than a passcode. I don't think it would be too easy to get the detailed scan described above from an unwilling source. An organized group could develop a mini fingerprint scanner and could force it on someone in a dark alley, but that is already more difficult than just swiping a phone off someone. Again, if you could force someone to provide a scan of their fingerprint, you could force them to give you their passcode just as easily. If you think you have something on your phone that is worth the risk of death or torture, see threat level A and get a different security plan.
The next logical and important step is to see exactly how difficult it is to infiltrate a phone using prints typically found on the device. Specifically, we need to see:
A) Could a print found on a device be used to unlock the device?
B) How likely is it that a good enough print can be found on a random device?
C) How long would the process take per phone?
With that info, we could gauge the real practical benefit of the fingerprint scanner. If one in two devices has a good print and it takes an hour with a do-it-yourself kit to unlock a phone, then you might face B and even C level threats. If one in five devices has a good print and it takes four hours per phone, then only a really sophisticated, well-organized B-level threat might be able to do this on a financially viable manner by stealing several phones and trying this multiple times and breaking enough devices to make a profit. And they would have to be interested specifically in data mining the target- not just selling the device, which would likely mean a different operation altogether. If it is more difficult, it would likely not worth the effort at all. Keep in mind that the phone won't accept fingerprints after a certain amount of time as well.
So, lets see that next experiment. Its good to be cautious, but I'm hopeful that while the fingerprint scanner is not perfect like any other secure device, it is likely that it will be so difficult to break that it won't be worth it for even organized criminals.
We have to decide when purchasing our devices what level of security is worth achieving. I would say the threat to an iPhone could be described in three levels:
A) A specific, concentrated attack against the specific user. This could mean having valuable government or corporate secrets on the phone, or it could mean the type of thing like a crazy ex or legitimate spouse checking into cheating (don't really feel sorry for you there).
B) Organized crime. Not "the mob" but a group of criminals that could pool their resources to have the types of technology like dedicated fingerprint scanners and printers described above and the time to dedicate to such an attack.
C) The common thief
The iphone does a pretty good job of protecting somewhere between a B and C level of threat.
The iPhone is in no way designed to defend against an A level of attack. If someone tracked your movements, had access to several areas where your print could be found, was a government or corporation bent on stealing your secrets, etc., I think it is safe to say they could get into your phone, fingerprint sensor or otherwise. If not, they would try your home instead.
The B level is the critical point, and more questions need to be answered now. The attack shown is an interesting proof of concept, but as I see it, its no worse off than a passcode. I don't think it would be too easy to get the detailed scan described above from an unwilling source. An organized group could develop a mini fingerprint scanner and could force it on someone in a dark alley, but that is already more difficult than just swiping a phone off someone. Again, if you could force someone to provide a scan of their fingerprint, you could force them to give you their passcode just as easily. If you think you have something on your phone that is worth the risk of death or torture, see threat level A and get a different security plan.
The next logical and important step is to see exactly how difficult it is to infiltrate a phone using prints typically found on the device. Specifically, we need to see:
A) Could a print found on a device be used to unlock the device?
B) How likely is it that a good enough print can be found on a random device?
C) How long would the process take per phone?
With that info, we could gauge the real practical benefit of the fingerprint scanner. If one in two devices has a good print and it takes an hour with a do-it-yourself kit to unlock a phone, then you might face B and even C level threats. If one in five devices has a good print and it takes four hours per phone, then only a really sophisticated, well-organized B-level threat might be able to do this on a financially viable manner by stealing several phones and trying this multiple times and breaking enough devices to make a profit. And they would have to be interested specifically in data mining the target- not just selling the device, which would likely mean a different operation altogether. If it is more difficult, it would likely not worth the effort at all. Keep in mind that the phone won't accept fingerprints after a certain amount of time as well.
So, lets see that next experiment. Its good to be cautious, but I'm hopeful that while the fingerprint scanner is not perfect like any other secure device, it is likely that it will be so difficult to break that it won't be worth it for even organized criminals.
When you watch him start the enroll process, there are no fingerprints listed. When he finishes the enroll process, there's one fingerprint listed.
Ergo, he did not enroll any other fingerprints.
Getting own fingerprint or from finger directly is straight forward. But getting fingerprint that was left on daily items (cups etc) including his own is trivial if you don't have access to the technology or the device needed to obtain it and is not accessible by everybody, ain't cheap too.
Actually if you restart the device it wont show.. This would be hArd to believe untill its verified by a Real security organization..
In which case the thief will not bother with bypassing TouchID or any other security measures.
____________
I lost a bet with my colleague (we all work on a biometrics company): I said it
would take a week for such a video to surface, and he bet on two days.
Yes, it's tough to reproduce, requires a lot of knowledge, and the technique is quite refined, yadda, yadda, yadda. But people repeating this are missing some very important points:
1. Easy or difficult, it's possible: TouchID has been bypassed, and it's not as secure as Apple claimed (subskin scanning? Rubbish).
2. Hackers from around the world now have an extra incentive to make this easier, now that it has been proved to be possible. And of course that's how things go nwhen it comes to technology: it starts cumbersome, difficult, available only to the initiated, and then gets easier and easier, spreading to anyone curious enough to care.
3. Passcodes didn't cut it before, and certainly won't be the solution now. If TouchID has been breached, one cannot count on one's four digit passcode.
4. It's not just information that is at risk: I can purchase lots of stuff from Apple with my fingerprint, so there is a potential for large financial loss if someone with this knowledge gets hold of my phone.
That said, I still believe TouchID to be a good solution, that will improve the security of about 99.99% of the general population.
One way to mitigate the risk of having your fingerprint lifted by a thief is to use your knuckle instead of your fingertip. Typically a knuckle can yield the necessary biometric minutiae for a biometric template, and one doesn't leave nearly as many knuckle prints around.
This was expected to happen, but what too many people think is not correct.
This only allows a hacker access to the Phone. You might even use it to buy stuff in the apple-store but then linked to the owner of the iPhone. So a thief cannot buy stuff on your account for his own usage.
The iPhone will still ask for the passcode (after powerdown). And you cannot reset the passcode with the touch-id. So a thief will still need to find out your passcode to make it usable.
Further if you activate find-my-iphone, this is linked to your apple-id with PW. You cannot disable find-my-iphone, wipe or reset the iphone without the apple-id/pw combination. The original owner will still be able to reset the iPhone. So this hack does not help anymone in stealing the iphone. It will gives you access to the Email, texts, contacts and all other personal data of the user though.
This only allows a hacker access to the Phone. You might even use it to buy stuff in the apple-store but then linked to the owner of the iPhone. So a thief cannot buy stuff on your account for his own usage.
The iPhone will still ask for the passcode (after powerdown). And you cannot reset the passcode with the touch-id. So a thief will still need to find out your passcode to make it usable.
Further if you activate find-my-iphone, this is linked to your apple-id with PW. You cannot disable find-my-iphone, wipe or reset the iphone without the apple-id/pw combination. The original owner will still be able to reset the iPhone. So this hack does not help anymone in stealing the iphone. It will gives you access to the Email, texts, contacts and all other personal data of the user though.
Amazed at how many responses this thread has attracted on a weekend.
Ultimately, that was A LOT of work for for CCC to do to unlock the phone. In real life terms it doesn't seem all that practical unless a government or business is allowing employees to store top secrets on their phone -- even then its a special circumstance. Most people don't have valuable info on their phone & too complicated for a run of the mill mugger (unless you believe CSI is real, not drama).
Ultimately, that was A LOT of work for for CCC to do to unlock the phone. In real life terms it doesn't seem all that practical unless a government or business is allowing employees to store top secrets on their phone -- even then its a special circumstance. Most people don't have valuable info on their phone & too complicated for a run of the mill mugger (unless you believe CSI is real, not drama).
I get the point of the whole thing. Fingerprint sensors can be faked... if you take the time to do it. I acknowledge that.
It's not easy or quick... but it is possible under the right circumstances with the right equipment. Apple's fingerprint sensor can be fooled.
You said the fingerprint sensor is not a secure way to stop someone from unlocking the phone.
Guess what... I can unlock my friends' phone by spying on their 4-digit pass codes. I see them type their codes all the time. If I wanted to... I can be in and out of their phones in 30 seconds. That's not a secure method at all.
Or... I can get a highDPI scanner or camera, super glue, latex, wood glue, etc. It would take hours... assuming I could even get a good fingerprint from him in the first place. But the German's proved it's possible.
Both of those methods can be cracked... so neither can be considered "secure"
So now what?
shaky fingers, makes this video extra creepy.
He could have Parkinsons, who knows?
lol, what's next? will they announce they are able to hack into the CIA using quantum computing?
so hackers have been waiting for apple to release such a feature before making the process easier? phew, and i thought the use of fingerprints in various security services and banks would have done it years ago
People do this... Disable the control center from the lock screen.
Then:
If your phone is ever stolen:
1. The time it takes for them to reproduce your fingerprint would give you all the time you need to do a lock on your phone with findmyiphone app, and or trace it.
2. Without the control center, they cannot airplane mode. (yes they can pull the sim but I am not sure what happens at that point. Someone should try it)
If they power down the device, a reboot requires the pin code, not a fingerprint.
3. When they try to wipe the device it will require your apple id and password.
Pretty secure to me!
Then:
If your phone is ever stolen:
1. The time it takes for them to reproduce your fingerprint would give you all the time you need to do a lock on your phone with findmyiphone app, and or trace it.
2. Without the control center, they cannot airplane mode. (yes they can pull the sim but I am not sure what happens at that point. Someone should try it)
If they power down the device, a reboot requires the pin code, not a fingerprint.
3. When they try to wipe the device it will require your apple id and password.
Pretty secure to me!
Stopped reading there. Many here are not making boastful claims in the media about how awesomely impenetrable our homes are. We are not holding press conferences touting our home's security. We are not selling the privilege of enjoying our home environment, in a mobile device for a $1K. Big difference.
Oh, what about the "take an image of your finger from the subepidermal layers of your skin" - http://www.apple.com/iphone-5s/videos/#video-touch It's NOT supposed to be a simple picture, it's supposed to do MORE than simply take a picture.
On Apple's support site... iPhone 5s: About Touch ID security
"Touch ID uses all of this to provide an accurate match and a very high level of security."
There was a famous paper back in 2000 that outlined how easy it was to fool fingerprint sensors of almost any type. Interested people should take the time to skim it:
http://cryptome.org/fake-prints.htm
AFAIK, Apple never said that it required a live finger or that it checked for a heartbeat or anything like that.
Such claims came from the usual internet "tech sites" and echo chamber, and from misreadings. Yes, the sensor can read into live tissue. No, that does not mean it requires it. "Can" does not mean "must".
not use fingertip?!
What would happen if you do not use a fingertip to unlock your phone, but say some spot on the palm of your hand?
I would try it, but my ip5s hasn't arrived yet.
Some thoughts about this...
- Is it possible at all?
if so:
- it should be much harder for someone to get a sufficient print of your whole hand
- and just for the sake of argument:
if someone has a good enough print of your hand, he still does not know the exact spot your are using...
This might be a method for the special agents amongst us to hide their vital secrets.
What would happen if you do not use a fingertip to unlock your phone, but say some spot on the palm of your hand?
I would try it, but my ip5s hasn't arrived yet.
Some thoughts about this...
- Is it possible at all?
if so:
- it should be much harder for someone to get a sufficient print of your whole hand
- and just for the sake of argument:
if someone has a good enough print of your hand, he still does not know the exact spot your are using...
This might be a method for the special agents amongst us to hide their vital secrets.