Using a 4 digit pin number? That can be cracked in a couple hours so don't even try it!
couple of hours, you say
let's see
for 4 digit pin we have 10000 combination
you can make only 3 mistakes, after that you have to wait for 5 min i think
so at very least it will take around 6 min for 3 attempts, max time
around 20000 min = 333 hours, ok 300 hours
so good luck with that

You have the wrong assumptions here. There is forensic software that allows you to crack the passcode offline, preventing the phone from erasing itself after 10 attempts. The only real limitation is that the keys are stored within hardware, which purposefully limits you to one guess every three seconds. For an alphanumeric password, this can take a very long time. But if you do the math, a 4 digit pin can be cracked very fast.
 
On Apple's support site... iPhone 5s: About Touch ID security

"Touch ID uses all of this to provide an accurate match and a very high level of security."

The full description is here:

The technology within Touch ID is some of the most advanced hardware and software we've put in any device. To fit within the Home button, the Touch ID sensor is only 170 microns thin, not much thicker than a human hair. This high-resolution 500 ppi sensor can read extremely fine details of your fingerprint. The button itself is made from sapphire crystal—one of the clearest, hardest materials available. This protects the sensor and acts as a lens to precisely focus it on your finger. The steel ring surrounding the button detects your finger and tells Touch ID to start reading your fingerprint. The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. Touch ID then intelligently analyzes this information with a remarkable degree of detail and precision. It categorizes your fingerprint as one of three basic types—arch, loop, or whorl. It also maps out individual details in the ridges that are smaller than the human eye can see and even inspects minor variations in ridge direction caused by pores and edge structures. Touch ID can even read multiple fingerprints, and it can read fingerprints in 360-degrees of orientation. It then creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your iPhone. Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerprint data to improve matching accuracy over time. Touch ID uses all of this to provide an accurate match and a very high level of security.

Security safeguards

Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode. Although some passcodes, like "1234", may be more easily guessed, there is no such thing as an easily guessable fingerprint pattern. Instead, the 1 in 50,000 probability means it requires trying up to 50,000 different fingerprints until potentially finding a random match. But Touch ID only allows five unsuccessful fingerprint match attempts before you must enter your passcode, and you cannot proceed until doing so.

To configure Touch ID, you must first set up a passcode. Touch ID is designed to minimize the input of your passcode; but your passcode will be needed for additional security validation, such as:

After restarting your iPhone 5s
When more than 48 hours have elapsed from the last time you unlocked your iPhone 5s
To enter the Passcode & Fingerprint setting

Since security is only as secure as its weakest point, you can choose to increase the security of a 4-digit passcode by using a complex alphanumeric passcode. To do this, go to Settings > General > Passcode & Fingerprint and turn Simple Passcode off. This will allow you to create a longer, more complex passcode that is inherently more secure. Security is further strengthened by using a mixture of uppercase and lowercase letters, numbers, and symbols.

You can also use Touch ID instead of entering your Apple ID password to purchase content from the iTunes Store, App Store, and iBooks Store. You will be asked to scan your fingerprint with each purchase. If Touch ID does not recognize your finger, you'll be asked to try again. After five failed attempts, you'll be given the option of entering your Apple ID password. In addition, you will need to enter your Apple ID password after:

Restarting your iPhone 5s
Enrolling or deleting fingers

In this context, the fingerprint method is indeed more secure than the pass code.

The attacker has 5 unsuccessful attempts, not 6, before the second factor kicks in. Before working on the fingerprint, the cracker also needs to identify what exactly was used to unlock the phone, which finger or other body parts. Or he will waste his chances.

There was a famous paper back in 2000 that outlined how easy it was to fool fingerprint sensors of almost any type. Interested people should take the time to skim it:

http://cryptome.org/fake-prints.htm



AFAIK, Apple never said that it required a live finger or that it checked for a heartbeat or anything like that.

Such claims came from the usual internet "tech sites" and echo chamber, and from misreadings. Yes, the sensor can read into live tissue. No, that does not mean it requires it. "Can" does not mean "must".

It is possible that the sensor checks for moisture level. That's why the cracker needed to keep his mold moist. He may need to try a few times how moist to make the print though. It is different for different people.

Passwords can also be cracked rather easily these days. They don't even need anything from you.
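The arithmetic argued over in the posts above, as an added example that is not part of any post: it takes the thread's quoted figures (one guess every three seconds, three tries per roughly six minutes, a 1 in 50,000 false match with five attempts) as given and compares passcode policies. The 6-digit and alphanumeric policies are constructed for comparison.

```python
"""Added example: compare unlock policies using only figures quoted in this thread."""
from dataclasses import dataclass
from math import ceil

SECONDS_PER_GUESS = 3.0        # hardware-enforced delay claimed in the thread
FALSE_MATCH_RATE = 1 / 50_000  # per-attempt Touch ID figure from the quoted support text
TOUCH_ID_ATTEMPTS = 5          # attempts before the passcode is required (same text)


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length


# Constructed policies; only the 4-digit PIN is discussed in the thread.
PIN4 = PasscodePolicy("4-digit PIN", 10, 4)
PIN6 = PasscodePolicy("6-digit PIN", 10, 6)
ALNUM6 = PasscodePolicy("6-char mixed-case alphanumeric", 62, 6)


def worst_case_seconds(policy, seconds_per_guess=SECONDS_PER_GUESS):
    """Time to exhaust the whole keyspace at a fixed per-guess delay."""
    return policy.keyspace * seconds_per_guess


def expected_seconds(policy, seconds_per_guess=SECONDS_PER_GUESS):
    """Mean time for a uniformly random passcode: (N + 1) / 2 guesses."""
    return (policy.keyspace + 1) / 2 * seconds_per_guess


def lockout_worst_case_seconds(policy, tries_per_batch=3, batch_seconds=6 * 60):
    """On-device model assumed in the first reply: 3 tries cost about 6 minutes."""
    return ceil(policy.keyspace / tries_per_batch) * batch_seconds


def false_match_probability(rate=FALSE_MATCH_RATE, attempts=TOUCH_ID_ATTEMPTS):
    """Chance that at least one of `attempts` random fingerprints matches."""
    return 1 - (1 - rate) ** attempts


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


def report():
    """One summary line per policy, plus the Touch ID false-match odds."""
    lines = [
        f"{p.name}: keyspace {p.keyspace:,}, "
        f"worst case {humanize(worst_case_seconds(p))}, "
        f"average {humanize(expected_seconds(p))}"
        for p in (PIN4, PIN6, ALNUM6)
    ]
    lines.append(f"4-digit PIN with on-device lockout: {humanize(lockout_worst_case_seconds(PIN4))}")
    lines.append(f"Touch ID, {TOUCH_ID_ATTEMPTS} random attempts: 1 in {1 / false_match_probability():,.0f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

With these figures, five Touch ID attempts carry roughly the same 1 in 10,000 chance as a single guess at a 4-digit passcode, while turning Simple Passcode off moves the exhaustive search from hours to thousands of years.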
 
"The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. "


The issue: this is now proven to be (once again) total BS from Apple.



I wouldn't use any smartphone, certainly not something from Apple.

I'll agree that it's misleading marketing, but it's technically not a lie. It may indeed include skin layers below the epidermal layer in its image, but it was never suggested that this means it can differentiate skin from latex rubber. In practice all this means is that it won't fail to read your print due to minor variations in the layer of dead cells on your finger, which could confuse older styles of readers that used optics.
 
It is possible that the sensor checks for moisture level. That's why the cracker needed to keep his mold moist. He may need to try a few times how moist to make the print though. It is different for different people.

No, the moisture just helps make the conductivity more like a live finger.

In fact, this was the most important discovery almost 15 years ago when people first started trying to spoof capacitive fingerprint readers with fake fingers.

At first, they weren't that successful. Then someone discovered that if they licked the fake finger first, the success rate went sky high.

Once this was reported, everyone started using similar tricks.

Funny, but true story.
 
Oh please, by the time you do all this, someone should have:
1) launched FMP
2) located the perp
3) notified the police, or beat the ***** of you
4) self destruct the data if unable to perform #2 or #3.
:)
 
Beyond adding the ability to employ a print scan and pin code in tandem, it seems like it would be fairly simple for Apple to issue an update that allows the security conscious to opt for a coded series of fingerprint scans (i.e., thumb, thumb, index finger, ring finger). That would be pretty damn hard to crack in any reasonable amount of time.

Or, if you happen to be a super spy or a drug cartel kingpin, might be worth using your toe print lol.

There are many ways to improve the existing system.

Taking more time to scan may also tighten the check.

I like using the knuckle to scan if it works reliably. It automatically doubles the possibility, and knuckle prints are hard to come by.

----------

No, the moisture just helps make the conductivity more like a live finger.

In fact, this was the most important discovery almost 15 years ago when people first started trying to spoof capacitive fingerprint readers with fake fingers.

At first, they weren't that successful. Then someone discovered that if they licked the fake finger first, the success rate went sky high.

Once this was reported, everyone started using similar tricks.

Funny, but true story.

Yes, but Apple is using capacitive check, which means it also checks for moisture, unlike optical imaging.

As for licking the finger, I think there are reports that a wet finger will cause recognition problems. So it may not be as easy as just wetting it like old systems. The moisture level requires experimenting, plus a host of other possibilities in 5 tries.
 
Fixed that for ya.

The current implementation doesn't require both fingerprint and passcode, fingerprint only up to 48h.

It would be nicer to enable requiring both fingerprint and passcode to unlock; this will increase the security level, and in case no fingerprint is available, use a long passcode or unlock via iTunes (connected to the mother PC).

I agree. It would be nice if the timeout was configurable as well. I'd set it to 24 hours. You're still not understanding my point though. The person I was replying to seemed to think it was possible to only EVER use a fingerprint. To not even have a PIN code set at all (whether you ever use it more than once or not).

----------

Question... can you not always get into a phone using DFU mode anyway?
 
So let me get this right- he bypasses a fingerprint scanner with an exact copy of his fingerprint? And this is news?

So this is like a photocopy of a barcode? Has no one watched a spy movie before? This has been in movies since like the 80s and these 'hackers' think they hacked Apple's new device? haha, fail.
 
Yeah, currently 3 iPhones, 1 iMac and most of the network runs on Apple equipment.

But yeah I "hate" Apple.

You seem to think criticizing means hating, it's actually quite the reverse.

I like Apple and I want them to actually make good products, not spend most of the budget on PR to dupe people like you.

Sure sure..yeah :rolleyes:

And yes Apple did it again and duped many millions of low tech stupid folks (like me) out there.
 
Question... can you not always get into a phone using DFU mode anyway?

With the new Activation Lock feature you will need the Apple ID and Password still I believe. The new Activation Lock feature is one of the best security measures Apple has done in a while I believe.
--------------------------------------------------------------------------

Though to reply to the topic at hand: As a tech person, a Computer Science Major and someone who has done their fair share of hacking (little joke/pranks on friends in the past, nothing serious to get me thrown in prison) I must say this bypass that people seem to be making a big deal out of is pretty ridiculous.

First off, Apple never once claimed that their fingerprint sensor was foolproof and that it could never be bypassed. All they said and claimed was that it would be more secure for the average user, my parents for example, to have a lock on their phone that can't easily be bypassed by the average joe.

Could I go and get a fingerprint of my parents and bypass it? Yes I technically could, just like I could crack the passcode on a phone (nearly impossible brute force only considering it would take more time and lock me out) using special software (more complicated now but still possible).

Though let's take this example of the real world. How does this work in the real world with a phone out in the "wild?"
Let's say I am at a restaurant using my phone. I put my phone down on the table and I end up getting up and walking away not realizing I didn't put it in my pocket. Now think about how does someone who is stealing a phone pick it up? They just pick it up with their bare hands and fingerprints. What next? Well now their fingerprints are all over it, making it even harder to get my fingerprint off of it.

Ok well let's say they pick it up with a glove (how many punk iPhone thieves wear gloves though)? They must then take the phone and be careful with it to make sure they can still get a good enough print off of it. Next, the chances of only one person ever using that phone are still very slim and it is still very possible that someone else has used the iPhone, putting their fingerprint on it. But now they must take the phone back home and perform their "experiment" to get my fingerprint in a workable form. By the time all of this has passed by I have more than likely already noticed the phone is missing and reported it stolen, causing the Activation Lock feature to kick in. Now this phone you have stolen is more than likely useless to you and it becomes nearly impossible for the average joe to sell to even make money off of. In the end all you have done is give me an inconvenience of having my phone gone, which has nothing to do with the fingerprint sensor considering my phone can go missing period.

Though again, let's be honest and think about this for a second. How many people walk around trying to get fingerprints from people? Don't act like just because Apple released something that uses fingerprints people are going to all of a sudden start being a spy and go out and start trying to get our fingerprints.

This so called "hack" is as likely to happen as someone having software and tools needed to crack passwords. The average joe that steals iPhones won't do it. Don't kid yourself in thinking they will. Even a tech nerd like me who used to play hack pranks on people wouldn't even go through this.

Now when/if they find a way that the average joe will do that doesn't require them to attempt to get a clean print off the phone or something else I use (remember must use gloves and you can't touch it) then I will be impressed and say it is hacked. Until then this is absolutely nothing...
 
The attacker has 5 unsuccessful attempts, not 6, before the second factor kicks in. Before working on the fingerprint, the cracker also needs to identify what exactly was used to unlock the phone, which finger or other body parts. Or he will waste his chances.

That's 5 for the app store

It's 6 failed on a login ... again tested live on my iPhone 5S...
(and yes, I just double checked again in case I was really tired and miscounted last night)
 
Sticky?

OK. Just read this entire thread. And I think there are some takeaways (to summarize) so far:

Thanks for doing this. Also read thread. Wanted to summarize…but was then too tired to do so.
Makes me wonder if there should be multiple threads for news discussion (one for comedians, one for "is this important?", one for "is this true?", one for technical aspects). Would be less fun but would save a lot of time.

IMO macrumors has become a home to some excellent comedians, there should be a macrumors comedy roast!
 
This so called "hack" is as likely to happen as someone having software and tools needed to crack passwords. The average joe that steals iPhones won't do it.

I think people agree that most thieves aren't going to bother with the sensor.

(Although that would change in a hurry if Apple were to try to use only a fingerprint to authorize payments for anything outside of iTunes.)

At the same time, the few people who really do need or wish to hide info from people around them, should probably avoid using the sensor at all for now.
 
Apple already wins if they can get those people who don't set up their pincode today to use the fingerprint sensor.

For the others, using fingerprint can be more secure because it is easy to guess or peek at your pincodes. I am looking forward to it. My kid already knows all my pincodes. :)

----------

Very interesting if true. Almost seems too easy. Why not just call them knuckle sensors and be done with the vulnerability?

People have tried using other body parts like nose too. I am going to try knuckle and other ideas myself. :p
 
For one, getting a carefully constructed image of your finger is easy.

Getting a carefully constructed image of someone else's finger is difficult.

Half jokingly, I wonder if this would give rise to the same kind of underground exchanges as have always gone on for email addresses, credit card numbers, passwords, etc.

I can just see the hacker's website now: "For sale by waiter, Tim Cook's fingerprints. Lifted after giving him several clean wine glasses. Good clean prints. Steal his iPhone and check out his secrets. Highest bidder wins." etc

Within hours, more ads appear: "3D printed Tim Cook fingers for sale. Top quality. Ready to use."

;)

Plus, while this particular set of material may work for this guy, it may not work with everyone.

Materials like he used have worked for over 15 years to spoof sensors.

I had hoped that one of AuthenTec's newer patents applied here. They specifically point out how easy it is to spoof most sensors, and how even things like heartbeat and temperature are usually useless.

So they invented some other methods, such as testing the inductance of the finger to make sure it was real. Doesn't seem like those methods are in play. Or maybe they are, and putting the artificial one over his own, made it work.

Perhaps a better version will come in the next iPhone model, or as you said, updates could be made to the current one's software. Or perhaps Apple won't worry over it at all.
 
Half jokingly, I wonder if this would give rise to the same kind of underground exchanges as have always gone on for email addresses, credit card numbers, passwords, etc.

I can just see the hacker's website now: "For sale by waiter, Tim Cook's fingerprints. Lifted after giving him several clean wine glasses. Good clean prints. Steal his iPhone and check out his secrets. Highest bidder wins." etc

Within hours, more ads appear: "3D printed Tim Cook fingers for sale. Top quality. Ready to use."

;)



Materials like he used have worked for over 15 years to spoof sensors.

I had hoped that one of AuthenTec's later patents applied here. They specifically point out how easy it is to spoof most sensors, and how even things like heartbeat and temperature are usually useless.

So they invented some other methods, such as testing the inductance of the finger to make sure it was real. Doesn't seem like those methods are in play.

It worked for the past 15 years. Doesn't mean it will continue to work consistently for the next 15 years. It depends on how sensitive the sensors are, how much time the vendors take to scan, and other progress for a very secure system.

Apple will no doubt continue to tune the system. The sensor learns too. The more you use it, the more accurate it should become.

Fingerprint also changes with age. I have friends whose fingerprints can't be recognized consistently anymore. That's why a learning and frequently used system is good.
 
Very interesting if true. Almost seems too easy. Why not just call them knuckle sensors and be done with the vulnerability?

It is true. I've succeeded in registering and verifying knuckles with several fingerprint readers, including the Lumidigm V-Series, which is the best thing around for detecting spoofs (my knuckle is mine, and it's not a spoof, so it works).

And if a cat paw (http://www.youtube.com/watch?v=muLWtGkKgKI) can be used, other body parts can as well.

 
Your password you can change once it's been stolen, your fingerprints stay the same for your entire life and you leave them everywhere. If you touch a can of soda in a bar everyone with a bit of basic knowledge can take a high-res photograph of it and print out your fingerprints in 3D within 30 minutes.
 
I had hoped that one of AuthenTec's newer patents applied here.

Same here.

Testing the inductance of the finger to make sure it was real

Yes I saw that. Some of their products can have issues with static. Maybe related.

-------
Perhaps a better version will come in the next iPhone model

Try to put the fear of God in everybody then make it a sales pitch. Fear-mongering; a solid business model! Plus take credit for solving the problem when you had the solution from another company all along! Yee-haa!

Disclaimer: The above was a joke. Apologies if time lost as it is not reimbursable.
 
Fingerprint also changes with age. I have friends whose fingerprints can't be recognized consistently anymore. That's why a learning and frequently used system is good.

As AuthenTec notes in their patents, it's the fact that recognition software usually allows a wider range... in order to not have too many false negatives and annoy the user... that makes sensors relatively easy to spoof.

IIRC, one of their other recent patents was on watching for too great a range change in a short period of time.
 
Your password you can change once it's been stolen, your fingerprints stay the same for your entire life and you leave them everywhere. If you touch a can of soda in a bar everyone with a bit of basic knowledge can take a high-res photograph of it and print out your fingerprints in 3D within 30 minutes.

Yes, except the likelihood of leaving a perfect print is small. Most forensic fingerprint analysts quote around 3-5% chance on a surface like a can. If the can has condensation they are non-existent. If you have sweaty hands you tend to smudge.

Latent prints are actually extremely fragile. This isn't CSI. Even when found, someone good will lift maybe ~30% without damaging them.
 
It's reading his finger, not the rubber

Am I the only one who noticed the supposed fake finger is being laid over the actual finger used for TouchID? Can't believe anyone is giving even the scent of credence to this video. You can probably also unlock with putting any thin membrane between the finger and sensor. If it were reading a 2D image only, then the fingerprint left from the last time you used it would just automatically unlock it. No doubt the hacker convinced himself he was actually doing something, not hard to do considering the amount of coffee/cocaine/other stimulant he's apparently using.....
:) Dave
 