Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Chaos Computer Club Bypasses Apple's Touch ID System (With Copy of Original Fingerprint)
- Thread starter MacRumors
- Start date
- Sort by reaction score
Sweet! Now that I've thought about it for more than 3 seconds I also have a fingerprint sensor and can try it. Apple should add this to their knowledge base article.
Just out of curiosity. Would a knuckle be easier to spoof?
No, you are not the first one to make the mistake of believing that. Now when you watch it again, you'll likely see that he scanned his index finger and used his middle finger with the replica.
I believe someone said earlier they'd need the passcode to get in after removing the SIM card.
People keep talking about obtaining a fingerprint. You need to obtain the fingerprint. Assuming the prints can be lifted from the phone, and further assuming the home button is smudged, as it would be if you use (say) your pinky to unlock and your thumb for ordinary operation, the attacker has to hope to find your pinky somewhere on the phone amidst the many partial and smudged prints he will find. So how many prints does one need to lift on average to attempt this attack, and how often is it successful?
Seeing how Apple like to make things better it'll be interesting if they do. Especially as this is apparently endemic to all fingerprint sensors and has been for a while.
Biometrics Myths from AuthenTec:
http://support.authentec.com/KnowledgeBase/KBview/tabid/843/ArticleId/503/Biometrics-Myths.aspx
On AuthenTec product page they say they make the only FIPS 201 compliant silicon fingerprint sensor. It is interesting to note that according to wiki to comply with FIPS 201 PIV II you need smart cards.
http://support.authentec.com/KnowledgeBase/KBview/tabid/843/ArticleId/452/What-are-the-differences-between-Eikon-fingerprint-readers-Which-one-is-the-best-for-me.aspx
-------
Quantum key distribution:
Uses quantum mechanics to guarantee secure communication.
An important and unique property of quantum distribution is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key.
Quantum Hacking:
Single-photon detectors in two commercial devices could be fully remote-controlled using specially tailored bright illumination.
The first attack that claimed to be able to eavesdrop the whole key without leaving any trace was demonstrated in 2010.
From wiki
And the race goes on
Biometrics Myths from AuthenTec:
http://support.authentec.com/KnowledgeBase/KBview/tabid/843/ArticleId/503/Biometrics-Myths.aspx
On AuthenTec product page they say they make the only FIPS 201 compliant silicon fingerprint sensor. It is interesting to note that according to wiki to comply with FIPS 201 PIV II you need smart cards.
http://support.authentec.com/KnowledgeBase/KBview/tabid/843/ArticleId/452/What-are-the-differences-between-Eikon-fingerprint-readers-Which-one-is-the-best-for-me.aspx
-------
Quantum key distribution:
Uses quantum mechanics to guarantee secure communication.
An important and unique property of quantum distribution is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key.
Quantum Hacking:
Single-photon detectors in two commercial devices could be fully remote-controlled using specially tailored bright illumination.
The first attack that claimed to be able to eavesdrop the whole key without leaving any trace was demonstrated in 2010.
From wiki
And the race goes on
Well, if you're a thief and just wanted the phone to make some bucks selling it, just remove SIM, go home and reflash the phone in DFU mode. Bam. There's your factory fresh iPhone ready to be sold for some crack money.
I found this post on a news web site that I thought was very telling.
=======
Jesus, some people are muppets.
Phone thefts are on the whole opportunist crimes.
How many people have the ability/desire or time to stalk you, get a clear print, steal your phone and create these fakes? Not many.
How many phones are stolen by James Bond villains to get your secure data (bank details?) which of course you keep in a file marked 'BANK DETAILS' on your phone? About none.
AFAIK, if they do go through this laborious process and hack into your phone via a fake fingerprint they STILL NEED YOUR PASSCODE to alter anything in order to make the phone useable. Otherwise the second it connects to the internet it will be disabled (presuming the owner disables it). There is no way around that. The phone is useless except as a source of information and it you are think enough to carry that info around with you on a device you deserve all you get.
I used to laugh at the Apple fanbois but now the most hilarious bunch are the anti-apple brigade...
===========
=======
Jesus, some people are muppets.
Phone thefts are on the whole opportunist crimes.
How many people have the ability/desire or time to stalk you, get a clear print, steal your phone and create these fakes? Not many.
How many phones are stolen by James Bond villains to get your secure data (bank details?) which of course you keep in a file marked 'BANK DETAILS' on your phone? About none.
AFAIK, if they do go through this laborious process and hack into your phone via a fake fingerprint they STILL NEED YOUR PASSCODE to alter anything in order to make the phone useable. Otherwise the second it connects to the internet it will be disabled (presuming the owner disables it). There is no way around that. The phone is useless except as a source of information and it you are think enough to carry that info around with you on a device you deserve all you get.
I used to laugh at the Apple fanbois but now the most hilarious bunch are the anti-apple brigade...
===========
See that is the point of the changes to iOS7
even if you do that ..
BAM locked out by needing the apple ID password.
The sensor should included something that detects a human pulse.
Boy Apple is on a roll.
1) No iPhones 5S until sometime in October
2) Finger ID easily thwarted
3) Apple TV Bricking
Bad
Not going to be good for Apple stock tomorrow.
Enjoying that egg on your face?
Reality check
While the reactions here are lively and passionate, I can't help but think this is the reality of Apple's Touch ID implication for 99% of people.
1. The system is secure enough for the information in the phone. Really, to break into the system, the thief has to have physical access to the phone, and have a good copy of your finger print (not easy as seen on TV), and time to pull it off.
2. What does you have to lose: Photos, emails, bank account access info? Why would a thief be interested in the first two? As for the third, by the time you figure out your phone is stolen and act on it, the 3rd is useless or can be use as a trap.
3. The 1% are either the foil hat crowd, or have very important information to protect, like what you see in movies. There are apps that one can use to store that sensitive information.
While the reactions here are lively and passionate, I can't help but think this is the reality of Apple's Touch ID implication for 99% of people.
1. The system is secure enough for the information in the phone. Really, to break into the system, the thief has to have physical access to the phone, and have a good copy of your finger print (not easy as seen on TV), and time to pull it off.
2. What does you have to lose: Photos, emails, bank account access info? Why would a thief be interested in the first two? As for the third, by the time you figure out your phone is stolen and act on it, the 3rd is useless or can be use as a trap.
3. The 1% are either the foil hat crowd, or have very important information to protect, like what you see in movies. There are apps that one can use to store that sensitive information.
always remember
Security is like running from a bear. You don't need to be faster then the bear. You just need to be faster then the guy next to you.
PS Breaking into your own front door is meaningless. They need to show they can get into a third partys phone. One they can't enter with the passcode to reset the failed attempts limit.
PPS How is this even useful unless there are nuclear launch codes on the phone. Which someone didn't bother to encrypt. Cant use the itunes buying function without being on a network, so if you tried it would be most likely wiped and bricked.
Security is like running from a bear. You don't need to be faster then the bear. You just need to be faster then the guy next to you.
PS Breaking into your own front door is meaningless. They need to show they can get into a third partys phone. One they can't enter with the passcode to reset the failed attempts limit.
PPS How is this even useful unless there are nuclear launch codes on the phone. Which someone didn't bother to encrypt. Cant use the itunes buying function without being on a network, so if you tried it would be most likely wiped and bricked.
Sure sure..yeah
And yes apple did it again and duped many millions of low tech stupid folks (like me) out there.
Duped? Its one of the best smartphone out avaible. Wich is why it doent need the "magical deep scanning finger scanner ." An easier to use then pincode button for acces is good enough .
But do cheer apple on to make up the most ridiculous slogans, those are free I hear .
----------
Gee get a life, stop identifying with a brand.
Btw I think that was the tapatalk app on my iphone adding that. :lol:
----------
Nope
Well someone could do the same thing by mounting a brute force attack on your 4-digit passcode. These light security measures trade strength for convenience. If you're really worried that someone is going to search through your photos and Facebook, then you should use a complex password with a mix of upper and lower case letters, numbers, and punctuation marks. Apple makes this option available, knowing that 99% of people will ignore it in favour of more convenient options. It's a trade-off.
Like others have said, you avoid this rare possibility if you use your nose... not going to lift your nose print off a glass or something. I like to look at my phone close anyway
So if your paranoid, just use your nose, outside of that just don't use your thumb or index finger, the other prints are left far less often.
The other thing is, once your phone is taken or lost, just remote wipe immediately if you have that much to lose.
Not an issue for me, Touch ID offers the best of both worlds, security and convenience, and I wouldn't be surprised if Apple figures out a way to detect other print features that offer greater security.
So if your paranoid, just use your nose, outside of that just don't use your thumb or index finger, the other prints are left far less often.
The other thing is, once your phone is taken or lost, just remote wipe immediately if you have that much to lose.
Not an issue for me, Touch ID offers the best of both worlds, security and convenience, and I wouldn't be surprised if Apple figures out a way to detect other print features that offer greater security.
Not really though. Getting a clear enough print required a distinct fingerprint on a clear glass bottle, treated with superglue fumes, photographed at high resolution and touched up in Photoshop. It's probably not that easy to get clear prints, though technically possible. Good thing the fingerprint scanner isn't being used to secure anything like financial data. It's easy enough to set up Activation Lock on your phone using a *complex* passcode, and use the fingerprint scanner for day-to-day convenient security.
Who leaves their phone lying around for a thief to snatch?
The lazy users are the ones negligent enough to let their phones be stolen in the first place. The vigilant user doesn't need an unlock code.
Nope, just as easy to spoof (on readers from Digital Persona, Futronic, Lumidigm and Cross Match, which are the ones I've been testing these last several months). Much harder to get a latent knuckle print, though, as opposed to a fingerprint, which we leave absolutely everywhere.
Just for curiosity's sake, I've succeeded in enrolling and verifying both my nose and my elbow on the above mentioned readers. The nose is excellent for verification, as it's naturally greasy, while the elbow is harder to verify for being naturally drier.
The problem is that if you are using the iPhone for work, the IT guys may not see the fingerprint sensor as "secure enough." For all the people using the iPhone in healthcare, for example, most places are putting in extra extra security, like 6-digit pass codes, etc.
Who leaves their phone lying around for a thief to snatch?
*raising hand*
Oh! Oh! I know the answer to that one!
.
.
.
.
Drunk Apple field test engineers?
No comment needed.
Based on what I've read, the "it scans under your skin" is both true, and *widely* misunderstood.
The layer 'scanned' by the capacitive sensor is, indeed, under the skin. However, it is not so far 'under the skin' that the shapes differ significantly from the surface, and it doesn't do some uber-high-tech cellular scan or anything. What the 'under the skin' 'scan' buys isn't extra security, it's resilience to surface skin damage (such as paper cuts).
Decent fingerprint readers these days do some 'life checks' which include a capacitive requirement similar to a human finger, temperature readings, and possibly even pulse-detection. These can all be 'faked' by making sure the print overlay is thin enough to pass through your own natural capabilities, but thick enough that it won't read your own print behind the fake.
It would be interesting to find out if folks who don't have visible fingerprints (due to any number of reasons) might actually still have the underlying structures in a form detectable by these scanners. I'll have to check with my M-i-L if she upgrades to a 5s, she's lost her fingerprints to 50+ years of playing guitar.
Biometrics are useless for security against a determined attacker. They are marginally useful for identification ("Hi, I'm Bob."), but worthless for authentication ("And I can prove it.") precisely because they can be 'faked' relatively easily, *and* can't be changed once they are compromised.
----------
How is a 2400 DPI photograph of someones fingerprint an everyday item? I'm sorry but this is click bait pure and simple.
Because it's pretty easy to lift a print off of a smooth glass surface, and those are found on pretty much every smart phone today. It's still a labor-intensive process, and won't be a worry when you're discussing casual snooping, or basic theft. From a security stand point, TouchID is a step forward from, "swipe to unlock", and about on par with the basic 4-digit PIN (but it's much more convenient, so more people will bother, so it's still a net 'win' there).
----------
They're not the sort of thing that everyone would be carrying around *on* them, but they're certainly not unusual things for someone to have easy (and unrestricted) access to.
If I wanted to do this, the only thing I'd need to go out and buy would be the the latex milk or wood glue to fill in the mold. (And that assumes I don't have an old bottle of wood glue floating around the garage somewhere that's still liquid.)
On the other hand, it's a process that's going to take a while unless you're well-practiced at doing it. (15-20 minutes for a 'pro', and probably upwards of 2 hours for a novice to actually get it right)
----------
This one uses a *different* finger, behind the 'copy' of the *registered* fingerprint. The copied print provides the pattern. The finger behind it provides the capacitance, heat, etc. necessary to convince the sensor that the print belongs to a live finger. There are ways to use the faked fingerprint with a non-finger to get those effects, but why would you bother when just putting your finger behind the faked print is so much easier and more convenient? (A very carefully temperature regulated hot dog has been shown to work with similar systems in the past.)
Speculation ? Fake ? Do you know ccc ?
This isnt a fake if you are hoping for this.
Not speculation? Not fake? Do you know ccc? You know it isn't a fake? Because ? I'm only hoping for the truth. You on the other hand seem to want this to be true, and don't really care that you have no real facts to base your opinion on. You may be right or you may be wrong...deal with it.
That depends. Have you touched your phone with the registered finger since the last time you wiped it down? If so, then there's the chance that the thief just walked off with a copy of your print that is of sufficient quality for this process. There's also a chance that the print is too smudged, or will be smudged in transit so that it *wont'* be of sufficient quality.
----------
That's only necessary for an in-depth risk analysis. Not to demonstrate that the process works.
Do some youtube searches, and you'll be able to find videos that show the whole process. (Most of them will have a cut in the video for the cure time of the cast, since that's generally 15 minutes to 2 hours, depending on the material being used, and there's no point in showing 15-120 minutes of 'paint drying'.)
----------
True. Assuming you immediately notice your phone is missing, and can get to a computer in that 2 hours. Not a terribly bad assumption on the second half (especially since you could, at worst, borrow someone else's phone to do so), but that first part is a bit iffy.
My point about Activation Lock is that it will eventually deter thieves from stealing iphones to sell them because they are rendered unusable, the iphone cannot be restored or erased without the owner's Apple ID & password. I don't think we'll be seeing a lot of chop shops setting up, as people tend to buy phones, not parts for them, so, that would be few and far between, and it would be a professional operation, whereas, again, most thieves only want to move the stolen devices for cash as quickly as possible.
Remote wipe, a Find My iPhone feature that's been around a while solves the issue of someone gaining any information from your iPhone, so, that would be a matter of who gets to it first, the thief figures out how to get into your iPhone (assuming you are using a passcode or Touch ID), or you use Find My iPhone to erase & lock it.
Between these two, the chances of someone gaining your information are pretty low.
https://www.macrumors.com/2013/09/1...ck-feature-of-ios-7-following-public-release/
http://www.gazelle.com/thehorn/2013/08/26/how-to-turn-off-activation-lock-in-ios7/