iPhone 6 Touch ID Still Vulnerable to Specialized Fake Fingerprint Hack

Not normally one to criticize Macrumors, but I agree. Articles like this do more harm than good. Geez.

Exactly.

And this is basically the same article that came out a year ago: a controlled lab experiment to prove that TouchID can be spoofed... not that it will.

It's nice that they reference the previous article... since that article and this new article are the only known cases of this ever happening.

I predict that we will see a 3rd article in September 2015 telling us that the iPhone 6S fingerprint sensor can be spoofed too :p
 
The technique requires a hacker to lift a suitable fingerprint from a solid surface and create a copy using forensic techniques that require specialized equipment.

It's "specialized equipment" only to someone who's never made hobby circuit boards before.

This technique, btw, was documented on the internet as far back as 2000 or so. RF sensor technology is at least that old.

There was a security research paper back then that not only showed how to do simple fake prints like this, but also talked about how to fake pulsing blood to fool those kinds of sensors as well. If I dig around, I can find it.

I think that paper was one of the main reasons why fingerprint sensors fell off in popularity as a real security device.

Touch ID may offer adequate security for unlocking phones, but Rogers questions its effectiveness as a deterrent to the much more lucrative credit card and mobile payment theft.

At the least, we can foresee TV spy shows with plots where someone's iPhone is snuck away after a waitress picks up good prints from a glass, and the good/bad guys buy a ton of (perhaps incriminating) stuff with the phone, then put it back before the owner notices.

Heck, our kids and spouses and college roommates and even coworkers could do the same thing. They have plenty of opportunity to pick up a good print, and no need to rush making a fake :)

The worst part is this: you'd have one hell of a time proving that it wasn't you.
 
My only question is whether a print lifted from your phone itself is going to be good enough for this method. Unless you are a high value target of espionage, no one is going to go to the effort of collecting both your phone PLUS multiple ambient fingerprint samples just to steal your credit cards.

----------

And the number of Apple Pay transactions you have done so far is...?

So far there just hasn't been any sufficient gain to justify the effort in the wild. That could quickly change! Although I admit a criminal would rather cut off your fingers (all of them, just to make sure) after stealing your iPhone, rather than undergoing the effort to extract any fingerprints from you...

On the other hand, if you're in the bar, leaving all your fingerprints on glasses, and maybe leaving your iPhone on the table nearby...

If that turns out to be a problem, then "bar gloves" will become very chic. So fair warning; you now know where the next growth stock will come from. ;)
 
Reminds me of how we "hacked" our computer science teacher's rMBP in 12th grade without being allowed to open it (mind, it was a hacking competition). We found an identical laptop, made a fake login screen that sent the password to my server, and swapped the laptops when he wasn't looking. Unfortunately, he didn't use the same password for his server, and he didn't have file sharing enabled to let me steal the key, so we failed.

I wouldn't worry about it.
 
This improved scanner makes it harder for a fingerprint to be cloned by an unskilled criminal, but it does not add any additional security precautions, such as a time-based passcode requirement, to the Touch ID authentication system.

What the heck are they talking about? I had a few friends try to unlock my phone with their own fingerprints. After three unsuccessful tries, the iPhone would no longer accept fingerprint authentication and insisted on a passcode, even for me. I'd say that's a security precaution. After a few minutes, I was able to once again unlock the phone with my fingerprint.
 
He's a security researcher for a security firm. His livelihood depends on justifying the need for his job. Did anyone expect him to say it works well enough and people like him aren't needed?
 
I doubt any spur of the moment criminal is going to go through all of that trouble to get into my phone and steal my GBs upon GBs of slow mo video of me kissing my wife.

Nope, a spur of the moment criminal will just hack off your finger. For added security, program the fingerprint sensor to read only your toes. That way, when someone snatches your phone and an index finger, you'll be fine!
 
I didn't read all the comments, so I'm not sure if this has been referenced. Just in case it hasn't:

[attached image: security.png]
 
In other news, if somebody gets your passcode they can get into your phone.

A passcode you can change, virtually an unlimited number of times. A passcode is also digital, in other words, if you don't enter it exactly right, it's not going to work.

A fingerprint is both limited, you've got 10 of them, and analog, which means your iPhone checks to see if the object pressed against the sensor is close enough to the digital signature on file. That's why a fake finger works as well as a real finger, and why you can use your finger in a variety of positions on the sensor and variety of "smooshedness" on the sensor. In reality, the sensor calculates a probability that it's looking at the correct finger, and then decides to unlock, or not, based on that probability function. An infinite variation of fingers and finger-like objects will unlock your iPhone. The "size" of that infinity is not as big as the "size" of infinity of fingers and finger-like objects in the world, but it's not negligible, and that variation is what allows the sensor to work with analog fingers in a digital world of computer chips.

What's more, you leave your fingerprints everywhere, thousands of times a day. Some of those fingerprints you're leaving right there on your iPhone, and on the home button itself. You don't write your passcode down on the back of your iPhone, do you? Now granted, not every print you leave is going to be useful, but it's not going to be that hard to find a clean one. Forensic scientists do it all the time when they're investigating crimes.

If you want to provide evidence to a jury that somebody was there at a crime scene, fingerprints are a pretty good way of doing that. If you want to lock something, a fingerprint is terrible as a key.

I've said it before, and I'll say it again. Both police and criminals are very eager to see widespread adoption of analog biometric security in consumer devices. What they fear is digital security, the power of discrete math to protect secrets.
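As an added illustration (not code from the thread, MacRumors or Apple), the toy model below puts two points raised in this thread side by side: the tolerant score-against-a-threshold matching described in the post above versus an exact passcode, and the fall-back-to-passcode behaviour after three failed fingerprint attempts reported earlier in the thread, plus the kind of time-based passcode requirement the article says is missing. The template bits, the 0.90 threshold and the 48-hour rule are constructed or assumed values, not Apple's parameters.

```python
# Added illustration, not Apple's code: tolerant (analog) matching against a
# threshold, an exact passcode, and the lockout/time rules that bound retries.
from dataclasses import dataclass

TEMPLATE_BITS = 64                  # constructed stand-in for a ridge-flow map
MATCH_THRESHOLD = 0.90              # assumed: share of bits that must agree
MAX_BIO_FAILURES = 3                # thread reports passcode demanded after 3 misses
PASSCODE_AFTER_SECONDS = 48 * 3600  # assumed time-based passcode requirement

def similarity(a: int, b: int) -> float:
    """Fraction of agreeing bits; 1.0 means an identical template."""
    mask = (1 << TEMPLATE_BITS) - 1
    return 1.0 - bin((a ^ b) & mask).count("1") / TEMPLATE_BITS

@dataclass
class TouchIdPolicy:
    enrolled: int              # stored template (constructed value)
    last_passcode_time: float  # when the passcode was last entered correctly
    failures: int = 0
    bio_locked: bool = False   # True: only the exact passcode is accepted

    def try_fingerprint(self, sample: int, now: float) -> str:
        if self.bio_locked or now - self.last_passcode_time > PASSCODE_AFTER_SECONDS:
            self.bio_locked = True
            return "passcode-required"
        if similarity(sample, self.enrolled) >= MATCH_THRESHOLD:
            self.failures = 0        # near enough counts as a match
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_BIO_FAILURES:
            self.bio_locked = True   # fall back to the exact credential
            return "passcode-required"
        return "retry"

    def enter_passcode(self, correct: bool, now: float) -> str:
        if not correct:
            return "passcode-required"
        self.failures, self.bio_locked, self.last_passcode_time = 0, False, now
        return "unlocked"

def demo() -> list:
    """Constructed run: owner's finger, three off-target attempts, reset, 48h later."""
    owner = 0xA5A5A5A5A5A5A5A5
    p = TouchIdPolicy(enrolled=owner, last_passcode_time=0.0)
    out = [p.try_fingerprint(owner ^ 0b11, 60.0)]           # 62/64 agree -> unlocked
    out += [p.try_fingerprint(owner ^ 0x3FF, 120.0 + i) for i in range(3)]  # 54/64 agree
    out.append(p.try_fingerprint(owner, 200.0))              # locked: real finger refused too
    out.append(p.enter_passcode(True, 300.0))                # exact credential resets state
    out.append(p.try_fingerprint(owner, 300.0 + 49 * 3600))  # assumed 48h rule -> passcode
    return out
```

The third off-target attempt locks fingerprint unlock for everyone, including the genuine finger, until the exact passcode is entered; that is the property the thread's passcode-versus-fingerprint comparison turns on.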
 
A passcode you can change, virtually an unlimited number of times. A passcode is also digital, in other words, if you don't enter it exactly right, it's not going to work.

The problem is, not many people were using passcodes. Touch ID was meant to encourage more people to lock their phones, and use complex passcodes. Touch ID is a better balance between security and usability.

An infinite variation of fingers and finger-like objects will unlock your iPhone. The "size" of that infinity is not as big as the "size" of infinity of fingers and finger-like objects in the world, but it's not negligible, and that variation is what allows the sensor to work with analog fingers in a digital world of computer chips.

I'm not sure I follow you, it's late in the day, and my brain is fried. Not just any finger (or "finger-like object") is going to unlock your device. I'd be interested to know what margin of error Touch ID allows, and how many fingers in the world fall within that margin.

What's more, you leave your fingerprints everywhere, thousands of times a day. Some of those fingerprints you're leaving right there on your iPhone, and on the home button itself.

[...]

I've said it before, and I'll say it again. Both police and criminals are very eager to see widespread adoption of analog biometric security in consumer devices. What they fear is digital security, the power of discrete math to protect secrets.

Any criminal who is determined enough will get past any security available on any consumer device. Touch ID is meant to make the average consumer safer against the opportunistic thief. If you're worried about the police, don't do illegal stuff on your phone. Really, they don't need to fake your fingerprint to get into your phone, anyway.
 
That's why Governments love to have your fingerprints. They can easily make a dummy finger now. So when they arrest you with your new shiny iPhone they just phone the lab to make one up. The lab kit makes it in 10, it arrives with the officer in 30 minutes. No need to know your password. And no one will know they've been in your iPhone.

/s
/jk
enable panic mode

Or they could just force your finger onto the Touch ID sensor...
 
easier penetration

...and it's still a lot easier to find someone without TouchID and look over their shoulder when they type in their 4-digit passcode.
 
A passcode you can change, virtually an unlimited number of times. A passcode is also digital, in other words, if you don't enter it exactly right, it's not going to work.

A fingerprint is both limited, you've got 10 of them, and analog, which means your iPhone checks to see if the object pressed against the sensor is close enough to the digital signature on file. That's why a fake finger works as well as a real finger, and why you can use your finger in a variety of positions on the sensor and variety of "smooshedness" on the sensor. In reality, the sensor calculates a probability that it's looking at the correct finger, and then decides to unlock, or not, based on that probability function. An infinite variation of fingers and finger-like objects will unlock your iPhone. The "size" of that infinity is not as big as the "size" of infinity of fingers and finger-like objects in the world, but it's not negligible, and that variation is what allows the sensor to work with analog fingers in a digital world of computer chips.

What's more, you leave your fingerprints everywhere, thousands of times a day. Some of those fingerprints you're leaving right there on your iPhone, and on the home button itself. You don't write your passcode down on the back of your iPhone, do you? Now granted, not every print you leave is going to be useful, but it's not going to be that hard to find a clean one. Forensic scientists do it all the time when they're investigating crimes.

If you want to provide evidence to a jury that somebody was there at a crime scene, fingerprints are a pretty good way of doing that. If you want to lock something, a fingerprint is terrible as a key.

I've said it before, and I'll say it again. Both police and criminals are very eager to see widespread adoption of analog biometric security in consumer devices. What they fear is digital security, the power of discrete math to protect secrets.

Great post and great point.

If I wasn't overdrawn on my account, or planned an evil plot, I would surely use a password instead of Touch ID

....good thing Jennifer Lawrence didn't rely on Touch ID to protect her naked pics. Could you imagine what could have happened?
 
And the number of times this "hack" has actually been used successfully in the wild is...?

They said this could be done by everyday people using everyday means. I worked in an office with at least a couple of more-than-your-average-knowledge-of-tech people... trust me, this can't be done by these people.

It's a wild plea for attention by a couple of pseudo-hackers with lots of time on their hands. Sadly, it obviously is succeeding in capturing attention.

The bottom line is this: If someone really wants to get your data, they're gonna get it - and they'll probably get it a heck of a lot easier than lifting a print off your diet Coke. TouchID works because most smartphone intrusions are made by nosy parkers in your family or workplace... the very people who won't ever bother trying to pull this off. I now work sometimes in an office for a multi-million dollar local company. Security? My iPhone stays in my pocket whilst the filing room with all the applications, that include SSNs, is unlocked 24/7... and the filing cabinets themselves don't even close.
 
It's a consumer device, it's not supposed to be 100% foolproof!
And why does Apple develop specialized hardware like the "Secure Enclave", if 100% foolproof is not a target for Apple?

apple.com said:
Touch ID security
The fingerprint sensor is active only when the capacitive steel ring that surrounds the Home button detects the touch of a finger, which triggers the advanced imaging array to scan the finger and send the scan to the Secure Enclave.

The 88-by-88-pixel, 500-ppi raster scan is temporarily stored in encrypted memory within the Secure Enclave while being vectorized for analysis, and then it's discarded. The analysis utilizes subdermal ridge flow angle mapping, which is a lossy process that discards minutia data that would be required to reconstruct the user's actual fingerprint. The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.
 
Surely the next step is the Touch ID also collecting your heartbeat along with your fingerprint.

...only thing is, now you're going to have to get rid of the body instead of just a finger.
 
And the number of times this "hack" has actually been used successfully in the wild is...?

Why do you have to get all rational.

This reminds me of an old article with a big headline of "Unbreakable lock hacked!". It was about some crazy door lock that required not only a big, fancy key but also a special technique of opening it - push all the way in, turn 1/2 rotation, pull half way out, turn 1 rotation, and so on. The gist of the story was - if you can steal the key, and know how to work with CNC machines, you can make a copy, and then by trial and error, you can figure out the combo! This TouchID is about as good.
 
Great! Not only does my iPhone 6+ bend, but it can also be hacked into by all the forensic scientists out there. Thanks a lot Apple.
 
And why does Apple develop specialized hardware like the "Secure Enclave", if 100% foolproof is not a target for Apple?

Your expectations are excessive. If you want 100% security, you're not going to use an iPhone.

Apple Marketing at work.
 