I would suggest that something that takes 30 hours and more than $1K worth of specialized equipment (plus the expertise to use it) to hack into is pretty secure. Not bulletproof, but pretty dang secure. Unless you're a secret agent, I'd say this is all the security any of us need.

That's the prototype. Someone will simplify it. Someone will write a program to do the image processing. You don't need the scanner and printer; do it in a copy shop.

One phone unlocked as a thief, and you got more than your expenses paid.
 
I still wouldn't save my fingerprint on my iOS device. It's just not safe enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

You can change your fingerprints. Besides, just a mathematical hash of the parameters that make up your fingerprint is stored on the chip. Hashes cannot be reversed, so not only is your fingerprint image not stored on the phone, but the data that is stored is permanently encrypted.
 
well, that's sort of the problem.. in a roundabout way, you are leaving a post-it note with your PIN written down and it's stuck to your phone (fingerprint) [though yes, it's a bit of a convoluted process to read it etc. etc.]

Maybe I didn't make my sarcastic post clear enough, but that's exactly what I said. Your fingerprint is your password. It's easily accessible on your phone, ergo the thief has your password. If they have your password, they can unlock your device. It's not a "bypass" as they still go through the Touch ID system. It's no different than a post-it note with your PIN attached to your phone.

I don't understand A) why people are freaking out, and B) why this is surprising to anyone who has two brain cells to rub together. It's not hard to understand.

These articles are just link bait.
 
My god, it's so infuriating on MacRumors at times.

Did half of you even read the OP? Hell, not even the article, just the opening post.

OK....

Whoever hacked/spoofed the fingerprint sensor or whatever you want to call it in 30 hrs Did NOT use thousands of dollars of equipment. He used inexpensive office equipment and said the process could take less than 30 mins. It was another person who claimed it would require thousands of dollars worth of equipment and that the process was nearly impossible.


How long did it take for you to bypass Touch ID? Was there anything that you found hard or challenging about the hack? Was there anything about Touch ID that you think was well engineered or well implemented?

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.

How feasible is the hack that you came up with? Is it something anyone can do, or is it something that only talented hackers with a fair amount of skill and expensive equipment can pull off?

It's very easy. You basically can do it at home with inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs. And it will only take you a couple of hours. The techniques are actually several years old and are readily available on the Internet.

http://arstechnica.com/security/2013/09/touchid-hack-was-no-challenge-at-all-hacker-tells-ars/



My god, if I had a dollar for every time some idiot fanboy mentioned 30 hrs and thousands of dollars worth of equipment all in the same breath, I'd be filthy rich.
 
Maybe I didn't make my sarcastic post clear enough, but that's exactly what I said.
nah, i re-read and better understand what you said.. my bad


I don't understand A) why people are freaking out, and B) why this is surprising to anyone who has two brain cells to rub together. It's not hard to understand.

These articles are just link bait.

i don't really see a lot of people freaking out about it (though a lot of people are maybe brushing it off a bit too hastily imo.. "30hrs ?!?.." or "you're not special!!" etc.)

really, it's not a big deal right now in its current implementation (and apple wisely hasn't released access to 3rd parties yet).. it's just that if we're going to see this type of stuff more in the future, it's better to bring awareness and fixes now, with wide-scale consumer usage, when there's not much of a threat from having your phone compromised..
i mean, if ATM cards suddenly dropped 4-digit PINs in favor of fingerprint id and this 'hack' happened.. ? it would be a much crazier scene with a lot fewer people brushing it off.. and i'm almost certain our phones/devices/(something) will soon enough be replacing our debit cards.. while i fully agree the current touchID is plenty secure for the vast majority of its users, i see it as a not so secure setup for possible future usages of the technology, so it's good that this hack has been brought to light now instead of down the line when it may actually matter
 
Except keys and locks can be easily changed.

You're right... you can change your keys and locks... but you can't change your fingerprints.

So if your phone gets stolen and IF there is a workable fingerprint on it and IF the thief is able to spend hours and hours on this process... they will have a latex copy of your fingerprint.

The bad news is... you've already bricked the phone remotely.

But the thief still has your fingerprint... so will they track you down and steal your next iPhone?
 
Why not give the option?
1. Passcode only
2. TouchID only
3. Passcode and TouchID

Everyone has different needs, and the three options above should satisfy more people than the two options available now.

You're talking about Apple. User options and choices are not familiar to them.
Anyway, the passcode and touchID "together" option would minimize the belief that touchID is safe enough, and that's not what they want.
 
What is your neighbour's job?

I guess the NSA has all our fingerprints; at least it has the fingerprints of every foreigner who traveled to the US in the past 10 years.
So approximately one in 1000 of the US citizens only needs a laser printer, wood glue and just 20 minutes...
But then again: why would they use the lock on the front door if there is their backdoor to your personal data?
 
I still wouldn't save my fingerprint on my iOS device. It's just not safe enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

You leave fingerprints wherever you go. Much easier to lift them from your beer glass than from your iPhone.
 
You may well be right concerning Apple not having said anything about the anti-spoof technology, but I read a good many articles that referenced it concerning the iPhone 5s. One would've hoped that they would've seen it and issued a statement clarifying whether or not such countermeasures were indeed present. We're not talking about flubbing a screen resolution or which USB profile it might use.

That's a whole other topic, where some of us agree with you that Apple is too quiet sometimes. A charitable view is that perhaps they just don't pay attention to what the internet is saying.

Since the fingerprint needs to be "lifted" from the image that is displayed on the iPhone's screen after a scan, it would be very easy for Apple to thwart this kind of attack by not displaying the print on the screen after scanning. Apple could display a placeholder image that does not resemble a fingerprint, and therefore will not allow thieves to replicate it.

That _is_ a placeholder image. It has nothing to do with your actual fingerprint. It's just showing the training progress.

You can change your fingerprints. Besides, just a mathematical hash of the parameters that make up your fingerprint is stored on the chip. Hashes cannot be reversed, so not only is your fingerprint image not stored on the phone, but the data that is stored is permanently encrypted.

Neither AuthenTec nor Apple ever said it was a hash. That's another internet myth, just like the idea that it required a live finger.

The data stored is encrypted, but that's because it's in a secure enclave which is encrypted.

Whoever hacked/spoofed the fingerprint sensor or whatever you want to call it in 30 hrs DID not use thousands of dollars of equipment. He used inexpensive office equipment and said the process could take less than 30 mins. It was another person who claimed it would require thousands of dollars worth of equipment and that the process was nearly impossible.

This. As has been noted before, the techniques have been around for 15 years. The only reason it takes "a thousand dollars" is if you didn't already have a laptop and scanner/printer like millions of people do. Otherwise it's probably more like $40 worth of PC board kits and other minor stuff.
 
Read with interest, and only one person with a clearly law enforcement background has come close to acknowledging iOS has a back door, and of course it does, right at root level.

All stock iOS devices share the same root password!

Mount them in a terminal, insert a certain mountain range, and away you go.
 
If you want to stop this hack working...

Totally pointless hack! In the time it takes to do this hack, most people would have disabled the iPhone anyway... No security is 100%... but at least with this fingerprint scanner, people will use it! Unlike most people that have smartphones and never have the passcode lock enabled.

Also, if you want to stop this hack, all you really need to do is use a finger you never use on your iPhone, like your pinky finger.
 
The TouchID solution is unfinished and unoptimized.

Steve would never have allowed this.

He would have released the feature when it was mature and ready.

:apple::apple::apple::apple:
 
The thief still can't turn off Find My iPhone even after gaining access with the print. Basically they won't be able to wipe the phone and sell it.

But yes if you're trying to get rid of sensitive data before the thief can access it you could easily do so.

My point is that you (the phone's owner) have 30 hours to lock up your phone and make it unusable. I am assuming that Touch ID/iOS 7 does not negate the security that has been in place in iOS 6. If I am wrong, please let me know.

----------

...Whoever hacked/spoofed the fingerprint sensor or whatever you want to call it in 30 hrs DID not use thousands of dollars of equipment. He used inexpensive office equipment and said the process could take less than 30 mins. It was another person who claimed it would require thousands of dollars worth of equipment and that the process was nearly impossible...

I wonder why MR left the 30 minutes mention out of the summary. I also wonder why you bolded (and "CAPS locked") the word "DID" and not the word "not" which would seem to be the more important word in that statement.

Whoever hacked/spoofed the fingerprint sensor or whatever you want to call it in 30 hrs DID not use thousands of dollars of equipment.

Whoever hacked/spoofed the fingerprint sensor or whatever you want to call it in 30 hrs did NOT use thousands of dollars of equipment.

See the difference?

----------

The TouchID solution is unfinished and unoptimized.

Steve would never have allowed this.

He would have released the feature when it was mature and ready.

I know you are having a laugh but: The original iPhone was unfinished:
[image: the original iPhone home screen]

Look at all that blank space, 15 icons on the screen when it looks like it should be 20. One row of 3 icons when the others have 4? It looks like they were planning the changes in iOS 2 (3rd party apps) but they released it like this anyway. I know they had to be planning iOS 2 before the original keynote, my point is that the design is not "finished" or "mature" but who was complaining then?
 
30 hours.

By that time the phone is tracked via GPS.
If they power it off, it doesn't require the thumbprint; it requires the passlock.
So then they've wasted 30 hours.


This is just silly. I think it's awesome how people just try everything to bypass the best phone out there. :)
 
The tell-tale part here is "requiring just 30 hours".

Actually, it doesn't take 30 hours to copy the print and unlock the iPhone.

The 30 hours was the time between him getting his hands on the iPhone and being able to unlock it with a copied print.

The process to copy the print and make a fake print is in itself a lot faster. According to Ars, that process would, with better preparation, only take 30 min....

Edit:

The other major thing in the video was that he was able to get the fingerprint by scanning the iPhone. Now, the caveat here is obviously how good the prints you get from that process are, and how perfect the prints Touch ID requires to authenticate need to be. I wouldn't be surprised if the system allows for not entirely perfect prints, just to make sure that people can unlock their phones. The algorithm may allow for more false positives rather than more false negatives.
I guess we are going to see videos soon of people repeating this process and then removing part of the fake fingerprint to check how complete prints are needed.
 
No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...

Why would you want to? Apparently *you* wouldn't, but (as the poster you replied to said), it would be a more secure option for those who *did* if it were available.

TouchID is there to add convenience so that more people take advantage of it and get a level of security at *least* on par with a 4-digit PIN instead of just relying on 'swipe to unlock'.

Note: Absent a clean fingerprint to lift, TouchID is about as secure as a 10-12 character passcode. Even *with* a fingerprint to lift, the time and effort involved in using it leaves the security at or above a 4-digit PIN, because there are techniques that can be used to narrow down *which* 4 digits were used, potentially reducing the search space there to 24 combinations. Fewer if the PIN has duplicated digits. (Those techniques rely on the same oils left behind as the fingerprint.)

----------

I still wouldn't save my fingerprint on my iOS device. It's just not safe enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

That's good, because it *doesn't* save your fingerprint on your iOS device. It takes an image, does the analysis, and encrypts that data when saving it into the secure enclave on the A7 chip. And, based on what is known about the system so far, it isn't actually possible to retrieve that hash from that storage, only wipe it, or ask the hardware to compare against the stored data.
 
Which was the point I was making when it was first reported, and I kept getting crap for it. It's that there was blatant misinformation as to how it worked and its reliability. The scanner should not have been marketed as anything other than a technology of increased convenience if the sub-dermal scanning invalidating dead tissue or false impressions is a blatant falsehood.

Consequently, I put my money where my mouth is and cancelled my order. More than that, I'd planned on snagging the new iPad mini and maybe a Haswell rMBP; neither of those purchases are going to happen presently. I won't buy another Apple product until there's a public apology admitting that they either overstated the security benefit or were grossly ignorant of the possibility. It's time companies learn that they can't lie to us with impunity.

As others have very graciously pointed out, it sounds like there was more of a miscommunication from what Apple said vs. how it was interpreted by the media when reporting on the tech specs of what exactly constituted 'subdermal' reading of skin layers. IMO, while this may be technically correct, to promote a product based on this level of security when it is very difficult for the average consumer to understand that 'subdermal' may not necessarily need skin to be true (???), to me it still is in the realm of outright lying.
 
I don't see the point of option 3. That's like having a simple passcode and strong passcode.

It's called 2-part authentication.
1) Something you know (the passcode).
2) Something you are (the fingerprint).

If you also had an associated RSA dongle and had to key in the timecode, you could get 3-part authentication by adding:
3) Something you have.

Your fingerprint is not a passcode.

Get into the habit of swiping your phone across your shirt when you're done using it for the moment, and this particular TouchID hack is no longer a worry.
 
As others have very graciously pointed out, it sounds like there was more of a miscommunication from what Apple said vs. how it was interpreted by the media when reporting on the tech specs of what exactly constituted 'subdermal' reading of skin layers. IMO, while this may be technically correct, to promote a product based on this level of security when it is very difficult for the average consumer to understand that 'subdermal' may not necessarily need skin to be true (???), to me it still is in the realm of outright lying.

Agreed. I definitely consider it, at least, a lie by omission. When such a controversial and potentially dangerous method is introduced Apple has an obligation to make very clear what it is, what it isn't, what dangers there are, and a conservative estimate as to how likely it is that it will be broken.
 
"According to Starbug, who spoke to Ars Technica, the process "was way easier than expected," taking just 30 hours to complete."

What a dweeb. That's a pretty major effort if you ask me. Give me 30 hours, and I could defeat a lot of security systems (blowtorch through a safe, drill into a safe room, hack a wifi network, guess a lot of random passwords, etc.)
 
"According to Starbug, who spoke to Ars Technica, the process "was way easier than expected," taking just 30 hours to complete."

What a dweeb. That's a pretty major effort if you ask me. Give me 30 hours, and I could defeat a lot of security systems (blowtorch through a safe, drill into a safe room, hack a wifi network, guess a lot of random passwords, etc.)

That's the time for him to figure out the process. The actual process would only take him 30 min if he's prepared...
 
And so can the password on the iPhone.

In the 30 hours that it takes for the world class thief who picked your iPhone up off the floor to hack it using this method you can reach out and lock it permanently using Find my iPhone.

That's 30 hours, folks. It takes less time than that for an iPhone to get from China to the US.

As others have already pointed out, the actual time taken to reproduce the fingerprint was a relatively small fraction of the 30 hours. The 30 hours included a good bit of time researching the specifics of the fingerprint sensor used. Replicating the actual fingerprint apparently *did* take somewhere on the order of 30 minutes.

Still a non-issue for most people because it takes more skill and effort than most random thieves have and are willing to go through, even assuming they *did* find a good print of the right finger on the phone after they stole it.

Additionally (something I can't believe so many people are still missing), you still can't wipe and re-use the stolen phone if Find My iPhone was enabled, because the fingerprint specifically cannot be used to authenticate with the servers. You need the passcode for that.
 
Lol, there's no way that 30 hrs with professional equipment was "way easier than expected"; what nonsense.

I've hacked HP laptop scanners with gummy bears; now THAT was way easier than expected.

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

Still not a major issue, because your typical thief will actually have *worse* preparation than a guy who is explicitly attempting to hack the scanner.
 