Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

[Nevaborn]

This was hilarious in it's absurdity when first posted, now its just pathetic.

30 HOURS

Seriously, why are we concerned at all ? in every day life the fingerprint will be smudged away or disturbed by an overlaying one which would make a clean transfer impossible.

£1000

So it needs not only time but some pretty expensive equipment to do this and a knowledge base and ability to accurately copy and transplant a fingerprint...your average thief will not have a clue how this works and if they had the money to do it most would of just spent the money on an iPhone. Some people seem to be panicking that every iPhone thief will now be after your most personal information when most as they always have been just want an iPhone or any Apple device to sell on quickly and make a few £££

30 HOURS !!!

Seriously its 30 hours... How many people lose their phone and don't notice for 30 hours...I would notice within mins and be straight on to a computer to wipe it and lock it down.

 

[tomtendo]

This is getting out of hand. 99.8% of people aren't going to have this problem. AND.. where were these same people when IBM released a finger print scanner for computers? I think my computer has a lot more important information on it than my phone. Especially since IBM(Or Lenovo) are mainly used as business computers.

 

[tbrinkma]

Since the fingerprint needs to be "lifted" from the image that is displayed on the iPhone's screen after a scan, it would be very easy for Apple to thwart this kind of attack by not displaying the print on the screen after scanning. Apple could display a placeholder image that does not resemble a fingerprint, an therefore will not allow thieves to replicate it.

The image displayed on the screen is a generic 'fingerprint', not your *actual* fingerprint.

The print that is 'lifted' is the one left behind on the glass surface when you touch it.

 

[AaronEdwards]

This was hilarious in it's absurdity when first posted, now its just pathetic.

30 HOURS

Seriously, why are we concerned at all ? in every day life the fingerprint will be smudged away or disturbed by an overlaying one which would make a clean transfer impossible.

£1000

So it needs not only time but some pretty expensive equipment to do this and a knowledge base and ability to accurately copy and transplant a fingerprint...your average thief will not have a clue how this works and if they had the money to do it most would of just spent the money on an iPhone. Some people seem to be panicking that every iPhone thief will now be after your most personal information when most as they always have been just want an iPhone or any Apple device to sell on quickly and make a few £££

30 HOURS !!!

Seriously its 30 hours... How many people lose their phone and don't notice for 30 hours...I would notice within mins and be straight on to a computer to wipe it and lock it down.

If you had spent the time writing this comment actually reading the article, then you would have know that the process actually only takes 30 min, not 30 hours.

Hilarious indeed.

----------

I wonder how many would remote wipe their iPhone if they can't find it after 30 min? After 1 hour? After 2 hours? Maybe they still believe that it will turn up... And do most people generally keep their Apple ID and Apple ID password with them at all times and another device that you use to remote wipe your iPhone?

 

[Borghetti]

What a pointless video. He didn't bypass anything.

 

[flat five]

This is getting out of hand. 99.8% of people aren't going to have this problem. AND.. where were these same people when IBM released a finger print scanner for computers? I think my computer has a lot more important information on it than my phone. Especially since IBM(Or Lenovo) are mainly used as business computers.

probably doing something else and having absolutely zero thoughts/concerns regarding fingerprint ID because nothing they've ever used/owned/considered had the technology?

(for instance- me personally? i didn't even know ibm had a fingerprint scanner available for computers until reading your post.. so why would i have thought about it in the past?)

----------

What a pointless video. He didn't bypass anything.

luckily for most of us, apple won't/can't take a similar stance as yours and just completely ignore what the ccc guy is showing

 

[steelecan]

Most people don't have the resources nor the wits to go through all this. Too time consuming just to get into an iPhone! Just rob a bank!

 

[AaronEdwards]

luckily for most of us, apple won't/can't take a similar stance as yours and just completely ignore what the ccc guy is showing

The big question is what Apple can do about it, not sure that there's a software update to fix this and the sensor itself will not be updated or replaced.

I'm guessing any software fix making this bypass more difficult to accomplish would also lead to a lot of people having problems unlocking their iPhones with their fingers.

 

[kdarling]

Real life significance

The real life upshot of all this is that -

Unless you're somebody important... or Apple went ahead and implemented real world store payments via fingerprint alone (not likely to happen now!)... most thieves aren't going to bother.

What's far more likely to happen with the easy sensor unlock, is that people around you (roommates, spouses, siblings, etc) will unlock your phone with your finger while you're asleep, and check out your personal photos, emails, texts and call logs.

Word to the wise: if you're stepping out on your significant other, or you live in a dorm, it's probably not a good idea to enable fingerprint unlock

 

[cfurlin]

I don't know if someone posted this already, but I got tired of reading all the derp in this thread.

The iPhone was not hacked. Someone replicated a fingerprint and used it to unlock an iPhone. That is not "hacking" the iPhone. You can do this with any device that accepts a fingerprint.

Seriously MacRumors, either stop sensationalizing your news or hire some tech-saavy writers who know the difference. The iPhone did exactly what it was supposed to do...and should do.

 

[AaronEdwards]

I don't know if someone posted this already, but I got tired of reading all the derp in this thread.

The iPhone was not hacked. Someone replicated a fingerprint and used it to unlock an iPhone. That is not "hacking" the iPhone. You can do this with any device that accepts a fingerprint.

Seriously MacRumors, either stop sensationalizing your news or hire some tech-saavy writers who know the difference.

Well, what would you call it?

iPhone 5s skimming?
Social Hacking?

 

[Rootus]

$1000 and 30 hours is a hurdle? Sure, for some random schmuck who probably doesn't really care what's on your phone anyway. For the police, or a corporation? Trivial.

 

[cfurlin]

Well, what would you call it?

iPhone 5s skimming?
Social Hacking?

Fingerprint impersonation.

There isn't a device on the planet that can save you from that.

 

[croooow]

sure, i see the difference.. but arguing against donta's pov based on a typo doesn't negate his post/point in any way.

Oh, he has a "white knight"? Lovely.

He has a valid point, but my point was that if a story is presented in a certain way, people will take it as such:

• MR presented this story as if it would take 30 hours, no mention of 30 minutes (I do not click every link I am presented with. I, along with many others, are commenting on MR's article, not the source. Since these comments are on MR's site, that makes sense)

• His own comment (at a quick glance) makes it look like the person who spent 30 hours also spent $1000's (which was not his point)

 

[Gypsy36]

I just don't understand all the freaking out over a fingerprint. Sure, your fingerprint is stored in your phone and Big Brother can access it potentially. However, it is also "stored" on that Starbucks cup you threw in the trash. BB can also access that as well AND turn it into a digital image fairly quickly.

Seems much ado about nothing for the average person to me...

 

[croooow]

Actually, it doesn't take 30 hours to copy the print and unlock the iPhone.

The 30 hours was the time between him getting his hands on the iPhone and being able to unlock it with a copied print.

The process to copy the print and make a fake print is in itself a lot faster. According to Ars that process would with better preparation only take 30 min....

This really just points out how awfully written MR's summaries are.

If the "30 hour hacker" spent time doing other things (as pointed out by Dontazemebro and others from the source article:

"It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it."

Why is MR not including key parts of the article?

 

[cfurlin]

This really just points out how awfully written MR's summaries are.

If the "30 hour hacker" spent time doing other things (as pointed out by Dontazemebro and others from the source article: Why is MR not including key parts of the article?

News isn't interesting when it contains facts.

 

[mrwheet]

Apple really should warn people that the system is for convenience, and does not provide strong security.

The security it provides is a hell of a lot "stronger" than the 4-digit passcode it's replacing. These articles about bypassing it are misleading.

 

[flat five]

The big question is what Apple can do about it, not sure that there's a software update to fix this and the sensor itself will not be updated or replaced.

I'm guessing any software fix making this bypass more difficult to accomplish would also lead to a lot of people having problems unlocking their iPhones with their fingers.

i don't feel in danger with it's current implementation.. as in, i plan on getting a 5s and i'll still (happily and welcomely) use the touchID over the 4s style passcode entry.

with the type of info i have on my phone and how rare it would be to have my phone stolen by someone prepared to get into it with this method, i feel my risks are incredibly low. (as in, the biggest concern for me regarding my stolen phone would be that i no longer physically have the phone and have to buy another).

so does apple have to fix the phones currently being sold? no, i don't think so.. the phones can already be set up with long passwords (longer than 4 digits) so if someone really requires more security, they could/should be going that route..

what they can't do, imo, is add or allow more sensitive type of data/capabilities to be accessible via the current touchID.. (for example- release to 3rd party who may in turn allow touchID to unlock and start a car.. or make point of sale purchases using touchID as the only means of verification ... ATM withdrawls etc.)

so it's either back to the drawing board if they (apple) plan on using this type of functionality as future means of security in more sensitive areas or, just leave it as is and have it do what it's currently designed to do.. which, as i understand via reviewers, works great and is an awesome feature.

----------

Oh, he has a "white knight"? Lovely.

meh

 

[croooow]

Apple really should warn people that the system is for convenience, and does not provide strong security.

The security it provides is a hell of a lot "stronger" than the 4-digit passcode it's replacing. These articles about bypassing it are misleading.

You mean "the 4-digit passcode that most people do not use" (And you can use a longer alpha-numeric password, but even even fewer use that. I do see people unlock their phones with a 4 digit PIN but I cannot recall EVER seeing anyone type in a more complex code)

----------

meh

You do not care yet took the time to edit my comment and reply after replying to someone else? Get over yourself.

 

[bmt134]

Today it might take 30 hours to break in. How about 3 months from now? This touch "security" is a joke.

 

[nStyle]

Let's face it. There is no security invulnerable to attacks. Biometrics aren't necessarily more secure than a memory of numbers. It's an alternative. It may be slightly quicker, but not enough to make a significant difference.

For what its worth, I'd say most "average consumers" wouldn't have to worry about a 4 digit passcode being hacked either.

If a hacker finds a sure-fire way to bypass the lock screen all together, it wouldn't matter how secure the overlying lock is, would it?

I applaud Apple for trying to differentiate, but it isn't anything revolutionary or necessarily "better".

 

[flat five]

You do not care yet took the time to edit my comment and reply after replying to someone else? Get over yourself.

right.. i don't care for the name calling.. it's even more useless than arguing over a typo.

the reason i replied in the first place to you wasn't in direct defense of the dude you were quoting (who i am apparently the white night of).. i made a very similar point as him earlier in the thread along with a few other people..

 

[AaronEdwards]

Today it might take 30 hours to break in. How about 3 months from now? This touch "security" is a joke.

In the time it will take you to read the original article, you'll find out that it now will only take 30 minutes...

 

[larrybeo]

This is Great!

How much money is this thing and how do I buy one?