Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

[croooow]

right.. i don't care for the name calling.. it's even more useless than arguing over a typo.

the reason i replied in the first place to you wasn't in direct defense of the dude you were quoting (who i am apparently the white night of).. i made a very similar point as him earlier in the thread along with a few other people..

It is not a simple typo. When you emphasize the wrong word in a sentence you can change the meaning (especially when you briefly look at it, as most do. I am sure most just skim over these comments) I said this in conjunction with MR leaving out key points in their summary, which also changes the meaning to most (and in this case, most of the comments were regarding the 30 hours it seemed to take to fake a fingerprint)

Again, I think he has a very valid point (and apparently so do you, I did not see your similar post) about the facts in the article.

"white knight" is not really "name calling" it is a description of your action (If you were actually defending your own post, I missed that. Your comment to me looked like a pretty direct defense of this guy)

 

[flat five]

It is not a simple typo. When you emphasize the wrong word in a sentence you can change the meaning (especially when you briefly look at it, as most do. I am sure most just skim over these comments) I said this in conjunction with MR leaving out key points in their summary, which also changes the meaning to most (and in this case, most of the comments were regarding the 30 hours it seemed to take to fake a fingerprint)

sure, i agree that a mis-emphasized word can dramatically alter a statement's meaning and i said so in the first post i responded to you in (smthng like "yes, i see the difference you're pointing out")

that said, this is written language on the interwebs which often requires more than just taking words at face value.. sometimes you have to also consider context and overall tone etc in order to understand what someone is saying (and just to be clear, i'm not trying to claim i'm perfect and/or always properly interpret things people say.. in fact, i made a similar mistake earlier in the thread in which the person i responded to had to point out that i just repeated what he said when i responded with what i originally felt was an opposing view)..

a n y w a y...
regarding the original MR post.. sure, i can see how someone may not pick up on all the details via the summary.. i think the author thought that when she/he posted the quote:

"I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial. "

immediately after the 30hrs statement that people would understand the context.. as in the hacker didn't expect a week or two in order to bypass touchID via this specific method.. he expected a week or two to find some sort of method to crack it..

but sure, it could of been more clearly written especially in hindsight seeing so many people saying "well, it takes 30hrs to do this.. who gives a !? "

Again, I think he has a very valid point (and apparently so do you, I did not see your similar post) about the facts in the article.

"white knight" is not really "name calling" it is a description of your action (If you were actually defending your own post, I missed that. Your comment to me looked like a pretty direct defense of this guy)

the first time i said it was in post #222 in response to someone saying 30hrs-wtf on the first page of the thread.. as i read through the rest of the thread, i noticed quite a few other people had already pointed out the same thing.. and quite a few people have pointed it out since then.

 

[cfurlin]

Wait. Are we still talking about the iPhone fingerprint "hack" or did I stumble into a thread about croooow and flat five's lovers quarrel?

 

[flat five]

Wait. Are we still talking about the iPhone fingerprint "hack" or did I stumble into a thread about croooow and flat five's lovers quarrel?

both
#

 

[TTile]

Today it might take 30 hours to break in. How about 3 months from now? This touch "security" is a joke.

I guarantee I could get into your phone faster by stealing your password/passcode than trying to break in by replicating your print.

 

[cisco1138]

No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...

Agree, I don't want to have to enter a code after the finger scan, but I would be willing to to scan two fingers

 

[croooow]

Wait. Are we still talking about the iPhone fingerprint "hack" or did I stumble into a thread about croooow and flat five's lovers quarrel?

You want some of this, newbie?

 

[TTile]

I just don't understand all the freaking out over a fingerprint. Sure, your fingerprint is stored in your phone and Big Brother can access it potentially. However, it is also "stored" on that Starbucks cup you threw in the trash. BB can also access that as well AND turn it into a digital image fairly quickly.

Seems much ado about nothing for the average person to me...

People aren't really concerned about the fingerprint data stored on the phone. They're concerned that someone can replicate your print and use it to break into your phone and get your sensitive data.

 

[cisco1138]

I wouldn't still save my fingerprint on my iOS-device. It's just not save enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

I can change mine, but only 10 times.

 

[croooow]

...a n y w a y...

hurm

 

[TTile]

The real life upshot of all this is that -

Unless you're somebody important... or Apple went ahead and implemented real world store payments via fingerprint alone (not likely to happen now!)... most thieves aren't going to bother.

What's far more likely to happen with the easy sensor unlock, is that people around you (roommates, spouses, siblings, etc) will unlock your phone with your finger while you're asleep, and check out your personal photos, emails, texts and call logs.

Word to the wise: if you're stepping out on your significant other, or you live in a dorm, it's probably not a good idea to enable fingerprint unlock

You don't think they'll use it for store payments? I just was looking at google wallet's security procedures and they seem to just require a 4 digit pin to authorize payment. It seems like the fingerprint would be just as safe as the pin (especially considering that 10% of pins are just 1234 and nearly 30% fall within a list of 20 unique pins). Furthermore if the fingerprint alone proves to be problematic they could always implement a 2 step verification method (ie requiring a 4 digit pin as well).

 

[croooow]

People aren't really concerned about the fingerprint data stored on the phone. They're concerned that someone can replicate your print and use it to break into your phone and get your sensitive data.

In most cases, what do people really think someone is trying to get? Your phone is stolen and they get in after 30 mins - 30 hours and what do they see? Your lame texts? Pictures that you did not post to facebook?

Realistically, if someone steals your iPhone they want your iPhone, not you precious data!

People really think they are that interesting or important? Or do people keep copies of their tax returns and SS# on their phone with only iOS's locks to stop people from viewing them?

 

[layphone]

Can any one provide me a real world situation where I am going to leave a clean fingerprint that some one else would be able to use for this?

Everyone look at your iPhone screen, mine is smudged (Candy Crush Saga) and I can't think of anywhere else that I would leave a clean print.

I might get suspicious if someone handed me a drink and then took it back after I touched it once.

Without a clean print this is completely useless, I think CSI:[favorite big city] has fooled us into thinking this is much easier than real life.

 

[TTile]

Let's face it. There is no security invulnerable to attacks. Biometrics aren't necessarily more secure than a memory of numbers. It's an alternative. It may be slightly quicker, but not enough to make a significant difference.

For what its worth, I'd say most "average consumers" wouldn't have to worry about a 4 digit passcode being hacked either.

If a hacker finds a sure-fire way to bypass the lock screen all together, it wouldn't matter how secure the overlying lock is, would it?

I applaud Apple for trying to differentiate, but it isn't anything revolutionary or necessarily "better".

I think using a fingerprint is much "'better'". Typing in a password (or even a 4 digit passcode) is incredibly cumbersome to do multiple times a day. The fingerprint is quick and painless.

----------

Can any one provide me a real world situation where I am going to leave a clean fingerprint that some one else would be able to use for this?

Everyone look at your iPhone screen, mine is smudged (Candy Crush Saga) and I can't think of anywhere else that I would leave a clean print.

I might get suspicious if someone handed me a drink and then took it back after I touched it once.

Without a clean print this is completely useless, I think CSI:[favorite big city] has fooled us into thinking this is much easier than real life.

Right and that's why this security method is still incredibly robust and secure.

 

[cisco1138]

They didn't 'bypass' anything.

Grow up mac rumours.

He hacked into his own phone, I bet he would find it a bit more difficult to bypass mine. He will find at least 10 finger prints on my phone, he will have to repeat his steps on every single print he finds. What if I open the phone with a finger (pinky) that never touches the phone's surfaces other than to open it?

 

[TTile]

In most cases, what do people really think someone is trying to get? Your phone is stolen and they get in after 30 mins - 30 hours and what do they see? Your lame texts? Pictures that you did not post to facebook?

Realistically, if someone steals your iPhone they want your iPhone, not you precious data!

People really think they are that interesting or important? Or do people keep copies of their tax returns and SS# on their phone with only iOS's locks to stop people from viewing them?

Right completely agree. And your phone will still be protected by find my iphone (which is still behind the wall of your Apple ID password).

Sensitive data can be a lot of things: Corporate emails, patient records, private communications with a mistress (for cheating husbands), naked pictures (for scandalous teenagers)---its a wide spectrum.

 

[Jason98]

Since the fingerprint needs to be "lifted" from the image that is displayed on the iPhone's screen after a scan, it would be very easy for Apple to thwart this kind of attack by not displaying the print on the screen after scanning. Apple could display a placeholder image that does not resemble a fingerprint, an therefore will not allow thieves to replicate it.

That's what the hack is using? If so then it would indeed be pretty easy for Apple to strengthen the security of the Touch ID. But in any case what this unfortunate PR annoyance for Apple does is force them to somehow strengthen the feature and fast. Especially if this hack story doesn't fade away.

Hmm, dumb and dumber?

 

[croooow]

Can any one provide me a real world situation where I am going to leave a clean fingerprint that some one else would be able to use for this?

Everyone look at your iPhone screen, mine is smudged (Candy Crush Saga) and I can't think of anywhere else that I would leave a clean print.

I might get suspicious if someone handed me a drink and then took it back after I touched it once.

Without a clean print this is completely useless, I think CSI:[favorite big city] has fooled us into thinking this is much easier than real life.

Thank you, I was thinking "Dexter" or "24" for the prints but I agree 100% otherwise

 

[flat five]

Can any one provide me a real world situation where I am going to leave a clean fingerprint that some one else would be able to use for this?

Everyone look at your iPhone screen, mine is smudged (Candy Crush Saga) and I can't think of anywhere else that I would leave a clean print.

I might get suspicious if someone handed me a drink and then took it back after I touched it once.

Without a clean print this is completely useless, I think CSI:[favorite big city] has fooled us into thinking this is much easier than real life.

i think it's important to realize this story is showing a proof of concept as opposed to a refined technique.. i mean, for all i know, it's possible that down the line someone will discover a chemical/material which can be sprinkled on a fingerprint and it will rise in the areas of the oils.. i.e.- sprinkle a bit of the fairy juice on the home button, wait 10 seconds for the ridges to rise, press the home button while wearing a latex glove.. and you're in via the same print/portion of print that the owner used to unlock the phone.

farfetched? sure, maybe.. but it's definitely the type of stuff you should be expecting your manufacturers to completely rule out.. i definitely believe apple already knows about this 'hack' shown in the OP and i bet they know of a few others.. how wouldn't they? the ccc guy didn't invent the technique.. he read about it on the internet and simply applied it to touchID..
it's probably the reason why they're not releasing the tech to 3rd parties but they honestly believe it's plenty secure for it's current use (which i agree with).


assuming a security is impenetrable or beatable is one thing.. seeing it either withstanding attacks or falling prey is another.. it's not so much an issue of how, exactly, it's being done.

 

[Dontazemebro]

My point is that you (the phone's owner) has 30 hours to lock up your phone and make it unusable. I am assuming that Touch ID/iOS 7 does not negate the security that has been in place in iOS 6. If I am wrong please let me know.

----------



I wonder why MR left the 30 minutes mention out of the summary. I also wonder why you bolded (and "CAPS locked") the word "DID" and not the word "not" which would seem to be the more important word in that statement.

Yeah, one of those early morning brain farts.

 

[roblafave]

Haven't read through all the comments, but has anyone considered simply registering the Touch ID with a finger that is rarely/never used to interact with the touch interface (ring, middle or pinky finger).

Once the device has been unlocked with a less commonly used finger, you'd likely end up removing any scannable trace of that print with the first use of the home button by your thumb or index finger.

 

[cfurlin]

You want some of this, newbie?

Maybe, but I suspect you don't look anything like your picture.

 

[Dontazemebro]

Haven't read through all the comments, but has anyone considered simply registering the Touch ID with a finger that is rarely/never used to interact with the touch interface (ring, middle or pinky finger).

Once the device has been unlocked with a less commonly used finger, you'd likely end up removing any scannable trace of that print with the first use of the home button by your thumb or index finger.

It's definitely a possibility but how cumbersome and unnatural would it be for you to unlock your phone with your pinky? How many times a day would you say you unlock your phone? 20 times a day? 30 times a day?

Personally I can't imagine doing that, it would frustrate the hell out of me. At the end of the day I'll most likely use it, (because really who am I) but I still can't get over the fact that Apple was disingenuous about the whole sensor concept.

 

[skinned66]

Qu'elle surprise.

----------

In most cases, what do people really think someone is trying to get? Your phone is stolen and they get in after 30 mins - 30 hours and what do they see? Your lame texts? Pictures that you did not post to facebook?

Realistically, if someone steals your iPhone they want your iPhone, not you precious data!

People really think they are that interesting or important? Or do people keep copies of their tax returns and SS# on their phone with only iOS's locks to stop people from viewing them?

These are good points. I'd also like to add that if the new stolen phone/re-activation feature works as expected with no simple bypass then the phone itself in addition to being locked down will only have resale value for parts.

 

[flat five]

It's definitely a possibility but how cumbersome and unnatural would it be for you to unlock your phone with your pinky? How many times a day would you say you unlock your phone? 20 times a day? 30 times a day?

Personally I can't imagine doing that, it would frustrate the hell out of me. At the end of the day I'll most likely use it, (because really who am I) but I still can't get over the fact that Apple was disingenuous about the whole sensor concept.

I wouldn't want to use my pinkie either. it becomes a two handed ordeal at that point. the thumb is where it's at.

possibly the best way to thwart this hack while still using your thumb as the identifier would be to use the portion of your thumbprint just above it's second knuckle instead of more out there at the tip which is the part used to actually interact with the phone.
for further security, make it a habit to unlock with that part of ur thumb then swipe away once opening instead of lifting.

(and yes.. I realize this is pretty ridiculous to think about/ mention.. I'll get into something a little more productive here in a minute.. I promise )