Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

[seamer]

I'll be worried when these systems stop requiring biometrics to go along with the actual print. Of course, given this kind of hack, biometrics weren't really needed which kind of negates the whole point behind a thumbprint.

The technique keeps it secure enough from most thievery though.

 

[Rocco83]

Well this info is enough for me to not buy the 5S. If someone were to get ahold of my grocery list from the Notes App and find out that I am going to have Lasagna on Thursday my life will be flipped upside down.

 

[iSee]

I think this is actually good news.

For the vast majority of us what is on our phones that needs protecting?

- Sensitive personal stuff - text, pics, etc. These are of interest only to people who know us. E.g., some may not what their wife to know about their girlfriend, etc.
- Identity info that could be used by identity theves.

Probably few of us know someone with the skill (or money) and interest enough to pull this off, so personal info is safe.
And there are a lot easier ways to steal identities than this, so I doubt any would bother.

Of course, there are some who have info that really, really needs to be protected (though that probably shouldn't be on your phone in the first place)... so with this info out there they know to opt not to use touch id... they can save themselves $100 and get a 5c.

 

[TTile]

Why stop there?

4. TouchID, passcode, and retinal scan using FaceTime Camera
5. TouchID, passcode, retinal scan, and DNA sample (using accessory that collects blood or saliva and then matches it with DNA data stored in an encrypted database).
6. The phone can never be unlocked; if the screen ever turns off or if it leaves the owners hand it bricks itself, overwrites all data with a 35 pass Gutmann method, catches fire, reducing the iPhone to nothing but dust - at which point the iPhone molecules each travel through different wormholes into alternate universes.

The original poster's comments were in line with normal security practices: 1 or 2 step verification. You didn't seem to understand what he was saying. Try again.

 

[uberman15]

So much discussion and very little of it looks at the security issue holistically. The TouchID system adds a layer of security for the majority of users who opt not to use a passcode. For those that use a passcode, the option still remains however the use of TouchID is more convenient. That they should offer the option to do both is a reasonable criticism.

But let's say a thief goes through this entire process and unlocks the phone. What then? They still need your password to reset the phone and, for as long as they stay connected to the internet, you can locate the thief. The combination of added security to just unlock the phone plus the substantial difficulty in reseting it to sell it will deter the vast majority of thieves. It simply will not become worth it for most.

But what of the important data on your phone? For truly critical data, it should be hidden behind a secure password (ostensibly, you won't need to access it as often) and encrypted. Locking the phone should not be the only means of protection behind critical data. And if it must be, then use an alpha-numeric password in its place. It is the most secure option available and if security is that important, the inconvenience is worthwhile. For me, info like bank passwords is stored in 1password and protected by an alpha-numeric password and encrypted. Very little else on my phone requires that attention.

The one exception I've seen is email. As someone who doesn't require high levels of security behind his email, I've not investigated this at all. But I'm guessing that if your email needs to be protected by high levels of security, such clients can be downloaded from the App store and separately protected behind an alpha-numeric password.

There's no such thing as a completely unhackable system. But the combination of appropriate security techniques covers the vast vast majority of users. And for the majority who are not so security conscious (and, by design, hopefully don't store that much critical data on the phone), the TouchID and password reset is more than sufficiently secure.

I'm willing to bet that we'll start to see a drop off in iPhone 5S thefts as a result of the added security measures. This ultimately would be the true benefit.

 

[AppleInLVX]

use your nipples instead.

You owe me a keyboard.

 

[needfx]

I'm willing to bet that we'll start to see a drop off in iPhone 5S thefts as a result of the added security measures. This ultimately would be the true benefit.

thief : "so, is that a 5 or 5S?"

 

[Popeye206]

They really need to add a saliva test, voice ID along with the touch ID and a passcode to meet my needs.

I need my Starbuck rewards secure! No one is getting my free latte but me!

 

[bbeagle]

In other news, house keys and car keys can be circumvented if you take a picture of the keys and create your own key.

 

[Cappy]

The solution is simple...use another body part that might not come into contact with anything...something like your nose, private part, etc.

 

[Popeye206]

use your nipples instead.

ROFL! This cracked me up! Good one!

 

[applegigs]

Gee and all this for a fingerprint ? c'mon 30 sec flat it takes to cut a finger.. it's easier to point a gun at their head and unlock the god damn device =P Just kid... I don't know why people are so paranoid about security, security... you gave all your info to facebook and google.. on top of that in EU they take your fingerprints for Bio-metrical passport anyway.. I doubt they give half the **** to secure my fingerprint as much as Apple does.

 

[yanki01]

jeez, is all that necessary?

 

[Cappy]

In other news, house keys and car keys can be circumvented if you take a picture of the keys and create your own key.

Except keys and locks can be easily changed.

 

[iabacus]

Stealing an iphone. Finding some useable prints on it. Going through hours of meticulous csi/forensic work. Hoping that one of the prints you have works on the touch id. Only 5 attempts before it defaults to password, and you are guessing with multiple partial prints, that may or may not work depending on how well you duplicated the fingerprint.

Sounds easy enough

 

[jlc1978]

One would think someone who is

A dedicated attacker with time and resources to observe his victim and collect data

Portably has the resources to extract any desired data without worrying about locks, just as can be done today and unless Apple changed how a remote wipe is done even that is not a challenge.

It may make it harder for the average thief to sell a device except for parts.

 

[Chrjy]

If people are really worried about this, they need to be more concerned about how they view their own self-importance!

 

[legioxi]

Funny how people get up in arms about this but they didn't care or seem to realize that since about 2008 we've been able to pull all the data from your iPhone including passwords, email, text messages, web browsing history, and more. Doesn't matter if your passcode is set or not.

I was not aware of this. Source?

 

[Snits]

This little piggy ...

Why not offer a pro option: Require three fingers in a certain sequence. That's 720 possibilities, not counting toes.

 

[jonnymo5]

Considering that most people don't even set a passcode and "Slide to Unlock" is the only barrier to their digital treasure chest I think that Touch ID is a great step forward.

 

[duffman9000]

use your nipples instead.

Give this person some Benjamins!

 

[Dontazemebro]

Surely this is not the first time a fingerprint system has been "hacked" is it? I'm almost certain that it's because Apple being under the microscope as they always are is why they'd go through so much trouble to "hack" TouchID. And they did it by replicating a fingerprint. How's that not like taking a photograph of a key and machining a duplicate? Or taking an imprint of a key and doing the same thing. IE - they needed a somewhat physical way of duplicating the fingerprint in order to physically use it on the TouchID sensor.

I don't see anywhere in Apple's documentation that TouchID can tell the difference between a real fingerprint and a simulated one. They've only stated that the actual fingerprint data stored within the phone is inaccessible. Now, if someone were to be able to extrapolate the fingerprint from what's stored inside the phone....then I'd be worried.

I would think it common knowledge that it should be able to tell the difference between a real and fake fingerprint. Do we really need Apple to state this.

 

[duffman9000]

I was not aware of this. Source?

I've heard the same. Supposedly law enforcement can do it. Waiting for a link.

 

[Nozuka]

probably would make sense to add the following option:

only make touchID available when the iphone is connected to the internet and can be wiped remotely.

 

[shiinx]

For even more security:
Lock your iPhone using TouchID with your cat's paw. Create a fake paw print with the method described by Chaos Computer Club. Use the fake to unlock.
As you press the home button several times in normal use, the cat's paw print should no longer be retrievable.