The original poster's comments were in line with normal security practices: 1 or 2 step verification. You didn't seem to understand what he was saying. Try again.

You missed the tongue-in-cheek expansionem ad absurdum of my post; it was not a critique of the original poster's comment. :)
 
Hopefully they didn't implement the "sub-epidermal" stuff because it required a longer scan time. I'd still like touch-ID to integrate with a keychain, and a longer scan time would be acceptable for things like bank transactions.
 
I wouldn't still save my fingerprint on my iOS-device. It's just not safe enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

I'll assume for a second that you don't know how the "fingerprint" is stored on the device. You do realize that they just lifted a print from the side of a phone and via very technical means and time were able to replicate it enough to fool the device? Forget whatever is on the device, the FBI could have framed you for murder since the day you were born. Lifting fingerprints isn't new, and your fingerprint is EVERYWHERE.

The thing is, you just aren't special enough to be targeted like this. And if you ARE that special, you are already using a strong password and knew you had a snowball's chance in hell of being allowed to use this, let alone afraid of it.

Apple really should warn people that the system is for convenience, and does not provide strong security.

First off, how do you measure that scale you are using called "security" and how do you determine where "strong" falls? I can take a ride on any public bus here in Seattle and on just about any ride can find either
A: Someone with no password
B: Someone who does not conceal their password as they enter it.

I need exactly no skills but the power of observation to take advantage of those people. If everyone starts using their finger? Well screw that, I don't have the time, equipment, money or patience for it.

And ONCE AGAIN, if the phone is not unlocked in 48 hours, the fingerprint is no longer valid.
If the phone is ever turned off, the fingerprint is no longer valid.
Until they turn the phone off, they will need a Faraday cage so that "Find My iPhone" does work.

I'm still quite sure that the security of the average iPhone will rise by a few bars due to this.
 
This is crazy. So it can be defeated - not very easily and wasn't the real point to encourage people to use SOME kind of security vs none? With the fingerprint I will have an access code and my finger print vs just swiping to unlock my phone.

Put up any wall and a determined person will find a way around it. Has happened repeatedly throughout history.
 
No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...

Absolutely! Why would most want this, especially when over half the users don't even turn on the 4 digit passcode feature? Apple could probably include the double system as an option for those that feel insecure.
 
I've heard the same. Supposedly law enforcement can do it. Waiting for a link.

One tool: http://www.zdnet.com/blog/hardware/...he-iphone-passcode-in-under-two-minutes/19335

I would assume the jailbreaking community is actually unwittingly helping out companies like the above that make such tools. Although the more they find (and thus Apple knows about), the more that should be closed as well.

Although not iPhone specific, still interesting:

Freezing Android phones to read RAM contents: http://www.technobuffalo.com/2013/02/18/frost-android-attack-security/

Freezing Android phone to bypass encryption: http://www.ehackingnews.com/2013/03/bypassing-android-encryption-by.html
 
If someone wants to steal your data it's going to happen. No single verification method is unbeatable (password, fingerprint). Multiple layers of security are the only way to minimize the chances of it occurring. The fingerprint sensor is still incredibly useful as it adds another layer to the existing simple/complex passwords available on the iPhone. On its own it has its weaknesses but combining it with a complex password would make it incredibly secure. If you have extremely sensitive data on your phone (corporate emails, etc) you will employ this type of two-step verification.

For the average user fingerprint verification is still a great security tool for the following reasons:

1) No security -> basic security: Most users didn't use any password before because it was a pain to enter it each time they wanted access to their phone. Their phones were completely unlocked and could be accessed by anyone (in spite of the fact that the data on it wasn't of particular importance). Since Apple's fingerprint verification is simple, fast, and easy, people will use it. And when they use it these people will now have at least some barrier on their devices.

2) Theft deterrent: Even if thieves could lift a print from your phone (which would not be guaranteed due to the need for a non-smudged print) and gain access to your phone, it's still not a trivial process. It takes time. If you can only do a phone once every 15 minutes that would eat into their profits (before iOS7 thieves could just wipe your phone and it was ready to be sold). And after all that work if the iPhone owner has "Find My iPhone" turned on all that work would be for nothing since the thief would still need the Apple ID's password to turn off that feature and erase the phone.
 
... complete print of the correct finger...

In that case I would imagine using a different finger from the one you typically use for input... like say your pinky... would make it a little more secure.
 
Apple really should warn people that the system is for convenience, and does not provide strong security.

I would suggest that something that takes 30 hours and more than a $1K worth of specialized equipment (plus the expertise to use it) to hack into is pretty secure. Not bulletproof but pretty dang secure. Unless you're a secret agent, I'd say this is all the security any of us need.
 
Apple went in the wrong direction to unlock your phone. They should have included a DNA sensor instead of the Touch ID.

DNA is much harder to fake.
 
Until they turn the phone off, they will need a Faraday cage so that "Find My iPhone" does work.

While everything else you wrote in your post is correct, one minor correction: I believe that simply putting the phone in airplane mode (which can be done either with Siri or control center if it's available on the lock screen) will prevent "Find My iPhone" from working. Of course, there's limited use to an iPhone that is not connected to the internet and cannot be easily reset.

I'm still quite sure that the security of the average iPhone will rise by a few bars due to this.

I challenge anyone to construct an even remotely common use-case for which the available security measures do not offer sufficient protection.

Alternatively, I challenge anyone to construct a typical use-case for which the added security measure of TouchID (not to mention password requirements for resetting the iPhone) will not improve the security of the iPhone and act as a deterrent against thieves.

The purpose of TouchID is not to cover every single possible contingency. It's to cover as many as possible. I believe this offers a good balance of convenience and security for the vast vast majority of users. Enough so that with the password reset requirements, thieves will start to think twice about stealing modern iPhones.
 
TouchID is supposed to remove the need for the passcode ...

Where did you hear that?
That's nonsense. It's designed to get the vast majority of users who use no passcode at all to at least use something.
No one claims that a single-factor authentication of any kind results in complete security.
 
I think more important than this being 'hacked' was the ability to use a scan of a fingerprint - which means that the 'sub-reading' of skin that was reported as required, was false.
Not necessarily false. It could be that the sub-layer structures that are read correspond very well (or exactly) to the surface structures. The advantage of reading the sub-layer would then not be that the scanner is reading a pattern different from that left behind on shiny surfaces as fingerprints, the advantage of sub-layer reading would be that it could ignore changes to the surface structures / surface image: ink, pizza sauce, small wounds on the surface of the finger, etc.
 
The tell-tale part here is "requiring just 30 hours".

First off, after 48 hours, Touch ID will not even allow fingerprint authentication. Nor will it function if it gets 5 bad fingerprint reads (and a thief would have no idea if he is using the correct finger or just holding it wrong or has created a bad copy).

This guy knew exactly which finger to use, made a perfect smudge of the fingerprint to lift and pulled it off the phone.

Mind you, all the while the thief would have to be blocking the iPhone from radio signals to prevent Find my iPhone from erasing the phone remotely.

If this guy took 30 hours in a best-case scenario, then the likelihood of somebody pulling this off without specifically targeting the victim is nil.

----------

I think more important than this being 'hacked' was the ability to use a scan of a fingerprint - which means that the 'sub-reading' of skin that was reported as required, was false.

I think it is reading under your skin, but the false print is three-dimensional and Apple's sensor is likely calibrated for less sensitivity in order to prevent rejecting the actual owner of the phone. They could probably crank up the sensitivity, but it would also likely cause more false negatives in general use. Given the configured sensitivity of Touch ID and the 3D approximation of the fingerprint using latex with a real finger behind the latex, it manages to fall within the realm of accepted parameters.
 
It requires a reliable print from the finger you have registered for TouchID.

I'll just use any finger besides my thumb and index for it then. Good luck finding those prints on my phone screen.
 
I think it's easier to put your finger 5 times to trigger the password login, and then try to guess the password...

Actually no. Try it sometime: attempting to brute force the password will get you locked out of the device.
 
I don't consider this hacked unless you can complete the process without the target's fingerprint. Having the fingerprint is pretty darn close to having the pin number and then claiming you've succeeded in a hack.

Would they call this a hack if they said, first I take video of you entering your pin number, then I enter your pin number?
 
iGrip said:
Apple really should warn people that the system is for convenience, and does not provide strong security.

And a 4 digit passcode is strong security?

Exactly. I'm much more fearful of someone looking over while I enter my password. Beating the fingerprint sensor requires commandeering my phone, finding a perfect print, replicating it perfectly, and then using it to access my phone. I'll choose the fingerprint method over a passcode/password any day.
 