Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

[rdlink]

Except keys and locks can be easily changed.

And so can the password on the iPhone.

In the 30 hours that it takes for the world class thief who picked your iPhone up off the floor to hack it using this method you can reach out and lock it permanently using Find my iPhone.

That's 30 hours, folks. It take less time than that for an iPhone to get from China to the US.

 

[monaarts]

I wouldn't still save my fingerprint on my iOS-device. It's just not save enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

I'll take your suggestion to heart once you learn to write correctly.

 

[ValSalva]

The time to make the replicated fingerprint won't always be 30 hours.

When someone figures out a way to make it in 30 minutes then this will be a problem.

 

[Sincci]

When they say that it took 30 hours, it means the amount of time that it took them to hack it after unboxing the iPhone, not that it actually would take 30 hours every time.

 

[APlotdevice]

is it just me or is this not considered a hack??? A hack would be bypassing the fingerprint sensor without a fingerprint. Period. This not new. We can learn how to lift finger prints from watching Beverly Hills Cop 2. LMAO

Hacking is a broad term. For instance it can apply to social engineering, as was Kevin Mitnick's preferred method. Or to spoofing, which this is arguably an example of.

 

[uberman15]

As anyone working in IT or even just Electronics Retail will tell you, most people are pretty ignorant about technology. That said, ignorance is NOT stupidity. It just means someone is not well versed in a particular thing.

Most of those people are not on MacRumors commenting on articles about TouchID and paying attention to the latest technology trends. Plenty of people come on MacRumors to either troll or make sarcastic comments. Simple probability would indicate that this person was most likely being sarcastic.

Anyways, further discussion of this is irrelevant and a waste of time.

 

[OldSchoolMacGuy]

I was not aware of this. Source?

Not sure I should go mentioning product names. The product is only sold to licensed law enforcement. Apple is well aware of it. Myself and my previous boss have sat down with their iOS security team on a number of occasions. They saw what the software could do and insisted that iOS was secure (even though we were showing it was far from it). It's since become a popular tool for the law enforcement community and has been used in hundreds of investigations. Keep in mind that these tools aren't being used until after a warrant has been issued and law enforcement has every right to search the persons computer and electronic devices. People on these types of sites always get all up in arms about how their rights are being violated when that simply isn't the case.

On another note the same product will also plug into a Mac and pull all the Keychain passwords, email history, web history, and a ton more. Also works on Windows and Linux.

 

[uberman15]

The time to make the replicated fingerprint won't always be 30 hours.

When someone figures out a way to make it in 30 minutes then this will be a problem.

This is why MacRumors can be infuriating. Read the linked article on Ars Technica. The guy says he could do it in a half-hour (hey, the exact time you stated!). Annoying that MacRumors left that piece of info out.

On the other hand, it's still not really a problem.

 

[layphone]

iPhone 5s Owner

I think I might be the first person to reply to this thread who has actually used a 5s. That is the problem, no one knows how it actually works and is scared. A few points:

1. After 48 hours your phone requires the passcode. (Noted in #96)
2. If the phone is turned off/restarted it requires the passcode.
3. To change the passcode or fingerprint, it requires the passcode.
4. If you try to reset the phone, that requires the Apple ID and password.
5. You can turn off Touch ID and just use passcode.
6. You can just use Touch ID for your iTunes password.

I have had lots of luck just looking over people's shoulder for the passcode.

It is very secure. I have never used a passcode before but am using Touch ID, it works amazingly and makes things more secure. There is nothing I am really worried about someone hacking into my iPhone for but I might as well use it, because once again with Apple, it just works.

 

[Fishticks]

I'm just not that important for someone to go through all that trouble to fake my fingerprint. I'll continue to use Touch ID. It works fine for what I use it for.

If you loose your iPhone or its stolen, anyone will be able to unlock it, given all the fingerprints all over it (unless you're not using your index for unlocking).
Bye bye passwords and beware payments etc with your private data.

Fingerprint sensor is just a bigger fail than Maps !

 

[lcmazza]

Looks like anyone can also be kidnapped, thus making Touch ID useless.

 

[TTile]

The time to make the replicated fingerprint won't always be 30 hours.

When someone figures out a way to make it in 30 minutes then this will be a problem.

Not really. That's still a significant amount of time. Plus if someone has find my iphone engaged the phone will be completely locked down and unusable anyways...

 

[Rogzilla]

Your house lock can be bypassed with a copy of your key!

Or picking the lock.

Or kicking in an undeadbolted door.

Or the simple expedience of throwing a brick through a window.

 

[btcutter]

much ado about nothing

So we are worried about Touch ID not secure enough to protect most email accounts that are already being read by NSA? Most free email accounts are already being scan and read by computers (see Google) for your shopping tendencies and keywords.

 

[TTile]

If you loose your iPhone or its stolen, anyone will be able to unlock it, given all the fingerprints all over it (unless you're not using your index for unlocking).
Bye bye passwords and beware payments etc with your private data.

Fingerprint sensor is just a bigger fail than Maps !

I'm just going to be blunt: You're either an Android fanboy or you haven't read a thing in this thread. Either way, you're an idiot.

1) You need a perfect print. Good luck finding one "all over" the phone
2) You password is still required to turn off find my iPhone.
3) What payments? App payments? I'm not really concerned if a thief buys a bunch of apps that will be associated with my account. Apple would refund me in an instant.
4) 50% of people who didn't have any password before touch ID allowed anyone who picked up their phone to access their "private data." If your data is important or sensitive its best to protect it with an additional password.

 

[zecks420]

I wouldn't still save my fingerprint on my iOS-device. It's just not save enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.

Seriously your a idiot... Anything can be bypassed if you go through enough trouble. Go live in a fortress. cause your door locks are not safe enough.

 

[mrmyk]

Did he use his own fingerprint?

Did this person hack the finger print by copying HIS OWN finger print. It's one thing to hack it if you have the finger to make a finger print copy, but what about making a copy of the fingerprint you don't have. Then it might not be so easy.

 

[pubwvj]

Hmm... To worry or not to worry.

1. I have no sensitive data on my iOS devices.

2. I don't use the existing security entry method because it doesn't matter and it is a bother.

3. I might use the TouchID because it is so easy. But I might not because that means I need to TouchID each of our families six devices for all five family members and that would be a bother to setup.

4. Go To #1 above.

 

[zecks420]

Some of you people amaze me... Never had such a secure option before...and half of you NEVER even used anything... But now your gonna bitch about something like fingerprint not being enough? Too Easy? Lmao... unreal. No one else even has this tech and apparently you all want Retina Scanners next... But then someone will find a way to make a image of your eye blah blah blah... Get over it. Use it or don't buy it. 30 hours later and over a grand to get into my phone that takes 90 seconds to wipe remotely. I would say thats a win...

 

[duffman9000]

One tool: http://www.zdnet.com/blog/hardware/...he-iphone-passcode-in-under-two-minutes/19335

I would assume the jailbreaking community is actually unwittingly helping out companies like the above that make such tools. Although the more they find (and thus Apple knows about), the more that should be closed as well.

Although not iPhone specific, still interesting:

Freezing Android phones to read RAM contents: http://www.technobuffalo.com/2013/02/18/frost-android-attack-security/

Freezing Android phone to bypass encryption: http://www.ehackingnews.com/2013/03/bypassing-android-encryption-by.html

Thanks for the links. I'm not surprised. Anytime you lose physical access to your device you have to consider it compromised.

 

[TTile]

Some of you people amaze me... Never had such a secure option before...and half of you NEVER even used anything... But now your gonna bitch about something like fingerprint not being enough? Too Easy? Lmao... unreal. No one else even has this tech and apparently you all want Retina Scanners next... But then someone will find a way to make a image of your eye blah blah blah... Get over it. Use it or don't buy it. 30 hours later and over a grand to get into my phone that takes 90 seconds to wipe remotely. I would say thats a win...

Based on their inability to speak English and make even a remotely logical argument I'm going to say they're from Samsung's mudslinging PR department...

 

[Ryth]

If you loose your iPhone or its stolen, anyone will be able to unlock it, given all the fingerprints all over it (unless you're not using your index for unlocking).
Bye bye passwords and beware payments etc with your private data.

Fingerprint sensor is just a bigger fail than Maps !

Go ahead and break into the phone...lets see you try it with a nice fingerprint.

99.9% of the people will not be able to accomplish this.

Only fail is your troll post.

 

[TTile]

Way too much work to be efficient. IF someone really needs to break into your iPhone, they will be able to do that, but for an normal user. No.

Just sayin'

Exactly...

 

[lewisd25]

Note to self: Remotely wipe iPhone 29 hours after being stolen.

iPhone 5s: $299

Some idiot wasting 29 hours of his life in his mother's basement trying to break into my phone without success: Priceless

 

[zecks420]

Porn collection is compromised.

laughed so hard I almost pissed myself