If you lose your iPhone or it's stolen, anyone will be able to unlock it, given all the fingerprints all over it (unless you're not using your index for unlocking).
Bye bye passwords and beware payments etc with your private data.

Fingerprint sensor is just a bigger fail than Maps !

I don't think so. Troll somewhere else.
 
This whole thing is total FUD. 99% of the time your phone will be stolen or lost while you're out and about. How exactly is a thief even going to attempt to crack the Touch ID if he doesn't even know who owns the phone? Ridiculous... Touch ID is perfectly safe for 99.99% of people.

I agree and
You could probably add an extra 9 in there :D
 
It's still not secure....

I'll stand by that...

"average consumer" means nothing nowadays.....
 
Did this person hack the fingerprint by copying HIS OWN fingerprint? It's one thing to hack it if you have the finger to make a fingerprint copy, but what about making a copy of the fingerprint you don't have. Then it might not be so easy.

Exactly. All he showed was proof-of-principle using an ideal sample. The real-world security feature (access to the phone being denied to an unauthorized user) has yet to be defeated. And even if it eventually does get defeated, such a defeat will still require a highly improbable specific set of circumstances (i.e. finding a perfect print on the phone, reproducing the print, perfectly, the first time).

I feel perfectly safe using my fingerprint. I'm more fearful of someone finding out my password and using it to break into my phone versus my fingerprint.
 
Except that it's been proven and also detailed that it will not work with dead tissue :D

but but what if the thief copies the print off the severed finger and then does the CCC method to gain access to your phone? APPLE IS DOOMED

- Every troll/Samdung PR person on this thread
 
What security feature is? Plus it's still more secure than a password...

True... it's more secure than a password, but Apple's touting TouchID as MORE secure.... more secure to the average consumer, yes, but not to someone like this guy that got round it easily.
 
I don't see anything to get worked up over at this point in time. If someone figures out a simple way to do it in a few minutes, that may be a different story.
 
If you lose your iPhone or it's stolen, anyone will be able to unlock it, given all the fingerprints all over it (unless you're not using your index for unlocking).
Bye bye passwords and beware payments etc with your private data.

Fingerprint sensor is just a bigger fail than Maps !

You need not worry my friend... Trolls have no fingerprints.
 
OK, so this is the kind of info that was missing from the first report yesterday. If the whole process was relatively simple and fast (and by fast I mean a couple of hours max) it would have been a real cause for concern. But 30 hours + 1000$+ worth of equipment with VERY chancy results!? Pft, no casual thief will ever bother with that. Plus there is extra security like the activation lock that will kick in long before 30 hours are over.

I think more important than this being 'hacked' was the ability to use a scan of a fingerprint - which means that the 'sub-reading' of skin that was reported as required, was false.

Yes, this is the only issue here so far as I'm concerned. According to media reports supposedly coming from Apple this kind of spoofing should not have been possible. The fact that it was is a black eye for Apple. I guess it means that somebody lied to the press? Or is it that the sensor does attempt to read the subepidermal layer but is not sensitive enough and can be fooled? Given the controversy Apple should clear the air on the issue.
 
I think more important than this being 'hacked' was the ability to use a scan of a fingerprint - which means that the 'sub-reading' of skin that was reported as required, was false.

The subdermal reading is correct. The problem was the "tech reporters" who didn't bother to do any research to find out that all it means, is a sharper image of the ridges.

They got caught up in the fact that it was "live tissue" and falsely made it into a requirement.

1) Your fingerprint is never stored on the iPhone 5S. A data hash is generated from your fingerprint.

Actually, the "hash" is another made-up "fact" from the internet echo chamber. Even I once said it a while back. But Apple never said it.

After researching fingerprint recognition algorithms, I now think that each feature's information (type, location, direction) needs to be stored separately. No hash.

OK so who do we believe? The guy that did it with inexpensive office equipment in less than 30hrs or the guy that uses thousands of dollars worth of stuff and deems the process anything but trivial?

What is the "$1,000 worth of equipment" supposed to include? Most people already have a laptop. A lot of people already have a combo scanner and inkjet printer fully capable of the resolution needed.

As for the time required, if you were really after someone's device this way, you'd have a Faraday cage (or even easier, a cell jammer) to stop any attempts to remotely wipe the device.

But as already said, a common thief isn't going to do this. Most people have nothing to fear.
 
True... it's more secure than a password, but Apple's touting TouchID as MORE secure.... more secure to the average consumer, yes, but not to someone like this guy that got round it easily.

I don't get your comment "Apple's touting TouchID as MORE secure..." If you agree that it's more secure than a password then what are you debating?

He didn't get around the security feature at all. He merely created artificial circumstances and tricked the sensor. There's a big difference between the two. The security feature is designed for real-world protection. If I lose my fingerprint-protected phone, someone would need to find an ideal fingerprint to replicate. While it's possible that one would exist on the phone itself, it's extremely unlikely. Any surface that is touched repeatedly (door handles, PHONES) is basically useless for extracting fingerprint data from. Fingerprints overlap/get smudged and you can't do anything with the data (talk to anyone in law enforcement if you don't believe me).

To put it another way, if you give me your computer, I put a keylogger on it and I get your password, I have demonstrated a method by which I could steal your password. So since the possibility exists there is at least some probability that I could get your password in the real world. Will it happen? Very unlikely. I have no idea who you are or where you live. Plus I'd have to somehow get your laptop away from you for a while.

Basically the real-world probability of defeating security features like fingerprints and passwords is extremely low. There are significant hurdles to the hacker in non-ideal circumstances.
 
"Average consumer shouldn't worry."

Ha! What a joke! Who wrote this? The guy who says... "I have nothing to hide so I don't care if the government listens to my calls."
 
How long did it take for you to bypass Touch ID? Was there anything that you found hard or challenging about the hack? Was there anything about Touch ID that you think was well engineered or well implemented?

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.
This is why people should be worried
 
the process "was way easier than expected," taking just 30 hours to complete

Lol, there's no way that 30hrs with professional equipment was way easier than expected, what nonsense.

I've hacked HP laptop scanners with gummy bears, now THAT was way easier than expected.
 
What is the "$1,000 worth of equipment" supposed to include? Most people already have a laptop. A lot of people already have a combo scanner and inkjet printer fully capable of the resolution needed.

As for the time required, if you were really after someone's device this way, you'd have a Faraday cage (or even easier, a cell jammer) to stop any attempts to remotely wipe the device.

But as already said, a common thief isn't going to do this. Most people have nothing to fear.

But you still need a usable print. These guys demonstrated their method using ideal circumstances. Would they be able to find a print on someone's phone that wasn't smudged or overlapped with other prints? Low probability. Finding a print that fulfilled those circumstances AND was the print recognized by the sensor? Even lower probability.
 
Good luck

Good luck to the guy that finds or steals my phone with getting my phone back to his lab with an unsmudged print and then going through this exercise with all that equipment.... it just isn't going to happen... :rolleyes: If you're really worried, verify with a finger you don't use to navigate or type with on your phone.
 
Actually, the "hash" is another made-up "fact" from the internet echo chamber. Even I once said it a while back. But Apple never said it.

After researching fingerprint recognition algorithms, I now think that each feature's information (type, location, direction) needs to be stored separately. No hash.

Well, Apple does say this: "Fingerprint data is encrypted and protected with a key available only to the Secure Enclave." It doesn't say hash directly but it does sound like it's something very similar to that to me.

Now, if somebody manages to actually hack THAT then I would be really impressed. Somehow I don't see it though. They still can't jailbreak ATV3 (one hack that I really want to succeed, lol) and I suspect hacking ATV3 is nothing compared to hacking the secure enclave used to store the Touch ID data.
 
"Average consumer shouldn't worry."

Ha! What a joke! Who wrote this? The guy who says... "I have nothing to hide so I don't care if the government listens to my calls."

Well you can either put your tin foil hat back on or you can try to understand that an alpha numeric password has vulnerabilities as well. No security measure is 100%. But regardless, I would bet anything that if I gave you my 5s (with whatever fingerprints it currently has on it) you would not be able to find a usable fingerprint nor break into my phone.
 