Non Issue.

Touch ID is fine for 90% of users. Nobody is going to go out and purchase all the stuff to replicate the video. But the video showing the world how to do it sure was nice.

Humans. This planet does not deserve them. ;)
 
Touch ID Security

Since the fingerprint needs to be "lifted" from the image that is displayed on the iPhone's screen after a scan, it would be very easy for Apple to thwart this kind of attack by not displaying the print on the screen after scanning. Apple could display a placeholder image that does not resemble a fingerprint, and therefore will not allow thieves to replicate it.
 
Sure but an enterprising thief could also pay a custodian to install a small camera near your office desk and get your alpha-numeric password to your computer/phone/etc.

Ha. Good point. Unless you only used your fingerprint to unlock your phone, of course ;)

I still think the main upshot of all of this, will be that it'll get featured in some TV detective shows and comedy skits.
 
If we could just add a short password and use TouchID then I think everything would be more secure.

You can do a short password. The Touch ID is strong enough and if your fingerprint is not recognized it will force the password. I had this happen repeatedly to me today working in our data center racking servers. This combined with find my iphone and the wipe and lock features make iphone thievery a lot less desirable. If it takes knowledgeable people up to 30 hours to complete this, this is a nonstarter for enterprising thieves.
 
No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...

Because it's more secure. If you want it to be about security, then it's pretty good security.

If you just want convenience that prevents casual stranger use, the print alone is good.
 
android users have already started claiming to have all the required items in their everyday bags, I'm sure
 
Need for concern

I believe there is actually a need for concern for consumers, I feel like this will be used as an opportunity for people to set up shop for money to create a dummy fingerprint for a stolen iPhone.
 
I would only be impressed if the 'hack' used no original fingerprint as the source.

I mean come on copying a fingerprint is just like copying a passcode?

A hack would be to bypass the touch ID or fool it without the original as a reference!

The system seems like great benefit to unlocking and is way more secure.

You'll see samsung with a fingerprint or retina scan next just to copy the trend.
 
Which was the point I was making when it was first reported, and I kept getting crap for it. It's that there was blatant misinformation as to how it worked and its reliability. The scanner should not have been marketed as anything other than a technology of increased convenience and the sub dermal scanning invalidating dead tissue or false impressions is a blatant falsehood.

Apple themselves never said anything about invalidating dead tissue or fake fingers, as far as I know.

OTOH, AuthenTec's website used to say this:

"AuthenTec's anti-spoofing technology dynamically measures the properties of finger skin placed on the sensor while the finger is being scanned. This patented technology ensures that only real fingerprints are read by converting the properties of the skin into digital data which are delivered to the host computer for analysis. AuthenTec anti-spoofing technology then compares the data with expected properties to ensure fingerprint authentication."

That's likely where some of the internet claims originated, although apparently those anti-spoofing methods are not in place here.

I wonder now if the product that AuthenTec shopped around and couldn't get a buyer for from anyone else, was an inexpensive and fast sensor. After all, this scanner is unusual in that it doesn't use anywhere near a full finger image. It only sees a 1/2 inch square section. (Which, btw, might be a lot easier to find on the phone surface than a full image.)

--

As for Apple billing it as secure, yeah, they did say that...

"Touch ID uses all of this to provide an accurate match and a very high level of security." Levels are relative, of course. Apple says there's only a 1 in 50,000 chance of someone else's print matching, vs 1 in 10,000 for a PIN. The 1 in 50,000 is another indicator of a shortcut though. With a full finger image, the chances are like 1 in 64 million.
 
Your brain must be wired wrong to get off on breaking security features for no gain. I could see you doing it if you really had a chance to make some money, but this is a zero sum game. All these people have is bragging rights. And I don't really see why this would be relevant considering the same process would likely work on any commercial fingerprint scanner.
 
android users have already started claiming to have all the required items in their everyday bags, I'm sure

Oh they have. They also have made the bold claim that since your fingerprints are all over your phone, they can easily just lift one and gain access to your phone. They depict it as being analogous to having your computer password written above your computer screen with a post-it note. Too bad no one has managed to lift a print after real, everyday use. And it's unlikely they will be able to due to fingerprint overlap (you touch your phone's surfaces multiple times with multiple fingers) and smudging. If people don't believe me try to pick up your phone (iphone or whatever) and find a perfect print...
 
If we could just add a short password and use TouchID then I think everything would be more secure.

That is how enterprise fingerprint scanners work for secure facilities. You use both a biometric scan and a password scan. Thus, lifting both off the authorized person is a harder trick.

Typically you do a finger scan and a PIN code entry. Touch ID was to avoid the PIN code. Including any short password and you have added an extra task defeating the convenience of the Touch ID.

----------

They are a grey hacker group on a mission against biometric data as they see it as draconian.

Bingo! You want to see biometrics to an extreme and how the human spirit can defeat it, watch the much underrated Ethan Hawke and Uma Thurman movie Gattaca.

Done fifteen years ago and the story rings stronger than when it was first shown in theaters.
 
Apple themselves never said anything about invalidating dead tissue or fake fingers, as far as I know.

OTOH, AuthenTec's website used to say this:

"AuthenTec's anti-spoofing technology dynamically measures the properties of finger skin placed on the sensor while the finger is being scanned. This patented technology ensures that only real fingerprints are read by converting the properties of the skin into digital data which are delivered to the host computer for analysis. AuthenTec anti-spoofing technology then compares the data with expected properties to ensure fingerprint authentication."

That's likely where some of the internet claims originated, although apparently those anti-spoofing methods are not in place here.

I wonder now if the product that AuthenTec shopped around and couldn't get a buyer for from anyone else, was an inexpensive and fast sensor. After all, this scanner is unusual in that it doesn't use anywhere near a full finger image. It only sees a 1/2 inch square section. (Which, btw, might be a lot easier to find on the phone surface than a full image.)

--

As for Apple billing it as secure, yeah, they did say that...

"Touch ID uses all of this to provide an accurate match and a very high level of security." Levels are relative, of course. Apple says there's only a 1 in 50,000 chance of someone else's print matching, vs 1 in 10,000 for a PIN. The 1 in 50,000 is another indicator of a shortcut though. With a full finger image, the chances are like 1 in 64 million.

You may well be right concerning Apple not having said anything about the anti-spoof technology, but I read a good many articles that referenced it concerning the iPhone 5s. One would've hoped that they would've seen it and issued a statement clarifying whether or not such countermeasures were indeed present. We're not talking about flubbing a screen resolution or which USB profile it might use.
 
Newsflash -- if someone has your password, they can access your device. It should come as no surprise that traditional crime scene forensics can be used to recreate someone's fingerprints, since this method works for every fingerprint scanner in existence.

It's not a "bypass" so quit link baiting this garbage (twice).

In other news, if thieves find your PIN written down on some post-it note, they can access your device too. Are we going to get news articles about that as well?
 
That seems like a whooooole lot to go through. And all the equipment seems it would cost more than the phone itself.
 
If you lose your iPhone or it's stolen, anyone will be able to unlock it, given all the fingerprints all over it (unless you're not using your index for unlocking).
Bye bye passwords and beware payments etc with your private data.

Fingerprint sensor is just a bigger fail than Maps !

And you're really allowed outside by yourself?
 
It's very unsettling to claim this process as a hack. Naturally, lifting a fingerprint is in the realm of a forensic expert, not a task that can be done by regular people we come into contact with.
If someone has my fingerprints, I am at his mercy, and the phone itself is immaterial. What a genius, duh!

yeah.. maybe
though i'm willing to guess that way more 'average' people could pull this off as opposed to having them try hacking as we'd normally understand that word.

----------

Which finger is the least likely to leave an un-smudged print on an iPhone? For me it's the right pinkie.

yeah, same for me.. the inside of my pinkie acts more like a cradle which the phone rests on (as in- the pad(?) of my pinkie doesn't even touch the phone)

----------

notwithstanding the fact that the hack is supposedly "very easy," even this expert took 30 hours to complete the hack...In a real life situation, the phone would have been wiped by then. now if it took 30 seconds, then maybe there's something to worry about

hmm. you might have misread that?

the 30hr thing is from a computer hacker..
it took him 30 hours to go from "let me find a way to get into this phone" to finding a way to get into the phone.. in the 30 hrs, he zeroed it down to this method shown in his video..

the expert (or whatever), simply replicated/verified what the ccc guy did.. he doesn't say how long it took him or how long it may take after practicing/refining the technique.
 
Wrong. I'm going to figure out your IP address, find your home, rob you of your iPhone, force you to unlock it with your toe, order a bunch of stuff from Amazon, hijack the UPS truck delivering it and then use my nifty neuralyzer on the entire planet for good measure. That'll show you that TouchID is an epic fail.

You can have my iPhone 5S when you pry it off my cold, dead, toe.
 
Since the fingerprint needs to be "lifted" from the image that is displayed on the iPhone's screen after a scan, it would be very easy for Apple to thwart this kind of attack by not displaying the print on the screen after scanning. Apple could display a placeholder image that does not resemble a fingerprint, and therefore will not allow thieves to replicate it.

That's what the hack is using? If so then it would indeed be pretty easy for Apple to strengthen the security of the Touch ID. But in any case what this unfortunate PR annoyance for Apple does is force them to somehow strengthen the feature and fast. Especially if this hack story doesn't fade away.
 
Your brain must be wired wrong to get off on breaking security features for no gain. I could see you doing it if you really had a chance to make some money, but this is a zero sum game. All these people have is bragging rights. And I don't really see why this would be relevant considering the same process would likely work on any commercial fingerprint scanner.

there's a contest for this stuff.. first to get in wins the pot.

(could totally be wrong but for whatever reason, i think this to be the case :) )


[EDIT] see here:
http://istouchidhackedyet.com


----------

That's what the hack is using? If so then it would indeed be pretty easy for Apple to strengthen the security of the Touch ID. But in any case what this unfortunate PR annoyance for Apple does is force them to somehow strengthen the feature and fast. Especially if this hack story doesn't fade away.

no.. it's using a real fingerprint left on the phone.. apple already uses a placeholder or generic image of a fingerprint in regards to what your quotee is talking about.

----------

Newsflash -- if someone has your password, they can access your device. It should come as no surprise that traditional crime scene forensics can be used to recreate someone's fingerprints, since this method works for every fingerprint scanner in existence.

It's not a "bypass" so quit link baiting this garbage (twice).

In other news, if thieves find your PIN written down on some post-it note, they can access your device too. Are we going to get news articles about that as well?

well, that's sort of the problem.. in a roundabout way, you are leaving a post-it note with your pin written down and it's stuck to your phone (fingerprint) [though yes, it's a bit of a convoluted process to read it etcetc.]
 