CCC Says Apple iPhone 5S TouchID Broken
hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.
sounds really trivial to break. I can see all kinds of kids doing this.
new iPhone owners should get their money back. This was supposed to be updated tech that resisted decades-old spoofing.
Isn't this the same attack vector that can be used with any finger print scanner?
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
That sounds like quite a bit more trouble than guessing a 4 digit PIN.
yeah that's really practical... God save us!
The real question is can you pull this off before I remote wipe the phone.
Maybe the best use of touch Id is as a complement to a code. Something you know, something you have, something you are. They have 2 out of 3, and with their Siri they could add voice too. "My voice is my passport. Verify"
Interesting. We do have to remind ourselves that security needs to be proportionate to risk. The first rule is value, or what the potential for loss is. I want a really really difficult password for my credit card account, I get angry when a newspaper login requests the same password algorithm (how much should I care if someone reads the news site using my login account?) The second factor is proximity. If you steal the president's laptop from off the president's desk, you should face unheard of security. If the president's digital needle lies anonymously at the bottom of a city haystack, the statistical risk shrinks. The fingerprint app, like Android's code generator, seems like an appropriate level of security for a lost or stolen cell phone.
Gently reply
the security sender that you use for the touchscreen..
How hard is that?
In fact I'm surprised that wouldn't already be part of the advice for users of this.
Either that or require a swipe from two different fingers, in a specified order.
Instead of using a fingerprint, use a Nipple print!
This is for casual security for a device you keep in your pocket and everyone sees you use. With a 4 digit passcode that anyone can see you enter, did it really matter? The 4-digit code and your fingerprint were for when you LOST the device, keeping random strangers out of the device. This was never a good defense against a targeted or determined attacker.
New products are never hyped. That would be dishonest. Gadget slogans are all like:
- "We like it well enough, but you should make up your own mind."
- "We tried to improve it over last year's model. We think we succeeded -- at least partially."
- "It has some benefits for some people. It has some drawbacks for some other people. Be careful buying it to make sure it's good for you."
It's the new Internet-forum-approved marketing trend! Internet forum whining and moralizing about dubious gadget hype finally won everyone over!
You know what? I really love the sound of your voice. ... And there's this one word. I've always loved the sound of this word. ... I would really like to hear you say the word ..."passport".
than unlocking my iPhone, which involves sliding the "unlock" slider from left to right.
And only from your right hand.
Unless they've changed something.
Sure beats Nevada. You have to give full handprints for both hands, plus Birth Certificate, plus SSN to get a license there, coming from California.
And keep in mind I looked into this back in 2005 or so, so it could be even worse today.
Guess the criminals there don't like competition eh?
I'm sure law enforcement loves this. While they may not be able to force someone to give up their password, getting a fingerprint is easy.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
...the iPhone's fingerprint scanner works well. I was expecting it to be a gimmick that would give more false negatives or false positives than real results. That these guys had to use the same methods they would use for a high-quality expensive fingerprint scanner, and that those methods actually worked, tells me the iPhone's fingerprint scanner has potential.
I notice that he uses a different finger to unlock the iPhone with the "fake" fingerprint.
How do we know that he didn't already program in that second finger, and the strip is really doing nothing?
He should have demonstrated that the second finger wasn't already programmed in to the phone, or used something other than a finger, or other object which could be used to program in a "fingerprint".
Sounds like the standard procedure to fake consumer-grade readers.
I remember Mythbusters doing something similar with a multi thousand dollar computer security system.
Fingerprints are left behind all the time so it would be trivial for someone to obtain.
For those who prefer the convenience of a fingerprint, but don't mind taking a while more to authenticate, I'm sure a Toe would be much more secure.
Toes are usually covered in socks or shoes so the possibility of getting the print is much less.
Now we just have to make it less of a taboo to take shoes and socks off in public space to check one's phone messages.
See how easy this was?
What mythbuster did.
Something you leave lying around on everything you touch is a poor key for security.
Who'd a thunk it?
I do not fail; I succeed at finding out what does not work.
I think the only solution would be to have some sort of mechanism to prick your finger and check for blood. You can calibrate when you first buy it for blood type and anything else that tends to stay consistent. Maybe in the far future the phone could actually feed off your blood to power itself.
Surprise, surprise. Fingerprint identification is rarely secure, some implementations can even be tricked using gummy bears. Really secure ones usually have rather steep costs and bulky supporting hardware associated (usually to check for blood flow to ensure the finger is a live one). Anything in a laptop or smartphone has no chance at real security whatsoever.
But guess what? This probably wasn't an exercise in security, but ease-of-use: being able to unlock your phone with a touch is easier than slide-to-unlock or passcodes. And it was a good exercise (not to mention fun when it was discovered that the software can even interpret a cat's pawprint). It was successful. So what if it can be broken easily, almost all of fingerprinting is the same.
Hyperbole: I use it liberally!
Am I the only person these days without a slide printer? Jeez.
Not for Apple. Your list doesn't contain any of the following: amazing, insanely, or magical.
Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.
It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the meantime anyway).
If it's the government you're worried about...well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.
I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.
- "Scientia non habet inimicum nisi ignorantem"
How do any of you know this hack actually works? Did any of you actually try it? Or is it true just because the internet says so? Because we all know everything put out on the internet must be true!!
Sure they can break it. If they have your fingerprint to photograph. Assuming this is a lost or robbed phone, where will they get your fingerprint? From the phone? Maybe. Maybe not.
Apple's solution is good enough for civilian security on a phone, as long as you're not oblivious and pay attention to your surroundings while walking in unfamiliar areas so you don't get mugged, and don't lose phones regularly, or store very sensitive information on your phone.
Oh good, now I can make a back-up fingerprint in case I lose my finger...
Lift the fingerprint from the touch sensor of your iPhone. There's no need to have another source for the fingerprint.
I never leave a nipple print anywhere.
The cops will have copies of all 10 fingers, and will be able to add this technique to their fourth and fifth amendment circumvention strategies.
And given the secret associations that the NSA has with Apple, Microsoft, and all the telcos, they will now have fingerprints from all the iPhone users who use this device...
If you want news from today, you have to come back tomorrow.
The website we read about 3 days ago has been updated with the new information.
How does a liberal know when someone is lying? Seems oxymoron to me.
As the German interior minister Wolfgang Schäuble discovered in 2008 when he got all hot for biometric ID cards, the CCC lifted his prints and published the required data as well as a latex print in a little bag in the magazine... The idea went away.
I would be inclined to believe the CCC in this matter, they have form for calling out over hyped biometrics.
Regards, Dan.
Why did he use the same finger for both tests?
About 5 years ago, a group of teens in an Australian school defeated a fingerprint login scanner. There were scanners at each computer in the class, and fingerprints were used to take attendance. Gummy bear applied to finger, flipped over, placed over reader. School staff knew things were wrong when 30 students were logged in, but only 6 were there.
So... you take someone's phone and have access to their fingerprint that you can scan at 2400dpi without their knowledge? ( presumably you would do this since if you want to be more direct you could always force them to unlock it at gunpoint )
Broken indeed.
Lifting fingerprints off glasses is easy. Maybe even directly off the glass of the phone itself. Yet a glass in a bar might be even better... So now they are going to steal BOTH the phone AND the drink?
All fingerprint scanners are utter failures. Anyone that has dealt with them for the past 5 years has known this.
The fingerprint system in it is to keep friends from grabbing your phone and posting photos of their junk as you.
Do not look at laser with remaining good eye.
I live in an extremely high income community (I'm an anomaly here, to be sure). At the local market, hardware store, gas station, etc. there are lots of 0.01% folks touching things (and their hirelings as well, but it's generally clear who writes the checks). It might be interesting to take Scotch tape around and lift fingerprints - now that Apple has given fingerprint biometrics a kick, a collection of high net worth fingerprints could come in handy.
Although a really good pair is expensive.
Have you considered that the people who don't PIN lock their phones might not feel the need to lock their phones? iPhones have been out a long time. It's far more likely that Apple put the fingerprint scanner on the phone for other reasons than helping people who for years have shown no interest in adding a PIN lock to their phone.
Apple was given a direct order to put fingerprint scanners on phones so there is positive ID for every single thing that iPhone owners do with their phones. I read that Apple also adds a fingerprint-based watermark to all iPhone 5s photos.
The fingerprint sensor is not about security. It's about identity.
I'd certainly like some more security on my iPhone, but not so much that I'm willing to type in a code every time I pull it out. I'll certainly use the fingerprint sensor.
The guy in the video used his index finger for identification, and the middle finger for wearing the mold.
I once had a signature.
Well, I'm surprised that the tinfoil-hatted aren't all over this one.
Serious point, what happens when big gov or a carefully crafted malware app gets all iPhone users' prints?
I believe I stated then that I'd heard you should never say anything in an email, text or voice call that you wouldn't want to be repeated back in an open courtroom. Today, to expect any perfect type of security from any form of electronic device would be quite a stupid thought, especially from any people who keep up on current events.
I take no joy here now in the fact that my suspicions of two years ago were all valid and vindicated. Having said that, fellow /.'ers, who had my 'karma' demoted back then because of my 'Ask Slashdot' submission, I just want to say here....
I told you so!
Apple Inc. partnered with NSA to provide biometric data to DoD agency for $$$$$$$$$ to fund Apple Inc.'s nefarious adventures in narcotics and sex slave trafficking crimes in Asia et al. and with funds to pay for the "Mother Ship" new campus and to fund Mr. Cook's "indulgences."
Eventually, Mr. Cook and Apple Inc. will have to answer to "authorities" whom are not in Its nor the USA Federal Gov's control.
Oh Boy.
Teabagging your phone would be the best security measure, but that would require;
a) Constant temperature to reduce shrinkage in cold weather
b) A stock of alcohol wipes so you can then put it to your face afterwards to talk.
Let's hope your local iPhone thief takes longer to lift a print and fabricate a latex finger than it takes you to lock or wipe the phone with Find My Phone.
I think the article on TechCrunch provides much better perspective on this issue. http://m.techcrunch.com/2013/09/22/hackers-bypass-apples-touch-id-with-lifted-fingerprint/
I found this sweet iPhone 5S gold yesterday. It was in an open convertible car attached to the dash in a cool looking case. My bro Rizzla snapped some photos of it in the car.
Anyway it appears to be a Verizon which I can't use so I figured maybe a trade for a T-Mobile one would be cool. I don't mind if the one you have is Black or Silver as long as it's a 5S.
I posted more pics on http://madmacmods.com
Wakey wakey, eggs and bakey.
Perhaps they'll lift an index finger and someone will be using their pinky? Of course, if you want to be crazy you can assume they've been watching the target and know which finger(s) they use.
I intend to stick with the passcode for my use.
However, the process of getting the hack to work wasn't a cheap solution--the process to make it that far was a complicated and expensive process, far beyond the skills of most people. They're going to have to show how it works to Apple engineers to prove the process is repeatable.
The average slashdotter would rather use semen samples for ID, but ain't gonna happen.
...than i had expected.
No. Google is not my friend, you insensitive clod.
I would like to see an RFID reader in these devices where the RFID would be in your watch, a simple bracelet or a ring. RFID is not solid security but the combination with a simple fingerprint or password would be nice. I would go for RFID only, i.e. proximity security. This would lock a lost phone for a novice thief and provide a hassle free basic security.
Of course a fingerprint sensor can be fooled. It doesn't take a video to prove that the sky is blue, you know?
What everyone misses is two important points. These are the days I'm glad I got out of the security industry because quite frankly, while lots of people are brilliant at the technology, most people are complete failures at the psychology of security.
First, a lot of people have no lock at all on their iPhones today. None. You can pick it up, slide to unlock and you're in. The fingerprint sensor will prevent the casual attacker, especially the one who doesn't want you noticing your phone is missing (people leave their phones on their tables when going to the bathroom, something that puzzles me but it happens).
Second, even an attacker dedicated and knowledgeable enough to get your prints from somewhere and then build a fake finger will be slowed down enough to give you time for things like noticing your phone is missing, doing a remote wipe or changing your passwords.
Third, everyone is crying that fingerprints aren't good for "casual security" like your phone and should be reserved for serious stuff. You fools got that exactly backwards. Because fingerprints are so easily faked, never, ever use them for anything serious. But for your phone, it's perfect. It's easy to use, you can't forget it, and it's unique enough that you don't have to worry about everyone else also having 1-2-3-4 as their super-secret password.
Security is never about perfection, it is always about having the adequate security for your purpose and threat scenario. For 99% of people, having a fingerprint sensor is good enough and so easy to use that contrary to all the "good" security (that nobody enables), it will actually get used.
So for all I care, the real-world-stupid geniuses can continue theoretical discussions about theoretical security that nobody really uses, while the real-world normal people have just been given something that will jump their security level up from basically nothing to at least something. That's a massive improvement.
Assorted stuff I do sometimes: Lemuria.org
Apple is going to end up killing off the fingerprint security industry singlehanded, just like they did handwriting recognition a few years back. It's another one of these technologies that sounds good at first, but in practice just doesn't quite hold up. Parents shouldn't use it to keep their kids out of their phone for example, because there are available fingerprints to acquire all over the house. http://pacsec.jp/psj06/psj06krissler-e.pdf
I just saw a news story on how the new Apple phone breaks very easily. So does the Samsung S2, MotoX was rated pretty tough.
Guess I'll be sticking with the Virgin Mobile version of the OptimusV. I've had it for over 2 years now, multiple falls to the concrete, dropped in a creek, and other impacts. No protective case for it, just a screen protector and it looks and works the same as when it was new. Best $120 I ever spent for a $25 per month no contract plan. Y'all can keep your overpriced, brittle iPhone-y's with yer expensive apps/peripherals.
Wouldn't it be easier to just cut the guy's finger off?
That's why I use my nipple instead.
http://kotaku.com/lock-your-new-iphone-with-nipples-apparently-1360743607
Make a fake print. Or use someone else's print.
Use it to authenticate your iPhone.
Imagine the fun questions you can ask if someone shows up to ask about your fake print. Like, how do you know, and how do you have my actual prints...
Fun!
This sounds like a story from The Onion... and the length they went to reproduce the "hack" is ridiculous. Is this the kind of review I'll pin my decision on when deciding on getting a 5s??? NO! Garbage reporting - worthless before it was written
what if you needed the print to get to the passcode entry gui? That would improve security a tad vs not needing it.
1+.1=1.1 :)
I was thinking the same thing. Basically
a) Have a master backup in case the regular passcode fails
b) Require a regular passcode+fingerprint
With both the above, (b) defeats your average thief who is likely just going to shoulder-surf your password, while also defeating those who might reproduce your thumbprint but don't have the matching passcode
(a) is needed in case something goes wrong with the fingerprint, but won't be entered in normal situations so is less vulnerable to shoulder-surfing.
Apple still gets points because their position is correct: if this makes 20% more people put an actual lock on their phone, it's a win for everyone. This isn't about how you can possibly get around it, it's about the fact that 40-60% of phones have no security on them and let you go straight to sensitive information, just like carrying your filing cabinet around with you unlocked and small enough to be forgotten anywhere. Any lock is better than no lock and the reality is that 99.9% of the time that these fingerprint locks are found on a "found" or stolen phone, the person finding the phone isn't going to get through the security. By making the lock a high-visibility feature of the 5s it increases the percentage of phones that are going to be secured . . . probably. . . okay, possibly.
The entire point of Apple's fingerprint system is to get people that don't use a lock password a lazy way to secure their data slightly .. I don't think it was ever intended to encrypt those top secret pictures you took on your iPhone ..
EOL
Solution is very simple.. Instead of just swiping one finger users can swipe multiple fingers in a pattern and that would be the password. So to unlock users would have to swipe the fingers in the same patterns as the password.
So this will be like a password of fingerprints where each print would be a character... oh wait.
Guy with 5S walking in streets
Thief: Give me your iPhone and wallet or I will shoot you
Guy: Here take it all and leave me alone
Thief: Shit! this is the one with fingerprint lock. Takes out his knife and says "Why so Serious?"
CCC has proved that a targeted attack where the attacker has access to the person and the iPhone and a sophisticated skill set can overcome the fingerprint sensor on an iPhone 5s. So if I'm walking down the street and some thief takes my iPhone 5s I'm good to go. Walk into any Apple store or Internet Cafe, log in to my iCloud account and wipe the thing. Even if they knew how to perform this hack, it would still take hours.
I can't tell you the number of times that I've had people watch me in dumb struck amazement as I switched out their ram in a few minutes. A new hard-drive in a ATX case is a ten minute job. I already have the tools and the knowledge. My point being these simple skills are not common, what CCC does is very uncommon even in the DIY crowd. A common person can expect to pay hundreds of dollars buying all of the tools needed and then days or weeks practicing to be able to do this hack.
Sorry, this proves that the fingerprint sensor is a good idea in its context.
Will the guy who finds my phone in a cab and tries to get to my contact list be able to? Everything in this article and discussion says no. Any info I have that someone will go through this much effort to get shouldn't be on my phone.
Scenario:
You walk down the street with iPhone in hand.
Man walks casually up to you. Points gun at you. "Take out your phone," he says. "Now, unlock it."
You try to fake it. He repeats, "Finger on button - UNLOCK IT NOW."
You unlock it. He takes the phone, shuts off all verification procedures, now that he is "you".
Smacks you in the face until you hit the ground and walks away.
Fingerprint verification defeated. He sells the phone.
Too much knowledge sometimes prevents people from seeing the obvious flaws because they keep doubling down on their own cleverness. See: computerized election systems and the flaws no one sees, for sad examples