Slashdot Mirror


CCC Says Apple iPhone 5S TouchID Broken

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.

6 of 481 comments

  1. Re:Easy! by msauve · Score: 3, Informative

    "the CCC used milk and latex to simulate human skin, to trick the capacitors. A very old technique btw."

    They used latex milk (i.e. liquid latex rubber), not "milk and latex."

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Re:Easy! by Anonymous Coward · Score: 3, Informative

    You should watch it once more, probably.

    He trains it on his index finger and then unlocks it with a print on his middle finger.

  3. Re:Am I missing something? by shadowrat · Score: 3, Informative

    Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.

    I don't recall exactly what Tim Cook promised, but I think he was hyping the convenience over the robustness of protection. I think they claimed the advanced technology would enable it to respond quickly, and it provided more protection than no passcode. That seems in line with these findings.

  4. Re:Easy! by Joining Yet Again · Score: 4, Informative

    You made a mistake and you're behaving stupidly, posting the same misunderstanding over and over again on this thread. As far as I can tell, you're an Apple fan and you're annoyed that they were so obviously caught with their pants down, so you're deliberately (you've been corrected multiple times) lying about how capacitive fingerprint scanning works.

    You have two choices now:

    i) Let it go and apologise, and appear reasonable in the eyes of fellow Slashdotters - every business and individual sometimes makes a mistake, including you;

    ii) Continue stomping your feet like a dull child, losing all remaining respect you have on this site, and causing other people to remember back to this thread where you lost it every time they see a post from you.

    Which will it be, BasilBrush? I know you'll have read this, so it's now up to you.

  5. Re:Easy! by Aaden42 · Score: 3, Informative

    Alas, that’s not settled case law in the US. Results are mixed at Federal district level, and there’s no settling ruling by SCOTUS. Depending on the jurisdiction you’re in, some have ruled that compelling a password is self incrimination whereas others have ruled that it’s the same as compelling the combination to a safe (which *is* settled to *not* be self incrimination).

    The logic goes something like this: Revealing that you know the code reveals that the “container” (safe, phone, etc.) belongs to you. That might be incriminating, but if they can prove via other means that the container belongs to you (easy for a cell phone - check CellCo records), then you’re not incriminating yourself by revealing that you know the code since they already know it belongs to you. Revealing the code proves nothing that they don’t already know. Since the code itself is now not incrimination (only the contents that are revealed by it), you can be compelled to provide the code or rot in a cell until you do.

    Some jurisdictions have been a bit more reasonable in realizing that the contents of a cell phone are likely to be more intimate and thus more deserving of additional protections than bank records sitting in a safe, but that’s not universal at all yet.

  6. Re: Easy! by Khyber · Score: 1, Informative

    You don't know how the fingerprint scanner works, so obviously you don't have a clue how my attack works.

    Hint: IRON-WAX TONER

    Go back to school and re-learn what materials can create capacitance fields. Take the iPhone apart and see it's the exact fucking same scanner you'll find on any cheap-ass laptop, a capacitance fingerprint scanner - the same fucking ones available on any laptop. Then go learn how a laser printer works, and maybe then you'll have enough education to know how my attack works.

    Or you can shut the fuck up and let people that have done forensic work with the police, such as myself, speak.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.