CCC Says Apple iPhone 5S TouchID Broken
hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.
Sounds really trivial to break. I can see all kinds of kids doing this.
New iPhone owners should get their money back. This was supposed to be updated tech that resisted decades-old spoofing.
Isn't this the same attack vector that can be used with any fingerprint scanner?
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Especially when 90% of PINs are 0000, and 9% are 1234.
Maybe the best use of Touch ID is as a complement to a code. Something you know, something you have, something you are. They have 2 out of 3, and with their Siri they could add voice too. "My voice is my passport. Verify."
Interesting. We do have to remind ourselves that security needs to be proportionate to risk. The first rule is value, or what the potential for loss is. I want a really, really difficult password for my credit card account; I get angry when a newspaper login requests the same password algorithm (how much should I care if someone reads the news site using my login account?). The second factor is proximity. If you steal the president's laptop from the president's desk, you should face unheard-of security. If the president's digital needle lies anonymously at the bottom of a city haystack, the statistical risk shrinks. The fingerprint app, like Android's code generator, seems like an appropriate level of security for a lost or stolen cell phone.
Gently reply
the security sender that you use for the touchscreen..
How hard is that?
In fact I'm surprised that wouldn't already be part of the advice for users of this.
Either that or require a swipe from two different fingers, in a specified order.
Instead of using a fingerprint, use a Nipple print!
You can only remote-wipe the phone if the phone is on a network that allows it to phone home.
New products are never hyped. That would be dishonest. Gadget slogans are all like:
- "We like it well enough, but you should make up your own mind."
- "We tried to improve it over last year's model. We think we succeeded -- at least partially."
- "It has some benefits for some people. It has some drawbacks for some other people. Be careful buying it to make sure it's good for you."
It's the new Internet-forum-approved marketing trend! Internet forum whining and moralizing about dubious gadget hype finally won everyone over!
You know what? I really love the sound of your voice. ... And there's this one word. I've always loved the sound of this word. ... I would really like to hear you say the word ..."passport".
Because no one could ever guess a pin from fingerprint smears on a phone surface.
I'm sure law enforcement loves this. While they may not be able to force someone to give up their password, getting a fingerprint is easy.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
...the iPhone's fingerprint scanner works well. I was expecting it to be a gimmick that would give more false negatives or false positives than real results. That these guys had to use the same methods they would use for a high-quality expensive fingerprint scanner, and that those methods actually worked, tells me the iPhone's fingerprint scanner has potential.
How much effort do you think it takes to try to enter a PIN up to 1000 times?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Sounds like the standard procedure to fake consumer-grade readers.
I wondered that as well. It would have been more conclusive if he'd had a second person come in and use the fake to unlock the phone.
#DeleteChrome
I remember Mythbusters doing something similar with a multi-thousand-dollar computer security system.
Even that wouldn't have proven anything, since you can program in as many fingerprints as you wish into the phone. They need to demonstrate that the finger with the "fake" fingerprint (or whatever they use to hold the fake fingerprint to the sensor) won't unlock the phone on its own.
Something you leave lying around on everything you touch is a poor key for security.
Who'd a thunk it?
I do not fail; I succeed at finding out what does not work.
Surprise, surprise. Fingerprint identification is rarely secure, some implementations can even be tricked using gummy bears. Really secure ones usually have rather steep costs and bulky supporting hardware associated (usually to check for blood flow to ensure the finger is a live one). Anything in a laptop or smartphone has no chance at real security whatsoever.
But guess what? This probably wasn't an exercise in security, but ease-of-use: being able to unlock your phone with a touch is easier than slide-to-unlock or passcodes. And it was a good exercise (not to mention fun when it was discovered that the software can even interpret a cat's pawprint). It was successful. So what if it can be broken easily, almost all of fingerprinting is the same.
Hyperbole: I use it liberally!
Am I the only person these days without a slide printer? Jeez.
No. It wouldn't matter. No matter what they did there would always be the next thing they could have just done. How do we know that the phone wasn't programmed to unlock with the second guy's fingerprint? How do we know they didn't edit the video? etc., ad infinitum. What makes it highly believable is none of that. It is the reputation of the Chaos Computer Club that makes it believable. They aren't about to sacrifice a reputation it took them more than 30 years to build, especially for essentially no gain. If it was an unknown group I'd say maybe they are looking for 15 minutes of fame. But this is the CCC we are talking about here.
About 2 minutes with physical access.
Not for Apple. Your list doesn't contain any of the following: amazing, insanely, or magical.
Think again, and consider learning to read maybe:
FTA:
" I’ve clarified two aspects of this story below. First, Micro Systemation’s XRY tool often requires more than two minutes to crack the iPhone’s password. The two minutes I originally cited were a reference to the time shown in the video (now removed by Micro Systemation) below. Given that, as I originally wrote, the phone in the video used the simplest possible password (0000), the process often takes far longer." - Emphasis Added
Fingerprints are good because they replace ZERO security. Most people don't PIN-lock their phones. A fingerprint lock is too convenient not to use.
It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the mean time anyway).
If it's the government you're worried about... well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.
I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.
- "Scientia non habet inimicum nisi ignorantem"
Sure they can break it. If they have your fingerprint to photograph. Assuming this is a lost or robbed phone, where will they get your fingerprint? From the phone? Maybe. Maybe not.
Apple's solution is good enough for civilian security on a phone, as long as you're not oblivious and pay attention to your surroundings while walking in unfamiliar areas so you don't get mugged, and don't lose phones regularly, or store very sensitive information on your phone.
Oh good, now I can make a back-up fingerprint in case I lose my finger...
Phones aren't a good defense against a targeted or determined attacker. If I really want to know what's on yours, I'll steal it and read the flash chips.
Lift the fingerprint from the touch sensor of your iPhone. There's no need to have another source for the fingerprint.
Approximately one order of magnitude more effort than your estimate... ;)
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
Oops. I missed a zero there. Ironic given my SlashID I suppose ;-)
Fingerprints are left behind all the time so it would be trivial for someone to obtain.
That depends on the situation. If you find a phone lying on a bus seat and decide you're keeping it, then unless you lift the print from the phone itself you are just shit out of luck. If you don't even know who the phone belongs to, you're not going to be able to get a print. Also if you steal a phone, say out of a woman's open purse, you aren't going to be able to get prints from anywhere other than the phone, either. What are you going to do, find out where she lives, break into her house, find a dirty glass and lift a print from it? It's not like people are going to keep government secrets on their phone. If you do, you're dumb as a box of bricks. Phone security is there to keep credit card numbers from casual thieves in the event that you lose your phone. If the cops or the government have you in custody and are trying to get into your phone, you've got much bigger things to worry about.
I don't have a 5S - can it be easily shown that there are no fingerprints stored in it yet? If so, I'd think one could fairly convincingly demonstrate, using two people, that this exploit works.
I take it you don't know anything about Apple or the CCC.
I believe fingerprint hashes as read by TouchID and the likes are rather far from an actual fingerprint, not to mention that your fingerprints are not very useful to NSA and would be much easier to obtain through other means, more direct and closer to government - e.g., driver licenses require your finger prints in some states.
But, hey, gotta have an obligatory NSA conspiracy comment up here, right?
As the German interior minister Wolfgang Schäuble discovered in 2008 when he got all hot for biometric ID cards, the CCC lifted his prints and published the required data as well as a latex print in a little bag in the magazine... The idea went away.
I would be inclined to believe the CCC in this matter, they have form for calling out over hyped biometrics.
Regards, Dan.
About 5 years ago, a group of teens in an Australian school defeated a fingerprint login scanner. There were scanners at each computer in the class, and fingerprints were used to take attendance. Gummy bear applied to finger, flipped over, placed over reader. School staff knew things were wrong when 30 students were logged in, but only 6 were there.
Lifting fingerprints off glasses is easy. Maybe even directly off the glass of the phone itself. Yet a glass in a bar might be even better... So now they are going to steal BOTH the phone AND the drink?
All fingerprint scanners are utter failures. Anyone that has dealt with them for the past 5 years has known this.
The fingerprint system in it is to keep friends from grabbing your phone and posting photos of their junk as you.
Do not look at laser with remaining good eye.
No. Not the who. The beatles.
How do you know it was the Chaos Computer Club, eh?
Faster! Faster! Faster would be better!
His vision of Apple is warped by years of die-hard fanboyism. Pay him no mind. No one actually takes BasilBrush seriously when it has to do with Apple anymore.
It's on their website. I also don't question if Apple really is the one that sells the .
A nice and convincing argument. I've said something similar about the "faked" moon landings: never mind all the science-y explanations, if the Soviet Union didn't raise all hell and denounce the USA for faking the landings, then the landings were not faked by the USA.
There is actually not a single similarity in your argument. The most glaring difference being the fact that the CCC and Apple are in no manner way shape or form in any kind of competition. They aren't adversaries. Never have been. Never will be.
It seems you missed that I was supporting your argument with an analogy, which of course isn't exact.
1) no matter what evidence is given, the disbelievers will demand more proof that it wasn't faked, "ad infinitum."
2) Irrespective of all other evidence, the reputation of the challenger (no need to be a market competitor) is all the supporting evidence needed.
The difference obviously is that the CCC's reputation bolsters their actions/claims, whereas the reputation of the USSR as the USA's chief adversary and the circumstances of the Cold War bolsters their inaction and lack of claim.
I'd certainly like some more security on my iPhone, but not so much that I'm willing to type in a code every time I pull it out. I'll certainly use the fingerprint sensor.
Well, I certainly wasn't sure if you were serious or facetious. Part of that may be that one rarely sees the kind of agreement you have exhibited on Slashdot ;-)
That being said, I truly don't see any real similarity. Adversary/Non-Adversary. Didn't Speak Out/Spoke Out. Science as Proof/Website as Proof. I think you would agree that there are some pretty glaring differences there. Your SlashID is low enough to know that on Slashdot such differences are likely to attract the trolls like little children thrown under a bridge, even though I accept that you had no intention of opening up that opportunity for them.
The guy in the video used his index finger for identification, and the middle finger for wearing the mold.
I once had a signature.
Well, I'm surprised that the tinfoil-hatted aren't all over this one.
Serious point, what happens when big gov or a carefully crafted malware apps gets all iPhone users prints?
I believe I stated then that I'd heard you should never say anything in an email, text or voice call that you wouldn't want to be repeated back in an open courtroom. Today, to expect any perfect type of security from any form of electronic device would be quite a stupid thought, especially from any people who keep up on current events.
I take no joy here now in the fact that my suspicions of two years ago were all valid and vindicated. Having said that, fellow /.'ers, who had my 'karma' demoted back then because of my 'Ask Slashdot' submission, I just want to say here....
I told you so!
Let's hope your local iPhone thief takes longer to lift a print and fabricate a latex finger than it takes you to lock or wipe the phone with Find My Phone.
Neat. We do of course recall that the iPhone can be set up to recognise multiple fingers?
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I think the article on TechCrunch provides much better perspective on this issue. http://m.techcrunch.com/2013/09/22/hackers-bypass-apples-touch-id-with-lifted-fingerprint/
Using the last four digits of your girlfriend's phone number would be slightly better!
A sufficiently advanced simulation is indistinguishable from reality.
However, the process of getting the hack to work wasn't a cheap solution--the process to make it that far was a complicated and expensive process, far beyond the skills of most people. They're going to have to show how it works to Apple engineers to prove the process is repeatable.
I do not think that Apple is too worried about this, because they did not intend to make this for ironclad security, but simply for convenience of the user. The fingerprint scanner however does have potential for higher security by having an application, such as the sign-in for a bank, require two or three fingerprints in the correct order. That would take security several orders of magnitude higher than an easy-to-guess password.
Of course a fingerprint sensor can be fooled. It doesn't take a video to prove that the sky is blue, you know?
What everyone misses is two important points. These are the days I'm glad I got out of the security industry because quite frankly, while lots of people are brilliant at the technology, most people are complete failures at the psychology of security.
First, a lot of people have no lock at all on their iPhones today. None. You can pick it up, slide to unlock and you're in. The fingerprint sensor will prevent the casual attacker, especially the one who doesn't want you noticing your phone is missing (people leave their phones on their tables when going to the bathroom, something that puzzles me but it happens).
Second, even an attacker dedicated and knowledgeable enough to get your prints from somewhere and then build a fake finger will be slowed down enough to give you time for things like noticing your phone is missing, doing a remote wipe or changing your passwords.
Third, everyone is crying that fingerprints aren't good for "casual security" like your phone and should be reserved for serious stuff. You fools got that exactly backwards. Because fingerprints are so easily faked, never, ever use them for anything serious. But for your phone, it's perfect. It's easy to use, you can't forget it, and it's unique enough that you don't have to worry about everyone else also having 1-2-3-4 as their super-secret password.
Security is never about perfection, it is always about having the adequate security for your purpose and threat scenario. For 99% of people, having a fingerprint sensor is good enough and so easy to use that contrary to all the "good" security (that nobody enables), it will actually get used.
So for all I care, the real-world-stupid geniuses can continue theoretical discussions about theoretical security that nobody really uses, while the real-world normal people have just been given something that will jump their security level up from basically nothing to at least something. That's a massive improvement.
Assorted stuff I do sometimes: Lemuria.org
Apple is going to end up killing off the fingerprint security industry singlehanded, just like they did handwriting recognition a few years back. It's another one of these technologies that sounds good at first, but in practice just doesn't quite hold up. Parents shouldn't use it to keep their kids out of their phone for example, because there are available fingerprints to acquire all over the house. http://pacsec.jp/psj06/psj06krissler-e.pdf
That's why I use my nipple instead.
http://kotaku.com/lock-your-new-iphone-with-nipples-apparently-1360743607
Make a fake print. Or use someone else's print.
Use it to authenticate your iPhone.
Imagine the fun questions you can ask if someone shows up to ask about your fake print. Like, how do you know, and how do you have my actual prints...
Fun!
I was thinking the same thing. Basically
a) Have a master backup in case the regular passcode fails
b) Require a regular passcode+fingerprint
With both the above, (b) defeats your average thief who is likely just going to shoulder-surf your password, while also defeating those who might reproduce your thumbprint but don't have the matching passcode
(a) is needed in case something goes wrong with the fingerprint, but won't be entered in normal situations so is less vulnerable to shoulder-surfing.
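The (a)/(b) policy sketched in this comment, written out as an added example (Python, not Apple's code and not anything from the thread): a regular passcode only works together with a fingerprint, a long master passcode works on its own as the backup, and the sensor is disabled after a run of failed matches so the passcode path is all that remains. The template format (256 bits compared by the fraction of agreeing bits), the 0.90 threshold, the five-failure lockout and the PBKDF2 passcode hashing are assumptions chosen for the example. The constructed "spoof" sample is deliberately close enough to pass the matcher, mirroring the CCC result, so the block shows what the policy does and does not buy you once the print itself is reproducible.

```python
"""Constructed example (not Apple's code): an unlock policy implementing the
thread's proposal of (a) a master passcode as backup and (b) a regular
passcode plus a fingerprint for normal unlocks. Template format, threshold,
lockout count and hashing are assumptions, not Touch ID internals."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MATCH_THRESHOLD = 0.90    # assumed: fraction of template bits that must agree
MAX_BIO_FAILURES = 5      # assumed: failed matches before the sensor is disabled
PBKDF2_ROUNDS = 50_000    # assumed work factor for passcode hashing


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of agreeing bits between two equal-length bit templates."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


def flip_bits(template: bytes, positions: Iterable[int]) -> bytes:
    """Build a noisy copy of a template (used here to construct probe samples)."""
    out = bytearray(template)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def passcode_hash(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class UnlockPolicy:
    enrolled: Dict[str, bytes]   # finger label -> stored template
    salt: bytes
    regular_hash: bytes          # short passcode, only valid together with a finger
    master_hash: bytes           # long backup passcode that works on its own
    bio_failures: int = 0

    @classmethod
    def enroll(cls, fingers: Dict[str, bytes], regular: str, master: str) -> "UnlockPolicy":
        salt = os.urandom(16)
        return cls(dict(fingers), salt, passcode_hash(regular, salt),
                   passcode_hash(master, salt))

    @property
    def sensor_enabled(self) -> bool:
        return self.bio_failures < MAX_BIO_FAILURES

    def match_finger(self, sample: bytes) -> Optional[str]:
        """Label of the best-matching enrolled finger, or None (counts a failure)."""
        if not self.enrolled or not self.sensor_enabled:
            return None
        label, template = max(self.enrolled.items(),
                              key=lambda kv: similarity(kv[1], sample))
        if similarity(template, sample) >= MATCH_THRESHOLD:
            self.bio_failures = 0
            return label
        self.bio_failures += 1
        return None

    def _passcode_ok(self, passcode: str, expected: bytes) -> bool:
        return hmac.compare_digest(passcode_hash(passcode, self.salt), expected)

    def unlock(self, sample: Optional[bytes] = None,
               passcode: Optional[str] = None) -> bool:
        """(a) master passcode alone, or (b) fingerprint AND regular passcode."""
        if passcode is not None and self._passcode_ok(passcode, self.master_hash):
            self.bio_failures = 0          # recovery path also re-enables the sensor
            return True
        if sample is None or passcode is None:
            return False                   # a lifted print by itself is not enough
        if self.match_finger(sample) is None:
            return False                   # no match, or sensor locked after failures
        return self._passcode_ok(passcode, self.regular_hash)


# Constructed sample data: a 256-bit "template" and two probes derived from it.
ENROLLED = hashlib.sha256(b"constructed template: right index").digest()
SPOOF = flip_bits(ENROLLED, range(16))        # 16/256 bits off: a good latex copy
STRANGER = flip_bits(ENROLLED, range(128))    # half the bits off: someone else
REGULAR_PASSCODE = "1234"
MASTER_PASSCODE = "constructed master passcode, long and typed rarely"


def demo() -> Dict[str, bool]:
    policy = UnlockPolicy.enroll({"right index": ENROLLED},
                                 REGULAR_PASSCODE, MASTER_PASSCODE)
    results = {
        "spoof alone": policy.unlock(sample=SPOOF),
        "spoof plus regular passcode": policy.unlock(SPOOF, REGULAR_PASSCODE),
        "stranger plus regular passcode": policy.unlock(STRANGER, REGULAR_PASSCODE),
    }
    for _ in range(MAX_BIO_FAILURES):     # hammer the sensor until it locks
        policy.unlock(STRANGER, REGULAR_PASSCODE)
    results["spoof after lockout"] = policy.unlock(SPOOF, REGULAR_PASSCODE)
    results["master passcode alone"] = policy.unlock(passcode=MASTER_PASSCODE)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'unlocked' if ok else 'denied'}")
```

The outcomes line up with the comment's own analysis: the spoof alone is refused, the spoof together with a shoulder-surfed regular passcode is accepted (that combination is exactly the case the policy cannot cover), repeated bad matches close the biometric path entirely, and the master passcode still gets in and re-arms the sensor. The bit-similarity matcher stands in for a real minutiae matcher; the policy logic is the part worth keeping.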
Apple still gets points because their position is correct: if this makes 20% more people put an actual lock on their phone, it's a win for everyone. This isn't about how you can possibly get around it, it's about the fact that 40-60% of phones have no security on them and let you go straight to sensitive information, just like carrying your filing cabinet around with you unlocked and small enough to be forgotten anywhere. Any lock is better than no lock and the reality is that 99.9% of the time that these fingerprint locks are found on a "found" or stolen phone, the person finding the phone isn't going to get through the security. By making the lock a high-visibility feature of the 5s it increases the percentage of phones that are going to be secured... probably... okay, possibly.
The solution is very simple... Instead of just swiping one finger, users can swipe multiple fingers in a pattern and that would be the password. So to unlock, users would have to swipe the fingers in the same pattern as the password.
So this will be like a password of fingerprints where each print would be a characters... oh wait.
Without the requirement that they be from the same person. So if you think they might be cheating with one person, they could just as easily cheat if you brought in another.
Unless you're suggesting that they trained it on this extra finger and then forgot. Which isn't beyond the realms of possibility but unlikely I would have thought.
Guy with 5S walking in streets
Thief: Give me your iPhone and wallet or I will shoot you
Guy: Here take it all and leave me alone
Thief: Shit! This is the one with the fingerprint lock. Takes out his knife and says "Why so serious?"
CCC has proved that a targeted attack where the attacker has access to the person and the iPhone and a sophisticated skill set can overcome the fingerprint sensor on an iPhone 5s. So if I'm walking down the street and some thief takes my iPhone 5s I'm good to go. Walk into any Apple store or Internet cafe, log in to my iCloud account and wipe the thing. Even if they knew how to perform this hack, it would still take hours.
I can't tell you the number of times that I've had people watch me in dumbstruck amazement as I switched out their RAM in a few minutes. A new hard drive in an ATX case is a ten-minute job. I already have the tools and the knowledge. My point being these simple skills are not common; what CCC does is very uncommon even in the DIY crowd. A common person can expect to pay hundreds of dollars buying all of the tools needed and then days or weeks practicing to be able to do this hack.
Sorry, this proves that the fingerprint sensor is a good idea in its context.
Scenario:
You walk down the street with iPhone in hand.
Man walks casually up to you. Points gun at you. "Take out your phone," he says. "Now, unlock it."
You try to fake it. He repeats, "Finger on button - UNLOCK IT NOW."
You unlock it. He takes the phone, shuts off all verification procedures, now that he is "you".
Smacks you in the face until you hit the ground and walks away.
Fingerprint verification defeated. He sells the phone.
Too much knowledge sometimes prevents people from seeing the obvious flaws because they keep doubling down on their own cleverness. See: computerized election systems and the flaws no one sees, for sad examples