Slashdot Mirror


CCC Says Apple iPhone 5S TouchID Broken

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.


  1. Easy! by amiga3D · · Score: 4, Funny

    sounds really trivial to break. I can see all kinds of kids doing this.

    1. Re:Easy! by fuzzyfuzzyfungus · · Score: 4, Insightful

      It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

      Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

    2. Re:Easy! by noh8rz10 · · Score: 5, Funny

      Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

    3. Re:Easy! by Dins · · Score: 5, Insightful

      I was with you until you said "sheeple".

    4. Re:Easy! by ShanghaiBill · · Score: 4, Insightful

      Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

      Actually, many people have up to ten fingers. Personally, I use my big toe.

      But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

    5. Re:Easy! by dinfinity · · Score: 4, Insightful

      Still beats no passcode at all against a casual attacker

      Also beats pattern or password unlocks, which can be 'beaten' by just a bit of careful spying.

      To me, the only things that are of real concern with this technology are false negatives and durability (I'm pretty sure putting the scanner on the home button is going to end up being a bad idea).

    6. Re:Easy! by K. S. Kyosuke · · Score: 2
      --
      Ezekiel 23:20
    7. Re:Easy! by Intrepid imaginaut · · Score: 2

      Indeed, what happened to all the posters insisting it read the blood vessels under the skin instead?

      I'll tell you what though, the security of my phone wouldn't be a concern if I was a new iphone owner, it's where my fingerprints might end up that would worry me. And to think that concern might have been tinfoil hattery only a short while ago.

    8. Re:Easy! by Jane Q. Public · · Score: 4, Insightful

      "sounds really trivial to break. I can see all kinds of kids doing this."

      It's straight out of the Mythbusters fingerprint scanning episode.

      They didn't find one they couldn't defeat, and many of them were ridiculously easy. They used exactly this technique.

      I've been saying it for years: at our current level of technology, relying on fingerprints for security (or nearly any biometric for that matter) is asking for trouble. It's just not good enough.

    9. Re:Easy! by Jeremy Erwin · · Score: 5, Insightful

      The cops will have copies of all 10 fingers, and will be able to add this technique to their fourth and fifth amendment circumvention strategies.

    10. Re:Easy! by Anonymous Coward · · Score: 3, Insightful

      This is far short of the lengths a crazy ex girlfriend or suspicious spouse would go to.

    11. Re:Easy! by Anonymous Coward · · Score: 2, Insightful

      It's a capacitative scanner. It's not a photo scanner.

      From the abstract: 'latex sheet, moistened it a little'. I see no reason why that wouldn't work on this capacitative scanner.

    12. Re:Easy! by Nerdfest · · Score: 4, Insightful

      Based on their respective histories, a sensible person would probably trust CCC over Apple.

    13. Re:Easy! by maccodemonkey · · Score: 4, Interesting

      It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

      Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

      I think every Slashdotter's wet dream is that they need to keep their phones safe against a CSI style government interrogation, but this is really just for anti-theft or corporate secrets. The passcode expires in 48 hours anyway, and a business has remote wipe, so it's just a backup in another chain of security measures. And the fingerprint reader is really meant as a convenience for people who are too lazy to set a passcode at all, which is undeniably less safe.

      You know what a government is going to do if they have you and your phone? Take your finger, and press it to your phone, which legally they can compel (or physically force) you to do. All this talk about "Oh, what if the government has your fingerprint on file?" Please. That's overthinking it.

    14. Re:Easy! by Jeremiah Cornelius · · Score: 5, Insightful

      sounds really trivial to break. I can see all kinds of kids doing this.

      Known vector. Gummy-bear attack.

      The core issue is that you leave copies of your authenticator EVERYWHERE. It's as if you dropped 85% accurate copies of your smartcard on every item you touched - with random 15% damage to the material - and a card reader designed for 15% error in reads.

      Any such scheme is going to be subject to this kind of impersonation or gaming. This is why biometrics are always a bad ID choice. Also, the A/D conversion is low-entropy, among other problems.

      There's a false assumption, that because I can uniquely identify another person with 99.999% accuracy, based on your sound, shape and appearance, that therefore this is the best way a machine should do so. It is a falsehood that is reinforced by a misleading intuitive perception. The core issue concerns the questions related to what constitutes "identity" and an "authentication factor" in systems. Neither of these correlate to actual persons or their real-world characteristics in a unique and meaningful way, that is not also subject to spoofing, injecting or revocation DoS.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    15. Re:Easy! by murdocj · · Score: 2

      If you try to brute-force the pin doesn't the machine wipe the data? At least my ITouch claims that it will do so after 10 bad tries.

    16. Re:Easy! by lachlan76 · · Score: 2

      IIRC, toner has graphite in it, which is probably what makes this work.

    17. Re:Easy! by msauve · · Score: 3, Informative

      "the CCC used milk and latex to simulate human skin, to trick the capacitors. A very old technique btw."

      They used latex milk (i.e. liquid latex rubber), not "milk and latex."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    18. Re:Easy! by fuzzyfuzzyfungus · · Score: 2

      "So how do you imagine you copy a capacitative image on a photocopier?"

      You don't; but a photocopier/laser-printer is a dirt-cheap way of depositing a high precision thermoplastic structure on top of a sheet of transparency plastic(ie. creating a fingerprint mold) at which point you just brush on a layer of the actual approximately-human-capacitance material you are using to make the fake print.

      That's all the photocopier does. If you can get away with very flat, low-temperature, molds, laser printing is a precise and cheap way to make them.

    19. Re:Easy! by mysidia · · Score: 5, Funny

      you mean, besides just holding your hand against the sensor? As, if they have your phone, they probably also have you...

      How about you jailbreak the phone, and use a PIN to unlock it normally, BUT you customize the reader, so if certain of your fingers get held against the sensor --- it triggers a "disable power off function" and "start wipe device" command.

    20. Re:Easy! by Savage-Rabbit · · Score: 5, Insightful

      sounds really trivial to break. I can see all kinds of kids doing this.

      Known vector. Gummy-bear attack.

      The core issue is that you leave copies of your authenticator EVERYWHERE. It's as if you dropped 85% accurate copies of your smartcard on every item you touched - with random 15% damage to the material - and a card reader designed for 15% error in reads.

      Any such scheme is going to be subject to this kind of impersonation or gaming. This is why biometrics are always a bad ID choice. Also, the A/D conversion is low-entropy, among other problems.

      There's a false assumption, that because I can uniquely identify another person with 99.999% accuracy, based on your sound, shape and appearance, that therefore this is the best way a machine should do so. It is a falsehood that is reinforced by a misleading intuitive perception. The core issue concerns the questions related to what constitutes "identity" and an "authentication factor" in systems. Neither of these correlate to actual persons or their real-world characteristics in a unique and meaningful way, that is not also subject to spoofing, injecting or revocation DoS.

      Let's say you get your grubby hands on an iPhone 5S and are immediately overcome by an irresistible urge to crack it open.

      1) Getting the victim to pose his finger for a 2400dpi photo is not an option so you'd have to bag the device and dust it for prints since you'll probably need to make the prints more visible. I suppose you could get the hang of that in about half an hour if you are a novice with a print dusting set you bought online.
      2) Find a good thumb print. There is no guarantee that the print on the button sensor surface is any good nor is there a certainty that there is a usable print anywhere on the phone. I suppose you could monitor your victim and steal some of his drinking glasses and coffee cups but that means 'trivial' goes out the window right there.
      3) For the sake of argument let's say you get 1 and 2 right and find a good print on the sensor surface or somewhere else on the phone, eliminating the need to poke around stealing coffee cups and drinking glasses. You now still have to do what it says in the article and the photo processing, printing and latex covering that sounds like quite a bit more than 10 minutes of work, especially if you have never done it before.

      That does not sound exactly trivial to me. Trivial is faking your way past Google's face recognition-login feature with a picture of the phone's owner. You could conceivably do that by borrowing his phone, snapping a picture of him with your iPad and using the image in the iPad to log into his phone... Ooops! somebody already went and did that and it looks like a 20 second operation. Going through the above procedure to defeat the fingerprint scanner takes what? An hour? The average pick-pocket would probably not bother and the time it takes to crack phones this way with no guarantee of reward would make it uneconomical for criminal bands to crack phones on a large scale (in the hope of finding account numbers or dirty pictures for a blackmailing, ... or whatever) which means that this is way better security than no passcode at all. If you are carrying data valuable enough to make it worth while to go through this exercise to retrieve it you should put a 20 character password on your iPhone or consider putting the data on an IronKey instead. And yes I know the NSA can probably pull this off in 10 minutes or less but if you have the NSA after you:

      a) They probably have more efficient ways to get into your device than stealing it and hacking it by lifting your greasy fingerprints.
      b) You have bigger things to worry about than somebody reading your e-mail... like getting snatched and sent to a secret jail for a course of water-boarding, or being on the shortlist for a drone strike.

      --
      Only to idiots, are orders laws.
      -- Henning von Tresckow
    21. Re:Easy! by berj · · Score: 2

      That is an optional setting, yes.

    22. Re:Easy! by Anonymous Coward · · Score: 3, Informative

      You should watch it once more, probably.

      He trains it on his index finger and then unlocks it with a print on his middle finger.

    23. Re:Easy! by Jeremiah Cornelius · · Score: 2

      Trivial will be running a crack on the limited number of hashes that can be generated by the phone's sampler for fingerprint images.

      The problem with this is not where it has started, as a simple PIN replacement for iPhones. It is where this is headed, now that Apple has used their marketing position to deliver Biometric authentication as a security technology in the mainstream.

      People who are good at technology problem-solving are often equipped with exactly the wrong type of mental orientation for examining implication or cross-disciplinary context. So? You get a reasonable PIN replacement for your iPhone, that reduces auto-collisions by people unlocking their phones while driving. Nice.

      You also get this as a cure-all for the password problem, as an option on every device you interact with, over the next 4 years. I don't care if it is thumbprint, retina-scan or gut-biome that is measured. This will lower security and introduce as-yet-unforeseen compromises.

      I'd paint the lens on this thing, with black enamel.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    24. Re:Easy! by AmiMoJo · · Score: 3, Insightful

      Anyone targeting data stored on a phone would come armed with a Faraday cage bag. You can buy them commercially, designed for "law enforcement" with the goal of preventing remote wipes. Some even come with a cable entry grommet so you can keep the phone powered and data-rape it without removing it from the bag, just in case the user enabled full device encryption.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    25. Re:Easy! by phluid61 · · Score: 2

      Related "story", popped up in the few days. http://9to5mac.com/2013/09/21/touch-id-on-iphone-5s-can-be-used-with-more-than-just-your-fingers/ Fingers and toes aren't the end of it.

    26. Re:Easy! by maccodemonkey · · Score: 2

      Anyone targeting data stored on a phone would come armed with a Faraday cage bag. You can buy them commercially, designed for "law enforcement" with the goal of preventing remote wipes. Some even come with a cable entry grommet so you can keep the phone powered and data-rape it without removing it from the bag, just in case the user enabled full device encryption.

      Of course any Slashdotter knows that once someone has local access anything stored locally is basically crackable anyway. So if one had information they really wanted secure it would likely be on a remote server anyway, which a device can't get to in a Faraday cage.

      That's also what makes the passcode and fingerprinting debate a bit silly. If someone like the government physically had your device, they need neither the passcode nor the fingerprint. They have the abilities to dissect the device and pull any info off, encryption or not.

    27. Re:Easy! by Joining Yet Again · · Score: 4, Informative

      You made a mistake and you're behaving stupidly, posting the same misunderstanding over and over again on this thread. As far as I can tell, you're an Apple fan and you're annoyed that they were so obviously caught with their pants down, so you're deliberately (you've been corrected multiple times) lying about how capacitive fingerprint scanning works.

      You have two choices now:

      i) Let it go and apologise, and appear reasonable in the eyes of fellow Slashdotters - every business and individual sometimes makes a mistake, including you;

      ii) Continue stomping your feet like a dull child, losing all remaining respect you have on this site, and causing other people to remember back to this thread where you lost it every time they see a post from you.

      Which will it be, BasilBrush? I know you'll have read this, so it's now up to you.

    28. Re: Easy! by Khyber · · Score: 4, Interesting

      Reproducible to a T, though I used a different method.

      1. Get boyfriend to lock his new iPhone with his fingerprint.
      2. Lift said fingerprint from his fresh drinking glass with tape and a light dusting of coarse graphite powder before applying tape.
      3. Make fingerprint better viewable by optical scanners by dusting with extremely fine graphite powder after transfer to white paper.
      4. Scan and print on copier using capacitive iron-wax toner.
      5. Fingerprint security? Same bullshit from the beginning 2000s, with the exact same fucking flaws.

      I was bypassing this exact same crap with the exact same method on IBM ThinkPads and HP NC/NX model Business-class notebooks years ago.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    29. Re:Easy! by mjpaci · · Score: 2

      Wouldn't your fingerprint be on the glass of the iPhone in the first place? Like, maybe, on the button itself?

    30. Re:Easy! by smash · · Score: 2

      Of course, it's never going to be 100% secure. However if someone has stolen your device and had enough time to go through the process of faffing around making a fingerprint to unlock it, presumably you've already wiped it with find my iphone. If someone has physical control of your device, all bets are off.

      However, as an unlock to prevent against casual snooping, the fingerprint scanner is convenient, and much less hassle than a passcode. Perhaps having the phone fall-back to passcode security after an hour or two is a good idea, and relegate fingerprint scan to a quick unlock, for a limited duration after you've locked the phone.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    31. Re:Easy! by formfeed · · Score: 5, Interesting

      Based on their respective histories, a sensible person would probably trust CCC over Apple.

      Yes, I agree. No idea why this was modded "troll". There is a decent history to show that.

      CCC:
      Did this before. They lifted the fingerprints of the German minister of Interior from a water glass and turned it into a little stamp so you can place him now at any crime scene. (The hack was actually to show just how idiotic government use of biometric data is).

      Apple:
      I of course don't want to say anything negative against this good company, but some people might say that they have a history of over-hyping things.

    32. Re:Easy! by Dare nMc · · Score: 2

      Inkjet printing
        " The charged droplets pass through an electrostatic field and are directed (deflected) by electrostatic deflection plates to print on the receptor material (substrate)"

    33. Re:Easy! by swillden · · Score: 5, Interesting

      It's a capacitative scanner. Whether you like it or not, that's not imaging the surface layer of skin, but the complexity of what's behind it.

      You're correct that it doesn't image the surface layer, but wrong about it getting what's behind the skin. Capacitive sensors obtain an image of, essentially, the back side of the skin. The ridges are there, but no other subdermal structure is visible, and the ridges are the same ones visible on the surface, so a surface image (e.g. a skin-oil negative), provides a fine panel from which to construct a usable fake finger.

      FWIW, I used to build biometric authentication systems, especially fingerprint stuff. I did security analyses of fingerprint scanners (optical and capacitive) for Visa, wrote the Linux kernel driver for the AuthenTec scanner, and a bunch of other stuff over a 10-year period. I've never designed them and don't claim to fully understand the physics (though I've consulted extensively with people who do), but I've worked with them, a lot, and I know very well what they do and do not do.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    34. Re:Easy! by tlhIngan · · Score: 2

      It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

      Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

      Actually, the take away is that the fingerprint sensor is unreliable. So unreliable that a 4-digit PIN trumps the fingerprint reader. Yes, I said trumps because your PIN is more important to the OS. If you reboot the phone, you need the PIN - the fingerprint will NOT unlock it. If you don't use the fingerprint reader for 48 hours, you need the PIN.

      The only benefit the fingerprint reader has is that people who won't use PINs because they're so inconvenient to use (having to enter it all the time) that they leave their phone at the default swipe to unlock. Which apparently is around 50% of smartphone users out there. The reader simply upgrades their security a tiny bit since it's now PIN-locked rather than people leaving it open.

      And for those who already use PINs, they can upgrade to full complex passcodes (or passphrases), but not have to deal with entering their 100 character long phrase every time they need to send a text.

      It's like how laptop fingerprint readers work - when it worked on my laptop, I locked my laptop all the time when I left it. But since it broke, I don't lock it all the time.

      People seem to think it's unbreakable, yet on the iPhone and on any laptop, it's used to bypass the password. But if you have the password, you don't need the fingerprint. Except Apple's implementation is slightly more secure because it requires using the alternative unlock mechanism.

      Here, the fingerprint reader is quicker to unlock your phone than Android's face unlock (which is equally insecure).
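
Added example (not part of any comment in this thread, and not Apple's code): a small Python model of the fallback rules commenters describe, where the passcode is mandatory after a reboot and after 48 hours without an unlock, with the optional wipe after 10 bad passcodes. The class and field names are hypothetical, and the assumption that any successful unlock resets the idle timer is ours, not the page's.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # seconds


@dataclass
class UnlockPolicy:
    # Constructed model: the values below come from statements in the thread,
    # not from vendor documentation.
    biometric_idle_limit: int = 48 * HOUR       # longer idle -> passcode only
    wipe_after_failures: Optional[int] = None   # e.g. 10 for the optional wipe


class Device:
    """Tracks which authenticator the lock screen will accept at a given time."""

    def __init__(self, passcode, enrolled_prints, policy):
        self.passcode = passcode
        self.enrolled = set(enrolled_prints)
        self.policy = policy
        self.wiped = False
        self.failed_passcodes = 0
        self.reboot()

    def reboot(self):
        # After a reboot the fingerprint is refused until the passcode is entered.
        self.passcode_since_boot = False
        self.last_unlock = None

    def biometric_refusal(self, now):
        """Return None if a fingerprint may be tried, else the reason it may not."""
        if self.wiped:
            return "wiped"
        if not self.passcode_since_boot:
            return "passcode required after reboot"
        if now - self.last_unlock > self.policy.biometric_idle_limit:
            return "passcode required after idle timeout"
        return None

    def try_fingerprint(self, print_id, now):
        reason = self.biometric_refusal(now)
        if reason is not None:
            return reason
        if print_id not in self.enrolled:
            return "no match"
        self.last_unlock = now  # assumption: any unlock resets the idle timer
        return "unlocked"

    def try_passcode(self, code, now):
        if self.wiped:
            return "wiped"
        # Constant-time comparison so timing does not leak a partial match.
        if hmac.compare_digest(code.encode(), self.passcode.encode()):
            self.failed_passcodes = 0
            self.passcode_since_boot = True
            self.last_unlock = now
            return "unlocked"
        self.failed_passcodes += 1
        limit = self.policy.wipe_after_failures
        if limit is not None and self.failed_passcodes >= limit:
            self.wiped = True
            return "wiped"
        return "wrong passcode"


def scenario(idle_limit=48 * HOUR):
    """Constructed timeline: boot, passcode unlock, then fingerprint attempts."""
    d = Device("4821", {"right-index"}, UnlockPolicy(biometric_idle_limit=idle_limit))
    return [
        d.try_fingerprint("right-index", 10),            # straight after boot
        d.try_passcode("4821", 20),
        d.try_fingerprint("right-index", 20 + 2 * HOUR),  # two hours later
        d.try_fingerprint("right-index", 20 + 60 * HOUR), # after a long idle gap
    ]


if __name__ == "__main__":
    print("48 h window:", scenario())
    print(" 1 h window:", scenario(idle_limit=1 * HOUR))
```

Shrinking `biometric_idle_limit` to an hour or two reproduces the shorter fallback window suggested earlier in the thread: the window during which a lifted print is of any use closes with it.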

    35. Re:Easy! by mrxak · · Score: 3, Insightful

      It's trivial to change your password, if it's ever compromised. It's not so easy to change your fingerprints.

    36. Re:Easy! by MrMickS · · Score: 2

      Just like the "unlock gesture" in the new Windows stuff, this is a replacement for a 4 digit PIN, not for a real password. This break seems harder and more time consuming than brute forcing a 4 digit PIN, so it's fine.

      Anyone who actually cares will have forensic tools that will just immediately present the data anyhow - for any consumer device, physical access is access to the data, eventually.

      It's a little more than that. Once unlocked the fingerprint can be used to authorise the iTunes and App stores ... not that that does you much more than allow you to download stuff to your stolen phone at present. Maybe Apple were aware of the limitation and that's why they've withheld access to the TouchID API from developers. It would be different if you could authorise real world purchases with it.

      --
      You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
    37. Re:Easy! by Aaden42 · · Score: 3, Informative

      Alas, that’s not settled case law in the US. Results are mixed at Federal district level, and there’s no settling ruling by SCOTUS. Depending on the jurisdiction you’re in, some have ruled that compelling a password is self incrimination whereas others have ruled that it’s the same as compelling the combination to a safe (which *is* settled to *not* be self incrimination).

      The logic goes something like this: Revealing that you know the code reveals that the “container” (safe, phone, etc.) belongs to you. That might be incriminating, but if they can prove via other means that the container belongs to you (easy for a cell phone - check CellCo records), then you’re not incriminating yourself by revealing that you know the code since they already know it belongs to you. Revealing the code proves nothing that they don’t already know. Since the code itself is now not incrimination (only the contents that are revealed by it), you can be compelled to provide the code or rot in a cell until you do.

      Some jurisdictions have been a bit more reasonable in realizing that the contents of a cell phone are likely to be more intimate and thus more deserving of additional protections than bank records sitting in a safe, but that’s not universal at all yet.

  2. If true by djupedal · · Score: 3, Funny

    new iPhone owners should get their money back. This was supposed to be updated tech that resisted decades-old spoofing.

    1. Re:If true by Lehk228 · · Score: 5, Interesting

      fingerprint identification is fundamentally and irredeemably broken. no other authentication method leaves copies of itself all over the place.

      everything else is an arms race between verifying it is a finger and pretending to be a finger.

      --
      Snowden and Manning are heroes.
    2. Re:If true by girlintraining · · Score: 2

      fingerprint identification is fundamentally and irredeemably broken. no other authentication method leaves copies of itself all over the place.

      Sigh. Biometrics can of course be defeated as long as the sensor is stupidly simple. And big surprise... a mass-produced mobile device built at the absolute lowest cost they can get away with... can be defeated. But biometrics was never meant to replace existing authentication measures, but to augment them. Three factor authentication is still the best way of securing a device, location, etc. One factor authentication like what's demonstrated here... is ... well ... not very smart.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:If true by gagol · · Score: 2

      A security scheme that depends on a non-changeable password that you leave physical copies around every time you touch something bare hand... what could go wrong?

      --
      Tomorrow is another day...
  3. Re:Am I missing something? by fuzzyfuzzyfungus · · Score: 4, Insightful

    Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.

  4. Re:Am I missing something? by Anonymous Coward · · Score: 2, Interesting

    Isn't this the same attack vector that can be used with any finger print scanner?

    There are a number of things to check to make sure that the fingerprint actually belongs to a human:
    - Pulse
    - Temperature
    - Conductivity (probably worked around by moisturizing the printed fingerprint)

    But at the end of the day, fingerprints are just too easy to fake and not a good method of authentication.

  5. More secure. by noh8rz10 · · Score: 3, Funny

    Maybe the best use of touch Id is as a complement to a code. Something you know, something you have, something you are. They have 2 out of 3, and with their Siri they could add voice too. "My voice is my passport. Verify"

    1. Re:More secure. by green1 · · Score: 5, Insightful

      You mean like the android face unlock that can be defeated by a photo of the user? (at least you don't leave your photo on the glass surface of the phone when you put it down...)

      Let's face it though, unless companies are willing to spend a fair amount more on these biometric sensors, they'll always be trivial to hack, there are good fingerprint readers (that actually don't use the prints, but subdermal tissue) but they cost a lot more than the ones that are defeated in such trivial ways..

      I'm still looking for the retraction from all those people who posted to the original fingerprint reader on iphone thread last week saying this wasn't a simple fingerprint reader on the iphones and wouldn't be susceptible to this form of attack...

    2. Re:More secure. by green1 · · Score: 2

      it's relatively secure, and completely unreasonable to expect someone to use every time they access the phone.

      The nice part about the fingerprint scanner isn't the security offered (because we've just seen that it isn't that secure) it's the convenience of not having to enter a pin every time you use the device while still retaining some small measure of security. But then again, Apple is (to my knowledge) only the second major cell phone manufacturer to implement this technology, so it may improve with time.

      This is targeted as a way to get people to use some form of security instead of none. And the best way to do that is to make the security as unobtrusive as possible. (even if not as secure as more intrusive methods)

    3. Re: More secure. by GrahamJ · · Score: 2

      The iPhone one does use sub dermal tissue scanning.

    4. Re: More secure. by green1 · · Score: 4, Insightful

      well so far we have a marketing droid saying it does, and a documented hack proving otherwise. If you have better proof I'd suggest you post it because right now your case is pretty weak.

    5. Re:More secure. by rthille · · Score: 2

      Also, the phone could use the accelerometer to determine its movement and compare it to the expected change in photos given the 3D model of your face stored in the phone.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    6. Re:More secure. by petsounds · · Score: 2

      Apple specifically claims their reader IS of the subdermal variety, so I was quite to see this tactic be successful. Hard to believe they would outright lie about that part, as it would be blatant false advertising.

    7. Re:More secure. by monzie · · Score: 2

      subdermal != foolproof. As has been demonstrated by CCC now. In fact, it has been repeatedly demonstrated ( by CCC and others ) that we should stop relying on fingerprints to uniquely identify an individual. If we do continue to do this - we only make our own identity more vulnerable to theft.

  6. Risk to Security Algorithm by retroworks · · Score: 3, Interesting

    Interesting. We do have to remind ourselves that security needs to be proportionate to risk. The first rule is value, or what the potential for loss is. I want a really really difficult password for my credit card account, I get angry when a newspaper login requests the same password algorithm (how much should I care if someone reads the news site using my login account?) The second factor is proximity. If you steal the president's laptop from off the president's desk, you should face unheard of security. If the president's digital needle lies anonymously at the bottom of a city haystack, the statistical risk shrinks. The fingerprint app, like Android's code generator, seems like an appropriate level of security for a lost or stolen cell phone.

    --
    Gently reply
    1. Re:Risk to Security Algorithm by je+ne+sais+quoi · · Score: 2

      We do have to remind ourselves that security needs to be proportionate to risk.

      Exactly. You can make your phone the most secure thing in the world, requiring a randomized string of alphanumerics umpteen characters long that you recite from memory, but you've also made it utterly impractical to use.

      One thing I noticed about this method is that they didn't get their fingerprints from the iPhone itself, on the site they got them from a glass bottle. There's a lot of residue from fingerprints on my screen and a lot of potential fingerprints, but some of them are smudged from where I moved my finger, but I'd like to see if someone can use prints from an actual phone, everything else requires that the attacker have physical access to places you've been, but by far the most likely scenario where this will be useful will be to keep people out if I leave my phone somewhere unintentionally.

      --
      Gentlemen! You can't fight in here, this is the war room!
  7. So, don't use the same finger for by The+Cisco+Kid · · Score: 3, Interesting

    the security sender that you use for the touchscreen..

    How hard is that?

    In fact I'm surprised that wouldn't already be part of the advice for users of this.

    Either that or require a swipe from two different fingers, in a specified order.

    1. Re:So, don't use the same finger for by lgftsa · · Score: 2

      eBay?

  8. I have a solution! by Anonymous Coward · · Score: 5, Funny

    Instead of using a fingerprint, use a Nipple print!

  9. Hype? For a new product? No way!!! by Kohath · · Score: 2

    New products are never hyped. That would be dishonest. Gadget slogans are all like:

    - "We like it well enough, but you should make up your own mind."
    - "We tried to improve it over last year's model. We think we succeeded -- at least partially."
    - "It has some benefits for some people. It has some drawbacks for some other people. Be careful buying it to make sure it's good for you."

    It's the new Internet-forum-approved marketing trend! Internet forum whining and moralizing about dubious gadget hype finally won everyone over!

  10. social engineering time by Jeremy+Erwin · · Score: 5, Funny

    You know what? I really love the sound of your voice. ... And there's this one word. I've always loved the sound of this word. ... I would really like to hear you say the word ..."passport".

  11. So what they proved is... by NoKaOi · · Score: 4, Funny

    ...the iPhone's fingerprint scanner works well. I was expecting it to be a gimmick that would give more false negatives or false positives than real results. That these guys had to use the same methods they would use for a high-quality expensive fingerprint scanner, and that those methods actually worked, tells me the iPhone's fingerprint scanner has potential.

  12. Re:Different fingers by 93+Escort+Wagon · · Score: 2

    I wondered that as well. It would have been more conclusive if he'd had a second person come in and use the fake to unlock the phone.

    --
    #DeleteChrome
  13. Not exactly new by TejWC · · Score: 4, Insightful

    I remember Mythbusters doing something similar with a multi thousand dollar computer security system.

    1. Re:Not exactly new by Jason+Levine · · Score: 2

      So seven years ago, the Mythbusters defeated a high end alarm system using simple techniques. Now you can buy a smartphone for much less that contains that technology - still able to be defeated by the same methods. The march of technology!

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  14. Gee by msobkow · · Score: 3, Funny

    Something you leave lying around on everything you touch is a poor key for security.

    Who'd a thunk it?

    --
    I do not fail; I succeed at finding out what does not work.
  15. Fingerprint scanners are rarely secure by ThunderBird89 · · Score: 2

    Surprise, surprise. Fingerprint identification is rarely secure, some implementations can even be tricked using gummy bears. Really secure ones usually have rather steep costs and bulky supporting hardware associated (usually to check for blood flow to ensure the finger is a live one). Anything in a laptop or smartphone has no chance at real security whatsoever.

    But guess what? This probably wasn't an exercise in security, but ease-of-use: being able to unlock your phone with a touch is easier than slide-to-unlock or passcodes. And it was a good exercise (not to mention fun when it was discovered that the software can even interpret a cat's pawprint). It was successful. So what if it can be broken easily, almost all of fingerprinting is the same.

    --
    Hyperbole: I use it liberally!
  16. Re:Am I missing something? by Desler · · Score: 5, Insightful

    Has anyone else verified that the supposed hack really does work? Isn't it a bit premature to claim Apple is lying off a single youtube video?

  17. Re:Different fingers by Zero__Kelvin · · Score: 5, Insightful

    No. It wouldn't matter. No matter what they did there would always be the next thing they could have just done. How do we know that the phone wasn't programmed to unlock with the second guy's fingerprint? How do we know they didn't edit the video? etc, ad infinitum. What makes it highly believable is none of that. It is the reputation of the Chaos Computer Club that makes it believable. They aren't about to sacrifice a reputation it took them more than 30 years to build, especially for essentially no gain. If it was an unknown group I'd say maybe they are looking for 15 minutes of fame. But this is the CCC we are talking about here.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  18. Re: Am I missing something? by EGSonikku · · Score: 2

    Pattern lock is hardly secure considering they can see the smudge on your screen. And the NSA has said they can easily get into any Android device.

    TouchID is still harder to trick than that. It's meant to deter common thieves, not James Bond. If the government has your phone they can easily compel you to unlock it or use existing forensic tools combined with warrants to your cellular provider.

    --
    - "Scientia non habet inimicum nisp ignorantem"
  19. Re:Easier for law enforcement by Desler · · Score: 2

    You realize that law enforcement can already gain access to a password locked phone already, right? Why would they bother with recreating a latex fingerprint over just using the software they already have to unlock them?

  20. You're missing the point. by EGSonikku · · Score: 5, Insightful

    Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.

    It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the meantime anyway).

    If it's the government you're worried about...well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.

    I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.

    --
    - "Scientia non habet inimicum nisp ignorantem"
    1. Re:You're missing the point. by jones_supa · · Score: 5, Insightful

      Fingerprints are good because they replace ZERO security.

      Mod parent up. So often geeks think that if they can find some fancy way to overcome a security feature, it somehow automatically makes it completely useless.

    2. Re:You're missing the point. by AmiMoJo · · Score: 2

      For a casual user what you say is mostly correct, but that isn't how it was marketed. They claimed it was some kind of super sensor that required a pulse and was immune to simple copying methods. Claimed you could rely on it for security.

      If they had just been honest from the start it would have been fine.

      I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.

      Anyone who might be targeted, say a business user with potentially valuable information on their phone, would be better off with a pass code. A code is easy to obscure when entering it, fingerprints are basically impossible to protect unless you carefully wipe everything you touch down or wear gloves all the time.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:You're missing the point. by Overzeetop · · Score: 3, Funny

      Well, some lucky kid *didn't* lock the android phone that fell out of his pocket while rip-roaring drunk, so that when I picked it up off the side of the road I could get in and send him an email that I'd found it. Sure, I could have just popped the SIM and sent it back to Verizon, but it would have taken weeks or days, not 2 hours, for the guy to get his phone back.

      I don't PIN lock my phone because I'm lazy, I do it so my family can use my phone easily. I definitely wouldn't use the fingerprint recognition if I had it.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    4. Re:You're missing the point. by Just+Some+Guy · · Score: 4, Insightful

      And for power users, fingerprint plus passcode is more secure than just one or the other. I'd love to see a setting like "require both fingerprint and passcode to initially unlock the phone. Lock the phone immediately when it goes to sleep, but allow it to be unlocked with either passcode or fingerprint for up to five minutes."

      I'd set this in a heartbeat. Basically, it'd be more secure than any current options when initially unlocking the phone. It'd also be more convenient than the "require a passcode immediately when the phone goes to sleep" setting, and more secure than the "don't require a password for the next x minutes" settings. This is how I'd like the system to work.

      --
      Dewey, what part of this looks like authorities should be involved?
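
The unlock policy proposed in the comment above, modelled as a small state machine. This is an added example, not part of the original thread and not Apple's implementation; the class name, starting the five-minute window at the moment of sleep, and revoking that window after a failed attempt are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 5 * 60  # "up to five minutes", as stated in the comment


@dataclass
class LockPolicy:
    """Hypothetical model: both factors first, either factor shortly after sleep."""
    locked: bool = True
    # Time the phone went to sleep after a successful unlock.
    # None means no grace window exists (fresh boot, expired or revoked).
    slept_at: Optional[float] = None

    def sleep(self, now: float) -> None:
        # Lock immediately. Only a sleep that follows a real unlock starts
        # the window, so waking and re-sleeping a locked phone cannot extend it.
        if not self.locked:
            self.slept_at = now
        self.locked = True

    def in_grace(self, now: float) -> bool:
        return (self.slept_at is not None
                and 0 <= now - self.slept_at <= GRACE_SECONDS)

    def unlock(self, now: float, fingerprint_ok: bool, passcode_ok: bool) -> bool:
        if not self.locked:
            return True
        if fingerprint_ok and passcode_ok:
            granted = True                      # full two-factor unlock
        elif self.in_grace(now):
            granted = fingerprint_ok or passcode_ok
        else:
            granted = False
        if granted:
            self.locked = False
        else:
            # Assumption (not in the comment): any failed attempt revokes the
            # window, so a spoofed print gets one try before both are needed.
            self.slept_at = None
        return granted


def walkthrough() -> list:
    """Constructed timeline; times are seconds on an arbitrary clock."""
    p = LockPolicy()
    results = [
        p.unlock(0, fingerprint_ok=True, passcode_ok=False),  # first unlock needs both
        p.unlock(1, fingerprint_ok=True, passcode_ok=True),
    ]
    p.sleep(10)
    results.append(p.unlock(100, fingerprint_ok=True, passcode_ok=False))  # 90 s after sleep
    p.sleep(200)
    results.append(p.unlock(501, fingerprint_ok=False, passcode_ok=True))  # 301 s after sleep
    results.append(p.unlock(502, fingerprint_ok=True, passcode_ok=True))
    return results


if __name__ == "__main__":
    print(walkthrough())
```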
    5. Re:You're missing the point. by swillden · · Score: 2

      Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.

      This is correct.

      I've been explaining on /. (and elsewhere) for years that fingerprint authentication is useless except in high-security applications where someone validates the scan is done properly... but that it's highly useful for identification applications, where all you need is a very low assurance that the person being scanned is who they appear to be.

      The key is to make sure that users understand that the fingerprint scanner is a security upgrade for those who would use NO security, but significantly less secure than using a passcode. So people who would use a passcode should probably continue. People who just swipe to unlock should consider using the fingerprint scanner.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  21. Blah blah blah... by doggo · · Score: 3, Insightful

    Sure they can break it. If they have your fingerprint to photograph. Assuming this is a lost or robbed phone, where will they get your fingerprint? From the phone? Maybe. Maybe not.

    Apple's solution is good enough for civilian security on a phone, as long as you're not oblivious and pay attention to your surroundings while walking in unfamiliar areas so you don't get mugged, and don't lose phones regularly, or store very sensitive information on your phone.

  22. Oh good... by rkww · · Score: 4, Funny

    Oh good, now I can make a back-up fingerprint in case I lose my finger...

  23. Simpler strategy by __aaltlg1547 · · Score: 2

    Lift the fingerprint from the touch sensor of your iPhone. There's no need to have another source for the fingerprint.

    1. Re:Simpler strategy by __aaltlg1547 · · Score: 2

      No, but it neatly identifies which fingerprint to use.

  24. The CCC have history with over hyped biometrics by M0HCN · · Score: 2

    As the German interior minister Wolfgang Schäuble discovered in 2008 when he got all hot for biometric ID cards, the CCC lifted his prints and published the required data as well as a latex print in a little bag in the magazine... The idea went away.

    I would be inclined to believe the CCC in this matter, they have form for calling out over hyped biometrics.

    Regards, Dan.

  25. Re:Am I missing something? by shadowrat · · Score: 3, Informative

    Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.

    I don't recall exactly what Tim Cook promised, but I think he was hyping the convenience over the robustness of protection. I think they claimed the advanced technology would enable it to respond quickly, and it provided more protection than no passcode. That seems in line with these findings.

  26. Duh... by Lumpy · · Score: 2

    All fingerprint scanners are utter failures. Anyone that has dealt with them for the past 5 years has known this.

    The fingerprint system in it is to keep friends from grabbing your phone and posting photos of their junk as you.

    --
    Do not look at laser with remaining good eye.
  27. Re:Different fingers by Zero__Kelvin · · Score: 2

    It's on their website. I also don't question if Apple really is the one that sells the .

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  28. No device is 'secure', guys & gals by SternisheFan · · Score: 3, Insightful

    About 2 years ago I had an 'Ask Slashdot' submission accepted, and I was asking the /. community about security on my android phone. My concerns were about 'forced Bluetooth hacks', WiFi security, etc. A couple hundred comments generated, most all of them very derisive of the possibility that these devices were not secure, except for one or two commenters who agreed that, yes, there are ways that the phone can be accessed. Today we know far more about the backdoors on all types of phones, computers, routers, NSA... etc. Then, it turns out, most all the commenters here were..., wrong, or at least 'ill-informed', shall I say?

    I believe I stated then that I'd heard you should never say anything in an email, text or voice call that you wouldn't want to be repeated back in an open courtroom. Today, to expect any perfect type of security from any form of electronic device would be quite a stupid thought, especially from any people who keep up on current events.

    I take no joy here now in the fact that my suspicions of two years ago were all valid and vindicated. Having said that, fellow /.'ers, who had my 'karma' demoted back then because of my 'Ask Slashdot' submission, I just want to say here....

    I told you so!

  29. Re:Different fingers by grantspassalan · · Score: 2

    I do not think that Apple is too worried about this, because they did not intend to make this for ironclad security, but simply for convenience of the user. The fingerprint scanner however does have potential for higher security by having an application, such as the sign in for a bank to require two or three fingerprints in the correct order. That would take security several orders of magnitude higher than an easy-to-guess password.

    --
    A sufficiently advanced simulation is indistinguishable from reality.
  30. Re:Am I missing something? by mvdwege · · Score: 2

    Let me correct that for you: a youtube video endorsed by known experts in these kinds of hacks. Versus lots of fanboi speculation on the superiority of Apple tech and vague marketing claims from Apple.

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  31. total miss by Tom · · Score: 3, Insightful

    Of course a fingerprint sensor can be fooled. It doesn't take a video to prove that the sky is blue, you know?

    What everyone misses is two important points. These are the days I'm glad I got out of the security industry because quite frankly, while lots of people are brilliant at the technology, most people are complete failures at the psychology of security.

    First, a lot of people have no lock at all on their iPhones today. None. You can pick it up, slide to unlock and you're in. The fingerprint sensor will prevent the casual attacker, especially the one who doesn't want you noticing your phone is missing (people leave their phones on their tables when going to the bathroom, something that puzzles me but it happens).

    Second, even an attacker dedicated and knowledgeable enough to get your prints from somewhere and then build a fake finger will be slowed down enough to give you time for things like noticing your phone is missing, doing a remote wipe or changing your passwords.

    Third, everyone is crying that fingerprints aren't good for "casual security" like your phone and should be reserved for serious stuff. You fools got that exactly backwards. Because fingerprints are so easily faked, never, ever use them for anything serious. But for your phone, it's perfect. It's easy to use, you can't forget it, and it's unique enough that you don't have to worry about everyone else also having 1-2-3-4 as their super-secret password.

    Security is never about perfection, it is always about having the adequate security for your purpose and threat scenario. For 99% of people, having a fingerprint sensor is good enough and so easy to use that contrary to all the "good" security (that nobody enables), it will actually get used.

    So for all I care, the real-world-stupid geniuses can continue theoretical discussions about theoretical security that nobody really uses, while the real-world normal people have just been given something that will jump their security level up from basically nothing to at least something. That's a massive improvement.

    --
    Assorted stuff I do sometimes: Lemuria.org