CCC Says Apple iPhone 5S TouchID Broken

← Back to Stories (view on slashdot.org)

CCC Says Apple iPhone 5S TouchID Broken

Posted by timothy on Sunday September 22, 2013 @06:58AM from the well-if-that's-all dept.

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T :Reader mask.of.sanity adds a link to a video of the hack.

31 of 481 comments (clear)

Easy! by amiga3D · 2013-09-22 07:01 · Score: 4, Funny

sounds really trivial to break. I can see all kinds of kids doing this.
1. Re:Easy! by fuzzyfuzzyfungus · 2013-09-22 07:07 · Score: 4, Insightful
  
  It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.
  
  Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.
2. Re:Easy! by noh8rz10 · 2013-09-22 07:14 · Score: 5, Funny
  
  Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security
3. Re:Easy! by Dins · 2013-09-22 07:19 · Score: 5, Insightful
  
  I was with you until you said "sheeple".
4. Re:Easy! by ShanghaiBill · 2013-09-22 07:24 · Score: 4, Insightful
  
  Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security
  Actually, many people have up to ten fingers. Personally, I use my big toe.
  But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.
5. Re:Easy! by dinfinity · 2013-09-22 07:34 · Score: 4, Insightful
  
  Still beats no passcode at all against a casual attacker
  Also beats pattern or password unlocks, which can be 'beaten' by just a bit of careful spying.
  To me, the only things that are of real concern with this technology are false negatives and durability (I'm pretty sure putting the scanner on the home button is going to end up being a bad idea).
6. Re:Easy! by Jane+Q.+Public · 2013-09-22 07:41 · Score: 4, Insightful
  
  "sounds really trivial to break. I can see all kinds of kids doing this."
  It's straight out of the Mythbusters fingerprint scanning episode.
  
  They didn't find one they couldn't defeat, and many of them were ridiculously easy. They used exactly this technique.
  
  I've been saying it for years: at our currently level of technology, relying on fingerprints for security (or nearly any biometric for that matter) is asking for trouble. It's just not good enough.
7. Re:Easy! by Jeremy+Erwin · 2013-09-22 07:46 · Score: 5, Insightful
  
  The cops will have copies of all 10 fingers, and will be able to add this technique to their fourth and fifth amendment circumvention strategies.
8. Re:Easy! by Nerdfest · 2013-09-22 07:58 · Score: 4, Insightful
  
  Based on their respective histories, a sensible person would probably trust CCC over Apple.
9. Re:Easy! by maccodemonkey · 2013-09-22 08:00 · Score: 4, Interesting
  
  It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.
  Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.
  I think every Slashdotter's wet dream is that they need to keep to keep their phones safe against a CSI style government interrogation, but this is really just for anti-theft or corporate secrets. The passcode expires in 48 hours anyway, and a business has remote wipe, so it's just a backup in another chain of security measures. And the fingerprint ready is really meant as a convenience for people who are too lazy to set a passcode at all, which is undeniably less safe.
  You know what a government is going to do if they have you and your phone? Take your finger, and press it to your phone, which legally they can compel (or physically force) you to do. All this talk about "Oh, what if the government has your fingerprint on file?" Please. That's overthinking it.
10. Re:Easy! by Jeremiah+Cornelius · 2013-09-22 08:09 · Score: 5, Insightful
  
  sounds really trivial to break. I can see all kinds of kids doing this.
  Known vector. Gummy-bear attack.
  The core issue is that you leave copies of your authenticator EVERYWHERE. It's as if you dropped 85% accurate copies of your smartcard on every item you touched - with random 15% damage to the material - and a card reader designed for 15% error in reads.
  Any such scheme is going to be subject to this kind of impersonation or gaming. This is why biometrics are always a bad ID choice. Also, the A/D conversion is low-entropy, among other problems.
  There's a false assumption, that because I can uniquely identify another person with 99.999% accuracy, based on your sound, shape and appearance, that therefore this is the best way a machine should do so. It is a falsehood that is reinforced by a misleading intuitive perception. The core issue concerns the questions related to what constitutes "identity" and an "authentication factor" in systems. Neither of these correlate to actual persons or their real-world characteristics in a unique and meaningful way, that is not also subject to spoofing, injecting or revocation DoS.
  
  --
  "Flyin' in just a sweet place,
  Never been known to fail..."
11. Re:Easy! by mysidia · 2013-09-22 09:21 · Score: 5, Funny
  
  you mean, besides just holding your hand against the sensor? As, if they have your phone, they probably also have you...
  How about you jailbreak the phone, and use a PIN to unlock it normally, BUT you customize the reader, so if certain of your fingers get held against the sensor --- it triggers a "disable power off function" and "start wipe device" command.
12. Re:Easy! by Savage-Rabbit · 2013-09-22 09:34 · Score: 5, Insightful
  
  sounds really trivial to break. I can see all kinds of kids doing this.
  Known vector. Gummy-bear attack.
  The core issue is that you leave copies of your authenticator EVERYWHERE. It's as if you dropped 85% accurate copies of your smartcard on every item you touched - with random 15% damage to the material - and a card reader designed for 15% error in reads.
  Any such scheme is going to be subject to this kind of impersonation or gaming. This is why biometrics are always a bad ID choice. Also, the A/D conversion is low-entropy, among other problems.
  There's a false assumption, that because I can uniquely identify another person with 99.999% accuracy, based on your sound, shape and appearance, that therefore this is the best way a machine should do so. It is a falsehood that is reinforced by a misleading intuitive perception. The core issue concerns the questions related to what constitutes "identity" and an "authentication factor" in systems. Neither of these correlate to actual persons or their real-world characteristics in a unique and meaningful way, that is not also subject to spoofing, injecting or revocation DoS.
  Let's say you get your grubby hands on an iPhone 5S and are immediately overcome by an irresistible urge to crack it open.
  1) Getting the victim to pose his finger for a 2400dpi photo is not an option so you'd have to bag the device and dust it for prints since you'll probably need to make the prints more visible. I suppose you could get the hang of that in about half an hour if you are a novice with a print dusting sets you bought online.
  2) Find a good thumb print. There is no guarantee that the print on the button sensor surface is any good nor is there a certainty that there is a usable print anywhere on the phone. I suppose you could monitor your victim and steal some of his drinking glasses and coffee cups but that means 'trivial' goes out the window right there.
  3) For the sake of argument let's say you get 1 and 2 right and find a good print on the sensor surface or somewhere else on the phone, eliminating the need to poke around stealing coffee cups and drinking glasses. You now have still have to do what it says in the article and the photo processing, printing and latex covering that sounds like quite a bit more than 10 minutes of work, especially if you have never done it before.
  That does not sound exactly trivial to me. Trivial is faking your way past Google's face recognition-login feature with a picture of the phone's owner. You could conceivably do that by borrowing his phone, snapping a picture of him with your iPad and using the image in the iPad to log into his phone... Ooops! somebody already went and did that and it looks like a 20 second operation. Going through the above procedure to defeat the fingerprint scanner takes what? A hour? The average pick-pocket would probably not bother and the time it takes to crack phones this way with no guarantee of reward would make it un-economcal for criminal bands to crack phones on a large scale (in the hope of finding account numbers or dirty pictures for a blackmailing, ... or whatever) which means that this is way better security than no passcode at all. If you are carrying data valuable enough to make it worth while to go through this exercise to retrieve it you should put a 20 character password on your iPhone or consider putting the data on an IronKey in stead. And yes I know the NSA can probably pull this off in 10 minutes or less but if you have the NSA after you:
  a) They probably have more efficient ways to get into your device than stealing it and hacking it by lifting your greasy fingerprints.
  b) You have bigger things to worry about than somebody reading your e-mail... like getting snatched and sent to a secret jail for a course of water-boarding, or being on the shortlist for a drone strike.
  
  --
  Only to idiots, are orders laws.
  -- Henning von Tresckow
13. Re:Easy! by Joining+Yet+Again · 2013-09-22 12:42 · Score: 4, Informative
  
  You made a mistake and you're behaving stupidly, posting the same misunderstanding over and over again on this thread. As far as I can tell, you're an Apple fan and you're annoyed that they were so obviously caught with their pants down, so you're deliberately (you've been corrected multiple times) lying about how capacitive fingerprint scanning works.
  You have two choices now:
  i) Let it go and apologise, and appear reasonable in the eyes of fellow Slashdotters - every business and individual sometimes makes a mistake, including you;
  ii) Continue stomping your feet like a dull child, losing all remaining respect you have on this site, and causing other people to remember back to this thread where you lost it every time they see a post from you.
  Which will it be, BasilBrush? I know you'll have read this, so it's now up to you.
14. Re: Easy! by Khyber · 2013-09-22 13:00 · Score: 4, Interesting
  
  Reproducible to a T, though I used a different method.
  1. Get boyfriend to lock his new iPhone with his fingerprint.
  2. Lift said fingerprint from his fresh drinking glass with tape and a light dusting of coarse graphite powder before applying tape.
  3. Make fingerprint better viewable by optical scanners by dusting with extremely fine graphite powder after transfer to white paper.
  4. Scan and print on copier using capacitive iron-wax toner.
  5. Fingerprint security? Same bullshit from the beginning 2000s, with the exact same fucking flaws.
  I was bypassing this exact same crap with the exact same method on IBM ThinkPads and HP NC/NX model Business-class notebooks years ago.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
15. Re:Easy! by formfeed · 2013-09-22 14:08 · Score: 5, Interesting
  
  Based on their respective histories, a sensible person would probably trust CCC over Apple.
  Yes, I agree. No idea why this was modded "troll". There is a decent history to show that.
  CCC:
  Did this before. They lifted the fingerprints of the German minister of Interior from a water glass and turned it into a little stamp so you can place him now at any crime scene. (The hack was actually to show just how idiotic government use of biometric data is).
  Apple:
  I of course don't want to say anything negative against this good company, but some people might say that they have a history of over-hyping things.
16. Re:Easy! by swillden · 2013-09-22 16:22 · Score: 5, Interesting
  
  It's a capacitative scanner. Whether you like it or not, that's not imaging the surface layer of skin, but the complexity of what's behind it.
  You're correct that it doesn't image the surface layer, but wrong about it getting what's behind the skin. Capacitive sensors obtain an image of, essentially, the back side of the skin. The ridges are there, but no other subdermal structure is visible, and the ridges are the same ones visible on the surface, so a surface image (e.g. a skin-oil negative), provides a fine panel from which to construct a usable fake finger.
  FWIW, I used to build biometric authentication systems, especially fingerprint stuff. I did security analyses of fingerprint scanners (optical and capacitive) for Visa, wrote the Linux kernel driver for the AuthenTec scanner, and a bunch of other stuff over 10-year period. I've never designed them and don't claim to fully understand the physics (though I've consulted extensively with people who do), but I've worked with them, a lot, and I know very well what they do and do not do.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Re:Am I missing something? by fuzzyfuzzyfungus · 2013-09-22 07:09 · Score: 4, Insightful

Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.
Re:If true by Lehk228 · 2013-09-22 07:16 · Score: 5, Interesting

fingerprint identification is fundamentally and irredeemably broken. no other authentication method leaves copies of itself all over the place.

everything else is an arms race between verifying it is a finger and pretending to be a finger.

--
Snowden and Manning are heroes.
I have a solution! by Anonymous Coward · 2013-09-22 07:25 · Score: 5, Funny

Instead of using a fingerprint, use a Nipple print!
social engineering time by Jeremy+Erwin · 2013-09-22 07:30 · Score: 5, Funny

You know what? I really love the sound of your voice. ... And there's this one word. I've always loved the sound of this word. ... I would really like to hear you say the word ..."passport".
So what they proved is... by NoKaOi · 2013-09-22 07:34 · Score: 4, Funny

...the iPhone's fingerprint scanner works well. I was expecting it to be a gimmick that would give more false negatives or false positives than real results. That these guys had to use the same methods they would use for a high-quality expensive fingerprint scanner, and that those methods actually worked, tells me the iPhone's fingerprint scanner has potential.
Not exactly new by TejWC · 2013-09-22 07:40 · Score: 4, Insightful

I remember Mythbusters doing something similar with a multi thousand dollar computer secruity system.
Re:Am I missing something? by Desler · 2013-09-22 07:49 · Score: 5, Insightful

Has anyone else verified that the suppose hack really does work? Isn't a bit premature to claim Apple is lying off a single youtube video?
Re:Different fingers by Zero__Kelvin · 2013-09-22 07:49 · Score: 5, Insightful

No. It wouldn't matter. No matter what they did there would always be the next thing they could have just done. How do we know that the phone wasn't programmed to unlock with the second guys fingerprint? How do we know they didn't edit the video? etc, ad infinitum. What makes it highly believable is none of that. It is the reputation of the Chaos Computer Club that makes it believable. They aren't about to sacrifice a reputation it took them more than 30 years to build, especially for essentially no gain. If it was an unknown group I'd say maybe they are looking for 15 minutes of fame. But this is the CCC we are talking about here.

--
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
You're missing the point. by EGSonikku · 2013-09-22 07:59 · Score: 5, Insightful

Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.
It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the mean time anyway).
If its the government you're worried about...well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.
I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.

--
- "Scientia non habet inimicum nisp ignorantem"
1. Re:You're missing the point. by jones_supa · 2013-09-22 08:28 · Score: 5, Insightful
  
  Fingerprints are good because they replace ZERO security.
  Mod parent up. So often geeks think that if they can find some fancy way to overcome a security feature, it somehow automatically makes it completely useless.
2. Re:You're missing the point. by Just+Some+Guy · 2013-09-22 16:27 · Score: 4, Insightful
  
  And for power users, fingerprint plus passcode is more secure than just one or the other. I'd love to see a setting like "require both fingerprint and passcode to initially unlock the phone. Lock the phone immediately when it goes to sleep, but allow it to be unlocked with either passcode or fingerprint for up to five minutes."
  I'd set this in a heartbeat. Basically, it'd be more secure than any current options when initially unlocking the phone. It'd also be more convenient than the "require a passcode immediately when the phone goes to sleep" setting, and more secure than the "don't require a password for the next x minutes" settings. This is how I'd like the system to work.
  
  --
  Dewey, what part of this looks like authorities should be involved?
Oh good... by rkww · 2013-09-22 08:07 · Score: 4, Funny

Oh good, now I can make a back-up fingerprint in case I lose my finger...
Re:More secure. by green1 · 2013-09-22 09:51 · Score: 5, Insightful

You mean like the android face unlock that can be defeated by a photo of the user? (at least you don't leave your photo on the glass surface of the phone when you put it down...)
Let's face it though, unless companies are willing to spend a fair amount more on these biometric sensors, they'll always be trivial to hack, there are good fingerprint readers (that actually don't use the prints, but subdermal tissue) but they cost a lot more than the ones taht are defeated in such trivial ways..
I'm still looking for the retraction from all those people who posted to the original fingerprint reader on iphone thread last week saying this wasn't a simple fingerprint reader on the iphones and wouldn't be susceptible to this form of attack...
Re: More secure. by green1 · 2013-09-22 13:23 · Score: 4, Insightful

well so far we have a marketing droid saying it does, and a documented hack proving otherwise. If you have better proof I'd suggest you post it because right now your case is pretty weak.