Slashdot Mirror


Apple's TouchID Fingerprint Scanner: Still Hackable

electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."


  1. Other hackable things by BasilBrush · · Score: 4, Insightful

    The summary mentions locks and keys as also being hackable. Also combination locks, face recognition, mag stripes, signatures, DRM, many forms of encryption, passwords, captchas, PINs, ATMs, online banking, credit cards. In fact there is precious little security that isn't hackable.

    Of course this isn't going to stop people here ragging on TouchID.

    1. Re: Other hackable things by AvitarX · · Score: 1

      The security feature I'd like to see is a way to, with touch only, turn off a phone that's locked (for example the 5 quick clicks method on the power button most portable vaporizers tend to use).

      This with a long password and whole disk encryption on boot.

      I could then use sloppy security most of the time (4 digit PIN), but I could easily turn it off in my pocket before handing it over to a malicious actor (law enforcement / thief).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re: Other hackable things by alen · · Score: 1

      But I can buy a new TV at Best Buy with your phone and a bloody finger and the cashier won't stop me.

    3. Re:Other hackable things by Anonymous Coward · · Score: 1

      The difference is that you don't *hack* a lock by copying the key, right? You tinker with the lock directly. Yet replicating one's fingerprint is somehow hacking...

    4. Re: Other hackable things by DocSavage64109 · · Score: 2

      If you don't know which finger, you'd have to bring all 10 of them and hope nobody in line behind you gets impatient while you keep trying different ones.

    5. Re: Other hackable things by pushing-robot · · Score: 4, Informative

      So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

      You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

      --
      How can I believe you when you tell me what I don't want to hear?
    6. Re: Other hackable things by AvitarX · · Score: 1

      That's actually exactly what I meant, thanks for the info. I'd mod you up if I could.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    7. Re:Other hackable things by kelemvor4 · · Score: 1

      In fact there is no such thing as security that isn't hackable, except that made from finely ground unicorn horns

      FTFY. I'm the farthest thing in the world from an Apple fanboy, but how does this pass for news?

      In other news, shit still stinks.

    8. Re: Other hackable things by Noah+Haders · · Score: 2

      Well yes, that works, but it's a two handed task that is hard to do on-the-sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a taser in your eye.

    9. Re:Other hackable things by DrXym · · Score: 1

      Of course this isn't going to stop people here ragging on TouchID.

      I think it's quite reasonable to rag on it given that Apple are claiming they encrypt data on the phone. Maybe they do but if you can get at it with a fingerprint then it's not hugely more secure than before. Not that I would single out Apple for all the heat here - most phones are only protected by a short PIN and even alternative authentication schemes are likely guessable in some way - e.g. Microsoft's photo login and Google's pattern unlock can probably be inferred just by looking at the finger smears on a screen.

    10. Re: Other hackable things by tlhIngan · · Score: 2

      Well yes, that works, but it's a two handed task that is hard to do on-the-sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a taser in your eye.

      Actually, given you must use a passcode if you fail TouchID 3 times in a row, all you need to do is use the tip of your finger or palm of your hand 3 times.

      Remember, the rules for TouchID:

      1) Must use passcode on boot
      2) Must use passcode if TouchID not used within previous 48 hours
      3) Must use passcode if TouchID fails 3 times in a row.

      The passcode is always the fallback and always good to make more secure than 4 digits because you aren't entering it all the time.

      A lot of people don't have passcodes because it's inconvenient to enter it to unlock your phone to glance at information (studies have shown that interaction times for phones are generally on the order of 1 minute or less). With TouchID, you can have not only just a PIN, but a "complex passcode" that's full alphanumeric+special characters + longer than 4 characters. But that's even more of a pain to enter.

      So just tap the sensor on the edge 3 times and you'll lock out TouchID.

    11. Re: Other hackable things by microhax · · Score: 1

      That's easy, just remove the bones and wear them on your own fingers.

  2. Indeed by Cloud+K · · Score: 4, Insightful

    It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
    People who go to these lengths would surely be either:
    Really determined for some reason (in which case they'd probably social engineer it out of you or something)
    People who'd just cut your finger off
    The police (at which point they've already obtained your phone and fingerprint)
    The NSA (who probably already have a backdoor)
    Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

    If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

    1. Re:Indeed by jfengel · · Score: 4, Funny

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      Correct!

    2. Re:Indeed by Charliemopps · · Score: 1

      It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
      People who go to these lengths would surely be either:
      Really determined for some reason (in which case they'd probably social engineer it out of you or something)
      People who'd just cut your finger off
      The police (at which point they've already obtained your phone and fingerprint)
      The NSA (who probably already have a backdoor)
      Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      No, it won't even protect you from your spouse.
      All you need is a photocopy of the owner's thumb.
      Your thumb print is conveniently all over the phone.
      I've seen these cracked by placing a clear piece of plastic over the screen... stenciling the print, put the clear plastic on a copier, xerox... hold copy to phone. Voilà. Finger print recognition is banned where I work for a reason.

    3. Re:Indeed by AmiMoJo · · Score: 1

      You shouldn't keep your credit card details on your phone in plaintext anyway. Contactless payments don't need to store them in a readable format.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re: Indeed by Anonymous Coward · · Score: 1

      There are different fingerprint sensors. Your method wouldn't work on an iPhone as it would need an optical scanner. The iPhone scanner works by measuring electrical field variations.

    5. Re:Indeed by Cloud+K · · Score: 1

      If your spouse is going to the lengths of covertly grabbing your phone, placing plastic over your screen, making sure you don't notice it, grabbing it again when you've used it, removing the plastic and taking it to a copier..
      1) What an awesomely geeky spouse, where do I find one? Or do I just marry a copper?
      2) You have much bigger problems to worry about than the security of your fingerprint scanner. But you might want to search for your divorce solicitors using Private Browsing on a throwaway pay-as-you-go phone and throw it into the canal afterwards. Just in case.

  3. Law Enforcement by organgtool · · Score: 4, Insightful

    This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

    1. Re:Law Enforcement by rsborg · · Score: 1

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      Exactly - those prints they have on file for you from many years ago should perfectly translate into TouchID-compliant proofs. They likely already stocked up on latex milk and the various things that CCC used.

      --
      Make sure everyone's vote counts: Verified Voting
    2. Re:Law Enforcement by pushing-robot · · Score: 1

      Per XKCD, it's far more likely they'd forcibly put each of your fingers on the phone than do something elaborate with your printed fingerprints.

      However— IIRC there's a lockout after a certain number of attempts, and IIRC from the first video it can take several tries to fool the sensor. So with ten fingerprints to choose from, not to mention different *parts* of each finger you could have used, it's less than probable they would succeed.

      (And the look on the officer's face when he realizes you used your nose: Priceless.)

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re:Law Enforcement by santiago · · Score: 4, Interesting

      They better hurry, too. TouchID gets locked out after powering off the phone, 48 hours of inactivity, or a few failed attempts. After any of those, it will only respond to the passcode.

    4. Re:Law Enforcement by vux984 · · Score: 1

      This will likely make life even easier for law enforcement

      You're right.

      I can either go with a 4 digit PIN which is far more vulnerable to the look-over-the-shoulder or look at the dirty screen attack that low level criminals will use.

      Or I can go with a fingerprint which will defeat them, but can be extracted from me by law enforcement.

      Or I can go with a 40 key passphrase and be pretty safe from both groups -- but then I have to enter a 40 key passphrase before I can reply to a text message or check a new email.

      What do you propose?

    5. Re:Law Enforcement by praxis · · Score: 2

      I propose setting a nine digit password, enabling touch ID and disabling responding to texts on a lock screen.

      Nine digit password is better than four because it is quick to enter when you need to enter it, the length is unknown to an attacker and is less vulnerable to the dirty screen attack. The touch ID can be extracted by law enforcement but using the left middle finger or other less-common touch ID finger means they might run into the failed attempt limit before they get the right finger. Not having to unlock your phone to respond to a text message is convenient but I would disable that because you don't want someone pretending to be you (e.g. a cop responding to a text with "I have the dope ready for delivery" and then using that as probable cause to arrest you).

    6. Re:Law Enforcement by Anonymous Coward · · Score: 1

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      I'm curious to know how many non-techy people actually set PINs. When TouchID was announced, it was claimed by Apple that most folks don't / didn't.

      Also, it is mandatory to enter the PIN if your iPhone has been restarted (since the PIN is tied into the crypto key), if it's been more than 48 hours since it's been unlocked, or when entering the Touch ID & Passcode settings area.

      I don't think anyone is claiming TouchID is good enough to protect nuclear launch codes, but it's better than nothing, which is what a lot of folks supposedly had previously.

    7. Re:Law Enforcement by viperidaenz · · Score: 1

      You could just get a user's fingerprints from the screen of the device.

    8. Re:Law Enforcement by vux984 · · Score: 1

      I actually use a Galaxy S5, I've already got a good reasonable length 'alternate passphrase'.

      I do very much like your advice about using a less frequent finger. Not only does that make it take longer, but one of the obvious sources for a fingerprint to use for the phone is the surface of the phone itself. So using your main index finger to unlock it, and then tapping it all over your screen ... the modern equivalent of putting a bunch of post-it notes with your password on your phone. With a less used finger, the print might still be there... but odds have shifted in your favor.

      The S5 however does not require passphrase after boot up. (I'm not sure how much of a big deal that is.) Nor do I see a setting to adjust the number of failed tries, or the lockout timer -- as it stands I get 5 tries, and then a 30 second lockout... then 5 more tries... it doesn't appear to ever fail completely over to passphrase. (Anyone else know otherwise?!)

    9. Re:Law Enforcement by jxander · · Score: 1

      Keyboard password with an altered letter... é ò ñ... one of those or something similar.

      --
      This signature is false.
    10. Re:Law Enforcement by brantondaveperson · · Score: 1

      The S5 however does not require passphrase after boot up. (I'm not sure how much of a big deal that is.)

      I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase. If true, this would be a huge deal. Have I misunderstood?

    11. Re:Law Enforcement by John+Bokma · · Score: 1

      not to mention different *parts* of each finger you could have used

      or penis...

    12. Re:Law Enforcement by Noah+Haders · · Score: 1

      He likely meant that upon reboot you can use the fingerprint thing right away, whereas on the iPhone upon reboot you need to put in your PIN before the fingerprint thing will work. Although I like the tone of your message.

    13. Re:Law Enforcement by AmiMoJo · · Score: 1, Informative

      Law enforcement use special bags to keep the phone powered up. The bag is basically a Faraday cage so that the phone can't be remote wiped, and has a charging cable built in to prevent the phone being powered off.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Law Enforcement by Wrath0fb0b · · Score: 2

      Do these bags simultaneously keep the phone powered on while preventing the internal clock from advancing? If so, I think there's some folks in Sweden that would like to award the creator some very nice jewelry.

    15. Re:Law Enforcement by vux984 · · Score: 1

      I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase

      After a reboot I can log in either by fingerprint or by passphrase. With the iPhone my understanding is that the passphrase must be used the first time before it will allow a fingerprint.

      Again, I am not sure exactly what the real security advantage of that is though.

    16. Re:Law Enforcement by gnasher719 · · Score: 1

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      I quite suspect that taking a fingerprint by force will make any evidence found impermissible. And it is very easy to prove that you took a fingerprint by force: All the accused has to do is say that you did in court, hand over their phone, and if the police don't have the passcode (which they wouldn't) the accused's story must be true.

  4. Laser? Try Gummy Bears by Anonymous Coward · · Score: 1, Interesting

    About 10 years ago I read a story about a Jr. High school in Australia (ages 13-15) that had set up finger print readers at all the computers. Attendance was taken by students logging into a classroom's computers. This was all fine until one day the teacher needed a number of students to do a task. The attendance showed everyone there, but in reality more than half were truant. One student was covering up something, and the nosy teacher pulled off the paper to find... candy gummy bears. "I was hungry." But that wasn't it at all. The teacher noticed the bears were half round with names beside them. Press finger into bear, then flip inside out and wrap around another finger (or a pencil). Insert into reader, logged in. Use lasers if you want, but that's doing it the hard way.

  5. Re:Laser? Try Gummy Bears by rsborg · · Score: 1

    About 10 years ago...

    Clearly technology in fingerprint scanners could never have improved since then.

    --
    Make sure everyone's vote counts: Verified Voting
  6. Yes by Anonymous Coward · · Score: 2, Interesting

    and it is much easier to take a peek at my screen one of the 20 times a day I type in my 4 digit code than to fake the fingerprint.

  7. Re:Laser? Try Gummy Bears by narcc · · Score: 1

    Well, it doesn't appear to have improved...

  8. Don't use the forefinger or thumb by rolfwind · · Score: 1

    And a different hand than you usually hold it with. Should be good enough if the phone is just randomly lost.

    I wonder if you have to use the end of a finger or could use the "print" on the middle or proximal phalanx?

  9. Sudden outbreak of common sense by sootman · · Score: 4, Insightful

    "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    Thank you, submitter and Slashdot, for not going for sensationalism and leaving this out of the summary.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Sudden outbreak of common sense by Anonymous Coward · · Score: 1

      Yes, exactly. That's why it's important to have a society where laws cover these situations. My house happens to have a glass door on the patio that could be "hacked" with a simple medium-sized rock. And I bet most people have easily accessible windows. But there's a reason why we don't worry about people easily breaking our windows and taking our stuff.

  10. Re:Laser? Try Gummy Bears by praxis · · Score: 1

    Well, it doesn't appear to have improved...

    Why does it not appear that way? It's much more difficult to fool a fingerprint scanner today than it was ten years ago. Just because they're not perfect does not mean they're not better.

  11. Biometrics are Not the Answer by Anonymous Coward · · Score: 1

    Would you use passwords if they appeared on everything you touched and could never be changed?

    1. Re:Biometrics are Not the Answer by jklovanc · · Score: 1

      and could never be changed

      You actually have ten different ones that can be rotated. Replicating a good enough fingerprint for TouchID is not easy. The cracker would not know if the fingerprint reproduction was faulty or the wrong finger was used. Since TouchID is disabled after a few tries it is not a bad choice for a device with the security need of a cell phone. It is a balance between convenience and security. As the submitter said, only a few people can do it and the chance of failure is high. Not everything needs top level security.

      If biometrics is not the answer for this level of security, what is?

  12. Two out of three.... by mark-t · · Score: 1

    "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    There is a third reason that such locks are practical, and it is something that cannot be satisfied by any kind of biometric authentication.

    Failure of the security system provided by locks, however infrequent, can still be mitigated enough to carry on with no less effectiveness to meet security threats in the future as you had before the failure. IE, you can go ahead and change a lock

  13. Re:Laser? Try Gummy Bears by diamondmagic · · Score: 1

    I can't find any actual instances of it happening, but this appears to mention the rumor you're talking about: http://whatis.techtarget.com/d...

  14. 8 or 40, wtf? by s.petry · · Score: 1

    I use a longer passcode on my phone than 4 characters, but not even close to 40. If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:8 or 40, wtf? by vux984 · · Score: 1

      I use a longer passcode on my phone than 4 characters, but not even close to 40.

      On a phone keypad I'd rather enter a phrase than a complicated shorter password due to the klutziness of smartphone keyboards and the tedium of switching cases, and accessing punctuation symbols.

      If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.

      10-12 characters, including numbers and punctuation marks would still be beyond annoying to have to enter every time I access my phone.

    2. Re:8 or 40, wtf? by s.petry · · Score: 1

      My point was, and is, that there are options between 4 and 40 characters so you are not stuck with one or the other as you implied. In fairness, you may not have intentionally made this implication, but nevertheless it was made.

      I agree a 4 number PIN is a horrible idea if you are worried at all about security. A 9 character PIN is going to be much harder to break into and still easy enough to manage. My screen is auto-locking at 5 minutes and I have the option of pressing a very fast access button to immediately lock the phone at a touch.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  15. Re:Laser? Try Gummy Bears by s.petry · · Score: 1

    Jello works just as well. Working at the Department of Defense we annually had to reject the latest greatest "biometric wonder" finger print ID systems because we could easily spoof people's identity lifting prints with Jello, then log in with the same Jello. Obviously a truly malicious person could eat the tasty evidence and ensure nobody knew what happened..

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  16. Different problem by nbahi15 · · Score: 1

    So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

    You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

    The problem being solved here isn't one of ubiquitous use of complex passcodes. The problem is people not using passcodes at all because they are inconvenient. TouchID is a middle-ground between a complex passcode and no passcode.

  17. Physical access... by RyuuzakiTetsuya · · Score: 1

    If you have the device in hand, you've pretty much won.

    I'm worried more about the "secure enclave."
    It has been a year and it's still not broken. I hope it stays that way.

    --
    Non impediti ratione cogitationus.
  18. Eh... so? by binary+paladin · · Score: 1

    Unless I'm missing something, three failed attempts and you have to enter the passcode. Reboot and you have to enter the passcode. 48 hours of not being used and you have to enter the passcode.

    I just got a 5S and the TouchID is okay, but even when using the correct finger it doesn't always work and I have to enter my passcode (which is quite long). It wouldn't be hard to guess which finger I used but even then... everything would have to go perfectly to get into the phone using that method.

  19. laugh by koan · · Score: 1

    What moron is storing anything to worry about there?

    Oh yeah, Apple's "wallet", good luck with that.

    --
    "If any question why we died, Tell them because our fathers lied."