Slashdot Mirror


Apple's TouchID Fingerprint Scanner: Still Hackable

electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

  1. Other hackable things by BasilBrush · · Score: 4, Insightful

    The summary mentions locks and keys as also being hackable. Also combination locks, face recognition, mag stripes, signatures, DRM, many forms of encryption, passwords, captchas, PINs, ATMs, online banking, credit cards. In fact there is precious little security that isn't hackable.

    Of course this isn't going to stop people here ragging on TouchID.

    1. Re: Other hackable things by DocSavage64109 · · Score: 2

      If you don't know which finger, you'd have to bring all 10 of them and hope nobody in line behind you gets impatient while you keep trying different ones.

    2. Re: Other hackable things by pushing-robot · · Score: 4, Informative

      So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

      You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

      --
      How can I believe you when you tell me what I don't want to hear?
    3. Re: Other hackable things by Noah+Haders · · Score: 2

      Well yes, that works, but it's a two-handed task that is hard to do on the sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a taser in your eye.

    4. Re: Other hackable things by tlhIngan · · Score: 2

      Well yes, that works, but it's a two-handed task that is hard to do on the sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a taser in your eye.

      Actually, given you must use a passcode if you fail TouchID 3 times in a row, all you need to do is use the tip of your finger or palm of your hand 3 times.

      Remember, the rules for TouchID:

      1) Must use passcode on boot
      2) Must use passcode if TouchID not used within previous 48 hours
      3) Must use passcode if TouchID fails 3 times in a row.

      The passcode is always the fallback and always good to make more secure than 4 digits because you aren't entering it all the time.

      A lot of people don't have passcodes because it's inconvenient to enter it to unlock your phone to glance at information (studies have shown that interaction times for phones are generally on the order of 1 minute or less). With TouchID, you can have not only just a PIN, but a "complex passcode" that's full alphanumeric+special characters + longer than 4 characters. But that's even more of a pain to enter.

      So just tap the sensor on the edge 3 times and you'll lock out TouchID.

  2. Indeed by Cloud+K · · Score: 4, Insightful

    It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
    People who go to these lengths would surely be either:
    Really determined for some reason (in which case they'd probably social engineer it out of you or something)
    People who'd just cut your finger off
    The police (at which point they've already obtained your phone and fingerprint)
    The NSA (who probably already have a backdoor)
    Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

    If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

    1. Re:Indeed by jfengel · · Score: 4, Funny

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      Correct!

  3. Law Enforcement by organgtool · · Score: 4, Insightful

    This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

    1. Re:Law Enforcement by santiago · · Score: 4, Interesting

      They better hurry, too. TouchID gets locked out after powering off the phone, 48 hours of inactivity, or a few failed attempts. After any of those, it will only respond to the passcode.

    2. Re:Law Enforcement by praxis · · Score: 2

      I propose setting a nine digit password, enabling touch ID and disabling responding to texts on a lock screen.

      Nine digit password is better than four because it is quick to enter when you need to enter it, the length is unknown to an attacker and is less vulnerable to the dirty screen attack. The touch ID can be extracted by law enforcement but using the left middle finger or other less-common touch ID finger means they might run into the failed attempt limit before they get the right finger. Not having to unlock your phone to respond to a text message is convenient but I would disable that because you don't want someone pretending to be you (e.g. a cop responding to a text with "I have the dope ready for delivery" and then using that as probable cause to arrest you).

    3. Re:Law Enforcement by Wrath0fb0b · · Score: 2

      Do these bags simultaneously keep the phone powered on while preventing the internal clock from advancing? If so, I think there's some folks in Sweden that would like to award the creator some very nice jewelry.

  4. Yes by Anonymous Coward · · Score: 2, Interesting

    and it is much easier to take a peek at my screen one of the 20 times a day I type in my 4 digit code than to fake the fingerprint.

  5. Sudden outbreak of common sense by sootman · · Score: 4, Insightful

    "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    Thank you, submitter and Slashdot, for not going for sensationalism and leaving this out of the summary.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.