Fake Fingerprint Stickers Let You Access a Protected Phone While Wearing Gloves

A new Kickstarter campaign aims to sell you fingerprint stickers that, when applied to a pair of gloves, allow you to unlock a mobile device that's protected with a fingerprint scanner. The sticker is powered by Nanotips and is "made with an extremely adhesive conductive material that can be applied to any surface for touch capability." Gizmodo reports: You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside? We shouldn't, and these Taps stickers will allow you to use your mobile device's touchscreen and fingerprint reader, for unlocking your phone or making a purchase, even while your actual fingers (and fingerprints) are being kept warm and toasty inside a glove. After applying a textured stick to the tip of your glove, you just have to register it as an approved fingerprint using your smartphone's security settings. You might assume this would mean that anyone with a Taps sticker on their gloves could access anyone else's protected phone. But according to its creators, using nanoparticle technology every single Taps sticker has an individual and unique artificial print ensuring that only your gloves can access your device. That being said, there is still the risk of someone stealing your gloves, which is easier than stealing your fingerprints, so you'll have to weigh the security risks introduced versus the added convenience these offer.

Made in America

[110010001000]

These gloves will be made in America because Trump promised to force manufacturers to make them in America. Great for grabbing women by the you-know-what too.

Re:Made in America

I will concede that those gloves have a distinct smell to them.
As if someone stuck their finger in some chick's asshole while wearing them.
But those gloves are not mine and they don't fit.
And if the glove doesn't fit, you must acquit!

Re:Made in America

[Gussington]

They'll be made in America and they'll all have Donald Trump's fingerprints preprinted on them. And it won't be an offence to grab women by the pussy as long as you use these gloves.

Re:Made in America

[irrational_design]

hand?

pick one: convenience, privacy

[fahrbot-bot]

You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside?

Because this: Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones

Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.

Re: pick one: convenience, privacy

[justcauseisjustthat]

Every time I get pulled over or whatever, I force reboot my phone to require passcode.

Re: pick one: convenience, privacy

Another good tip is to keep all your passwords in plain text in a word document on your desktop. That way you never have to remember your passwords and you can have different ones for each site/account. Of course someone could just open it and look at it / copy it, but the convenience! /sarcasm what a stupid product. Take your glove off for the 2 seconds it takes to scan your finger or, like the article says, just out in your passcode.

Re: pick one: convenience, privacy

[mysidia]

Every time I get pulled over or whatever, I force reboot my phone to require passcode.

I'm guessing there's probably an App for that to add an "I've been pulled over" button to the lock screen for forcing a reboot.

Re: pick one: convenience, privacy

New headline: Fake Pussy Lets You Jizz Without Paying Alimony & Child Support!

Re: pick one: convenience, privacy

[Gussington]

Seems a bit OTT. Why not just have a passcode or swipe pattern as the standard lock?

Re: pick one: convenience, privacy

I push 1 button on my iPhone to lock it. Android really does not have the same?

Re: pick one: convenience, privacy

[dotancohen]

Because this: Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones

Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.

Why not use the 'sticker' part of the glove _instead_ of one of your actual fingers? Then you could visibly try every finger and plausibly deny that the phone is yours.

Re: pick one: convenience, privacy

They've got a point, the fingerprint is the username not the password.

'Because it's convenient' does not make it security.

Re: pick one: convenience, privacy

You retard. He's talking about i devices.

Every few days or every reboot you need to enter your pwd or pin just in case someone did steal your prints.

Re: pick one: convenience, privacy

[murdocj]

Just how often do you get pulled over?

Re: pick one: convenience, privacy

[Big+Hairy+Ian]

Never did get why the FBI took Apple to court when they could have just taken the IPhone to the morgue.

Re: pick one: convenience, privacy

You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside?

Because this: Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones

Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.

I think most people have forgotten the presentation / keynote where Touch ID was introduced:

In that segment Jobs pulled out a statistic that something like over 70% of people don't put a PIN on their iPhone, Why didn't they? Because it was a pain in the ass. Touch ID allows you to conveniently unlock your phone, but to activate it, you need to enter a PIN. Now, with newer iPhones, probably something like 100% of people have PINs.

I don't anyone reasonable is saying that fingerprints are the be-all and end-all of security, but PIN+Touch is better than no-PIN. Apple was trying to move the ball forward when it comes to protecting people's private data.

Semi-recently they also changed some defaults: previously if you didn't unlock your phone in the last 24 hours, you had to enter you PIN; now, you have to do it every 8 hours, others the PIN is necessary. They recognized that attackers were adapting to the new situation, and so tightened the the security a bit.

There are fair criticisms to be leveled at Apple on a number of topics, but their crypto and privacy policies are way down the list IMHO.

Re: pick one: convenience, privacy

[kbdd]

Actually, I print them in bold letters and stick then on the back of the display, it is even more convenient that way.

Re: pick one: convenience, privacy

[houghi]

And it is less secure, because if I can put these on a glove, so can somebody else.

Re: pick one: convenience, privacy

[rgbatduke]

Using a pass code is NOT protected by the fifth amendment. Nor is using encryption. A judge can require you to give up your pass code and/or your encryption key, and if you refuse, you can go to jail for contempt of court forever (until you reconsider and comply). Just like your DNA is not protected -- you can be compelled to give it up. Just like your writings in general are not protected. The only thing that is protected is your right not to be compelled to testify in a court room if your honest testimony MIGHT be incriminating, extended to your spouse who cannot be compelled to testify against you ditto. Although he or she can do it voluntarily.

With that said, sure, relying on fingerprints alone to secure a phone -- or any biometric measure -- is stupid. What the US is not permitted to do is use coercion beyond putting you in jail forever if you fail to cough up an encryption key, and if it is a GOOD key not even NSA is likely to be able to break it. If your phone contains evidence of a capital crime for which you would likely receive the death penalty, you might rationally prefer life in prison for contempt to giving up the key and facing near certain death.

Of course writers of fiction, conspiracy theorists, and even some pragmatists who are neither might believe that the US security organizations are willing to ignore the constitution and use torture or drugs to extract the keys of device believed to contain information about a major terrorist attack (say, a nuclear device deployed somewhere in the US and they'd really like to know where in time to prevent it).

Biometrics aren't terrible, but they should always be biometrics AND a sound means of protection of data, because biometrics presume ownership and inaccessibility of your own biometric parameters, and that is obviously false on the inaccessibility, quite possibly even after you are dead. A 24 character pass key on 4096-bit encryption might not suffice to protect data if somebody has attached electrodes to your testicles or burn off body parts with a welding torch an inch at a time, but at least if you die, access to the data dies with you.

4 digit phone codes are also obviously a waste of time in the first place. So are six digit codes. Or eight digit codes. Eight CHARACTER keys on strong encryption is a weak opener -- maybe the feeb can't crack that with in-house resources, but I wouldn't bet against the NSA, and in principle the feeb can call on the NSA in any circumstances that would warrant it.

Re: pick one: convenience, privacy

[Ol+Olsoc]

Seems a bit OTT. Why not just have a passcode or swipe pattern as the standard lock?

You have a choice. If you don't want to use fingerprints, you don't have to. I use fingerprint access on my iPhone and it's about as opt-in a feature as you could want. They changed from 4 letter passcode to 6 now.

Can it be spoofed? Sure. But they'll have to know which finger or body part I used to set up, and there is so little of interest on my phone that it would be a waste of time to even try. I mean I texted the word "poop" once. But that's about it.

Re: pick one: convenience, privacy

[Ol+Olsoc]

I think most people have forgotten the presentation / keynote where Touch ID was introduced:

In that segment Jobs pulled out a statistic that something like over 70% of people don't put a PIN on their iPhone, Why didn't they? Because it was a pain in the ass. Touch ID allows you to conveniently unlock your phone, but to activate it, you need to enter a PIN. Now, with newer iPhones, probably something like 100% of people have PINs.

A person who finds entering a 4 digit passcode (now 6) is going to really have issues with setting up touch ID.

But you are right, peeps be lazy.

My wife doesn't even want a passcode or TouchID. I told her in that case, no ApplePay or any purchases with it until you do.

Re: pick one: convenience, privacy

[Ol+Olsoc]

4 digit phone codes are also obviously a waste of time in the first place. So are six digit codes. Or eight digit codes. Eight CHARACTER keys on strong encryption is a weak opener -- maybe the feeb can't crack that with in-house resources, but I wouldn't bet against the NSA, and in principle the feeb can call on the NSA in any circumstances that would warrant it.

We see this sort of thing with old school locks. They are secure in minutes, so to speak. An accomplished cracker can break into a certain lock in a certain amount of time.

So its kind of like a two factor authentification. You have the device that delays entry, and you have the person checking on it every so often. Yeah, someone is going to be able to crack a four digit code without too much trouble. But given that the phone locks after X number of failed inputs and they have to wait a while before trying again, I'm probably going to find them long before they break in.

Re: pick one: convenience, privacy

[rgbatduke]

Or, they could just take the data out of the phone, put it into a special OS shell that doesn't have the lockout feature, and rip through all 10000 four digit codes in the time wasted between keystrokes in this reply. Or they could look at the smudges on the screen, make an educated guess as to the numbers being pressed, and reduce the search space to the permutation of 4 or fewer digits.

The point is that 4 digits is very, very fundamentally insecure. Oh, it's probably fine to protect your data from a phone thief, but all they want to do is replace the SIM and resell the phone anyway.

Re: pick one: convenience, privacy

[myowntrueself]

Just how often do you get pulled over?

They may be African-American and it could be a daily occurrence.

Re: pick one: convenience, privacy

If you bothered to spend 5 seconds reading and thinking, you would know it was an older iphone without a fingerprint reader.

Re: pick one: convenience, privacy

Except that you cant, because the pin simply accesses (via a secure hardware device) a much stronger key that encrypts the filesystem. Stop talking out of your ass.

Re: pick one: convenience, privacy

[Ol+Olsoc]

Or, they could just take the data out of the phone, put it into a special OS shell that doesn't have the lockout feature, and rip through all 10000 four digit codes in the time wasted between keystrokes in this reply.

Or, or, and or. I'd be the last person to argue for or against any so called security features on a phone. I do not consider anything about a phone to be secure at all ever. So if I were to be doing something illegal, I sure as hell wouldn't put it on my phone.

The whole thing is people demanding an inherently non-secure device to be secure. It's like buying a billboard, putting something classified on it, or kiddie porn, and demanding that people not see what is on it because you demand your right to privacy.

It simply is not secure.

Re: pick one: convenience, privacy

[allo]

Which is a black box to you, but very transparent to apple.

Re: pick one: convenience, privacy

[walterhpdx]

Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.

Someone just told me this a couple of weeks ago, and it blew my mind. Not hard to do, but still.

Re: pick one: convenience, privacy

[Gussington]

Can it be spoofed? Sure. But they'll have to know which finger or body part I used to set up,

Security 101. Any security system is only as strong as the likelihood of volunteering the password when an attacker jams a screwdriver in your ear.
You wouldn't be the first person to refuse to co-operate with the cops. I'm pretty sure they have well worn methods for extracting information from uncooperative suspects.

Re: pick one: convenience, privacy

[Plumpaquatsch]

And it is less secure, because if I can put these on a glove, so can somebody else.

Well, I'm sure no Kickstarter campaign ever made unrealistic claims about their product.

Re: pick one: convenience, privacy

[Plumpaquatsch]

Which is a black box to you, but very transparent to apple.

You mean the encryption is bad because it isn't "by obscurity"? Apple is very open about how it works, and people who know more about the matter than you say its fine.

Re: pick one: convenience, privacy

[allo]

Because IT IS by obscurity. The hardware is a black box, which i need to trust, while i have very little reason to do so.

You have two options:
- Make it secure in software. Everyone can verify this. Example: Key-Stretching, which is implemented in software still slows down brute-force attacks very good.
- Make it secure in hardware (example: apple secure enclave). It can be secure, you can publish the specs openly. But the actual part in my iphone is a black box. I do not know, if it matches a given spec. And when somebody finds out, that the spec isn't secure, i cannot "just update" it.

Okay, there is another factor, that apple may publish their crypto, but only runs signed binaries, which means that even their software-crypto can only be checked by reverse engineering and not by building the crucial parts from source.

Related: Never trust a "self encrypting hard disk". Too much which can be insecure, too little trust. Use a safe software encryption.

Obligatory Mythbusters

[ClickOnThis]

Fingerprint locks can be foiled.

Re: Obligatory Mythbusters

Did you figure this out by reading the headline, or did you already know it from before?

Re: Obligatory Mythbusters

[ClickOnThis]

I already knew it from before. And shared the link, because Mythbusters.

Re: Obligatory Mythbusters

better see the c3 presentations about it. I bet you will get some new biometry hacks in december. Do not miss it.

Fingerprint stealing made easy

[justcauseisjustthat]

How dumb is this, so instead of making someone steal your fingerprints and make copies , they can just steal your gloves. Bad idea, but I bet it will get play in the tech community just because it's so bad.

Re:Fingerprint stealing made easy

[flyingfsck]

You already leave your fingerprints everywhere you go, including all over your phone. So using a print scanner only inconveniences an honest user and does nothing to stop a determined criminal.

Re:Fingerprint stealing made easy

[hey!]

Easier, then.

Re:Fingerprint stealing made easy

[Mateorabi]

That's OK, after your gloves are stolen just make sure to reset to a new fingerprint quickly.

Re:Fingerprint stealing made easy

Don't get a glove with YOUR fingerprint. My phone can accept multiple fingerprints, the glove can be a new one. If I lose the glove, I reset the fingerprints to mine without the glove.

--XYZZY--

Re:Fingerprint stealing made easy

[Coisiche]

Probably don't have to steal them. I reckon gloves must be among the most misplaced or lost items in places where winter is cold enough to require wearing them. Of course finding gloves with attached fingerprint sticker doesn't help link them to an owner and a device to unlock, but it does give you a fingerprint to leave around somewhere to say, mess up a crime scene investigation. Has a cast-iron alibi ever been overturned in court because of fingerprint evidence?

Re:Fingerprint stealing made easy

[alphatel]

Don't get a glove with YOUR fingerprint. My phone can accept multiple fingerprints, the glove can be a new one. If I lose the glove, I reset the fingerprints to mine without the glove.

Logic...

A rare yet beautiful thing.

Re:Fingerprint stealing made easy

[rgbatduke]

Or, just stealing your fingers. They are removable, after all...

Re:Fingerprint stealing made easy

Not really any worse than using fingerprints in general.

TouchID is more secure than having the passcode features disabled, but is close to the level of convenience of having no security (one button to open the device). The target is not people who want security but people who want convenience. For them it is a step up as in stead of anyone being able to unlock their phone, it now takes somone with the ability to spoof fingerprints. The glove opens some options for spoofing the fingerprints but it's probably lateral move over all as while swiping a glove requires less expertise than fabricating a spoofed print, it's also easer to detect a missing glove than the existence of an independently fabricated spoofed print. The exception is if you tend to leave your gloves and phone in your coat pocket and walk away or practice similar sloppy physical security.

If you want security you use a long passcode with the settings set to prompt every time you do anything sensitive rather than use any grace period, and have Touch ID disabled.

Key chain finger

[not_surt]

What would be really handy is a simulated finger I can keep on my key chain.

Re:Key chain finger

[flyingfsck]

My key chain is the one with the plastic (you hope) fingers and eyeballs on it.

Re:Key chain finger

Your finger or someone elses?

Re:Key chain finger

When he said he was giving you the finger, it meant something else entirely.

commentsubject

[Falos]

>A new Kickstarter campaign
Stopped reading here. A new record.

its ok

how about adhesive and create micro prints of it. finger prints have never been perfect but gives ease and reasonable security

Why sacrifice

Security for convenience? Why give any phone your fingerprint. It is only a user name, still a password is needed

unique

[ChoGGi]

I'm sure they're made them unique, but is it unique for touch devices or just in the lab?

"there is still the risk of someone stealing your gloves, which is easier than stealing your fingerprints"
I think I pay less attention to where my finger prints are left compared to a pair of gloves.

Knows nose

[cwatts]

In cold weather I register the end of my nose as a fingerprint. It works! And the feds will never figure it out, they can try all my fingers and still not get in.

If you want to keep finger functionality, use your imagination- the back of a knuckle or the side of a thumb are just as unique as a fingerprint, and work just as well.

Unlocking ones phone with one's nose will occasionally be met with wisecracks- trying to operate a phone with a nose will probably get you beaten up or arrested. So be careful :)

cw

Re:Knows nose

[ledow]

It just makes me question the uniqueness being measured (we know fingerprints are "unique" enough for convictions, but if your nose passes muster to a fingerprint reader as a valid fingerprint, surely it's not measuring that much uniqueness in the first place?). Noses just don't have unique, large, raised, patterning like fingerprints do. You can SEE and FEEL fingerprints, that's how large the features are. You can't see much difference between one squished nose and another.

All this tells me is that fingerprint readers on smartphones are naff toys. And I don't for a second buy the "it depends on the glove used" tripe either.

I looked into a fingerprint reader that schools were using for access. It turns out to be a scanner. With some Linux tools and jiggery-pokery you can pull out a black-and-white scanned TIFF from the sensor, which just feeds it into software which does the "uniqueness" bit (finding edges and comparing corner points, mostly).

So I printed out the TIFF, swiped that, and it accepted it. I'm sure they've come on leaps and bounds since, but they are still susecptible to the same old attacks. You don't need to find "a finger that's correct", just a sufficiently convincing model of that finger. That can be anything from a flat piece of paper, to a PCB-etched one, to some gummi bears moulded from that. But still, outside of humongously expensive things, nothing really that good at detecting fakes.

The heartbeat sensor in my phone uses the colour of the skin to measure heartrate "accurately enough". It's literally just a colour sensor, like a scanner, with sufficient red illumination to make your pulse "visible". That could easily form another part of a smartphone fingerprint sensor. And would STILL be just as susceptible to, say, a smartphone display showing the fingerprint and red-pulse that it expects.

It's the analogue hole all over again. If you can copy the data stream sufficiently, you don't need the original any more.

And that just makes fingerprints worthless.

Re:Knows nose

[xtoolbearx]

your a genius, it really works.

Easy

[nospam007]

"but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside?"

Why? So that the police can't get at your phone's contents. Your fingerprint can be forced onto the phone, a password can't.

How long will it take for the real deal?

[eibo]

There already exist flexible materials which can be made to change shape under an applied current, it should be possible to make them small enough to display haptically at the tip of a gloves finger a fingerprint taken by a fingerprint sensor on the inside of the glove.This would solve the problem of the stolen glove as well as the mistaken belief in biometric access control.

Would you print your PIN on your gloves?

[kbdd]

That has to be the stupidest idea I have heard of in a while.

Re:Would you print your PIN on your gloves?

Depends on the goal. If the goal is to scam a bunch of people then this is a success. If the goal is to make a good product then not so much.

I can change my PIN whenever I want

[kbdd]

Can you change your fingerprints when you want?

Re:I can change my PIN whenever I want

[jittles]

Can you change your fingerprints when you want?

I don't believe it is a digital print out of your actual finger. Based on what I have read, it looks like it's just a unique pattern you can use as a fingerprint on your device. Then, if you lose the sticker, you just remove it from your security settings and use a new one.

Are you kidding me?

"which is easier than stealing your fingerprints"
This is ridiculous. You leave your fingerprints behind everywhere you go. It is trivial to get anyone's fingerprints.

fingerprints are stupid

Fingerprints are stupid security. If someone steals your password, you can change it. If someone steals your fingerprints,,,

This is a robbery....

[breaddoughrising]

Give me your wallet, phone and gloves, please.

nice

i can wear gloves when i have to enter the data center

Useful stickers

[allo]

Those stickers sound useful, as they are the only safe way (when available without gloves) to use a fingerprint scanner. You leave your fingerprint everywhere and cannot change it. So it's useless as pass code. But you can buy new stickers, if you want to change your "fingerprint" login.

What could possibly go wrong

Your fingerprints on a sticker, don't see any problems with that. Right?

This is plagiarism

This is plagiarized off my work done in RISD
http://motherboard.vice.com/read/i-replaced-my-fingerprints-with-prosthetics-to-avoid-surveillance
My version is a lot more secure though. The surface is flat and leaves no trace, and it can be easily destroyed.
The composition also makes it impossible to copy.
Since they plagiarized it, and intend to sell. I'm going to open source it, so anyone can make one.
(Btw: my version can work on gloves too)