MacNN Forums (http://forums.macnn.com/)
-   Tech News (http://forums.macnn.com/tech-news/)
-   -   'Fake finger' successfully used to bypass Touch ID on iPhone 5s (http://forums.macnn.com/113/tech-news/504244/fake-finger-successfully-used-bypass-touch/)

 
NewsPoster Sep 22, 2013 08:33 PM
'Fake finger' successfully used to bypass Touch ID on iPhone 5s
A group in German claims to have successfully <a href="http://macnn.com/rd/294525==http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid" rel='nofollow'>worked around</a> Apple's new <a href="http://macnn.com/rd/294531==http://www.apple.com/iphone-5s/videos/#video-touch" rel='nofollow'>Touch ID</a> biometric system, albeit using an <a href="http://macnn.com/rd/294525==http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid" rel='nofollow'>extremely elaborate system</a> to do so, involving a high-resolution lifted fingerprint and creating a "fake finger" that mimics a real one that has the lifted fingerprint printed onto latex milk or wood glue and then applied -- and of course physical access to the iPhone that utilizes that particular fingerprint. A different hacker group is offering <a href="http://macnn.com/rd/294527==http://istouchidhackedyet.com/" rel='nofollow'>a reward</a> for such a solution, including cash, Bitcoins, liquor and books as a reward.<br />
<br />
The German group issued a statement <a href="http://macnn.com/rd/294528==http://www.cnn.com/2013/09/22/tech/mobile/iphone-5s-hack-bounty/" rel='nofollow'>criticizing the biometric industry</a> for making false claims about how secure fingerprint-based locking is, <em>CNN</em> reports. For most people, however, the group would seem to have undermined its own arguments with the elaborateness and extent of the work involved to bypass the Touch ID lock.<br />
<br />
Apple automatically disables the Touch ID system and reverts back to a (simple or complex) passcode if the finger hasn't been used to unlock the iPhone within the last 48 hours. This means thieves would have to obtain the iPhone and the fingerprint, make the "fake finger" sheet and get it to the point where it could successfully unlock the phone very quickly.<br />
<br />
Users who actually have classified or highly-sensitive information on their iPhone are likely to use complex passcodes, remote management or wipe, Activation Lock, Find My iPhone and many other safeguards in addition to Touch ID. Such measures make the possibility of an actual "sensitive" iPhone getting bypassed in this manner even more remote -- though the group makes a fair point that fingerprints can often be recovered fairly easily in real-world situations and aren't an end-all solution for security (nor has Apple attempted to market the Touch ID feature in that manner).<br />
<br />
Senator Al Franken noted some shortcomings of using fingerprints as passwords in <a href="http://macnn.com/rd/294532==http://www.electronista.com/articles/13/09/20/company.asked.to.explain.future.plans/" rel='nofollow'>his letter</a> to Apple CEO Tim Cook, saying that while passwords can be secret and easily changed if they are discovered, fingerprints are permanent and public." Franken's letter included some other questions regarding the future of the technology (such as whether it would be available to third parties, which would introduce further risks).<br />
<br />
However, Franken's letter didn't acknowledge that Apple has <a href="http://macnn.com/rd/294533==http://www.apple.com/pr/library/2013/09/10Apple-Announces-iPhone-5s-The-Most-Forward-Thinking-Smartphone-in-the-World.html" rel='nofollow'>already published</a> safeguards and explanations of how the technology works, including fallbacks -- and the fact that TouchID is not required nor warranted to be foolproof. It is simply designed to be another obstacle for potential thieves and hackers to overcome compared to the security built into most other modern smartphones.<br />
<br />
It is unclear if the workaround devised by the German group qualifies for the $16,000 prize from istouchidhackedyet.com, but the site has said that it seeks a reliable and repeatable way to "break into an iPhone 5s by lifting prints." with the community offering items and cash to sweeten the prize. <em>Reuters</em> reports that a venture capital firm has put up <a href="http://macnn.com/rd/294529==http://www.reuters.com/article/2013/09/20/us-iphone-hackers-idUSBRE98I10I20130920" rel='nofollow'>$10,000 towards the reward</a>, saying it wants to help fix any problems found with Touch ID "before it becomes a problem" and that the competition will help "make things safer." The co-founder of the istouchidhackedyet website has said that he believes Apple has done a good job on making the new technology secure, but wants to engage the hacker community to be sure.<br />
<br />
But lest anyone believe that the technology is impervious, a Minnesota man has <a href="http://macnn.com/rd/294530==http://www.cnn.com/2013/09/20/tech/mobile/iphone-dog-paw-print-ireport/index.html?" rel='nofollow'>posted a video</a> setting the record straight. The Touch ID system works with animals as well as humans, he discovered, demonstrating that a chihuahua with a captured "pawprint" can also unlock the iPhone 5s<br />
<br />
Neither group has shown any interest in trying to unlock the captured digital image information captured by the sensor, which is said by Apple to be stored in a "secure enclave" within the A7 processor. Presuming the data is strongly encrypted as Cook has said, it should be nearly impossible for even those with sufficient time and unlimited access to the workings of the chip to recreate the fingerprint data -- though ironically it may be possible to lift at least a partial high-resolution print of the users' preferred digit right from the sapphire glass used to protect the sensor on the iPhone 5s' home button.<br />
<br />
<br />
<div align="center"><iframe width="500" height="375" src="//www.youtube-nocookie.com/embed/HM8b8d8kSNQ?rel=0" frameborder="0" allowfullscreen></iframe></div>
 
macjockey Sep 22, 2013 09:47 PM
you know, who really gives a crap
 
muadibe10 Sep 22, 2013 10:10 PM
No matter how much I protest, people just follow me everywhere lifting my fingerprints!! I mean, who doesn't have this problem.

Dweebs.
 
Sebastien Sep 23, 2013 12:18 AM
Of course if this was happening to an Android, Blackberry or Windows device you two would be all over it. #doubleStandard
 
djbeta Sep 23, 2013 12:26 AM
What a waste of brain cells.. don't you idiots get it? Better security is better security. The people I am protecting myself against will NOT have the ability to do what you did in this video.. Why don't you spend your time on something that benefits people and doesn't try to simply "poke holes" ???
 
djbeta Sep 23, 2013 12:29 AM
And.. @Sebastien, you're wrong.. Touch ID is a truly useful method of protecting your device. MUCH better than a passcode.. which people can see you entering. Android has not provided us anything nearly that intuitive and useful.
 
Rapscallion Sep 23, 2013 12:50 AM
Previous story was door locks now unsafe, multiple copies of keys now possible...
 
BLAZE_MkIV Sep 23, 2013 01:03 AM
Myth-busters spoofed finger print readers years ago.
 
hansmickle Sep 23, 2013 01:24 AM
Myth Busters were working with the only technology then available, which is a far cry from that which Apple is using. Their results have absolutely no relation to the current issue. Technology has changed radially.
 
besson3c Sep 23, 2013 02:06 AM
What's with these emotional reactions? People trying to thwart the security of something is how you make that security stronger. This is a good thing, no matter how you feel about Apple.
 
Spheric Harlot Sep 23, 2013 02:35 AM
^ agreed.

What I find annoying is deliberate misinformation, like the tripe about the chihuahua meaning that the system is "not impervious". If you profile the dog's paw, it will work with the dog's paw. If you don't, it won't. How does that sort of shit help clarify anything? It's an amusing curiosity with zero relevance to the security of a system.
 
besson3c Sep 23, 2013 02:41 AM
Quote, Originally Posted by Spheric Harlot (Post 4249198)
^ agreed.

What I find annoying is deliberate misinformation, like the tripe about the chihuahua meaning that the system is "not impervious". If you profile the dog's paw, it will work with the dog's paw. If you don't, it won't. How does that sort of booze help clarify anything? It's an amusing curiosity with zero relevance to the security of a system.

How do you tell the difference between deliberate misinformation for ideological purposes, and ignorance with no particular ideological agenda? Does the ideology bother you, or the simple inaccuracy, or both?
 
mr100percent Sep 23, 2013 02:43 AM
Video aside, I'm still skeptical. Apple said that their sensor uses conduction sensors, so the old "gummy finger" hack to bypass old fingerprint scanners was no longer effective. I'm wondering how the cover somehow was in the same conductive range as skin.
 
mr100percent Sep 23, 2013 03:49 AM
Easy solution; don't program it to unlock with your finger. Use something else that isn't leaving prints everywhere.
Good luck figuring out which body part you need to scan to unlock my phone.
 
Spheric Harlot Sep 23, 2013 04:16 AM
Quote, Originally Posted by besson3c (Post 4249199)
How do you tell the difference between deliberate misinformation for ideological purposes, and ignorance with no particular ideological agenda? Does the ideology bother you, or the simple inaccuracy, or both?
The misuse of inaccurately presented information to further sensationalism.

"OMG SECURITY BREACH" proven by the mechanism presented working exactly as designed (talking about the animal paws thing here, not the CCC hack) is either intentional misinformation, or ignorance. Either way, it is misleading to the reader, and whoever used it to support claims of insecurity needs to be taken out back and slapped with an eel.
 
besson3c Sep 23, 2013 04:28 AM
Quote, Originally Posted by Spheric Harlot (Post 4249204)
The misuse of inaccurately presented information to further sensationalism.

"OMG SECURITY BREACH" proven by the mechanism presented working exactly as designed (talking about the animal paws thing here, not the CCC hack) is either intentional misinformation, or ignorance. Either way, it is misleading to the reader, and whoever used it to support claims of insecurity needs to be taken out back and slapped with an eel.

So it's more of a bad journalism thing that irritates you more than a tech specific thing?
 
besson3c Sep 23, 2013 04:37 AM
The other part of this that is sensationalized is the fact that on many phones no password at all is required to access the phone once you have physical access to it. Once you have physical access to a desktop/laptop there is a good chance you'll be able to do stuff too.

For those that know better and need some actual security to prevent sensitive data, chances are over 99% of the time a thief is probably going to not bother with trying to get around your fingerprint security, it will be more than adequate deterrent. For those that need to protect sensitive info such as intellectual property or something that would have secret agents specifically gunning for your stuff (as opposed to whatever phone they can find), you probably shouldn't have any sensitive like your email on your phone anyway, because if somebody wants your stuff bad enough they can just crack upon the case and hook your hard drive up to something.

The summary: nothing new... Once you have physical access to something all bets are off.
 
Spheric Harlot Sep 23, 2013 04:53 AM
Quote, Originally Posted by besson3c (Post 4249205)
So it's more of a bad journalism thing that irritates you more than a tech specific thing?
It's a misuse of evidence to prove things that cannot be inferred from the data, if you will.

It's what pisses me off about those conspiracy assholes, as well: a deliberate misrepresentation of evidence to present the illusion of coherence and credibility. Which is ironic, considering what they claim to be countering.
 
besson3c Sep 23, 2013 04:56 AM
Quote, Originally Posted by Spheric Harlot (Post 4249207)
It's a misuse of evidence to prove things that cannot be inferred from the data, if you will.

It's what pisses me off about those conspiracy assholes, as well: a deliberate misrepresentation of evidence to present the illusion of coherence and credibility. Which is ironic, considering what they claim to be countering.

This doesn't anger me really. This goes with the territory of being top dog in just about anything. Everybody wants to put a chink in the armor of the top dog.

That's right, dogs wearing armor.
 
YangZone Sep 23, 2013 06:40 AM
Liquor? Nobody told *me*.
 
Wingsy Sep 23, 2013 07:05 AM
What's going to torque my jaws is when the mainstream media reports this. They will NOT go into any detail as to the process used to fake the finger. Quite the opposite; they will imply just how easy it is for anyone to do in just a few minutes, and will totally skip the part about how a thief is going to acquire your fingerprint (the one you used to teach the sensor). Just wait and see. CNBC, I'm looking at you.
 
Wingsy Sep 23, 2013 07:14 AM
Think it's easy to get your fingerprint off your phone? Try this. Get a strong magnifying glass and go over your phone very carefully, tilting it against the light. See any non-smudged fingerprints? If you do, is it the one you would have used to unlock your phone? All I could see on mine that were not smeared were small pieces of prints here and there.
 
shifuimam Sep 23, 2013 10:59 AM
Quote, Originally Posted by djbeta (Post 4249185)
And.. @Sebastien, you're wrong.. Touch ID is a truly useful method of protecting your device. MUCH better than a passcode.. which people can see you entering. Android has not provided us anything nearly that intuitive and useful.
Android has facial recognition for unlock, as well as the ability to use a pattern (which can be as complicated as you want, using as large as a 6x6 grid).

Both are quite intuitive and useful.

TouchID is fine for home users and their phones, but it's not fine for enterprise use. Biometric alone is NOT secure, and no security professional with any qualifications is going to tell you otherwise.
 
DiabloConQueso Sep 23, 2013 11:49 AM
I'm sure the oleophobic coating that is used on most smartphone touchscreens/bodies these days helps to obscure fingerprints as well.

I think the takeaway is that NO security is 100% secure. If you want to protect your phone against accidental 18-month-old access, put a short password on there. If you want to protect your phone against casual thieves, put a 4-digit or longer passcode on there. If you want to protect your phone against more advanced thieves, put a fingerprint code and/or complex password on there, and enable data-wiping.

If you want to protect your phone against those who will stop at nothing to get at your phone and its data, then you're SOL. There is nothing short of restricting physical access to your phone by putting it in a safe deposit box or encasing it in a square foot of lead that will stop them.

People don't put Fort Knox-style security on their homes, because that's not the level of intruder they're trying to protect their home against. The actual Fort Knox, on the other hand, uses crazy levels of security, because they ARE protecting themselves against that level of intruder. Point being that the intruder that breaks into residential homes and the intruder trying to get into Fort Knox are two very different types of intruder.

Differing levels of security exist to keep differing levels/severity of unauthorized access at bay -- not to completely secure your device against any and all threats that may exist. If a news outlet or someone advertises this technology as such ("unbreakable" or "completely secure"), then they've committed a grave journalistic sin, which is adding unverified information to the story for excitement, interest, and/or gravity.

Fingerprints aren't the ultimate security implementation ever, but they're a step in the right direction.
 
bjojade Sep 23, 2013 02:09 PM
Cue the class action lawsuit. Apple will be required to provide free finger caps to users so they can protect their prints from ending up in unwanted areas.

In reality, fingerprint scanning is part of the third trifecta of security. 1. What you have, 2. What you know and 3. Who you are. High security would use all three methods.

What you have would be a physical key, or device of some sort for unlocking. Someone gets a hold of that key, and they can get in. Lost keys, duplicated keys, photos of keys, etc, could be used to breach this method.

What you know is usually a password that you're supposed to keep in your brain. It can be breached by guessing, by interrogation, or by observation of the user.

Who you are is usually the most difficult to copy, but once you can copy, it's the hardest one to change. Things like facial scans, fingerprint scans, etc., can be fooled. Some are easier than others. Facial recognition can sometimes be fooled by simply showing the device a PHOTO of the user. It may not be able to know the difference between a photo and the real thing. Older fingerprint scanners could be fooled by a simple photocopy of a fingerprint. At least Apple's system is fairly complex and to fool it, you have to create a finger that mimics the electronic properties of a finger, and that has to be done within 48 hours of the last time the phone was unlocked. Secure enough for MOST users. If you're dealing with information that would be worth the effort to create this false finger, then chances are you've got additional security measures in place.
 
besson3c Sep 23, 2013 02:32 PM
Quote, Originally Posted by shifuimam (Post 4249248)
Android has facial recognition for unlock, as well as the ability to use a pattern (which can be as complicated as you want, using as large as a 6x6 grid).

Both are quite intuitive and useful.

TouchID is fine for home users and their phones, but it's not fine for enterprise use. Biometric alone is NOT secure, and no security professional with any qualifications is going to tell you otherwise.
If you physically obtain a device, your goose is cooked. Somebody that wants your data can just take your HD/motherboard out and hook it up to something. This is probably going to be easier than bypassing the fingerprint stuff anyway, no?
 
hayesk Sep 23, 2013 06:23 PM
@shifuimam, security experts have already told me otherwise. Unless you are a "targeted" individual, nobody is going to use this method on your phone. That includes "enterprise users." And if they are targeted, one would simply force them to enter their passcode with threats of violence, anyway. So the question is, who is going to target you enough to make a fingerprint of you ahead of time?

And real security experts understand that security is a compromise between it and convenience, and the perceived threat level. It's the poser security experts who demand security over all else - the ones requiring PGP encryption when emailing their grandma.

Do you lock your car when you park it at the mall? Of course you do. Even though you know locks and car windows can easily be broken.
 
Charles Martin Sep 23, 2013 06:33 PM
I agree that the facial recognition and pattern software are also barriers to help prevent theft and unauthorized use, but have to point out that the facial recognition software is WAY more easily defeated than Touch ID, and the pattern software is generally used like the passcode software -- the simplest pattern possible for most people, and easily observable like passcodes.

But again the point is not that there are *potential* ways to overcome such measures, it's about throwing up more roadblocks to deter thieves. You can't stop ALL theft, you can just make it more unpalatable. With Activation Lock, Find My iPhone and now the Touch ID, I'd argue that Apple has taken strong steps to deter theft.
 
Spheric Harlot Sep 23, 2013 07:30 PM
Quote, Originally Posted by shifuimam (Post 4249248)
Android has facial recognition for unlock, as well as the ability to use a pattern (which can be as complicated as you want, using as large as a 6x6 grid).

Both are quite intuitive and useful.
Sorry, but unless something has changed, the face recognition is useless (since it can be thwarted with a photograph displayed on a smartphone screen, and patterns are no less tedious than passcodes.

The point of Touch ID is that it's (potentially) more secure AND less annoying than a passcode.
 
Sebastien Sep 23, 2013 11:52 PM
Quote, Originally Posted by djbeta (Post 4249185)
And.. @Sebastien, you're wrong.. Touch ID is a truly useful method of protecting your device. MUCH better than a passcode.. which people can see you entering. Android has not provided us anything nearly that intuitive and useful.
WTH are you talking about!? I never mentioned the Touch ID thing - only how the usual fanbois would have a field day if this was any other platform.

Everyone reading this knows I'm right - they just won't admit it.
 
Sebastien Sep 23, 2013 11:54 PM
Quote, Originally Posted by shifuimam (Post 4249248)
Android has facial recognition for unlock, as well as the ability to use a pattern (which can be as complicated as you want, using as large as a 6x6 grid).

Both are quite intuitive and useful.

TouchID is fine for home users and their phones, but it's not fine for enterprise use. Biometric alone is NOT secure, and no security professional with any qualifications is going to tell you otherwise.
That's true - in actual fact, the best thing for security would be body heat signature - that's truly unique to an individual (even twins will have different heat signatures), and it's apparently very difficult to 'fake' or simulate, especially for the face.
 
BLAZE_MkIV Sep 24, 2013 12:08 AM
To make it truly poetic you'd use the front facing camera to take a picture of the users retina.
 
besson3c Sep 24, 2013 02:25 AM
Quote, Originally Posted by Sebastien (Post 4249442)
WTH are you talking about!? I never mentioned the Touch ID thing - only how the usual fanbois would have a field day if this was any other platform.

Everyone reading this knows I'm right - they just won't admit it.
Anybody emotionally and ideologically invested in anything would have a field day if something happened to their opponent.
 
Spheric Harlot Sep 24, 2013 02:30 AM
Quote, Originally Posted by besson3c (Post 4249456)
Anybody emotionally and ideologically invested in anything would have a field day if something happened to their opponent.
Quote, Originally Posted by Sebastien (Post 4249442)
WTH are you talking about!? I never mentioned the Touch ID thing - only how the usual fanbois would have a field day if this was any other platform.

Everyone reading this knows I'm right - they just won't admit it.
Truth in both posts.
 
besson3c Sep 24, 2013 02:35 AM
Do you guys know people that are emotionally/ideologically invested in a platform that they use as their primary source of income?
 
Spheric Harlot Sep 24, 2013 03:36 AM
Sure. I know a couple of support techs/firms that are Mac-only.


As for myself, I base large parts of my work on the Mac platform because it's what I'm accustomed to and because I'll gladly pay to have technology get out of my way when it can. Path of Least Annoyance, if you will. Not sure whether that constitutes "emotional/ideological investment."

My current annoyance factor is pretty high (dealing with performance issues and seeing how those will pan out if I throw RAM at them).

But the Mac-based work is only part of what I do. Most of it is dedicated instrument/processing hardware.
 
besson3c Sep 24, 2013 06:46 AM
Quote, Originally Posted by Spheric Harlot (Post 4249462)
Sure. I know a couple of support techs/firms that are Mac-only.


As for myself, I base large parts of my work on the Mac platform because it's what I'm accustomed to and because I'll gladly pay to have technology get out of my way when it can. Path of Least Annoyance, if you will. Not sure whether that constitutes "emotional/ideological investment."

My current annoyance factor is pretty high (dealing with performance issues and seeing how those will pan out if I throw RAM at them).

But the Mac-based work is only part of what I do. Most of it is dedicated instrument/processing hardware.

I feel the same way.

To me the ideological investment thing is when you feel compelled to evangelize and convert other people to the platform, or you feel compelled to defend the platform when attacked just to preserve its positive reputation. Me, I don't give the slightest hint of a rat's ass what people use to do their stuff on, and I'd gladly switch to anything that can help me do my work better (or cheaper, providing that my productivity wasn't jeopardized). There was a time when I used to encourage people to use a Mac, or switch to one.

Some of the Newsposter responses from people that want to bash Apple or defend Apple fall into this category, in my opinion. I don't and can't judge since I was that way, but in retrospect it now seems pretty silly.

Maybe a part of the old days of evangelizing was the thought that more platform adoption would prolong Apple's existence, where of course these days Apple doesn't need any of our help on this front.
 
djbeta Oct 5, 2013 10:27 PM
@shifuimam -- Facial recognition, really?
That bullsh** facial recognition crap on the Android side is 1000x easier to fake than a finger print..

My point is that the fingerprint is a much better idea to use as a passcode..
 
subego Oct 6, 2013 04:49 PM
Quote, Originally Posted by Spheric Harlot (Post 4249400)
Sorry, but unless something has changed, the face recognition is useless (since it can be thwarted with a photograph displayed on a smartphone screen, and patterns are no less tedious than passcodes.

The point of Touch ID is that it's (potentially) more secure AND less annoying than a passcode.
In terms of the "annoyance factor" I've mastered unlocking my phone as it comes out of my pocket. Don't really see facial recognition or a passcode accomplishing that. Like, ever.
 
subego Oct 6, 2013 05:41 PM
That said, shif sort of has a point. A fingerprint (and other biometric data) is inherently a user ID.

The platonic ideal of a password is a hidden, giant random number.

A fingerprint is actually a decent simulation of a giant random number, so it can do double duty as a password. It's basically impossible to brute force.

On the other hand, the ability to effectively hide it is limited, so people with the determination can copy it.

It's similar to having your user ID and password being the same, but the user ID being something no one could realistically guess.
 
All times are GMT -4. The time now is 09:02 PM.

Copyright © 2005-2007 MacNN. All rights reserved.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2014, vBulletin Solutions, Inc.


Content Relevant URLs by vBSEO 3.3.2