dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
674
share rss forum feed


Octavean
Premium,MVM
join:2001-03-31
New York, NY
kudos:1

Apple Touch ID Fingerprint Reader Circumvented?

quote:
Chaos Computer Club says it's beaten Apple's Touch ID fingerprint reader (video)

Already feeling secure about using just your fingerprint to unlock the new iPhone 5S? European hacker association Chaos Computer Club claims it can be circumvented with "easy everyday means." According to CCC hacker "Starbug", tactics laid out in a how-to from 2004 are all that are required, with just a higher res fake needed to beat the Touch ID reader. The process, requires a 2400 DPI photograph of someone's fingerprint from a glass surface, which is then laser printed at 1200 DPI and used to create a thin latex sheet that serves as the fake. Simple, right? It's a bit more labor intensive than the old way (just watching someone input their passcode or pattern) but users may want to consider fingerprint access as a measure intended more for convenience than security.
»www.engadget.com/2013/09/22/chao···erprint/


buckingham
Buckingham Pa
Premium
join:2005-07-17
Buckingham, PA
I'm thinking that someone would really have to want super bad to break into a specific phone to go to all that trouble to circumvent the fingerprint reader! The average "apple picker" isn't going to be prone to doing that kind of work...


AppleGuy
Premium
join:2013-09-08
Canada
reply to Octavean
From what I read, it needs a living, breathing soul at the other end...and not just a finger. Not sure how a picture with latex could work.


mityfowl
Premium
join:2000-11-06
Dallas, TX

1 recommendation

Haven't you ever watched Mission Impossible?


Ctrl Alt Del
Premium
join:2002-02-18
kudos:1
reply to AppleGuy
Watch the video. A living, breathing person inputs his pointer finger into TouchID, then slips a latex scan over his middle finger and unlocks the phone on his second try.
--
less talk, more music


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
Reviews:
·Clear Wireless
·Cox HSI
·Verizon FiOS
reply to Octavean
So all you need is the person's phone AND a clean fingerprint AND take a picture of it AND some latex...etc...

Why not just chop off the finger or put a gun to the phone owner's head and tell him/her to unlock the phone?
--
Nocchi rules.

The Dv8or
Just call me Dong Suck Oh, M.D.
Premium
join:2001-08-09
Denver, CO
reply to Octavean
It seems like there needs to be some 3D fingerprint copy to do this properly. You cant just lift a print off a surface--the person would need to imprint their finger in a material you can then replicate.
--
You're so vain... I bet you think this post is about you.


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1
Reviews:
·Verizon FiOS
reply to Octavean
"users may want to consider fingerprint access as a measure intended more for convenience than security."

Biometric technology is a farce for stuff that matters. That's known.

CCC stated they found a way around it by.. reproducing a fingerprint. Besides no such thing as security with physical access to a device, this is applied twice to biometric.

However for Joe Public, it's better and quicker than nothing. That's the entire point for a fingerprint reader. CCC is getting press because tech writers have no idea what they're talking about 99% of the time and just want site traffic.

You can unlock android phones with pictures of people if they are using photo-unlock. BM is a bad technology for stuff that matters. These things are for Joe Public who would rather use nothing or something as fast as nothing.

--
"If something about the human body disgusts you, complain to the manufacturer" - Lenny Bruce
What this country needs is a good five dollar plasma weapon.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

1 recommendation

It was meant to stop "apple picking", if circumventing the security means having to know the fingerprint of the user, or their iris, or their exact voice print, then the user concerned has some powerful enemies and they should also be using encryption.

Wake me up when someone works out how to make locked stolen 5S phones valuable by wiping them of whatever biometric protections have been set.

Losing ones phone is quite traumatic I'd be very happy to own a phone that locks itself when I lose it and is junk until I get it back, failing that is junk unless it can be wiped, failing that is junk until it is opened up and the flash chip and circuit board is extracted and then someone has to spend $2000 to get the flash read and put on a CDROM.

Won't all phones except the 5S spill their guts with the use of a free software tool, if found in the street?


Flagger
Premium
join:2001-08-10
Weimville

2 recommendations

reply to Octavean
Having watched videos of people using cat and dog's paws as well as nipples, it does make for some interesting applications.

I guess meetings will be a lot more fun when someone takes out his penis to unlock his phone!
--
Like our page on Facebook * See the world by following our travel BLOG

andrewc2

join:2011-06-05
Matamoras, PA
Send it off to the mythbusters, let them try and beat it, they've already beat door locks.


neuronbob
THERE ARE NO SHORT CUTS. NONE.

join:2000-03-30
Bedford, OH
reply to Octavean
I'll still use a fingerprint reader. Someone has to find my fingerprint to get around the fingerprint lock.

I don't see this as a big deal.
--
neuronbob.com


pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3
said by neuronbob:

I don't see this as a big deal.

It isn't a big deal, as long as you are using it as a convenience and not expecting it to be truly secure.
--
"I drank what?" -Socrates


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
so far it seems it is as secure as your fingerprint. how many people have a high fidelity copy of the finger you use to unlock the phone or could get one?

Dodge
Premium
join:2002-11-27
reply to neuronbob
said by neuronbob:

.....Someone has to find my fingerprint to get around the fingerprint lock.

I don't see this as a big deal.

This is from the article: "The process, requires a 2400 DPI photograph of someone's fingerprint from a glass surface,", now correct me if I'm wrong, but isn't at least the front surface of your phone glass? Make sure to wipe your phone after every use, or you are risking leaving the valuable fingerprint on there.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet
if they took the print from the iPhone glass they would have said that. I look at my screen in the right light: there is nothing usable on it. perhaps because I tap with the end not the pad or perhaps because of the oil repel tech or the other motions mix everything up I don't know.


haroldo

join:2004-01-16
united state
kudos:1
reply to Octavean
I know the media loves to find fault with products (especially from successful companies), but I dont think this is a 'big deal.
First, it requires physical access to phone. Most users are keenly aware of where their phone is and if it's missing for an extended period of time, I think they'd remote wipe (or at least folks that are tech savvy, would).
Next, the intrusion would be conducted within 24 hours as the Touch Lock requires a pin code after that time frame.
This combination...IMHO...makes this 'threat' (to the average user) much lower than the risk that someone can guess their four digit lock screen PIN (more likely they'd watch the user enter the PIN and get the number).
I think the biggest risk would be a jealous spouse, who could easily access the phone.


haroldo

join:2004-01-16
united state
kudos:1
reply to Octavean
»www.foxnews.com/tech/2013/09/24/···features

Apple’s Touch ID lets you unlock your new iPhone 5S with more than just your fingerprint. One writer from the site DigitalTrends.com tested the limits of the Touch ID feature -- and claims he could his private part to unlock his new phone.


Nezmo
The name's Bond. James Bond.
Premium,MVM
join:2004-11-10
Coppell, TX
kudos:1

1 recommendation

said by haroldo:

»www.foxnews.com/tech/2013/09/24/···features

Apple’s Touch ID lets you unlock your new iPhone 5S with more than just your fingerprint. One writer from the site DigitalTrends.com tested the limits of the Touch ID feature -- and claims he could his private part to unlock his new phone.

We can always rely on Fox to report the real news.
--
My Gallery
Formerly Nezmo

daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:3
reply to Octavean
Here are some more discussions on this topic: »iPhones fingerprint sensor hacked 48 hours after release

iknow_t

join:2012-05-03
reply to Octavean
mythbusters beat fingerprint ID at least a year ago, this is nothing new.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
they beat "a" fingerprint reader, or did they beat all?


sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
Reviews:
·T-Mobile US
·Verizon FiOS
reply to Mike
said by Mike:

"users may want to consider fingerprint access as a measure intended more for convenience than security."

Biometric technology is a farce for stuff that matters. That's known.

CCC stated they found a way around it by.. reproducing a fingerprint. Besides no such thing as security with physical access to a device, this is applied twice to biometric.

However for Joe Public, it's better and quicker than nothing. That's the entire point for a fingerprint reader. CCC is getting press because tech writers have no idea what they're talking about 99% of the time and just want site traffic.

You can unlock android phones with pictures of people if they are using photo-unlock. BM is a bad technology for stuff that matters. These things are for Joe Public who would rather use nothing or something as fast as nothing.

Still impossible to fake retina scans.


justin
..needs sleep
Australian
join:1999-05-28
kudos:15
Reviews:
·iiNet

2 recommendations

the only biometric scan that I'm impressed with this the one in the incredibles:

Hand Scanner.
Iris Scanner.
"Edna. Mode." (said in purposefully flat voice)
Then there is a camera (IR?) that identified an additional visitor - judging by the machine gun that springs from the ceiling.
".. and guest".

This is smart because if she is being forced at gunpoint to surrender all her biometrics, the bad guy then has to deal with the weapon pointing at his head as well.


sk1939
Premium
join:2010-10-23
Mclean, VA
kudos:10
Reviews:
·T-Mobile US
·Verizon FiOS
said by justin:

the only biometric scan that I'm impressed with this the one in the incredibles:

Hand Scanner.
Iris Scanner.
"Edna. Mode." (said in purposefully flat voice)
Then there is a camera (IR?) that identified an additional visitor - judging by the machine gun that springs from the ceiling.
".. and guest".

This is smart because if she is being forced at gunpoint to surrender all her biometrics, the bad guy then has to deal with the weapon pointing at his head as well.

There are some secure facilities that use a slightly different arrangement. It's a self contained plexiglass chamber, and you surrender your retina pattern, while the floor plate determines exact weight of things present on the floor. Combined you gain access. Yes, for those who eat lots or are on diets there are problems, and for equipment, I think there needs to be some kind of override, I"m not sure.


wmcbrine
213 251 145 96

join:2002-12-30
Laurel, MD
kudos:1

1 edit
reply to andrewc2
said by andrewc2:

Send it off to the mythbusters, let them try and beat it, they've already beat door locks.

They "beat" the door lock in the exact same way: by copying an actual fingerprint. IMHO, neither of these constitutes a circumvention; just the opposite, really. It looks like a good, secure technology. Of course you can get around it if you have the fingerprint -- because the fingerprint is the key, by design. What's been shown is just that the key is copyable (and not particularly easily).

P.S. Don't get me wrong -- I was impressed with what the Mythbusters did. But what they did not do was to show that this was a weak or easily exploited system.
--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Octavean
Premium,MVM
join:2001-03-31
New York, NY
kudos:1
reply to Octavean
I think the media is probably making more of this then there really is. If I buy a 5S some time in the future this isn't something that I would be concerned about. Law enforcement could probably use such methods if they felt they needed to assuming they didn't have another in. Thats not a concern for me or most people though.

I see it more as a convenience on a security future then anything else.

I wouldn't be surprised if future versions of iOS and the iPhone included the use of the camera (facial recognition) in conjunction with the the fingerprint reader. As an option, adding the need for a Passcode should satisfy the needs of the more paranoid among us.

Some may say that the extra measures defeat the purpose of the convenience of the fingerprint reader but I don't agree. Its more an issue of how much security you want or need.