Defeating Apple’s Touch ID: It’s easier than you may think
- Thread starter JournalBot
- Start date
I guess in retrospect, fingerprints aren't the best idea for biometrics on a phone since the prints themselves are left on the device with typical use. So basically, steal the phone and you have the print. I wonder if they could have you image your knuckles or something like that instead.
Upvote
14
(17
/
-3)
People saying this also have to remember that this technique was developed less than 48 hours after they got their hands on the device -- I'm sure there will be easier hacks out there soon enough.
Hopefully an Android handset maker implements a Touch ID equivalent, doesn't get sued by Apple, and a custom lock screen can be added into a custom ROM -- cyanogenmod et al. -- to do just this.
Upvote
2
(18
/
-16)
How about using only the tip of your thumb? Also not frequently left on a beer glass?
For me, I think the convenience still outweighs the risks (assuming I can get my claws on an actual 5s).
For me, I think the convenience still outweighs the risks (assuming I can get my claws on an actual 5s).
Upvote
2
(7
/
-5)
Upvote
14
(16
/
-2)
"...Touch ID is a truly "secure" way to unlock phones, as Apple's own press release announcing the new feature claimed."
Well, at least the person who stole the phone and can duplicate the fingerprint will be able to securely unlock it...
Well, at least the person who stole the phone and can duplicate the fingerprint will be able to securely unlock it...
Upvote
9
(12
/
-3)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348427#p25348427:1clyr8jt said:
There isn't even any retrospect. This is obvious. It is like the picture password on Win8 devices. It doesn't make sense because once you have the device you have the print.
The author's suggestion is a very good one as most people won't use anything other than a thumb or a forefinger to press the home button aside from unlocking it.
The long and the short of it really is to not lose control of your device. Physical compromise is almost a guarantee that your information will be disclosed.
Upvote
25
(27
/
-2)
Another tip is to validate prints only from the left fingers if you're right-handed or vice versa. If you always open doors or drink using the right hand, you'll hardly ever donate your usable print info to anyone.
Upvote
18
(18
/
0)
When you using a pinky or ring finger it might be wise to use the hand you least hold it with.
Upvote
4
(4
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348497#p25348497:3jvrhdof said:
If you touch the screen you are going to leave a print, doesn't matter if its the fingertip, thumb tip, toe print, nose print, ear print, genital print....
They are lifting what ever the print is from the screen, duplicating that print, then using it to get into the phone. So if, for example, someone steals the phone and is able to lift and duplicate the print they will still be able to get into the phone.
Upvote
-14
(4
/
-18)
It amazes me that Touch ID was not implemented along side of a two factor system on the debut. Apple has a very well thought out UI with a lot of features that have stood the test of time and considering their market penetration, having thoughtful security should be at the top of their priorities now.
Upvote
9
(11
/
-2)
I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If apple had invented a perfect fingerprint sensor then a lot of three letter agencies would have been interested.
A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit pins which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.
Having said that, the apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather that just at restarts.
A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit pins which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.
Having said that, the apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather that just at restarts.
Upvote
32
(41
/
-9)
Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.
Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.
Upvote
16
(22
/
-6)
How fresh was the fingerprint - Apple claims TouchID gets better at discerning your finger print with each use. I'm curious if this only fools Touch ID because it was a newly registered finger; as opposed to fooling TouchID after a fingerprint been used for a week, month, year. Time will tell. Still better than not having any security at all.
Upvote
20
(22
/
-2)
If someone is running around trying to lift my print to access my iPhone that's a pretty targeted attack. It's far easier to look over my shoulder.
Besides, I read the iPhone 6 will authenticate by peering into your very soul and require the spirit of Steve Jobs to personally approve each unlock. No comment on if this uses cellular data yet.
Besides, I read the iPhone 6 will authenticate by peering into your very soul and require the spirit of Steve Jobs to personally approve each unlock. No comment on if this uses cellular data yet.
Upvote
29
(32
/
-3)
Coming next TONGUE prints!
Lick your phone to unlock....
"Why does my phone taste like fish?"
Lick your phone to unlock....
"Why does my phone taste like fish?"
Upvote
-3
(5
/
-8)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348611#p25348611:20k7zwcz said:
On the other hand, they can unlock your phone using TouchID without ever looking over your shoulder or figuring out your password. Your fingerprint is likely all over the screen, so if they want in, they just swipe your device immediately and go to work.
Upvote
-7
(16
/
-23)
God, recommending using an inconvenient finger for unlocking is a really ugly workaround...
What I would like Apple to do: Add a configurable timeout for TouchID after which it requires a PIN:
Immediately
5 minutes
15 minutes
1 hour
2 hours
6 hours
Make it default to 1 hour.
This would mean that
a) whatever you set it to you'd need to type your PIN at least once a day (in the morning, if you sleep more than 6 hours) which at least means you will remember it. The current timeout of 48 hours (or a reboot of the phone) basically means that most people will have forgotten their PIN when they need it.
b) the default of one hour would mean that a thief would need to be really fast with nicking your device and faking a finger.
c) if you REALLY need security set the timeout to "Immediately" and presto, you have two-factor authentication.
If Apple would have done that right away nobody would have to complain about all of this.
TouchID is a convenience feature, no more, no less. It's much better than not having a PIN and much more convenient than a PIN (or even a complex password). Apple should have marked it as this by choosing defaults wisely and allowing an option to turn it into a security feature (by using it for two-factor authentication without a timeout).
What I would like Apple to do: Add a configurable timeout for TouchID after which it requires a PIN:
Immediately
5 minutes
15 minutes
1 hour
2 hours
6 hours
Make it default to 1 hour.
This would mean that
a) whatever you set it to you'd need to type your PIN at least once a day (in the morning, if you sleep more than 6 hours) which at least means you will remember it. The current timeout of 48 hours (or a reboot of the phone) basically means that most people will have forgotten their PIN when they need it.
b) the default of one hour would mean that a thief would need to be really fast with nicking your device and faking a finger.
c) if you REALLY need security set the timeout to "Immediately" and presto, you have two-factor authentication.
If Apple would have done that right away nobody would have to complain about all of this.
TouchID is a convenience feature, no more, no less. It's much better than not having a PIN and much more convenient than a PIN (or even a complex password). Apple should have marked it as this by choosing defaults wisely and allowing an option to turn it into a security feature (by using it for two-factor authentication without a timeout).
Upvote
37
(38
/
-1)
In all honesty, the notion that this was going to be particularly secure never should have been forwarded - it's a secondary convenience feature that keeps the honest people out of your phone (much like the function the door locks on most private dwelling do for its security). One can hope that Apple put enough thought into the design that the fingerprints left on the button time after time don't trigger it...
Purpose-built biometric scanners costing more than the (unsubsidised) price of this phone can be defeated with access to prints, irises, blood vessel patterns on the back of your hand, etc. Even those that purport to detect live fingers, hands, whatnot have been defeated. There's no magic bullet factor of security - biometrics would ideally simply become part of the authentication. I've often heard it said that the ideal authentication scheme consists of something you know, something you have, and something you are - ie a password, a token, and a biometric.
Purpose-built biometric scanners costing more than the (unsubsidised) price of this phone can be defeated with access to prints, irises, blood vessel patterns on the back of your hand, etc. Even those that purport to detect live fingers, hands, whatnot have been defeated. There's no magic bullet factor of security - biometrics would ideally simply become part of the authentication. I've often heard it said that the ideal authentication scheme consists of something you know, something you have, and something you are - ie a password, a token, and a biometric.
Upvote
12
(13
/
-1)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348647#p25348647:ru0ymoab said:
I took Apple's statement to mean it unlocks easier over time since it's seen more of your finger with each use. I think the hack would get easier over time, not harder.
Upvote
9
(10
/
-1)
If I have sufficient access to take a high res picture of someone's fingerprint and duplicate it, then I have sufficient access to record that person entering their PIN with a buttoncam, camera in the frame of my eyeglasses, or even just holding up my camera and seemingly recording a video of a party while I'm actually capturing someone unlocking their phone.
Touch ID is no less secure than a 4 digit PIN code and this "hack" is the very definition of social engineering.
Touch ID is no less secure than a 4 digit PIN code and this "hack" is the very definition of social engineering.
Upvote
2
(13
/
-11)
I think it would have been more interesting if it was actually bypassed and not just fooled with a cloned finger print.
Still, this is something. But you'd need to get your hands on a 3D printer and something to image the fingerprint at high res.
I certainly wouldn't call this a "hack" though. You're still using the fingerprint.
Still, this is something. But you'd need to get your hands on a 3D printer and something to image the fingerprint at high res.
I certainly wouldn't call this a "hack" though. You're still using the fingerprint.
Upvote
7
(9
/
-2)
I bet this will be available on Cydia shortly after the jailbreak for the 5s is discovered. Hopefully Apple can be brought around to adding it to the phone as well, it seems like it should be pretty easy to implement.
Upvote
5
(5
/
0)
I amazes me that a half baked, incomplete video is taken at face value and everything that Apple and Authentec has published is trashed as a lie.
Granted, someone will likely find a workable hack around the fingerprint reader in the iPhone 5S, but I simply don't believe that what these guys in Germany did (just a more complicated form of fingerprint lifting) is all it takes to circumvent the sub epidemal, 3D capacitive topology mapping technology of the Authentec sensor.
This type of hack would surely have been among the FIRST things that Apple would have attempted as part of their technical due diligence prior to purchasing Authentec.
Until a COMPLETE video, with absolute timeline integrity, starting with an iPhone devoid of ALL fingerprint training, that documents the ENTIRE process AND the process is replicated by numerous others using the same process, this is nothing more than an attempt to claim a prize, NOT defeat Touch ID.
Apple is NOT infallible, but they are far from stupid and they have hundreds of millions invested in this technology as well as their reputation on the line, so I call BS on this purported hack until it is absolutely proven.
David T.
Granted, someone will likely find a workable hack around the fingerprint reader in the iPhone 5S, but I simply don't believe that what these guys in Germany did (just a more complicated form of fingerprint lifting) is all it takes to circumvent the sub epidemal, 3D capacitive topology mapping technology of the Authentec sensor.
This type of hack would surely have been among the FIRST things that Apple would have attempted as part of their technical due diligence prior to purchasing Authentec.
Until a COMPLETE video, with absolute timeline integrity, starting with an iPhone devoid of ALL fingerprint training, that documents the ENTIRE process AND the process is replicated by numerous others using the same process, this is nothing more than an attempt to claim a prize, NOT defeat Touch ID.
Apple is NOT infallible, but they are far from stupid and they have hundreds of millions invested in this technology as well as their reputation on the line, so I call BS on this purported hack until it is absolutely proven.
David T.
Upvote
1
(29
/
-28)
I think I can safely predict a new Apple product on the horizon: the iThumb prophylactic. You use it when you don't want to leave your thumbprint around. You use the handy patented flip clip to quickly plant your print on the home button.
Upvote
-5
(3
/
-8)
Utildayael
Ars Tribunus Angusticlavius
All you have to do is wear gloves. All the time. Like ALL the time. Always. Very practical.
Upvote
0
(3
/
-3)
I'm curious as to the source for the claim that "it seems unlikely that this option will ever be available".
Yes, I can tell that this option isn't there now, but I, for one, think it'll be in an update to iOS 7 shortly: ability to require both fingerprint and password. It seems like low-hanging fruit.
Passwords and fingerprints are equivalent: if you share them with someone then they can use them. Sure, fingerprints are "easy" to share (accidentally), so it seems obvious that the system has a built-in flaw. As many have said, it's almost impossible to keep your retina or fingerprint truly "secret" (when I got my green card, they took all my fingerprints, so the government could easily use this method to access my phone (if I had a 5s)).
I don't understand the "surprise" here. Lifting fingerprints and generating a "fake" finger is not new, why is anyone surprised that it works?
Yes, I can tell that this option isn't there now, but I, for one, think it'll be in an update to iOS 7 shortly: ability to require both fingerprint and password. It seems like low-hanging fruit.
Passwords and fingerprints are equivalent: if you share them with someone then they can use them. Sure, fingerprints are "easy" to share (accidentally), so it seems obvious that the system has a built-in flaw. As many have said, it's almost impossible to keep your retina or fingerprint truly "secret" (when I got my green card, they took all my fingerprints, so the government could easily use this method to access my phone (if I had a 5s)).
I don't understand the "surprise" here. Lifting fingerprints and generating a "fake" finger is not new, why is anyone surprised that it works?
Upvote
2
(5
/
-3)
Author, the sky is not falling. The sort of hack over the weekend required physical access to the phone and the phone's fingerprint-registered owner himself. He was complicit. That's a bit much. If I lose my phone at Disneyland and return home 1,000 away, will this hack work?
Upvote
4
(10
/
-6)
Well, that last at least would put your phone at much lower risk of theft, admittedly for different reasons.[url=http://meincmagazine.com/civis/viewtopic.php?p=25348573#p25348573:259ugadm said:
Upvote
7
(7
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348685#p25348685:2n5hvst4 said:
+1000
Upvote
6
(8
/
-2)
I think for the average Joe TouchID is good enough. My brother has a passcode on his phone, because he doesn't trust that the people he hangs out with aren't going to grab his phone and post fake messages to Facebook, etc. Nobody is going to go through the trouble lifting prints and generating a fake finger so they can get onto a friend's phone to snoop around or pull pranks.
The only people who might have a reason to be worried would be the sort of people in occupations where they have lots of confidential information and contacts stored on the phone, which I suspect is actually the minority of iPhone 5s owners.
The only people who might have a reason to be worried would be the sort of people in occupations where they have lots of confidential information and contacts stored on the phone, which I suspect is actually the minority of iPhone 5s owners.
Upvote
17
(18
/
-1)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348609#p25348609:1y2nb3wh said:
Apple fudged the marketing and implementation of the fingerprint reader. I think it's fair to complain at this point, especially with solid evidence in hand of what everyone who knew anything about fingerprint scanning tech already suspected: that for all they dressed it up, this was not substantially better than any of the other easily beaten consumer grade fingerprint tech.
If they hadn't sold it as some amazing and perfectly secure thing (Apple really played it up quite a bit), there would have simply been statements of "well of course it's hackable, but it's better than swipe to unlock at least, and the newer tech at least makes it more difficult to hack than just using a piece of tape" and it would have been left at that.
Apple shot their own foot on this one, honestly. They were practically ASKING for someone to demonstrate a hack and in turn to have a big deal made of it. Especially by not having 2 factor as an always available option (or even via time-out as suggested above).
Upvote
12
(31
/
-19)
More pertinently, I think, why would someone too lazy to use a PIN bother with swiping their fingers?[url=http://meincmagazine.com/civis/viewtopic.php?p=25348583#p25348583:46fncnly said:
The bald fact of the matter is that a lot of people just don't get why we should maximize security. One of my coworkers straight up said "If someone wants in my phone, they'll just get in anyway"; I've seen that basic sentiment from pretty much every walk of life, including geeks who have a better than average understanding of the situation. It rather baffles me.
Also, it annoys me; I know at least one person has had their device stolen, and I ended up on mailing lists and shit because I was on the contact list. Now it's stopped being their problem, and become mine.
Upvote
-1
(3
/
-4)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348663#p25348663:gj0ismaj said:
I had the same thought. (patent pending)
Upvote
-2
(1
/
-3)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348685#p25348685:3gnbltpe said:
just to point out, apple did do something about in that you don't have to use the feature at all.
if a person was in a high risk information situation, i'd recommend not to i suppose.
for a joe blow like me, i look forward to the feature.
would like to see how a fingerprint is gained though and what is needed.
Upvote
5
(6
/
-1)
The author does not give Apple sufficient credit when implying they would not be interested in making two-factor authentication an option. They did with iCloud. IF this proves to be a problem with people getting hacked, you can bet they will implement it. It would be a minor tweak to the Touch ID API.
Lots of people have pointed out the critically flawed video to begin with. The media for the fingerprint is transparent. How do we know it wasn't actually reading through the media and getting an actual fingerprint of the hacker? I think more scrutiny is justified before declaring this a "decisive" defeat of Touch ID.
A lot of this hand-wringing and hysterical headline writing is a bit premature and will only become a legitimate concern if someone comes up with a way to hack a phone in less time than a person takes to figure their phone is missing and wiping it. And anyone who can wipe it using the tools in iCloud who has a tiny bit of savvy is going to have already set up the two-factor security setup for unbricking a bricked phone in this process.
Lots of people have pointed out the critically flawed video to begin with. The media for the fingerprint is transparent. How do we know it wasn't actually reading through the media and getting an actual fingerprint of the hacker? I think more scrutiny is justified before declaring this a "decisive" defeat of Touch ID.
A lot of this hand-wringing and hysterical headline writing is a bit premature and will only become a legitimate concern if someone comes up with a way to hack a phone in less time than a person takes to figure their phone is missing and wiping it. And anyone who can wipe it using the tools in iCloud who has a tiny bit of savvy is going to have already set up the two-factor security setup for unbricking a bricked phone in this process.
Upvote
4
(7
/
-3)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25348495#p25348495:2btpk697 said:
Its inaccurate to imply this hack method was developed in 48 hours, this approach to spoofing fingerprint readers has been around a long time. It just took 48 hours for someone to make a video of using it on an iPhone 5S.
Upvote
6
(9
/
-3)
I want to see this "hack" verified by another party. If successful then it means that capacitive sensors differ from optical sensors in that they simply require a 3D replication of the fingerprint. However, its hard to imagine that you could properly create a 3D replica of a fingerprint from a 2D smudge left on glass unless the sensor is not sensitive enough to the microscopic distance between hills and valleys on your fingerprints.
The other thing I want to know is "how long" it takes to produce the 3D replica of the fingerprint. If it takes more than 48 hours, then Touch ID's automatic deactivation will prevent access without a password after 48 hours. If Apple let me control how long that timeout was then I would feel even better. For me, I would set it closer to 12 hours.
Also, keep in mind that there is still Find My iPhone on the device. Certainly, a thief could steal the device but if they shut it down to prevent remote wiping then rebooting would cause Touch ID to require a password again. So unless you are dumb enough to enable Control Center on lock screen and give the thief access to Airplane Mode, then the thief had better bring something to shield the device from radio signals while they are working on removing your fingerprints from it.
It certainly seems like a whole lot of hoops to go through and not nearly as easy as Graham implies in this article. It also seems like a couple of steps like allowing users to configure their Touch ID timeout or even requiring a simple "second factor" like proximity and connection to another device like an iWatch would easily take Touch ID to the level it needs to be for corporate security.
The other thing I want to know is "how long" it takes to produce the 3D replica of the fingerprint. If it takes more than 48 hours, then Touch ID's automatic deactivation will prevent access without a password after 48 hours. If Apple let me control how long that timeout was then I would feel even better. For me, I would set it closer to 12 hours.
Also, keep in mind that there is still Find My iPhone on the device. Certainly, a thief could steal the device but if they shut it down to prevent remote wiping then rebooting would cause Touch ID to require a password again. So unless you are dumb enough to enable Control Center on lock screen and give the thief access to Airplane Mode, then the thief had better bring something to shield the device from radio signals while they are working on removing your fingerprints from it.
It certainly seems like a whole lot of hoops to go through and not nearly as easy as Graham implies in this article. It also seems like a couple of steps like allowing users to configure their Touch ID timeout or even requiring a simple "second factor" like proximity and connection to another device like an iWatch would easily take Touch ID to the level it needs to be for corporate security.
Upvote
10
(11
/
-1)
http://www.anandtech.com/show/7335/the- ... s-review/8
"Having a passcode is a mandatory Touch ID requirement. You can’t choose to only use Touch ID to unlock your device. In the event that your fingerprint isn’t recognized, you can always manually type in your passcode."
"If you’ve restarted your phone, you need to manually type in your passcode once before you can use Touch ID. If you haven’t unlocked your phone in 48 hours, you’ll need to supply your passcode before Touch ID is an option. Repeated failed attempts (5) to access your 5s via Touch ID will force you to enter a passcode as well."
"Having a passcode is a mandatory Touch ID requirement. You can’t choose to only use Touch ID to unlock your device. In the event that your fingerprint isn’t recognized, you can always manually type in your passcode."
"If you’ve restarted your phone, you need to manually type in your passcode once before you can use Touch ID. If you haven’t unlocked your phone in 48 hours, you’ll need to supply your passcode before Touch ID is an option. Repeated failed attempts (5) to access your 5s via Touch ID will force you to enter a passcode as well."
Upvote
14
(18
/
-4)
- Status