German hacker Starbug tells Ars how he bypassed the fingerprint lock on new iPhones.
Read the whole story
Read the whole story
“There was no challenge at all,” it was “trivial,” Touch ID h
- Thread starter JournalBot
- Start date
I love how every time there is a new fingerprint reader out, the manufacturer claims that "This one won't be defeated by a simple printer! We now analyze below the skin and measure heartbeats and check your blood's personality before unlocking!"
Then it is defeated by the guy with the fingerprint kit and printer again. Every time.
I literally said to myself "I've heard that before" when Tim Cook talked about the fingerprint reader during the liveblog.
That said, Apple's message has shifted from "it's security" to "it convinces more people to turn on the basic security features of their phone", which I guess is true but probably could have been achieved by simply having them enabled by default and have you set a pin when you first setup your phone.
Then it is defeated by the guy with the fingerprint kit and printer again. Every time.
I literally said to myself "I've heard that before" when Tim Cook talked about the fingerprint reader during the liveblog.
That said, Apple's message has shifted from "it's security" to "it convinces more people to turn on the basic security features of their phone", which I guess is true but probably could have been achieved by simply having them enabled by default and have you set a pin when you first setup your phone.
Upvote
63
(71
/
-8)
Considering I knew somebody that could make credit cards from numbers he downloaded off the internet using a $4 toy he bought at the good will (Plus laptop), I'm not surprised by anything.
Also, the third sentence of the second interview answer in the article has the the word "Compared" written twice.
Also, the third sentence of the second interview answer in the article has the the word "Compared" written twice.
Upvote
5
(7
/
-2)
I wasn't really surprised I guess. These things are there for a convenient way to keep casual folks from poking around on your device. Same as Android's face unlock. You can use these kinds of things to keep your friend from posting dumb shit on your Facebook page when you aren't looking but they're no substitute for more robust security measures.
Upvote
18
(19
/
-1)
These are old, well-known attacks on fingerprint scanning. Similar techniques are known to exist on everything from the Thinkpad scanner to commercial lock systems. My question is, why is anyone surprised that fingerprint duplication techniques work on the new iPhone?? It's a gimmick feature built into a cellphone at the lowest possible cost. It also requires that attackers obtain your fingerprint. If they are doing that without your knowledge then you have more to worry about than your text messages...
Upvote
-3
(18
/
-21)
He's right about that.
A 4 digit pin absolutely is not good enough. It's far too easy to crack (it takes minutes), and once cracked you have access to the owner's email account which allows access to their entire digital life.
Purchases on the App Store are much less of an issue, since Apple has a good refund policy. The real danger is someone stealing your phone and then stealing your identity.
Upvote
3
(11
/
-8)
"Hacking Touch ID relies upon a combination of skills, existing academic research, and the patience of a Crime Scene Technician,"
And... wood glue, don't forget the wood glue....
And... wood glue, don't forget the wood glue....
Upvote
52
(52
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358379#p25358379:d50cwbbi said:
You had me agreeing with you until you said "it also requires the attackers obtain your fingerprint." -- Your phone has your fingerprints all over it. It only requires that the attacker has possession of your phone.
Upvote
28
(35
/
-7)
I think watching the video, rather than making this attack look "trivial", makes it clear that this is *not* something that will be casually used to defeat Touch ID. Sure, the scanning and printing of the high contrast inverted print is something that most technically proficient people would be able to do, but the other steps clearly required specialized equipment (even if the process of UV etching etc, is conceptually simple).
There is also the issue of knowing that the print you lift is one that will unlock the phone. You are potentially left scanning and laboriously creating multiple fake prints to find one that is actually registered on the phone... to break into something formerly protected by a simple 4 digit pin (few users use the alphanumeric option).
There is also the issue of knowing that the print you lift is one that will unlock the phone. You are potentially left scanning and laboriously creating multiple fake prints to find one that is actually registered on the phone... to break into something formerly protected by a simple 4 digit pin (few users use the alphanumeric option).
Upvote
34
(45
/
-11)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358379#p25358379:ur3krixv said:
Well, they would likely get the fingerprints from your phone. Why do you assume the fingerprint is more valuable than the phone?
Upvote
12
(12
/
0)
If 50% of iPhone users don't even use a passcode lock, then Touch ID is already an improvement in security. It doesn't have to be unbreakable to confer benefits.
Upvote
61
(65
/
-4)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358413#p25358413:30jn86ze said:
actually, they don't need your phone to get the fingerprint... anything you touched that has your fingerprints on it and the print can hold "fingerprint powder" would work. Get a toner cartridge from a photocopy machine, get some of the toner from it, mix in a small amount of some very finely crushed graphite (use standard lock graphite and just grind it up a little more) and you have a good fingerprint powder. Spread a little on a fingerprint on something the target touched and take a picture, feed it into some photo software and remove the background and any color except for the black "powder", adjust the color scale a little to make the black "powder" print stand out, then do the rest of what's in the video after the phone scan part. You end up with the same thing. That's how a person in a case of ours managed to bypass a biometric fingerprint scanner lock at a residence.
Upvote
5
(8
/
-3)
Upvote
25
(26
/
-1)
Apple has never claimed TouchID to be anything more than the digital equivalent of a bicycle lock.
Are you saying we're better off without it just because a guy with a bolt cutter got through it?
Are you saying we're better off without it just because a guy with a bolt cutter got through it?
Upvote
29
(49
/
-20)
My impression is that this guy took down the iPhone sensor just for giggles (and because the fanboys trotted out a rather hysterical line of nonsense about how this time fingerprint reading was totally going to be insanely secure and stuff; but that his real concern is what would happen if something as shoddy (and hard to change) as fingerprints were adopted on a wider scale and for more purposes (think back to when the Chaos Computer Club shot down a politician who was looking to push biometrics by lifting his prints and distributing thousands of copies).
Is somebody going to lift your prints just to get into your phone? Maybe if you are important, or if that divorce is getting really bitter; but those cases aren't wildly common, and it's not as though the PIN you haven't set is any stronger. Would somebody lift your prints if some actually-important function were tied to biometrics (eg. bank accounts, opening a new CC, some national ID document, etc.)? Oh hell yeah. Low risk, not difficult, and a set of prints from a 'desirable' person could easily be worth real money, to somebody who needs to biometrically prove ID and isn't so keen to be themselves at that time. Grabbing prints in the hopes of getting those of somebody useful would probably be like planting skimmers on ATMs or building botnets: worth doing opportunistically, even with mediocre success rates, because the risks are low and the rewards are sometimes high.
Is somebody going to lift your prints just to get into your phone? Maybe if you are important, or if that divorce is getting really bitter; but those cases aren't wildly common, and it's not as though the PIN you haven't set is any stronger. Would somebody lift your prints if some actually-important function were tied to biometrics (eg. bank accounts, opening a new CC, some national ID document, etc.)? Oh hell yeah. Low risk, not difficult, and a set of prints from a 'desirable' person could easily be worth real money, to somebody who needs to biometrically prove ID and isn't so keen to be themselves at that time. Grabbing prints in the hopes of getting those of somebody useful would probably be like planting skimmers on ATMs or building botnets: worth doing opportunistically, even with mediocre success rates, because the risks are low and the rewards are sometimes high.
Upvote
20
(25
/
-5)
This is much more trouble than just swiping the lock . I guess that is the idea behind the fingerprint reader. The system is secure in the sense that you still need physical access to the device, the finger data is protected against remote access.( I wonder if this makes sense at all LOL)
Upvote
2
(5
/
-3)
this is so silly. Of course a silicone based, printer copy of a fingerprint will be able to replicate the original. LETS BE HONEST here people, i'm not trying to hide my fingerprint, its simply a deterrent to the average friend or peer.
Upvote
13
(23
/
-10)
"Trivial."
Provided I know which part of which finger, have the phone, a computer, a scanner, a PCB etching kit, a decent print, a decent amount of time, and the phone's owner doesn't know.
Either I don't know what trivial means, or he doesn't.
Seems like it would be easier to just try the passcode starting with "0000." Looks like you'd have better luck, especially on his phone.
Provided I know which part of which finger, have the phone, a computer, a scanner, a PCB etching kit, a decent print, a decent amount of time, and the phone's owner doesn't know.
Either I don't know what trivial means, or he doesn't.
Seems like it would be easier to just try the passcode starting with "0000." Looks like you'd have better luck, especially on his phone.
Upvote
19
(38
/
-19)
I guess the real security on a smartphone is the ability to remotely disable/wipe your phone when you realize it's not in your possession. If someone has enough time with your device, fingerprints and 4 digit pins just don't cut it, and as the hacker admits, stronger passwords would be a pain on a frequently locked and unlocked device.
At first, I thought that a "smartwatch" was a redundant and pointless piece of hardware, but imagine pairing your smartwatch to your devices, and when they are in close proximity to the watch, security requirements can be reduced. If the watch is not actively paired (meaning you are not in proximity to the other device), you must use a higher security method (long password or 2 stage security) to access the device. This could be used on phones, tablets and PCs. It could actually help solve the security versus convenience issue.
At first, I thought that a "smartwatch" was a redundant and pointless piece of hardware, but imagine pairing your smartwatch to your devices, and when they are in close proximity to the watch, security requirements can be reduced. If the watch is not actively paired (meaning you are not in proximity to the other device), you must use a higher security method (long password or 2 stage security) to access the device. This could be used on phones, tablets and PCs. It could actually help solve the security versus convenience issue.
Upvote
27
(27
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358481#p25358481:gloib4a3 said:
They do need your phone. What good is a fingerprint, with no fingerprint reader to bypass? You're right that your fingerprint can be lifted elsewhere, but for the purposes of this discussion, they need to be in physical possession of your phone anyway.
Upvote
19
(19
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358505#p25358505:35nufwc2 said:
Can someone actually point some fanbois who actually said this? All I see are posters derisively claiming fanbois said this, as opposed to fanbois who actually said this.
Heck, even Apple hasn't been selling it as a security solution, but as being more secure than the 50% who dont have any security on their phone whatsoever.
Upvote
32
(43
/
-11)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358521#p25358521:p4dq0wjk said:bkieffer[/url]"4dq0wjk]"Trivial."
Provided I know which part of which finger, have the phone, a computer, a scanner, a PCB etching kit, a decent print, a decent amount of time, and the phone's owner doesn't know.
Either I don't know what trivial means, or he doesn't.
Perhaps trivial in this context is referring to someone that practices in the art.
For example, I think the concept of generics and lambdas to be trivial, but I'm pretty sure if I explained it to some of my non-engineering friends, they wouldn't have the foggiest clue what I'm talking about.
Upvote
19
(19
/
0)
The point is most people don't use any passcode. An imperfect fingerprint scanner is infinitely better than no protection.
Upvote
22
(25
/
-3)
Thinkpad does the "swipe" fingerprint scanner for a reason. Doesn't leave a print.
Upvote
-6
(7
/
-13)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358513#p25358513:2b8y0blt said:
The biggest point he was making is that its more for convenience not security. I think when they said security he thought BS and called them on it. Yes his technique was is a bit more complex than most might think but I'd be willing to bet the other researchers that are trying to play his technique down are just mad they didn't think of idea that simple first. Essentially he got his own fingerprint of his phone and made a rubber 3 dimensional version of it. This required no coding and a handful of things that all can probably be purchased off of amazon for $200 or less or the parts purchased and assembled (minus the apple products, and printers)
edit: grammar and add second thought
Second thought: the average person hasn't made a PCB that they flashed and etched either...i have once when making a guitar pedal PCB. The supplies was all stuff i found at radioshack for relatively cheap
Upvote
0
(8
/
-8)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358547#p25358547:299joocg said:
Well of course they need the phone to bypass it but they don't need the phone to get a usable print, that was pretty obvious and didn't think I needed to say that but if you need every little step and word; They can get a print previous to taking the phone and have it ready to go.
Upvote
-1
(3
/
-4)
The obvious solution is to use a biometric print which you don't leave all over the place, and this explains the interest in using nipples and the like.
Upvote
10
(10
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358521#p25358521:2v81ngnm said:
You don't.
Assuming access to the supplies - and it's not unreasonable stuff to have around, the required PCB etching materials can be picked up at any Radio Shack - the whole thing could be done start to finish in roughly an hour. Maybe less.
Obtaining the phone would be the most difficult part. After that, it's cake.
Upvote
-10
(17
/
-27)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358551#p25358551:2615zt9f said:
Apple's own press release called Touch ID a "secure" way to unlock the iPhone. https://www.apple.com/pr/library/2013/0 ... World.html
Upvote
32
(39
/
-7)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358599#p25358599:1flmuopt said:
I don't want to live in a future of everyone rubbing their phones to their nipples.
My gut reaction to fingerprint scanners was "noooooooooooooo!" because basically they're a terrible form of security. It seems Apple's position is "it's less terrible and more convenient than a 4 digit pin", which is fairly true. It's this reason that if I want to use an iPhone to hook into work email, I have to use a proper password and have encryption involved.
Upvote
6
(8
/
-2)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358281#p25358281:hjdaxp0n said:
I don't recall Apple making the claims you claim they made. They've said it was more secure than no pass code, indicated the low chance of false positives (unlocking with a different print) and explained how it worked (sub-epidermal scanning). I don't recall them indicating how difficult it was to defeat through creating a copy of the fingerprint, nor would I expect them to.
Even the guy that bypassed the system didn't think Apple was lying about how their sensor worked:
Considering that this is a consumer device, that would make sense.
Upvote
2
(14
/
-12)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358553#p25358553:1dlfq663 said:
It wasn't trivial because he practices the art. It was trivial because he practices the art and had total control over the process. Same reason programmers shouldn't be the last person to test code they themselves wrote.
Get back to me when he's able to take a phone hasn't been in control of, and get by using a fingerprint he hasn't himself set. Then I'll concede to the triviality of this "hack"
Upvote
4
(27
/
-23)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358619#p25358619:38usrbl5 said:
So if I leave my keys lying around and someone grabs them, runs to the Canadian Tire and gets a copy made of my house key, door locks are considered insecure?
Upvote
9
(27
/
-18)
The best use I can think of, security-wise, for this is to reduce password inputs. I think someone mentioned the idea in a previous Ars article.
You type your password in, and for the next hour (or whatever period of time) you can access it via fingerprint. Each successful login resets the counter to another hour.
Users could probably go all day and enter a password once. But it seems that given current technology it's unlikely someone could steal the phone, get to a location with the appropriate equipment, and create a good fingerprint within that window.
You type your password in, and for the next hour (or whatever period of time) you can access it via fingerprint. Each successful login resets the counter to another hour.
Users could probably go all day and enter a password once. But it seems that given current technology it's unlikely someone could steal the phone, get to a location with the appropriate equipment, and create a good fingerprint within that window.
Upvote
15
(15
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=25358631#p25358631:24ztqh56 said:
Worst case it appears he'd just need the phone long enough to do a couple high resolution scans of the front and back.
After that the phone could be returned with the owner none the wiser, and the individual dummies could be created from the scans and used at a later date.
And trying all of the dummies would still probably be much faster than trying to guess a 4 digit PIN, unless the owner were dumb enough to make them sequential (1234) or all the same number (1111).
So in practice, it means that the phone probably would only need to be out of the owner's control for a total of perhaps 5 minutes to be cracked wide open.
Upvote
-3
(10
/
-13)
I don't care what one hacker or another claims.
If Ars wants to show that defeating the Apple fingerprint sensor with a stolen iPhone 5S is feasible, then Ars should set up its own test.
- In my experience stolen iPhones are taken in public places when the owner mistakenly leaves the phone.
The thief knows nothing about the owner at first. The thief only has the phone and then leaves with just the phone very quickly.
Considering that typical theft situation, here is how a fair test of the sensor should be done imo.
1. Get an iPhone 5S that has been in regular use with the ususal abundance of fingerprint smudges.
2. The iPhone 5S should have been set up for fingerprint unlocking.
3. The Ars team must get its fingerprints from the iPhone 5S without knowing which finger was used.
4. As soon as the Ars test team gets the iPhone 5S then the clock begins.
* The Ars team will only have 48 hours to defeat the fingerprint sensor.
- Because in 48 hours the iPhone will switch to the passcode to be unlocked.
4. In the 48 hours the Ars team must defeat the sensor.
Simple. Otherwise all of these comments about the sensor being easy to fool WITH A STOLEN IPHONE 5S is hearsay.
- Why? Because in the CCC video a fingerprint copy could have been made days before the CCC video was done.
- A major part of the difficulty in fooling the iPhone 5S sensor WITH A STOLEN PHONE is that typically at first the fingerprint used to unlock it is unknown.
That was not shown in the CCC video. In the CCC video, the tester used his own fingerprint to unlock the phone.
* Again my suggestion, Ars do your own test and set up the conditions as if the phone was stolen.
If Ars wants to show that defeating the Apple fingerprint sensor with a stolen iPhone 5S is feasible, then Ars should set up its own test.
- In my experience stolen iPhones are taken in public places when the owner mistakenly leaves the phone.
The thief knows nothing about the owner at first. The thief only has the phone and then leaves with just the phone very quickly.
Considering that typical theft situation, here is how a fair test of the sensor should be done imo.
1. Get an iPhone 5S that has been in regular use with the ususal abundance of fingerprint smudges.
2. The iPhone 5S should have been set up for fingerprint unlocking.
3. The Ars team must get its fingerprints from the iPhone 5S without knowing which finger was used.
4. As soon as the Ars test team gets the iPhone 5S then the clock begins.
* The Ars team will only have 48 hours to defeat the fingerprint sensor.
- Because in 48 hours the iPhone will switch to the passcode to be unlocked.
4. In the 48 hours the Ars team must defeat the sensor.
Simple. Otherwise all of these comments about the sensor being easy to fool WITH A STOLEN IPHONE 5S is hearsay.
- Why? Because in the CCC video a fingerprint copy could have been made days before the CCC video was done.
- A major part of the difficulty in fooling the iPhone 5S sensor WITH A STOLEN PHONE is that typically at first the fingerprint used to unlock it is unknown.
That was not shown in the CCC video. In the CCC video, the tester used his own fingerprint to unlock the phone.
* Again my suggestion, Ars do your own test and set up the conditions as if the phone was stolen.
Upvote
35
(50
/
-15)
Not much of a hack. If I were to mail him my 5s, would he be able to use his technique to hack it? No.
Upvote
-5
(12
/
-17)
- Status