
CCC Says Apple iPhone 5S TouchID Broken

timothy posted 1 year,28 days | from the well-if-that's-all dept.

Security 481

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.


481 comments


Easy! (4, Funny)

amiga3D (567632) | 1 year,28 days | (#44918885)

sounds really trivial to break. I can see all kinds of kids doing this.

Re:Easy! (4, Insightful)

fuzzyfuzzyfungus (1223518) | 1 year,28 days | (#44918919)

It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

Re:Easy! (5, Funny)

noh8rz10 (2716597) | 1 year,28 days | (#44918963)

Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44918995)

Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

Mod parent up +1 FUNNY

Re:Easy! (5, Insightful)

Jeremy Erwin (2054) | 1 year,28 days | (#44919163)

The cops will have copies of all 10 fingers, and will be able to add this technique to their fourth and fifth amendment circumvention strategies.

More secure. (3, Funny)

noh8rz10 (2716597) | 1 year,28 days | (#44919001)

Maybe the best use of touch Id is as a complement to a code. Something you know, something you have, something you are. They have 2 out of 3, and with their Siri they could add voice too. "My voice is my passport. Verify"

social engineering time (5, Funny)

Jeremy Erwin (2054) | 1 year,28 days | (#44919067)

You know what? I really love the sound of your voice. ... And there's this one word. I've always loved the sound of this word. ... I would really like to hear you say the word ..."passport".

Re:social engineering time (1)

iluvcapra (782887) | 1 year,28 days | (#44919197)

"Shall I phone you or nudge you?"

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919005)

Knives cut most fingers easily, except possibly the thumb.

Re:Easy! (1)

Anonymous Coward | 1 year,28 days | (#44919061)

As a male, I'd better not use what I was thinking of using, then.

Re:Easy! (1)

Sique (173459) | 1 year,28 days | (#44919007)

So we have (as we can use 10 fingers) the gigantic key length of slightly more than 3 bits.

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919015)

Unless they, say, saw the target unlock their phone, ever.

Re:Easy! (4, Insightful)

ShanghaiBill (739463) | 1 year,28 days | (#44919027)

Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

Actually, many people have up to ten fingers. Personally, I use my big toe.

But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

Re:Easy! (-1, Troll)

BasilBrush (643681) | 1 year,28 days | (#44919129)

It's a capacitative scanner. It's not a photo scanner. So the fact that the claimed hack revolves around a photocopy makes it distinctly dubious. And the included video certainly doesn't prove the claim.

But it's interesting that you are more willing to trust an anonymous hacker than a blue chip company.

Me, I'll await confirmation one way or the other.

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919179)

In Washington, D.C., they have a saying: "Nobody trusts an official story and everyone believes anonymous sources."

Re:Easy! (1)

iluvcapra (782887) | 1 year,28 days | (#44919247)

"Nobody trusts an official story and everyone believes anonymous sources."

I'd interpret this as being a statement about the tendency of politicos ("everyone") to uncritically repeat salacious gossip, and to intentionally discount "official" statements, not because they're false or irrelevant, but because they're boring and lack the whiff of exclusive, "insider" provenance.

This saying is an example of artful equivocation, in the sense that it is either critical of "an official story," or critical of "everyone" for believing it, and the listener is free to accept either.

Re:Easy! (2, Insightful)

Anonymous Coward | 1 year,28 days | (#44919255)

It's a capacitative scanner. It's not a photo scanner.

From the abstract: 'latex sheet, moistened it a little'. I see no reason why that wouldn't work on this capacitative scanner.

Re:Easy! (4, Insightful)

Nerdfest (867930) | 1 year,28 days | (#44919261)

Based on their respective histories, a sensible person would probably trust CCC over Apple.

Re:Easy! (-1, Troll)

cyber-vandal (148830) | 1 year,28 days | (#44919293)

That you can even write that is hilarious. I am never willing to trust a blue chip company's marketing department. They are paid to exaggerate and tell outright lies. Hacker groups on the other hand have a reputation to keep up so are far less likely to make claims like this if they're not true. It doesn't matter if Apple are dishonest when you have retards [express.co.uk] willing to queue for 4 and a half days to get a fucking phone.

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919229)

But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

The original Slashdot discussion about this topic was FULL of posters showing off their mighty intellect, proclaiming that the sensor uses "the tissue under the fingerprint".

It wasn't long ago, maybe it's still possible commenting....

Re:Easy! (1)

Zero__Kelvin (151819) | 1 year,28 days | (#44919029)

Yes. It isn't like Microsoft developed the phone, in which case it would be a relative certainty which one [tqn.com] the owner used.

Re: Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919277)

Everyone will use their thumb

Re: Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919289)

I have 10!

Re:Easy! (1)

lgw (121541) | 1 year,28 days | (#44919049)

Just like the "unlock gesture" in the new Windows stuff, this is a replacement for a 4 digit PIN, not for a real password. This break seems harder and more time consuming than brute forcing a 4 digit PIN, so it's fine.

Anyone who actually cares will have forensic tools that will just immediately present the data anyhow - for any consumer device, physical access is access to the data, eventually.

Re:Easy! (1)

sribe (304414) | 1 year,28 days | (#44919077)

...have your fingerprint on file for however long it stays roughly the same...

Yes, but to be clear: setting up TouchID on an iPhone does not result in your fingerprint being on file, as it, like ALL fingerprint-matching software as far as I know, stores what is essentially a hash derived from landmark features of your prints, not your actual prints. So the on-file data would have to come from somewhere else in order to use this method.

So, it's not super-secure, but at least you can't unlock it by breathing on it ;-)

Re:Easy! (4, Insightful)

dinfinity (2300094) | 1 year,28 days | (#44919085)

Still beats no passcode at all against a casual attacker

Also beats pattern or password unlocks, which can be 'beaten' by just a bit of careful spying.

To me, the only things that are of real concern with this technology are false negatives and durability (I'm pretty sure putting the scanner on the home button is going to end up being a bad idea).

Re:Easy! (-1, Troll)

BasilBrush (643681) | 1 year,28 days | (#44919107)

It might, if it were true. The included video certainly doesn't prove the claim.

Re:Easy! (2)

Intrepid imaginaut (1970940) | 1 year,28 days | (#44919125)

Indeed, what happened to all the posters insisting it read the blood vessels under the skin instead?

I'll tell you what though, the security of my phone wouldn't be a concern if I was a new iphone owner, it's where my fingerprints might end up that would worry me. And to think that concern might have been tinfoil hattery only a short while ago.

Re:Easy! (-1, Troll)

BasilBrush (643681) | 1 year,28 days | (#44919223)

It's a capacitative scanner. Whether you like it or not, that's not imaging the surface layer of skin, but the complexity of what's behind it. And yes that includes blood vessels.

It's far easier to see how the video in the TFA could be faked than a capacitative image of a finger could be.

Re:Easy! (4, Interesting)

maccodemonkey (1438585) | 1 year,28 days | (#44919283)

It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

I think every Slashdotter's wet dream is that they need to keep their phones safe against a CSI style government interrogation, but this is really just for anti-theft or corporate secrets. The passcode expires in 48 hours anyway, and a business has remote wipe, so it's just a backup in another chain of security measures. And the fingerprint reader is really meant as a convenience for people who are too lazy to set a passcode at all, which is undeniably less safe.

You know what a government is going to do if they have you and your phone? Take your finger, and press it to your phone, which legally they can compel (or physically force) you to do. All this talk about "Oh, what if the government has your fingerprint on file?" Please. That's overthinking it.

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44918929)

As they say in cryptography, breaks only get better, never worse.

Re:Easy! (-1)

Anonymous Coward | 1 year,28 days | (#44918947)

Who cares if it is trivial or hard -- touchID's security is just for appearance's sake. The real purpose of TouchID is to gather fingerprints of sheeple into a big database.

Re:Easy! (5, Insightful)

Dins (2538550) | 1 year,28 days | (#44918987)

I was with you until you said "sheeple".

Re:Easy! (0)

Anonymous Coward | 1 year,28 days | (#44919095)

He's a cryptozoologist. TouchID, like Anonymous Coward #44918947, is convinced that there exist crossovers of men and sheep. In order to gather evidence, TouchID has managed to get their technology placed into one of the most widespread consumer devices. They expect sheeple to have telltale markers on the tips of their fingers. As the data comes in, they'll send out scouts to surreptitiously collect genetic samples from suspected sheeple.

Re:Easy! (1)

noh8rz10 (2716597) | 1 year,28 days | (#44919025)

Well, that means they can gather it even if you don't use it, because it's built into the home button. If you feel strongly about it, better stick to iPhone 5 and earlier!

In CA it doesn't matter because they take everybody's fingerprint when you get a driver's license. So the NSA already has it.

Only a thumb print. (0)

Anonymous Coward | 1 year,28 days | (#44919081)

And only from your right hand.

Unless they've changed something.

Sure beats Nevada. You have to give full handprints for both hands, plus Birth Certificate, plus SSN to get a license there, coming from California.

And keep in mind I looked into this back in 2005 or so, so it could be even worse today.

Guess the criminals there don't like competition eh?

Re:Easy! (1)

Desler (1608317) | 1 year,28 days | (#44919169)

They can get your fingerprint without needing to go through this route.


Re:Easy! (4, Insightful)

Jane Q. Public (1010737) | 1 year,28 days | (#44919133)

"sounds really trivial to break. I can see all kinds of kids doing this."

It's straight out of the Mythbusters fingerprint scanning episode.

They didn't find one they couldn't defeat, and many of them were ridiculously easy. They used exactly this technique.

I've been saying it for years: at our current level of technology, relying on fingerprints for security (or nearly any biometric for that matter) is asking for trouble. It's just not good enough.

Re:Easy! (-1, Troll)

BasilBrush (643681) | 1 year,28 days | (#44919303)

Yes it was an interesting episode of Mythbusters. SEVEN years ago.

Capacitative finger print scanners are a bit more of a challenge. And the included video doesn't prove it's been defeated yet. As photocopiers don't tend to deal in capacitative imaging, neither input nor output, I'm dubious.

But I await confirmation one way or the other.

Re:Easy! (3, Insightful)

Anonymous Coward | 1 year,28 days | (#44919239)

This is far short of the lengths a crazy ex girlfriend or suspicious spouse would go to.

If true (3, Funny)

djupedal (584558) | 1 year,28 days | (#44918887)

New iPhone owners should get their money back. This was supposed to be updated tech that resisted decades-old spoofing.

Re:If true (1)

Pinky's Brain (1158667) | 1 year,28 days | (#44918939)

Maybe the original AuthenTec technology was just too bulky and form won over function?

Re:If true (5, Interesting)

Lehk228 (705449) | 1 year,28 days | (#44918981)

fingerprint identification is fundamentally and irredeemably broken. no other authentication method leaves copies of itself all over the place.

everything else is an arms race between verifying it is a finger and pretending to be a finger.

Re:If true (-1, Redundant)

BasilBrush (643681) | 1 year,28 days | (#44919103)

Congratulations for using the word "if". TFA does include a video, but it doesn't prove the hack. The demonstrator shows the training of his index finger, then uses his second finger, covered with a bit of what looks like latex to unlock the phone.

Yet you can train the iPhone 5S to use multiple fingers, so we don't know that he hadn't previously trained the phone with this second finger/latex combo previously.

The 5S Touch ID sensor uses capacitative imaging, which means it's taking biometrics from below the skin's surface, so it's highly unlikely the claimed procedure would work. But the obvious hoax method I describe probably would.

So we should await confirmation one way or the other.

Re:If true (0)

Anonymous Coward | 1 year,28 days | (#44919267)

you could try it yourself rather than waiting for confirmation from some authority figure?

Re:If true (-1)

Anonymous Coward | 1 year,28 days | (#44919117)

> get their money back

That's premature considering this idiot admitted to have "never even been in the same room as an iPhone 5S." Maybe we should wait to see if his proposed attack actually works rather than going off on some half-cocked, irrational attack on Apple. Nah. You people would rather eat shit than think clearly.

Am I missing something? (1)

TheRealMindChild (743925) | 1 year,28 days | (#44918889)

Isn't this the same attack vector that can be used with any finger print scanner?

Re:Am I missing something? (4, Insightful)

fuzzyfuzzyfungus (1223518) | 1 year,28 days | (#44918933)

Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.

Hype? For a new product? No way!!! (2)

Kohath (38547) | 1 year,28 days | (#44919055)

New products are never hyped. That would be dishonest. Gadget slogans are all like:

- "We like it well enough, but you should make up your own mind."
- "We tried to improve it over last year's model. We think we succeeded -- at least partially."
- "It has some benefits for some people. It has some drawbacks for some other people. Be careful buying it to make sure it's good for you."

It's the new Internet-forum-approved marketing trend! Internet forum whining and moralizing about dubious gadget hype finally won everyone over!

Re:Hype? For a new product? No way!!! (1)

Nerdfest (867930) | 1 year,28 days | (#44919217)

Not for Apple. Your list doesn't contain any of the following: amazing, insanely, or magical.

Re:Am I missing something? (2, Interesting)

Anonymous Coward | 1 year,28 days | (#44918977)

Isn't this the same attack vector that can be used with any finger print scanner?

There are a number of things to check to make sure that the fingerprint actually belongs to a human:
- Pulse
- Temperature
- Conductivity (probably worked around by moisturizing the printed fingerprint)

But at the end of the day, fingerprints are just too easy to fake and not a good method of authentication.

Re:Am I missing something? (-1)

Anonymous Coward | 1 year,28 days | (#44919009)

Maybe. We've been hearing for days this attack would either be very hard or simply wouldn't work because "the sensor reads the sub-epidermal skin layers" and what not.

Schneier mentions in his post about TouchID how the most secure fingerprint scanner he ever saw involved an armed marine making sure you couldn't try anything funny. Considering the whole purpose of this is protecting the phone when it's not in your control, it seems to be less safe than the pattern lock.

The thing is just a gimmick, it wasn't motivated by security, only by the novelty factor.

Re: Am I missing something? (2)

EGSonikku (519478) | 1 year,28 days | (#44919209)

Pattern lock is hardly secure considering they can see the smudge on your screen. And the NSA has said they can easily get into any Android device.

TouchID is still harder to trick than that. It's meant to deter common thieves, not James Bond. If the government has your phone they can easily compel you to unlock it or use existing forensic tools combined with warrants to your cellular provider.

Re:Am I missing something? (-1)

Anonymous Coward | 1 year,28 days | (#44919011)

Any attacker would already have physical access to the device.

I still think the main purpose of the fingerprint scanner is to prevent ^H^H^H make it harder for babies and toddlers from making in-game purchases on their parent's iPhone.

Re:Am I missing something? (1)

ShanghaiBill (739463) | 1 year,28 days | (#44919063)

Isn't this the same attack vector that can be used with any finger print scanner?

No. Many modern fingerprint scanners check for a pulse, and/or detect subsurface structures that do not show up in a lifted print. Apple claimed that this scanner did both of these checks, but apparently they were lying, and it actually does neither.

Re:Am I missing something? (5, Insightful)

Desler (1608317) | 1 year,28 days | (#44919187)

Has anyone else verified that the supposed hack really does work? Isn't it a bit premature to claim Apple is lying off a single youtube video?

Re:Am I missing something? (1)

gtall (79522) | 1 year,28 days | (#44919257)

I thought I'd repeat what Desler said since there was no reason to piss on his karma:

"Has anyone else verified that the supposed hack really does work? Isn't it a bit premature to claim Apple is lying off a single youtube video?"

Did they hack any Android phones, as well? (-1)

Anonymous Coward | 1 year,28 days | (#44918891)

n/a

More time than it takes to get a (-1)

Anonymous Coward | 1 year,28 days | (#44918895)

first post!

It's all relative. (0)

Anonymous Coward | 1 year,28 days | (#44918937)

That sounds like quite a bit more trouble than guessing a 4 digit PIN.

Re:It's all relative. (1)

noh8rz10 (2716597) | 1 year,28 days | (#44918953)

Especially when 90% of pins are 0000, and 9% are 1234

Re:It's all relative. (0)

Anonymous Coward | 1 year,28 days | (#44918971)

Most people don't leave their PIN on everything they touch, such as their phone.

Re:It's all relative. (1)

Kohath (38547) | 1 year,28 days | (#44919069)

Because no one could ever guess a pin from fingerprint smears on a phone surface.

Re:It's all relative. (1)

Zero__Kelvin (151819) | 1 year,28 days | (#44919093)

How much effort do you think it takes to try to enter a PIN up to 1000 times?

Re:It's all relative. (1)

Desler (1608317) | 1 year,28 days | (#44919211)

About 2 minutes [forbes.com] with physical access.

Re:It's all relative. (1)

Zero__Kelvin (151819) | 1 year,28 days | (#44919237)

Think again, and consider learning to read maybe:

FTA:

" I’ve clarified two aspects of this story below. First, Micro Systemation’s XRY tool often requires more than two minutes to crack the iPhone’s password. The two minutes I originally cited were a reference to the time shown in the video (now removed by Micro Systemation) below. Given that, as I originally wrote, the phone in the video used the simplest possible password (0000), the process often takes far longer." - Emphasis Added

facepalm (0)

Anonymous Coward | 1 year,28 days | (#44918941)

yeah that's really practical... God save us!

Time? (0)

Anonymous Coward | 1 year,28 days | (#44918989)

The real question is can you pull this off before I remote wipe the phone.

Re:Time? (1)

EmagGeek (574360) | 1 year,28 days | (#44919039)

You can only remote-wipe the phone if the phone is on a network that allows it to phone home.

Risk to Security Algorithm (3, Interesting)

retroworks (652802) | 1 year,28 days | (#44919017)

Interesting. We do have to remind ourselves that security needs to be proportionate to risk. The first rule is value, or what the potential for loss is. I want a really really difficult password for my credit card account, I get angry when a newspaper login requests the same password algorithm (how much should I care if someone reads the news site using my login account?) The second factor is proximity. If you steal the president's laptop from off the president's desk, you should face unheard of security. If the president's digital needle lies anonymously at the bottom of a city haystack, the statistical risk shrinks. The fingerprint app, like Android's code generator, seems like an appropriate level of security for a lost or stolen cell phone.

Re:Risk to Security Algorithm (2)

je ne sais quoi (987177) | 1 year,28 days | (#44919151)

We do have to remind ourselves that security needs to be proportionate to risk.

Exactly. You can make your phone the most secure thing in the world, requiring a randomized string of alphanumerics umpteen characters long that you recite from memory, but you've also made it utterly impractical to use.

One thing I noticed about this method is that they didn't get their fingerprints from the iphone itself, on the site they got them from a glass bottle. There's a lot of residue from fingerprints on my screen and a lot of potential fingerprints, but some of them are smudged from where I moved my finger, but I'd like to see if someone can use prints from an actual phone, everything else requires that the attacker have physical access to places you've been, but by far the most likely scenario where this will be useful will be to keep people out if I leave my phone somewhere unintentionally.

Re:Risk to Security Algorithm (0)

Anonymous Coward | 1 year,28 days | (#44919183)

If you wish to protect your contacts from a police search, a biometric only solution will not do it (in U.S). Courts have held that 5th amendment protects things you know (thoughts in your head), not something like an attribute of your physical body. You can be ordered to unlock your phone with your fingerprint.

It is an entirely inappropriate level of security given the current overreach by police.

(you must also encrypt your phone's contents, for its contents to be protected under the 4th amendment against unreasonable search and seizure)

So, don't use the same finger for (3, Interesting)

The Cisco Kid (31490) | 1 year,28 days | (#44919031)

the security sender that you use for the touchscreen..

How hard is that?

In fact I'm surprised that wouldn't already be part of the advice for users of this.

Either that or require a swipe from two different fingers, in a specified order.

Re:So, don't use the same finger for (1)

Above (100351) | 1 year,28 days | (#44919111)

I bet most people unlock with a thumb, but use an index finger on the screen.

Re:So, don't use the same finger for (1)

Misagon (1135) | 1 year,28 days | (#44919189)

I bet that most people type with both thumbs in landscape mode.

Re:So, don't use the same finger for (1)

xombo (628858) | 1 year,28 days | (#44919215)

You can pick up the thumb from other sources.

I have a solution! (5, Funny)

Anonymous Coward | 1 year,28 days | (#44919035)

Instead of using a fingerprint, use a Nipple print! [kotaku.com]

So what? (0)

Anonymous Coward | 1 year,28 days | (#44919041)

This is for casual security for a device you keep in your pocket and everyone sees you use. With a 4 digit passcode that anyone can see you enter, did it really matter? The 4-digit code and your fingerprint were for when you LOST the device, keeping random strangers out of the device. This was never a good defense against a targeted or determined attacker.

That's enormously more difficult... (0)

Anonymous Coward | 1 year,28 days | (#44919073)

than unlocking my iPhone, which involves sliding the "unlock" slider from left to right.

Easier for law enforcement (1)

AaronW (33736) | 1 year,28 days | (#44919083)

I'm sure law enforcement loves this. While they may not be able to force someone to give up their password, getting a fingerprint is easy.

Re:Easier for law enforcement (1)

Joshua Shaffer (2895571) | 1 year,28 days | (#44919213)

If you think it's at all difficult to break a 4 digit pin code I hope you don't leave evidence on your phone.

But we all use 12+ character alphanumeric passwords for our phones right...?

Re:Easier for law enforcement (2)

Desler (1608317) | 1 year,28 days | (#44919227)

You realize that law enforcement can already gain access to a password locked phone already, right? Why would they bother with recreating a latex fingerprint over just using the software they already have to unlock them?

So what they proved is... (4, Funny)

NoKaOi (1415755) | 1 year,28 days | (#44919089)

...the iPhone's fingerprint scanner works well. I was expecting it to be a gimmick that would give more false negatives or false positives than real results. That these guys had to use the same methods they would use for a high-quality expensive fingerprint scanner, and that those methods actually worked, tells me the iPhone's fingerprint scanner has potential.

Different fingers (0)

Anonymous Coward | 1 year,28 days | (#44919097)

I notice that he uses a different finger to unlock the iPhone with the "fake" fingerprint.

How do we know that he didn't already program in that second finger, and the strip is really doing nothing?

He should have demonstrated that the second finger wasn't already programmed in to the phone, or used something other than a finger, or other object which could be used to program in a "fingerprint".

Re:Different fingers (2)

93 Escort Wagon (326346) | 1 year,28 days | (#44919115)

I wondered that as well. It would have been more conclusive if he'd had a second person come in and use the fake to unlock the phone.

Re:Different fingers (1)

Anonymous Coward | 1 year,28 days | (#44919135)

Even that wouldn't have proven anything, since you can program in as many fingerprints as you wish into the phone. They need to demonstrate that the finger with the "fake" fingerprint (or whatever they use to hold the fake fingerprint to the sensor) won't unlock the phone on its own.

Re:Different fingers (5, Insightful)

Zero__Kelvin (151819) | 1 year,28 days | (#44919193)

No. It wouldn't matter. No matter what they did there would always be the next thing they could have just done. How do we know that the phone wasn't programmed to unlock with the second guy's fingerprint? How do we know they didn't edit the video? etc, ad infinitum. What makes it highly believable is none of that. It is the reputation of the Chaos Computer Club that makes it believable. They aren't about to sacrifice a reputation it took them more than 30 years to build, especially for essentially no gain. If it was an unknown group I'd say maybe they are looking for 15 minutes of fame. But this is the CCC [wikipedia.org] we are talking about here.

So what? (1)

lennier1 (264730) | 1 year,28 days | (#44919105)

Sounds like the standard procedure to fake consumer-grade readers.

Not exactly new (4, Insightful)

TejWC (758299) | 1 year,28 days | (#44919121)

I remember Mythbusters doing something similar [youtube.com] with a multi thousand dollar computer security system.

Use the other less popular limb (0)

Anonymous Coward | 1 year,28 days | (#44919131)

Fingerprints are left behind all the time so it would be trivial for someone to obtain.

For those who prefer the convenience of a fingerprint, but don't mind taking a while more to authenticate, I'm sure a Toe would be much more secure.

Toes are usually covered in socks or shoes so the possibility of getting the print is much less.

Now we just have to make it less of a taboo to take shoes and socks off in public space to check one's phone messages.

See how easy this was?

basically... (0)

Anonymous Coward | 1 year,28 days | (#44919139)

What mythbuster did.

Gee (3, Funny)

msobkow (48369) | 1 year,28 days | (#44919147)

Something you leave lying around on everything you touch is a poor key for security.

Who'd a thunk it?

Re:Gee (1)

Desler (1608317) | 1 year,28 days | (#44919241)

It's far better than the people who don't even set a 4 digit pin.

The only viable solution (0)

Anonymous Coward | 1 year,28 days | (#44919149)

I think the only solution would be to have some sort of mechanism to prick your finger and check for blood. You can calibrate when you first buy it for blood type and anything else that tends to stay consistent. Maybe in the far future the phone could actually feed off your blood to power itself.

Fingerprint scanners are rarely secure (2)

ThunderBird89 (1293256) | 1 year,28 days | (#44919155)

Surprise, surprise. Fingerprint identification is rarely secure, some implementations can even be tricked using gummy bears. Really secure ones usually have rather steep costs and bulky supporting hardware associated (usually to check for blood flow to ensure the finger is a live one). Anything in a laptop or smartphone has no chance at real security whatsoever.

But guess what? This probably wasn't an exercise in security, but ease-of-use: being able to unlock your phone with a touch is easier than slide-to-unlock or passcodes. And it was a good exercise (not to mention fun when it was discovered that the software can even interpret a cat's pawprint). It was successful. So what if it can be broken easily, almost all of fingerprinting is the same.

using common household materials (1)

xombo (628858) | 1 year,28 days | (#44919157)

Am I the only person these days without a slide printer? Jeez.

You're missing the point. (5, Insightful)

EGSonikku (519478) | 1 year,28 days | (#44919273)

Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.

It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the meantime anyway).

If it's the government you're worried about...well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.

I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.

Did ya try it?? (0)

Anonymous Coward | 1 year,28 days | (#44919281)

How do any of you know this hack actually works? Did any of you actually try it? Or is it true just because the internet says so? Because we all know everything put out on the internet must be true!!
