
CCC Says Apple iPhone 5S TouchID Broken

timothy posted about a year ago | from the well-if-that's-all dept.

Security 481

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.


Easy! (4, Funny)

amiga3D (567632) | about a year ago | (#44918885)

sounds really trivial to break. I can see all kinds of kids doing this.

Re:Easy! (4, Insightful)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44918919)

It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

Re:Easy! (5, Funny)

noh8rz10 (2716597) | about a year ago | (#44918963)

Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44918995)

Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

Mod parent up +1 FUNNY

Re:Easy! (5, Insightful)

Jeremy Erwin (2054) | about a year ago | (#44919163)

The cops will have copies of all 10 fingers, and will be able to add this technique to their fourth and fifth amendment circumvention strategies.

More secure. (3, Funny)

noh8rz10 (2716597) | about a year ago | (#44919001)

Maybe the best use of touch Id is as a complement to a code. Something you know, something you have, something you are. They have 2 out of 3, and with their Siri they could add voice too. "My voice is my passport. Verify"

social engineering time (5, Funny)

Jeremy Erwin (2054) | about a year ago | (#44919067)

You know what? I really love the sound of your voice. ... And there's this one word. I've always loved the sound of this word. ... I would really like to hear you say the word ..."passport".

Re:social engineering time (1)

iluvcapra (782887) | about a year ago | (#44919197)

"Shall I phone you or nudge you?"

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44919005)

Knives cut most fingers easily, except possibly the thumb.

Re:Easy! (1)

Anonymous Coward | about a year ago | (#44919061)

As a male, I'd better not use what I was thinking of using, then.

Re:Easy! (1)

Sique (173459) | about a year ago | (#44919007)

So we have (as we can use 10 fingers) the gigantic key length of slightly more than 3 bits.

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44919015)

Unless they, say, saw the target unlock their phone, ever.

Re:Easy! (4, Insightful)

ShanghaiBill (739463) | about a year ago | (#44919027)

Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

Actually, many people have up to ten fingers. Personally, I use my big toe.

But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

Re:Easy! (-1, Troll)

BasilBrush (643681) | about a year ago | (#44919129)

It's a capacitative scanner. It's not a photo scanner. So the fact that the claimed hack revolves around a photocopy makes it distinctly dubious. And the included video certainly doesn't prove the claim.

But it's interesting that you are more willing to trust an anonymous hacker than a blue chip company.

Me, I'll await confirmation one way or the other.

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44919179)

In Washington, D.C., they have a saying: "Nobody trusts an official story and everyone believes anonymous sources."

Re:Easy! (1)

iluvcapra (782887) | about a year ago | (#44919247)

"Nobody trusts an official story and everyone believes anonymous sources."

I'd interpret this as being a statement about the tendency of politicos ("everyone") to uncritically repeat salacious gossip, and to intentionally discount "official" statements, not because they're false or irrelevant, but because they're boring and lack the whiff of exclusive, "insider" provenance.

This saying is an example of artful equivocation, in the sense that it is either critical of "an official story," or critical of "everyone" for believing it, and the listener is free to accept either.

Re:Easy! (2, Insightful)

Anonymous Coward | about a year ago | (#44919255)

It's a capacitative scanner. It's not a photo scanner.

From the abstract: 'latex sheet, moistened it a little'. I see no reason why that wouldn't work on this capacitative scanner.

Re:Easy! (4, Insightful)

Nerdfest (867930) | about a year ago | (#44919261)

Based on their respective histories, a sensible person would probably trust CCC over Apple.

Re:Easy! (-1, Troll)

cyber-vandal (148830) | about a year ago | (#44919293)

That you can even write that is hilarious. I am never willing to trust a blue chip company's marketing department. They are paid to exaggerate and tell outright lies. Hacker groups on the other hand have a reputation to keep up so are far less likely to make claims like this if they're not true. It doesn't matter if Apple are dishonest when you have retards [express.co.uk] willing to queue for 4 and a half days to get a fucking phone.

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44919229)

But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

The original Slashdot discussion about this topic was FULL of posters showing off their mighty intellect, proclaiming that the sensor uses "the tissue under the fingerprint".

It wasn't long ago, maybe it's still possible commenting....

Re:Easy! (1)

Zero__Kelvin (151819) | about a year ago | (#44919029)

Yes. It isn't like Microsoft developed the phone, in which case it would be a relative certainty which one [tqn.com] the owner used.

Re: Easy! (0)

Anonymous Coward | about a year ago | (#44919277)

Everyone will use their thumb

Re: Easy! (0)

Anonymous Coward | about a year ago | (#44919289)

I have 10!

Re:Easy! (1)

lgw (121541) | about a year ago | (#44919049)

Just like the "unlock gesture" in the new Windows stuff, this is a replacement for a 4 digit PIN, not for a real password. This break seems harder and more time consuming than brute forcing a 4 digit PIN, so it's fine.

Anyone who actually cares will have forensic tools that will just immediately present the data anyhow - for any consumer device, physical access is access to the data, eventually.

Re:Easy! (1)

sribe (304414) | about a year ago | (#44919077)

...have your fingerprint on file for however long it stays roughly the same...

Yes, but to be clear: setting up TouchID on an iPhone does not result in your fingerprint being on file, as it, like ALL fingerprint-matching software as far as I know, stores what is essentially a hash derived from landmark features of your prints, not your actual prints. So the on-file data would have to come from somewhere else in order to use this method.

So, it's not super-secure, but at least you can't unlock it by breathing on it ;-)

Re:Easy! (4, Insightful)

dinfinity (2300094) | about a year ago | (#44919085)

Still beats no passcode at all against a casual attacker

Also beats pattern or password unlocks, which can be 'beaten' by just a bit of careful spying.

To me, the only things that are of real concern with this technology are false negatives and durability (I'm pretty sure putting the scanner on the home button is going to end up being a bad idea).

Re:Easy! (-1, Troll)

BasilBrush (643681) | about a year ago | (#44919107)

It might, if it were true. The included video certainly doesn't prove the claim.

Re:Easy! (2)

Intrepid imaginaut (1970940) | about a year ago | (#44919125)

Indeed, what happened to all the posters insisting it read the blood vessels under the skin instead?

I'll tell you what though, the security of my phone wouldn't be a concern if I was a new iphone owner, it's where my fingerprints might end up that would worry me. And to think that concern might have been tinfoil hattery only a short while ago.

Re:Easy! (-1, Troll)

BasilBrush (643681) | about a year ago | (#44919223)

It's a capacitative scanner. Whether you like it or not, that's not imaging the surface layer of skin, but the complexity of what's behind it. And yes that includes blood vessels.

It's far easier to see how the video in the TFA could be faked than a capacitative image of a finger could be.

Re:Easy! (4, Interesting)

maccodemonkey (1438585) | about a year ago | (#44919283)

It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

I think every Slashdotter's wet dream is that they need to keep their phones safe against a CSI style government interrogation, but this is really just for anti-theft or corporate secrets. The passcode expires in 48 hours anyway, and a business has remote wipe, so it's just a backup in another chain of security measures. And the fingerprint reader is really meant as a convenience for people who are too lazy to set a passcode at all, which is undeniably less safe.

You know what a government is going to do if they have you and your phone? Take your finger, and press it to your phone, which legally they can compel (or physically force) you to do. All this talk about "Oh, what if the government has your fingerprint on file?" Please. That's overthinking it.

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44918929)

As they say in cryptography, breaks only get better, never worse.

Re:Easy! (-1)

Anonymous Coward | about a year ago | (#44918947)

Who cares if it is trivial or hard -- touchID's security is just for appearance's sake. The real purpose of TouchID is to gather fingerprints of sheeple into a big database.

Re:Easy! (5, Insightful)

Dins (2538550) | about a year ago | (#44918987)

I was with you until you said "sheeple".

Re:Easy! (0)

Anonymous Coward | about a year ago | (#44919095)

He's a cryptozoologist. TouchID, like Anonymous Coward #44918947, is convinced that there exist crossovers of men and sheep. In order to gather evidence, TouchID has managed to get their technology placed into one of the most widespread consumer devices. They expect sheeple to have telltale markers on the tips of their fingers. As the data comes in, they'll send out scouts to surreptitiously collect genetic samples from suspected sheeple.

Re:Easy! (1)

noh8rz10 (2716597) | about a year ago | (#44919025)

Well, that means they can gather it even if you don't use it, because it's built into the home button. If you feel strongly about it, better stick to iPhone 5 and earlier!

In CA it doesn't matter because they take everybody's fingerprint when you get a drivers license. So the NSA already has it.

Only a thumb print. (0)

Anonymous Coward | about a year ago | (#44919081)

And only from your right hand.

Unless they've changed something.

Sure beats Nevada. You have to give full handprints for both hands, plus Birth Certificate, plus SSN to get a license there, coming from California.

And keep in mind I looked into this back in 2005 or so, so it could be even worse today.

Guess the criminals there don't like competition eh?

Re:Easy! (1)

Desler (1608317) | about a year ago | (#44919169)

They can get your fingerprint without needing to go through this route.


Re:Easy! (4, Insightful)

Jane Q. Public (1010737) | about a year ago | (#44919133)

"sounds really trivial to break. I can see all kinds of kids doing this."

It's straight out of the Mythbusters fingerprint scanning episode.

They didn't find one they couldn't defeat, and many of them were ridiculously easy. They used exactly this technique.

I've been saying it for years: at our current level of technology, relying on fingerprints for security (or nearly any biometric for that matter) is asking for trouble. It's just not good enough.

Re:Easy! (-1, Troll)

BasilBrush (643681) | about a year ago | (#44919303)

Yes it was an interesting episode of Mythbusters. SEVEN years ago.

Capacitative finger print scanners are a bit more of a challenge. And the included video doesn't prove it's been defeated yet. As photocopiers don't tend to deal in capacitative imaging, neither input nor output, I'm dubious.

But I await confirmation one way or the other.

Re:Easy! (3, Insightful)

Anonymous Coward | about a year ago | (#44919239)

This is far short of the lengths a crazy ex girlfriend or suspicious spouse would go to.

If true (3, Funny)

djupedal (584558) | about a year ago | (#44918887)

new iPhone owners should get their money back. This was supposed to be updated tech that resisted decades-old spoofing.

Re:If true (1)

Pinky's Brain (1158667) | about a year ago | (#44918939)

Maybe the original authentec technology was just too bulky and form won over function?

Re:If true (5, Interesting)

Lehk228 (705449) | about a year ago | (#44918981)

fingerprint identification is fundamentally and irredeemably broken. no other authentication method leaves copies of itself all over the place.

everything else is an arms race between verifying it is a finger and pretending to be a finger.

Re:If true (-1, Redundant)

BasilBrush (643681) | about a year ago | (#44919103)

Congratulations for using the word "if". TFA does include a video, but it doesn't prove the hack. The demonstrator shows the training of his index finger, then uses his second finger, covered with a bit of what looks like latex to unlock the phone.

Yet you can train the iPhone 5S to use multiple fingers, so we don't know that he hadn't previously trained the phone with this second finger/latex combo previously.

The 5S Touch ID sensor uses capacitative imaging, which means it's taking biometrics from below the skin's surface, so it's highly unlikely the claimed procedure would work. But the obvious hoax method I describe probably would.

So we should await confirmation one way or the other.

Re:If true (0)

Anonymous Coward | about a year ago | (#44919267)

you could try it yourself rather than waiting for confirmation from some authority figure?

Re:If true (-1)

Anonymous Coward | about a year ago | (#44919117)

> get their money back

That's premature considering this idiot admitted to have "never even been in the same room as an iPhone 5S." Maybe we should wait to see if his proposed attack actually works rather than going off on some half-cocked, irrational attack on Apple. Nah. You people would rather eat shit than think clearly.

Am I missing something? (1)

TheRealMindChild (743925) | about a year ago | (#44918889)

Isn't this the same attack vector that can be used with any finger print scanner?

Re:Am I missing something? (4, Insightful)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44918933)

Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.

Hype? For a new product? No way!!! (2)

Kohath (38547) | about a year ago | (#44919055)

New products are never hyped. That would be dishonest. Gadget slogans are all like:

- "We like it well enough, but you should make up your own mind."
- "We tried to improve it over last year's model. We think we succeeded -- at least partially."
- "It has some benefits for some people. It has some drawbacks for some other people. Be careful buying it to make sure it's good for you."

It's the new Internet-forum-approved marketing trend! Internet forum whining and moralizing about dubious gadget hype finally won everyone over!

Re:Hype? For a new product? No way!!! (1)

Nerdfest (867930) | about a year ago | (#44919217)

Not for Apple. Your list doesn't contain any of the following: amazing, insanely, or magical.

Re:Am I missing something? (2, Interesting)

Anonymous Coward | about a year ago | (#44918977)

Isn't this the same attack vector that can be used with any finger print scanner?

There are a number of things to check to make sure that the fingerprint actually belongs to a human:
- Pulse
- Temperature
- Conductivity (probably worked around by moisturizing the printed fingerprint)

But at the end of the day, fingerprints are just too easy to fake and not a good method of authentication.

Re:Am I missing something? (-1)

Anonymous Coward | about a year ago | (#44919009)

Maybe. We've been hearing for days this attack would either be very hard or simply wouldn't work because "the sensor reads the sub-epidermal skin layers" and what not.

Schneier mentions in his post about TouchID how the most secure fingerprint scanner he ever saw involved an armed marine making sure you couldn't try anything funny. Considering the whole purpose of this is protecting the phone when it's not in your control, it seems to be less safe than the pattern lock.

The thing is just a gimmick, it wasn't motivated by security, only by the novelty factor.

Re: Am I missing something? (2)

EGSonikku (519478) | about a year ago | (#44919209)

Pattern lock is hardly secure considering they can see the smudge on your screen. And the NSA has said they can easily get into any Android device.

TouchID is still harder to trick than that. It's meant to deter common thieves, not James Bond. If the government has your phone they can easily compel you to unlock it or use existing forensic tools combined with warrants to your cellular provider.

Re:Am I missing something? (-1)

Anonymous Coward | about a year ago | (#44919011)

Any attacker would already have physical access to the device.

I still think the main purpose of the fingerprint scanner is to prevent ^H^H^H make it harder for babies and toddlers from making in-game purchases on their parent's iPhone.

Re:Am I missing something? (1)

ShanghaiBill (739463) | about a year ago | (#44919063)

Isn't this the same attack vector that can be used with any finger print scanner?

No. Many modern fingerprint scanners check for a pulse, and/or detect subsurface structures that do not show up in a lifted print. Apple claimed that this scanner did both of these checks, but apparently they were lying, and it actually does neither.

Re:Am I missing something? (5, Insightful)

Desler (1608317) | about a year ago | (#44919187)

Has anyone else verified that the supposed hack really does work? Isn't it a bit premature to claim Apple is lying off a single youtube video?

Re:Am I missing something? (1)

gtall (79522) | about a year ago | (#44919257)

I thought I'd repeat what Desler said since there was no reason to piss on his karma:

"Has anyone else verified that the supposed hack really does work? Isn't it a bit premature to claim Apple is lying off a single youtube video?"

Did they hack any Android phones, as well? (-1)

Anonymous Coward | about a year ago | (#44918891)

n/a

More time than it takes to get a (-1)

Anonymous Coward | about a year ago | (#44918895)

first post!

It's all relative. (0)

Anonymous Coward | about a year ago | (#44918937)

That sounds like quite a bit more trouble than guessing a 4 digit PIN.

Re:It's all relative. (1)

noh8rz10 (2716597) | about a year ago | (#44918953)

Especially when 90% of pins are 0000, and 9% are 1234

Re:It's all relative. (0)

Anonymous Coward | about a year ago | (#44918971)

Most people don't leave their PIN on everything they touch, such as their phone.

Re:It's all relative. (1)

Kohath (38547) | about a year ago | (#44919069)

Because no one could ever guess a pin from fingerprint smears on a phone surface.

Re:It's all relative. (1)

Zero__Kelvin (151819) | about a year ago | (#44919093)

How much effort do you think it takes to try to enter a PIN up to 1000 times?

Re:It's all relative. (1)

Desler (1608317) | about a year ago | (#44919211)

About 2 minutes [forbes.com] with physical access.

Re:It's all relative. (1)

Zero__Kelvin (151819) | about a year ago | (#44919237)

Think again, and consider learning to read maybe:

FTA:

" I’ve clarified two aspects of this story below. First, Micro Systemation’s XRY tool often requires more than two minutes to crack the iPhone’s password. The two minutes I originally cited were a reference to the time shown in the video (now removed by Micro Systemation) below. Given that, as I originally wrote, the phone in the video used the simplest possible password (0000), the process often takes far longer." - Emphasis Added

facepalm (0)

Anonymous Coward | about a year ago | (#44918941)

yeah that's really practical... God save us!

Time? (0)

Anonymous Coward | about a year ago | (#44918989)

The real question is can you pull this off before I remote wipe the phone.

Re:Time? (1)

EmagGeek (574360) | about a year ago | (#44919039)

You can only remote-wipe the phone if the phone is on a network that allows it to phone home.

Risk to Security Algorithm (3, Interesting)

retroworks (652802) | about a year ago | (#44919017)

Interesting. We do have to remind ourselves that security needs to be proportionate to risk. The first rule is value, or what the potential for loss is. I want a really really difficult password for my credit card account, I get angry when a newspaper login requests the same password algorithm (how much should I care if someone reads the news site using my login account?) The second factor is proximity. If you steal the president's laptop from off the president's desk, you should face unheard of security. If the president's digital needle lies anonymously at the bottom of a city haystack, the statistical risk shrinks. The fingerprint app, like Android's code generator, seems like an appropriate level of security for a lost or stolen cell phone.

Re:Risk to Security Algorithm (2)

je ne sais quoi (987177) | about a year ago | (#44919151)

We do have to remind ourselves that security needs to be proportionate to risk.

Exactly. You can make your phone the most secure thing in the world, requiring a randomized string of alphanumerics umpteen characters long that you recite from memory, but you've also made it utterly impractical to use.

One thing I noticed about this method is that they didn't get their fingerprints from the iphone itself, on the site they got them from a glass bottle. There's a lot of residue from fingerprints on my screen and a lot of potential fingerprints, but some of them are smudged from where I moved my finger, but I'd like to see if someone can use prints from an actual phone, everything else requires that the attacker have physical access to places you've been, but by far the most likely scenario where this will be useful will be to keep people out if I leave my phone somewhere unintentionally.

Re:Risk to Security Algorithm (0)

Anonymous Coward | about a year ago | (#44919183)

If you wish to protect your contacts from a police search, a biometric only solution will not do it (in U.S). Courts have held that 5th amendment protects things you know (thoughts in your head), not something like an attribute of your physical body. You can be ordered to unlock your phone with your fingerprint.

It is an entirely inappropriate level of security given the current overreach by police.

(you must also encrypt your phone's contents, for its contents to be protected under the 4th amendment against unreasonable search and seizure)

So, don't use the same finger for (3, Interesting)

The Cisco Kid (31490) | about a year ago | (#44919031)

the security sensor that you use for the touchscreen..

How hard is that?

In fact I'm surprised that wouldn't already be part of the advice for users of this.

Either that or require a swipe from two different fingers, in a specified order.

Re:So, don't use the same finger for (1)

Above (100351) | about a year ago | (#44919111)

I bet most people unlock with a thumb, but use an index finger on the screen.

Re:So, don't use the same finger for (1)

Misagon (1135) | about a year ago | (#44919189)

I bet that most people type with both thumbs in landscape mode.

Re:So, don't use the same finger for (1)

xombo (628858) | about a year ago | (#44919215)

You can pick up the thumb from other sources.

I have a solution! (5, Funny)

Anonymous Coward | about a year ago | (#44919035)

Instead of using a fingerprint, use a Nipple print! [kotaku.com]

So what? (0)

Anonymous Coward | about a year ago | (#44919041)

This is for casual security for a device you keep in your pocket and everyone sees you use. With a 4 digit passcode that anyone can see you enter, did it really matter? The 4-digit code and your fingerprint were for when you LOST the device, keeping random strangers out of the device. This was never a good defense against a targeted or determined attacker.

That's enormously more difficult... (0)

Anonymous Coward | about a year ago | (#44919073)

than unlocking my iPhone, which involves sliding the "unlock" slider from left to right.

Easier for law enforcement (1)

AaronW (33736) | about a year ago | (#44919083)

I'm sure law enforcement loves this. While they may not be able to force someone to give up their password, getting a fingerprint is easy.

Re:Easier for law enforcement (1)

Joshua Shaffer (2895571) | about a year ago | (#44919213)

If you think it's at all difficult to break a 4 digit pin code I hope you don't leave evidence on your phone.

But we all use 12+ character alphanumeric passwords for our phones right...?

Re:Easier for law enforcement (2)

Desler (1608317) | about a year ago | (#44919227)

You realize that law enforcement can already gain access to a password locked phone already, right? Why would they bother with recreating a latex fingerprint over just using the software they already have to unlock them?

So what they proved is... (4, Funny)

NoKaOi (1415755) | about a year ago | (#44919089)

...the iPhone's fingerprint scanner works well. I was expecting it to be a gimmick that would give more false negatives or false positives than real results. That these guys had to use the same methods they would use for a high-quality expensive fingerprint scanner, and that those methods actually worked, tells me the iPhone's fingerprint scanner has potential.

Different fingers (0)

Anonymous Coward | about a year ago | (#44919097)

I notice that he uses a different finger to unlock the iPhone with the "fake" fingerprint.

How do we know that he didn't already program in that second finger, and the strip is really doing nothing?

He should have demonstrated that the second finger wasn't already programmed in to the phone, or used something other than a finger, or other object which could be used to program in a "fingerprint".

Re:Different fingers (2)

93 Escort Wagon (326346) | about a year ago | (#44919115)

I wondered that as well. It would have been more conclusive if he'd had a second person come in and use the fake to unlock the phone.

Re:Different fingers (1)

Anonymous Coward | about a year ago | (#44919135)

Even that wouldn't have proven anything, since you can program in as many fingerprints as you wish into the phone. They need to demonstrate that the finger with the "fake" fingerprint (or whatever they use to hold the fake fingerprint to the sensor) won't unlock the phone on its own.

Re:Different fingers (5, Insightful)

Zero__Kelvin (151819) | about a year ago | (#44919193)

No. It wouldn't matter. No matter what they did there would always be the next thing they could have just done. How do we know that the phone wasn't programmed to unlock with the second guy's fingerprint? How do we know they didn't edit the video? etc, ad infinitum. What makes it highly believable is none of that. It is the reputation of the Chaos Computer Club that makes it believable. They aren't about to sacrifice a reputation it took them more than 30 years to build, especially for essentially no gain. If it was an unknown group I'd say maybe they are looking for 15 minutes of fame. But this is the CCC [wikipedia.org] we are talking about here.

So what? (1)

lennier1 (264730) | about a year ago | (#44919105)

Sounds like the standard procedure to fake consumer-grade readers.

Not exactly new (4, Insightful)

TejWC (758299) | about a year ago | (#44919121)

I remember Mythbusters doing something similar [youtube.com] with a multi thousand dollar computer security system.

Use the other less popular limb (0)

Anonymous Coward | about a year ago | (#44919131)

Fingerprints are left behind all the time so it would be trivial for someone to obtain.

For those who prefer the convenience of a fingerprint, but don't mind taking a while more to authenticate, I'm sure a Toe would be much more secure.

Toes are usually covered in socks or shoes so the possibility of getting the print is much less.

Now we just have to make it less of a taboo to take shoes and socks off in public space to check one's phone messages.

See how easy this was?

basically... (0)

Anonymous Coward | about a year ago | (#44919139)

What mythbuster did.

Gee (3, Funny)

msobkow (48369) | about a year ago | (#44919147)

Something you leave lying around on everything you touch is a poor key for security.

Who'd a thunk it?

Re:Gee (1)

Desler (1608317) | about a year ago | (#44919241)

It's far better than the people who don't even set a 4 digit pin.

The only viable solution (0)

Anonymous Coward | about a year ago | (#44919149)

I think the only solution would be to have some sort of mechanism to prick your finger and check for blood. You can calibrate when you first buy it for blood type and anything else that tends to stay consistent. Maybe in the far future the phone could actually feed off your blood to power itself.

Fingerprint scanners are rarely secure (2)

ThunderBird89 (1293256) | about a year ago | (#44919155)

Surprise, surprise. Fingerprint identification is rarely secure, some implementations can even be tricked using gummy bears. Really secure ones usually have rather steep costs and bulky supporting hardware associated (usually to check for blood flow to ensure the finger is a live one). Anything in a laptop or smartphone has no chance at real security whatsoever.

But guess what? This probably wasn't an exercise in security, but ease-of-use: being able to unlock your phone with a touch is easier than slide-to-unlock or passcodes. And it was a good exercise (not to mention fun when it was discovered that the software can even interpret a cat's pawprint). It was successful. So what if it can be broken easily, almost all of fingerprinting is the same.

using common household materials (1)

xombo (628858) | about a year ago | (#44919157)

Am I the only person these days without a slide printer? Jeez.

You're missing the point. (5, Insightful)

EGSonikku (519478) | about a year ago | (#44919273)

Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.

It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the mean time anyway).

If it's the government you're worried about...well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.

I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.

Did ya try it?? (0)

Anonymous Coward | about a year ago | (#44919281)

How do any of you know this hack actually works? Did any of you actually try it? Or is it true just because the internet says so? Because we all know everything put out on the internet must be true!!
