Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked
from the no-problem,-just-change-your...-oh-wait dept
While Apple has been touting its new TouchID fingerprint scanner as more secure, many people with experience in biometrics are quick to note that the problem with biometric security is once it's cracked, you're kind of in trouble, since you can't just change your fingerprint/retina/voice etc. And, indeed, it took almost no time at all for the biometrics hacking team of the Chaos Computer Club to crack TouchID "using everyday means." You can see a video of them getting into a new iPhone with a different finger:

The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

The only "difference" here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple's scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.
iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
Filed Under: biometrics, chaos computer club, fingerprint, fingerprint scanner, fingerprints, hacked, ios, iphone 5
Companies: apple
Reader Comments
The First Word
Identification, not authentication
I wish people would understand that there are two different roles at work here, and fingerprints really should only be used for one of them: identification and authentication. Your fingerprint should only be used as an identifier of who you are. IE: present a list of users, and swiping your fingerprint picks the right user from the list. Then, and only then, should you provide a token that authenticates you to the system, such as a PIN code, password, or secure key card.
The fact that companies the world over continue to use fingerprints as a method of authentication shows a lack of understanding how easy it is to hack, and the difficulty required in "changing your fingerprint".
Remember, if someone has your phone, they have your fingerprint, but they don't necessarily have your PIN or password. Too bad Apple didn't recognize this.
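The split this comment argues for, as an added example (not code from the post, the commenter, or Apple): the fingerprint only selects the account, and a PIN with an attempt limit does the authenticating. All names, the string stand-in for a fingerprint template, and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED_PINS = 5  # assumed lockout threshold (not from the page)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored value does not reveal the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    def __init__(self, name: str, template: str, pin: str):
        self.name = name
        self.template = template  # stand-in for an enrolled fingerprint template
        self.salt = os.urandom(16)
        self.pin_hash = _pin_hash(pin, self.salt)
        self.failed_pins = 0


class Device:
    def __init__(self):
        self._accounts = []

    def enroll(self, name: str, template: str, pin: str) -> None:
        self._accounts.append(Account(name, template, pin))

    def identify(self, presented: str):
        # Biometric step: it only picks WHICH user is claimed. A copied
        # print passes this step exactly like the real finger does.
        for acct in self._accounts:
            if acct.template == presented:
                return acct
        return None

    def unlock(self, presented: str, pin=None) -> str:
        acct = self.identify(presented)
        if acct is None:
            return "unknown-user"
        if acct.failed_pins >= MAX_FAILED_PINS:
            return "locked"          # too many wrong PINs; no more guesses
        if pin is None:
            return "pin-required"    # the print alone never unlocks
        if hmac.compare_digest(_pin_hash(pin, acct.salt), acct.pin_hash):
            acct.failed_pins = 0
            return "unlocked"
        acct.failed_pins += 1
        return "denied"


def demo():
    dev = Device()
    dev.enroll("alice", "alice-thumb", "493817")  # constructed sample values
    results = [dev.unlock("alice-thumb")]                 # print only
    results.append(dev.unlock("alice-thumb", "493817"))   # print + correct PIN
    results += [dev.unlock("alice-thumb", "000000") for _ in range(MAX_FAILED_PINS)]
    results.append(dev.unlock("alice-thumb", "493817"))   # after lockout
    return results


if __name__ == "__main__":
    print(demo())
```

Unlike the fingerprint, the PIN in this model can be replaced after a compromise by enrolling a new one.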
Re:
I don't hear any "THUD, BANG, CRASH", just "KA-CHING, KA-CHING, KA-CHING".
Let's be real for a minute here. No matter how shitty an Apple product is (remember? "You're holding it wrong"), people will buy it. Because people are stupid and don't care about functionality, just bling.
[ link to this | view in chronology ]
Re:
Apple products have a history of insecurity, overpricing, coupled-sales, forced lock-in, and all kinds of crap that 'the invisible hand of the market' *should* have gotten rid of. And they still line up to get their new models.
[ link to this | view in chronology ]
Apple doesn't seem to have considered this fact
Apple doesn't care about the security of your device or your data.
All they care about is a catchy marketing slogan and another "great and indispensable" (=absolutely useless) feature they can boast over their competition.
[ link to this | view in chronology ]
Re: Apple doesn't seem to have considered this fact
This just in. The deadbolt on your storage locker can be cut immediately with bolt cutters!
Security isn't about absolutes, it's about what is secure enough for the price and purpose. Apple's method is fine for 99% of their users. If the CIA wants an iPhone, they'll have to write some additional code.
(I can't believe I'm defending Apple...)
[ link to this | view in chronology ]
Re: Re: Apple doesn't seem to have considered this fact
"It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token"
[ link to this | view in chronology ]
Re: Re: Apple doesn't seem to have considered this fact
Probably no time at all. This is the standard way to defeat fingerprint scanners, so it's probably the first thing they thought of. It certainly was the first thing that I thought of.
BTW, this method, or a variant, can be used to defeat literally any fingerprint scanner -- which is why using fingerprints as a form of security is not just stupid, but brain-dead.
The really high end fingerprint scanners are slightly more difficult to defeat, although it's the same basic technique. The modification is that you have to put the fake fingerprint onto a gelatin sheet and wear it on your own finger.
[ link to this | view in chronology ]
TouchID - broken day one, patched.
patched TouchID not secure.
People able to make calls from a locked screen.
Some people reporting worse battery life.
What did work?
Blocking 3rd party charging cables.
Corporate priorities in action, secure our revenue stream and then maybe get around to protecting customers.
[ link to this | view in chronology ]
Re:
Pretty gold color sold out in seconds.
[ link to this | view in chronology ]
Would Frankenwinnie be the perfect user for this type of security?
[ link to this | view in chronology ]
Everyday means?
Newsflash: nothing is 100% secure. That said, it's reasonably secure. Like most any other form of security, it's susceptible to social engineering.
[ link to this | view in chronology ]
Re: Everyday means?
I wouldn't classify something that uses a key that you inherently leave all over the place for copying as something secure...
[ link to this | view in chronology ]
Easy fix: use your nipple.
[ link to this | view in chronology ]
Re:
Hey! I leave my nipple prints everywhere .. now what am I gonna do .. *sigh*
[ link to this | view in chronology ]
Re: Everyday means?
In fact their "hack" requires a good deal of fabrication time. I would go out on a limb and say that to execute this hack effectively, you would need to have full physical access to the phone. And any security specialist worth their salt knows that the game is over once you have full physical access anyway.
Fingerprint scanning is security against someone swiping and immediately accessing your phone. Conflating the fingerprint scanner with actual secret or top secret level device controls is disingenuous.
[ link to this | view in chronology ]
Re: Re: Everyday means?
The problem with the $5 wrench method of accessing a device is that it alerts the user that you have gained access to the device. It is therefore no good for attackers that, for whatever reason, wish to procure more clandestine access.
[ link to this | view in chronology ]
Re: Everyday means?
Yes, they cracked it in a 'lab', but a lot of things happen 'in a lab' before they happen in the real world.
[ link to this | view in chronology ]
Re: Everyday means?
But it's not. This is a well-known technique that's been around for years. It is in common use.
[ link to this | view in chronology ]
Re: Re: Everyday means?
The consequences of breaking a biometric are more severe. If a passcode becomes broken you can change it. If your fingerprint becomes known, you're a bit stuck.
I have no idea whether the iPhone can use any other type of security apart from fingerprints (Apple SOP means I guess not but I don't care to find out), but it seems daft to put front and centre a technology with obvious limitations. Yes indeed it would likely along with many other methods such as Gummy Bears, which kinda goes to show how flawed it is but Apple is claiming to be more secure is it not?
[ link to this | view in chronology ]
Re: Re: Everyday means?
Unless the device locks (bricks, factory resets, whatever) after a certain number of failed attempts. With the fingerprint technique, it may take a few hours, but you're in on the first attempt if you do it right. There's no guarding against that.
[ link to this | view in chronology ]
Re: Re: Everyday means?
Given that one leaves one's prints all over the phone and pretty much everything else one touches, that won't be too difficult.
[ link to this | view in chronology ]
Re: Everyday means?
That's right, anyone who steals your phone already has a copy of your fingerprints, potentially even intact, that they can copy. That's like keeping a copy of your password stuck to the back of the device.
[ link to this | view in chronology ]
And what about the Apple TV?
[ link to this | view in chronology ]
Re: Identification, not authentication
3 is better:
Something you have (token of some kind)
Something you are (biometric of some kind)
Something you know (password of some kind)
[ link to this | view in chronology ]
Passwords>>>>>>>>>>>>>>>>Fingerprints for security
When fingerprint security is compromised, you can't very well change your fingerprints.
[ link to this | view in chronology ]
Re: Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security
And if you could do it legitimately and you had to carry around a box full of wearable fingerprint gloves to operate your phone, what would be the point of having a biometric in the first place?
[ link to this | view in chronology ]
Not to rain on your parade.....
I am a fan of the multiple layer of security. The first layer that opens up the screen and some apps making it look as if the phone has unlocked, and a second layer that allows useful functions like making phone calls/texts.
It's a bit like having a wallet full of worthless notes and cards to give to the thief whilst you make your getaway.
[ link to this | view in chronology ]
Re: Not to rain on your parade.....
The answer is a lot. A lot of cat photos.
[ link to this | view in chronology ]
Borrow a friend's phone and try to lift any clean print off it (let alone the exact one you need). You are watching too much CSI if you think you can pull that off.
This "hack" starts with the owner providing them a perfect smudge-free print on a clean glass.
I know it is fashionable for some to bash Apple at every turn, but I hoped we could have a reasoned discussion about how likely it is someone could pull this off in the real world, by surreptitiously trying to pull a print from a phone or other surfaces in the home/office.
I would say that chances are approaching zero.
[ link to this | view in chronology ]
Re:
If you are, say, someone from a 3 letter agency, you can easily either intercept the scanner or just make a lock screen app that would be exact as the original. Or maybe just activate the scanner when you are playing a game. Either way, it's no better than face unlock. Thank goodness it's gone from Android. No wait, I know how face unlock can be secured and revolutionary. Why not put a 41 megapixel front-facing camera. That way only people who can take a 41 MP picture of you can unlock it. It will be revolutionary and evolutionary. Most of all it will be secured.....
[ link to this | view in chronology ]
Re:
Unless users actually clean off the scanner each time they use it to unlock the phone, then the chances of being able to pull this off on a random phone approaches 100%.
[ link to this | view in chronology ]
I suppose you thought the club was absolute???
[ link to this | view in chronology ]
'It's not a bug, it's a feature...'
[ link to this | view in chronology ]
So...just get a HI-RES copy of someone's fingerprint?
While the technique used here is basic, the very first step is the security of the whole process.
[ link to this | view in chronology ]
Kudos, Apple, you DRM'd it.
[ link to this | view in chronology ]
It hasn't been *hacked*.
Hacking it would mean you've found a way to get it to respond to someone else's finger.
[ link to this | view in chronology ]
Also a video is not proof.
Also, unless someone (at least one other researcher) independent from the CCC shows that they can bypass the authentication in the same manner. i.e. it is repeatable then I shall believe it.
Otherwise it's just a video!
[ link to this | view in chronology ]
Re: Also a video is not proof.
only the fanatics didn't know. the rest of the informed population knew this would be broken in a bronx minute.
Otherwise, you're just fanboi.
[ link to this | view in chronology ]
Or perhaps they did. Government's been wanting to bypass that pesky 5th Amendment and get into everyone's smartphones for quite some time now. Maybe they paid Apple a bundle to make that happen.
[ link to this | view in chronology ]
What I wonder about
Fingerprint scanners are not, and with today's technology cannot be, secure. Period. They're far too easy to fool.
[ link to this | view in chronology ]
Law suit in 3...2....1....
Seriously, when they announced it I was thinking "damn, how did they get past the known issues of fingerprint readers?" I guess that answers my question. They made it so you need to have a higher resolution (BTW most company printers that we have here for printing manuals have a higher resolution than the iPhone. I would assume most companies do, hence the ease of being able to do this.)
[ link to this | view in chronology ]
This isn't a hack...
Someone has to make a dedicated effort to get in to your phone specifically. How easy is it really to get the "high res scan" of a person's fingerprint?
In any case, this isn't a uniquely Apple screwup. It's a failure of *any* system using this type of authentication.
No code or hardware is being compromised. The method would work on any fingerprint-scanning system, so it seems disingenuous to bash Apple specifically about it.
Especially when they even admit that to get into an iPhone they have to have an even higher res print than usual when spoofing these systems.
This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.
[ link to this | view in chronology ]
Re: This isn't a hack...
and, of course, appl's stupidity for including it in their product.
all is proceeding as I have foreseen...
[ link to this | view in chronology ]
That said, as long as you don't have somebody following you around collecting fingerprints and waiting to steal your phone, it's simple enough to defeat. Just use, say, your off-hand pinky for the scan, and put a matte case on the phone.
[ link to this | view in chronology ]
unreal criticism
[ link to this | view in chronology ]
Re: unreal criticism
It is not fantastic technology. It is misapplied technology. BTW, the criticism isn't against Apple as such. It's against fingerprint scanners. The problems with them are well-known.
How is an authentication system that is objectively worse than passwords a "good alternative"?
True, but nobody needs to. This is simple to accomplish. That's rather the point.
Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It's inferior to even using the (also dumb) four digit unlock code.
Including this feature is worse than not including security at all - it gives you the illusion of being effective when, in fact, it is not. The illusion of security is worse than knowing that you're unsecured.
[ link to this | view in chronology ]
Re: Re: unreal criticism
This is perfectly applied technology, unless you honestly think that phone thieves have the knowledge and capabilities to pull off this hack. This is a simple to use and unobtrusive way to create relative security on a product you use many times a day.
No, this won't be secure enough for super duper top secret stuff, but if you are walking around with that on your phone, you are going to have a bad time regardless of your password. What it will do, is secure your data from random prying eyes, people who find your phone when you misplace it, or common thieves (you know, the types of threats that those of us in the real world are worried about).
The hack shows nothing like this happening and looking at my phone I would be shocked if you could get a decent print at all, let alone one clear enough to use for this. Even if this was possible, what kind of fantasy world do you live in where common criminals (people desperate enough to steal phones) have the capability and knowledge to do this (not to mention what would they expect to get out of it, as someone mentioned above, they are going to go through all this effort to get access to cat pics?).
[ link to this | view in chronology ]
Re: Re: Re: unreal criticism
I heard the cops say just that last night when they were investigating a house robbery. "Looking at the house, I didn't see any fingerprints."
[ link to this | view in chronology ]
I need some fake fingers!!!
[ link to this | view in chronology ]
There is a simple solution to this...
You should be able to use any part of such digit as the source (and even other body parts as well), so a practical source would be your second knuckle. Its print isn't left everywhere around you and on the device itself. That, and it's also a less obvious source point upping the security level through its randomness. There are the drawbacks though, one being there may be a chance of higher false positives by using your knuckle. Also, you won't be able to unlock the phone with just one hand like someone who uses their thumb as the key.
[ link to this | view in chronology ]
Re: There is a simple solution to this...
It's left on the scanner window.
[ link to this | view in chronology ]
Re: Re: There is a simple solution to this...
Since the scanner is on the home button, that particular print will likely get covered by thumb or index finger prints over the course of normal use. Not sure that would get a clean print.
[ link to this | view in chronology ]
Can we agree this wasn't the TouchID 'hacked'?
There is a difference.
They figured out how to create a copy of the index finger and use it in a way that they could fool the sensor. In a controlled environment.
I'd like to see them get a volunteer to use the phone, register their finger print of choice, and then after 24 hours of use give the phone to the team and see if they can go through that again.
They could easily patch and fix this, and add a second layer of security. Pin + Finger etc.
Not everyone cares about their data as much as some of us. On my personal phone I barely use I'd probably want to use this, however on my work phone I would stick with a password, using all the characters available.
Annoying as hell to enter, but much less guessable.
[ link to this | view in chronology ]
Not the case, but sadly most will never know until it's too late.
[ link to this | view in chronology ]
Apple and the NSA could be the sole authors of the security standard. It would be just like old times!
[ link to this | view in chronology ]
And next up ...
[ link to this | view in chronology ]
Exclusive: Apple admits, ‘iPhone 5s Fingerprint Database To Be Shared With NSA’
Tim Richardson, District Manager of Apple’s North America Marketing Department:
http://hackersnewsbulletin.com/2013/09/apple-admits-iphone-5s-fingerprint-database-shared-nsa.html
Man, that's the corporatist view short and plain! BEWARE OF CORPORATIONS!
[ link to this | view in chronology ]
Re: Exclusive: Apple admits, ‘iPhone 5s Fingerprint Database To Be Shared With NSA’
I had this whole rebuttal typed up and then noticed this is ootb. Just look at http://nationalreport.net/, you'll see the whole thing is a joke.
[ link to this | view in chronology ]
Every law has its loophole
[ link to this | view in chronology ]