Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked

from the no-problem,-just-change-your...-oh-wait dept

While Apple has been touting its new TouchID fingerprint scanner as more secure, many people with experience in biometrics are quick to note that the problem with biometric security is once it's cracked, you're kind of in trouble, since you can't just change your fingerprint/retina/voice etc. And, indeed, it took almost no time at all for the biometrics hacking team of the Chaos Computer Club to crack TouchID "using everyday means." You can see a video of them getting into a new iPhone with a different finger:
It appears that they've used the same basic method as has been used to hack fingerprint scanners in the past -- get a high quality image of the user's fingerprint and then:
The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
The only "difference" here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple's scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: biometrics, chaos computer club, fingerprint, fingerprint scanner, fingerprints, hacked, ios, iphone 5
Companies: apple


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 23 Sep 2013 @ 5:19am

    Do I hear the cry of thousands of Apple fanbois and the sound of Apple executives banging their heads on their desks?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 23 Sep 2013 @ 5:36am

    Re:

    "...the sound of Apple executives banging their heads on their desks?"

    I don't hear any "THUD, BANG, CRASH", just "KA-CHING, KA-CHING, KA-CHING".

    Let's be real for a minute here. No matter how shitty an Apple product is (remember? "You're holding it wrong"), people will buy it. Because people are stupid and don't care about functionality, just bling.

    link to this | view in thread ]

  3. identicon
    relghuar, 23 Sep 2013 @ 5:45am

    Apple doesn't seem to have considered this fact

    Not really suprising :-/
    Apple doesn't care about the security of your device or your data.
    All they care about is a catchy marketing slogan and another "great and indispensable" (=absolutely useless) feature they can boast over their competition.

    link to this | view in thread ]

  4. icon
    That Anonymous Coward (profile), 23 Sep 2013 @ 5:52am

    So...
    TouchID - broken day one, patched.
    patched TouchID not secure.
    People able to make calls from a locked screen.
    Some people reporting worse battery life.

    What did work?
    Blocking 3rd party charging cables.

    Corporate priorities in action, secure our revenue stream and then maybe get around to protecting customers.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 23 Sep 2013 @ 5:53am

    So long fingers, now I have to change my fingers.

    Would Frankenwinnie be the perfect user for this type of security?

    link to this | view in thread ]

  6. identicon
    SeanSatori, 23 Sep 2013 @ 6:01am

    Everyday means?

    Sorry, but this procedure isn't exactly 'everyday means.' Sure, if you have access to someone you can somehow figure out how to get a high resolution copy of their fingerprint, then invest the time and effort to make your latex copy of their fingerprint. But come on, for the average user, worrying about an attack along this vector is ridiculous.

    Newsflash: nothing is 100% secure. That said, it's reasonably secure. Like most any other form of security, it's susceptible to social engineering.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:03am

    Re: Everyday means?

    Does cutting off your finger count as social engineering?

    link to this | view in thread ]

  8. identicon
    missingxtension, 23 Sep 2013 @ 6:07am

    Re: Everyday means?

    Yeah smart guy, how about your prints are all over your phone. Someone else pointed it out on another post.

    link to this | view in thread ]

  9. icon
    streetlight (profile), 23 Sep 2013 @ 6:08am

    And what about the Apple TV?

    A new update to Apple TV, the hockey puck TV plug in, causes it to be bricked. Folks are going to Apple stores to get hardware replacements. I guess it just works.

    link to this | view in thread ]

  10. icon
    Ninja (profile), 23 Sep 2013 @ 6:10am

    Re: Everyday means?

    Newsflash: nothing is 100% secure. That said, it's reasonably secure.

    I wouldn't classify something that uses a key that you inherently leave all over the place for copying as something secure...

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:12am

    Re:

    seriously, I don't think they care.

    Apple products have a history of insecurity, overpricing, coupled-sales, forced lock-in, and all kinds of crap that 'the invisible hand of the market' *should* have gotten rid of. And they still line up to get their new models.

    link to this | view in thread ]

  12. identicon
    Aaron Toponce, 23 Sep 2013 @ 6:14am

    Identification, not authentication

    I wish people would understand that there are two different roles at work here, and fingerprints really should only be used for one of them: identification and authentication. Your fingerprint should only be used as an identifier of who you are. IE: present a list of users, and swiping your fingerprint picks the right user from the list. Then, and only then, should you provide a token that authenticates you to the system, such as a PIN code, password, or secure key card.

    The fact that companies the world over continue to use fingerprints as a method of authentication shows a lack of understanding how easy it is hack, and the difficulty required in "changing your fingerprint".

    Remember, if someone has your phone, they have your fingerprint, but they don't necessarily have your PIN or password. Too bad Apple didn't recognize this.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:19am

    Re: Re:

    Indeed, I lost all respect for Apple when they continued to deny for weeks that there was a problem with the iPhone dropping calls if you held it the wrong (as in 'normal') way. Not that I had much respect for them to begin with, but that made me a big Apple hater.

    link to this | view in thread ]

  14. icon
    Zakida Paul (profile), 23 Sep 2013 @ 6:20am

    Passwords>>>>>>>>>>>>>>>>Fingerprints for security

    When a password is compromised, it can be changed to something that is more difficult to crack.

    When fingerprint security is compromised, you can't very well change your fingerprints.

    link to this | view in thread ]

  15. icon
    Tim Griffiths (profile), 23 Sep 2013 @ 6:30am

    Re:

    The response seems to have largely have been "it's just meant to

    link to this | view in thread ]

  16. identicon
    peter, 23 Sep 2013 @ 6:32am

    Not to rain on your parade.....

    but everyone seems to forget that the easiest method of getting your pin/swipe is to threaten you with the same knife that they used to steal your phone.

    I am a fan of the multiple layer of security. The first layer that opens up the screen and some apps making it look as if the phone has unlocked, and a second layer that allows to useful functions like making phone calls/texts.

    It a bit like having a wallet full of worthless notes and cards o give to the thief whilst you make your getaway.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:35am

    Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security

    I don't know about changing your fingerprints. It would not take much to make the copies now being made wearable, at least for an hour or so.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:40am

    Re: Not to rain on your parade.....

    The pin to decrypt my phone is different than the pin to unlock my phone. I'm assuming that anyone that steals it from me at knife point is probably going to turn it off pretty quick so it can't be tracked, effectively turning it into a brick. While this may not stop me from getting stabbed in the face, it brings me a certain joy that no one will be able to look at how many cat photos I've taken.

    The answer is a lot. A lot of cat photos.

    link to this | view in thread ]

  19. icon
    PeterScott (profile), 23 Sep 2013 @ 6:45am

    @"Yeah smart guy, how about your prints are all over your phone. "

    Borrow a friends phone and try to lift any clean print off it (let alone the exact one you need). You are watching too much CSI if you think you can pull that off.

    This "hack" starts with the owner providing them a perfect smudge free print on a clean glass.

    I know it is fashionable for some to bash Apple at every turn, but I hoped we could have a reasoned discussion about how likely it is someone could pull this off in the real world, by surreptitiously trying to pull a print from a phone or other surfaced in the home/office.

    I would say that chances are approaching zero.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:48am

    Re: Re: Everyday means?

    So use a pinky or ring finger, so your usable print is less likely to be on the device itself

    link to this | view in thread ]

  21. icon
    Ninja (profile), 23 Sep 2013 @ 6:48am

    Re: Re:

    Apple created something that often is more important to a brand than the real benefits their products may offer: brand worshiping.

    link to this | view in thread ]

  22. icon
    Ninja (profile), 23 Sep 2013 @ 6:51am

    Re:

    I thought of it but you don't need to get the print from a phone. A glass or any other surface. Or, let's say, the fingerprints you gave the Govt when making your passport. There are tons of possibilities for a determined person.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 23 Sep 2013 @ 6:59am

    Re: Re:

    The bigger question is not, "How secure is this?", it is, "Will Apple deliver on its promise that anyone who could successfully bypass the security gets money, donuts and chicks?"

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:04am

    Re:

    Watch the Mythbusters episode where they break a couple of different fingerprint systems and you will see how easy it is.

    link to this | view in thread ]

  25. identicon
    Michael, 23 Sep 2013 @ 7:12am

    Re: Not to rain on your parade.....

    Plus, if they guy that just stole your phone is carrying bolt cutters - just swipe it before you hand it to him.

    link to this | view in thread ]

  26. icon
    herbturbo (profile), 23 Sep 2013 @ 7:19am

    If you've got someone going to these lengths to get the data on your iPhone, you're probably screwed anyway.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:21am

    This is ridiculous and in a very controlled setting. And...You're ignorant if you expected a fingerprint scanner to truly stop a thief.

    I suppose you thought the club was absolute???

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:24am

    Re: Everyday means?

    Yep, exactly right. The XKCD $5 hacking scheme still way way easier than what they did here.

    In fact their "hack" requires a good deal of fabrication time. I would go out on a limb and say that to execute this hack effectively, you would need to have full physical access to the phone. And any security specialist worth their salt know that the game is over once you have full physical access anyway.

    Fingerprint scanning is security against someone swiping and immediately accessing your phone. Conflating the fingerprint scanner with actual secret or top secret level device controls is disingenuous.

    link to this | view in thread ]

  29. identicon
    avideogameplayer, 23 Sep 2013 @ 7:26am

    What's the infamous saying?

    'It's not a bug, it's a feature...'

    link to this | view in thread ]

  30. identicon
    Dave Xanatos, 23 Sep 2013 @ 7:27am

    I wouldn't classify something that uses a key that you inherently leave all over the place for copying as something secure...

    Easy fix: use your nipple.

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:32am

    Re:

    The technology to get finger prints will only get better as time goes on. They're so good at DNA that they can grab it off of the leftovers of a slice of pizza you had.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:38am

    Re: Re: Everyday means?

    The XKCD $5 hacking scheme still way way easier than what they did here.

    The problem with the $5 wrench method of accessing a device is that it alerts the user that you have gained access to the device. It is therefore no good for attackers that, for whatever reason, wish to procure more clandestine access.

    link to this | view in thread ]

  33. identicon
    Jack-Jack, 23 Sep 2013 @ 7:40am

    So...just get a HI-RES copy of someone's fingerprint?

    I think the point that's being missed is, just how easy is it for someone to get a HI-RES scan of MY fingerprint? I'm not exactly handing them out, and they aren't on the web (yet, lol).
    While the technique used here is basic, the very first step is the security of the whole process.

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:42am

    preventing the useful scenarios (family/friends needing to use your phone for whatever reason) while not preventing the illegit ones.

    Kudos, Apple, you DRM'd it.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:43am

    I'm not impressed

    link to this | view in thread ]

  36. identicon
    PRMan, 23 Sep 2013 @ 7:46am

    Re: Apple doesn't seem to have considered this fact

    So, how long did they spend to break this? I'm sure if a team spent 10 hours they could figure out how to get your unlock code as well.

    This just in. The deadbolt on your storage locker can be cut immediately with bolt cutters!

    Security isn't about absolutes, it's about what is secure enough for the price and purpose. Apple's method is fine for 99% of their users. If the CIA wants an iPhone, they'll have to write some additional code.

    (I can't believe I'm defending Apple...)

    link to this | view in thread ]

  37. icon
    Jeremy Lyman (profile), 23 Sep 2013 @ 7:52am

    Re: Re: Apple doesn't seem to have considered this fact

    I'm more concerned about the local cops than the CIA. They have significant precedent to extract physical identifiers from your person (DNA, fingerprints) but it's less clear that they can coerce you to divulge a pass-code.

    link to this | view in thread ]

  38. identicon
    Michael, 23 Sep 2013 @ 7:55am

    Re:

    I hit a guy with one of those things once - trust me, he's never going to try to steal a car again.

    link to this | view in thread ]

  39. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:56am

    It hasn't been *hacked*.

    Using a fake finger isn't hacking the fingerprint scanner - it's spoofing it.
    Hacking it would mean you've found a way to get it to respond to someone else's finger.

    link to this | view in thread ]

  40. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:57am

    Re: Re: Re:

    Apple will probably sue them claiming defamation of their products and profit losses or some such nonsense.

    link to this | view in thread ]

  41. icon
    techflaws (profile), 23 Sep 2013 @ 8:02am

    Re: Re: Apple doesn't seem to have considered this fact

    Your not very good at defending Apple since the main point still stands:

    "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token"

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 23 Sep 2013 @ 8:06am

    Re: Everyday means?

    I love the 'this will never work in the real world'. It always ends up working in the real world.

    Yes, they cracked in in a 'lab', but a lot of things happen 'in a lab' before they happen int he real world.

    link to this | view in thread ]

  43. icon
    Not an Electronic Rodent (profile), 23 Sep 2013 @ 8:10am

    Re: Everyday means?

    Newsflash: nothing is 100% secure. That said, it's reasonably secure. Like most any other form of security, it's susceptible to social engineering.
    Last time I needed to look into biometric security, about 95% of fingerprint readers available at the time could be broken with a Gummy Bear and possibly an LED light. I don't image that's changed much.

    link to this | view in thread ]

  44. identicon
    Anonymous Coward, 23 Sep 2013 @ 8:10am

    Also a video is not proof.

    A video of someone claiming to do something is not proof that they did it.

    Also, unless someone (at least one other researcher) independent from the CCC shows that they can bypass the authentication in the same manner. i.e. it is repeatable then I shall believe it.

    Otherwise it's just a video!

    link to this | view in thread ]

  45. identicon
    jackn, 23 Sep 2013 @ 8:16am

    Re: Also a video is not proof.

    This was proven to be a weakness before the phone even came out. It was shown to be weak several years ago.

    only the fanatics didn't know. the rest of the informed population knew this would be broken in a bronx minute.

    Otherwise, you're just fanboi.

    link to this | view in thread ]

  46. icon
    missingxtension (profile), 23 Sep 2013 @ 8:21am

    Re:

    This begs for a man in the middle attack.
    if you are say someone from a 3 letter agency, you can easily either intercept the scanner or just make a lock screen app that would be exact as the original. Or may e just activate the scanner when you are playing a game. Either way, its no better than face unlock. Thank goodness its gone from android. No wait I know how face unlock can be secured and revolutionary. Why not put a 41 mega pixel front facing camera. That way only people who can take a 41 mp picture of you can unlock it. It will be revolutionary and evolutionary. Most of all it will be secured.....

    link to this | view in thread ]

  47. icon
    John Fenderson (profile), 23 Sep 2013 @ 8:43am

    Re: Re: Apple doesn't seem to have considered this fact

    So, how long did they spend to break this


    Probably no time at all. This is the standard way to defeat fingerprint scanners, so it's probably the firs thing they thought of. It certainly was the first thing that I thought of.

    BTW, this method, or a variant, can be used to defeat literally any fingerprint scanner -- which is why using fingerprints as a form of security is not just stupid, but brain-dead.

    The really high end fingerprint scanners are slightly more difficult to defeat, although it's the same basic technique. The modification is that you have to put the fake fingerprint onto a gelatin sheet and wear it on your own finger.

    link to this | view in thread ]

  48. icon
    John Fenderson (profile), 23 Sep 2013 @ 8:45am

    Re: Everyday means?

    for the average user, worrying about an attack along this vector is ridiculous.


    But it's not. This is a well-known technique that's been around for years. It is in common use.

    link to this | view in thread ]

  49. identicon
    Androgynous Cowherd, 23 Sep 2013 @ 8:46am

    Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

    It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.


    Or perhaps they did. Government's been wanting to bypass that pesky 5th Amendment and get into everyone's smartphones for quite some time now. Maybe they paid Apple a bundle to make that happen.

    link to this | view in thread ]

  50. icon
    John Fenderson (profile), 23 Sep 2013 @ 8:49am

    Re:

    I would say that chances are approaching zero


    Unless users actually clean off the scanner each time they use use it to unlock the phone, then the chances of being able to pull this off on a random phone approaches 100%.

    link to this | view in thread ]

  51. icon
    John Fenderson (profile), 23 Sep 2013 @ 8:51am

    What I wonder about

    When I first heard about the phones using a fingerprint scanner, I wondered how it could be that a company filled with really smart engineers could possible bring a feature like this to market without anyone stopping and saying "hey guys, this is stupid."

    Fingerprint scanners are not, and with today's technology cannot be, secure. Period. They're far too easy to fool.

    link to this | view in thread ]

  52. icon
    Berenerd (profile), 23 Sep 2013 @ 9:01am

    Law suit in 3...2....1....

    I suspect Apple already had this planned and it's lawyers were waiting in the bushes to pounce on anyone stealing their trade secrets on how not to do security on a phone.

    Seriously, when they announced it I was thinking "damn, how did they get past the known issues of fingerprint readers?" I guess that answers my question. They made it so you need to have a higher resolution (BTW most company printers that we have here for printing manuals have a higher resolution than the Iphone. I would assume most companies do hence the ease of being able to do this.

    link to this | view in thread ]

  53. icon
    raf (profile), 23 Sep 2013 @ 9:27am

    Re: Identification, not authentication

    Right...really the fingerprint is just a way of filling in the "username" field...but as implemented it's being used for both username and password which seems kind of a bad idea...

    link to this | view in thread ]

  54. icon
    akp (profile), 23 Sep 2013 @ 9:31am

    This isn't a hack...

    Nor is it a "crack." As someone else said, it's a spoof, and not a particularly easy one to pull off.

    Someone has to make a dedicated effort to get in to your phone specifically. How easy is it really to get the "high res scan" of a person's fingerprint?

    In any case, this isn't a uniquely Apple screwup. It's a failure of *any* system using this type of authentication.

    No code or hardware is being compromised. The method would work on any fingerprint-scanning system, so it seems disingenuous to bash Apple specifically about it.

    Especially when they even admit that to get into an iPhone they have to have an even higher res print than usual when spoofing these systems.

    This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.

    link to this | view in thread ]

  55. identicon
    jackn, 23 Sep 2013 @ 9:34am

    Re: This isn't a hack...

    This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.

    and, of course, appl's stupidity for including it in their product.

    all is proceeding as I have forseen...

    link to this | view in thread ]

  56. identicon
    Anonymous Coward, 23 Sep 2013 @ 9:59am

    Isn't the easiest way to bypass security is to do a hard reset? I mean I want the phone not the data.

    link to this | view in thread ]

  57. icon
    Brad C (profile), 23 Sep 2013 @ 10:22am

    Fingerprints for authentication isn't broken, this just isn't the right place to use it. Think about the scene in True Lies where they are going into the headquarters: it's the combination of biometrics and the lady with the gun that makes it work :)

    link to this | view in thread ]

  58. icon
    Jeffrey Nonken (profile), 23 Sep 2013 @ 10:50am

    I think the fingerprint thing is more of a gimmick than real security. Especially since the phone is specifically designed to encourage you to leave your fingerprint on the glass.

    That said, as long as you don't have somebody following you around collecting fingerprints and waiting to steal your phone, it's simple enough to defeat. Just use, say, your off-hand pinky for the scan, and put a matte case on the phone.

    link to this | view in thread ]

  59. identicon
    Anonymous Coward, 23 Sep 2013 @ 10:52am

    unreal criticism

    Nothing but sour grapes. This is fantastic technology. I find it fascinating that so many people here are criticizing Apple for developing *only* a damn good alternative to freaking annoying passwords -- such a good and seamless alternative that literally tens or hundreds of millions of phones will be more secure in the future compared to today (unsecured, no password) as this technology gets traction. Is it unhackable? Obviously not. Am I worried? Heck no - nobody is going to break their balls to work this hack on my phone, period - which means the 0.01% chance that someone would gain unauthorized access to my phone just dropped to 0.00001% and I saved a helluva lot of time and hassle in the process. Huge win for me - and Apple. If you don't get the value add you're not living in the real world.

    link to this | view in thread ]

  60. identicon
    not an idiot, 23 Sep 2013 @ 11:25am

    Re: Everyday means?

    Don't waste your time. No one here understands the concepts. The scanner is at least as secure as the 4 digit code that already existed. Guessing a 4 digit number would probably take a day or two. This would also take at least that given that you'd have to somehow find a very high quality copy of the target's finger print! Also, this would probably work for any finger print scanner out there, but we wouldn't want to bring that up on this POS site.

    link to this | view in thread ]

  61. icon
    Atkray (profile), 23 Sep 2013 @ 11:25am

    Re:

    What did work?

    Pretty gold color sold out in seconds.

    link to this | view in thread ]

  62. identicon
    Christenson, 23 Sep 2013 @ 11:27am

    I need some fake fingers!!!

    Gimme a decent fake finger, put a peace symbol and some others in the "fingerprint". I can replace that as often as I need!!!

    link to this | view in thread ]

  63. identicon
    Anonymous Coward, 23 Sep 2013 @ 11:39am

    There is a simple solution to this...

    Don't use your finger tip as the source for the print!

    You should be able to use any part of such digit as the source (and even other body parts as well), so a practical source would be your second knuckle. It's print isn't left everywhere around you and on the device itself. That, and it's also a less obvious source point upping the security level through its randomness. There are the drawbacks though, one being there may be a chance of higher false positives by using your knuckle. Also, you won't be able to unlock the phone with just one hand like someone who uses their thumb as the key.

    link to this | view in thread ]

  64. icon
    John Fenderson (profile), 23 Sep 2013 @ 12:01pm

    Re: unreal criticism

    This is fantastic technology


    It is not fantastic technology. It is misapplied technology. BTW, the criticism isn't against Apple as such. It's against fingerprint scanners. The problems with them are well-known.

    developing *only* a damn good alternative to freaking annoying passwords


    How is an authentication system that is objectively worse than passwords a "good alternative"?

    nobody is going to break their balls to work this hack on my phone, period


    True, but nobody needs to. This is simple to accomplish. That's rather the point.

    Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It's inferior to even using the (also dumb) four digit unlock code.

    Including this feature is worse than not including security at all - it gives you the illusion of being effective when, in fact, it is not. The illusion of security is worse than knowing that you're unsecured.

    link to this | view in thread ]

  65. icon
    John Fenderson (profile), 23 Sep 2013 @ 12:02pm

    Re: I need some fake fingers!!!

    This is actually a reasonable suggestion. it wouldn't help make it any more secure, but it would help the other deep flaws of the technology (being unable to change the fingerprint if it's compromised, and the problem of what happens when your fingerprint is unexpectedly changed due to injury.)

    link to this | view in thread ]

  66. icon
    John Fenderson (profile), 23 Sep 2013 @ 12:03pm

    Re: There is a simple solution to this...

    It's print isn't left everywhere around you and on the device itself


    It's left on the scanner window.

    link to this | view in thread ]

  67. icon
    Tom B. (profile), 23 Sep 2013 @ 12:29pm

    Can we agree this wasn't the TouchID 'hacked'?

    They did not hack the TouchID system itself.
    There is a difference.

    They figured out how to create a copy of the index finger and use it in a way that they could fool the sensor. In a controlled environment.

    I'd like to see them get a volunteer to use the phone, register their finger print of choice, and then after 24 hours of use give the phone to the team and see if they can go through that again.

    They could easily patch and fix this, and add a second layer of security. Pin + Finger etc.

    Not everyone cares about their data as much as some of us. On my personal phone I barely use I'd probably want to use this, however on my work phone I would stick with a password, using all the characters available.

    Annoying as hell to enter, but much less guessable.

    link to this | view in thread ]

  68. identicon
    Anonymous Coward, 23 Sep 2013 @ 12:30pm

    Re: Re: unreal criticism

    It is not fantastic technology. It is misapplied technology. BTW, the criticism isn't against Apple as such. It's against fingerprint scanners. The problems with them are well-known.

    The is perfectly applied technology, unless you honestly think that phone thieves have the knowledge and capabilities to pull off this hack. This is a simple to use and unobtrusive way to create relative security on a product you use many times a day.

    No, this won't be secure enough for super duper top secret stuff, but if you are walking around with that on your phone, you are going to have a bad time regardless of your password. What it will do, is secure your data from random prying eyes, people who find your phone when you misplace it, or common thieves (you know, the types of threats that those of us in the real world are worried about).

    Unless you clean off the scanner after every use, your fingerprint is easy to lift from it to be used to unlock the phone. So, this is only marginally better than leaving your phone unlocked. It's inferior to even using the (also dumb) four digit unlock code.

    The hack shows nothing like this happening and looking at my phone I would be shocked if you could get a decent print at all, let alone one clear enough to use for this. Even if this was possible, what kind of fantasy world do you live in where common criminals (people desperate enough to steal phones) have the capability and knowledge to do this (not to mention what would they expect to get out of it, as someone mentioned above, they are going to go through all this effort to get access to cat pics?).

    link to this | view in thread ]

  69. icon
    Not an Electronic Rodent (profile), 23 Sep 2013 @ 12:32pm

    Re: Identification, not authentication

    Remember, if someone has your phone, they have your fingerprint, but they don't necessarily have your PIN or password. Too bad Apple didn't recognize this.
    Yep, anything involving a biometric should be a minimum of 2-factor authentication.
    3 is better:
    Something you have (token of some kind)
    Something you are (biometric of some kind)
    Something you know (password of some kind)

    link to this | view in thread ]

  70. icon
    Not an Electronic Rodent (profile), 23 Sep 2013 @ 12:41pm

    Re: Re: Everyday means?

    The scanner is at least as secure as the 4 digit code that already existed.
    Perhaps yes, I honestly can't be bothered to work out the maths, but that's not the point.
    The concequences of breaking a biometric are more severe. If a passcode becomes broken you can change it. If your fingerprint becomes known, you're a bit stuck.
    I have no idea whether the iPhone can use any other type of security apart from fingerprints (Apple SOP means I guess not but I don't care to find out), but it seems daft to put front and centre a technology with obvious limitations.
    Also, this would probably work for any finger print scanner out there
    Yes indeed it would likely along with many other methods such as Gummy Bears, which kinda goes to show how flawed it is but Apple is claiming to be more secure is it not?

    link to this | view in thread ]

  71. icon
    nasch (profile), 23 Sep 2013 @ 1:06pm

    Re: Re: Everyday means?

    Guessing a 4 digit number would probably take a day or two.

    Unless the device locks (bricks, factory resets, whatever) after a certain number of failed attempts. With the fingerprint technique, it may take a few hours, but you're in on the first attempt if you do it right. There's no guarding against that.

    link to this | view in thread ]

  72. identicon
    jackn, 23 Sep 2013 @ 1:16pm

    Re:

    I guess that is the "You're holding it wrong" defense.

    link to this | view in thread ]

  73. icon
    Not an Electronic Rodent (profile), 23 Sep 2013 @ 2:47pm

    Re: Re: Passwords>>>>>>>>>>>>>>>>Fingerprints for security

    It would not take much to make the copies now being made wearable, at least for an hour or so.
    Which kinda illustrates the point - a security measure that's easy to change for illegitimate purposes but not legitimately is hardly great.

    And if you could do it legitimately and you had to carry around a box full of wearable fingerprint gloves to operate your phone, what would be the point of having a biometric in the first place?

    link to this | view in thread ]

  74. identicon
    Anonymous Coward, 23 Sep 2013 @ 3:28pm

    It doesn't matter because the majority of people will be duped into thinking it's far more secure than other methods.

    Not the case, but sadly most will never know until it's too late.

    link to this | view in thread ]

  75. identicon
    Anonymous Coward, 23 Sep 2013 @ 4:17pm

    I'm surprised the National Institute of Standards and Technology (NIST), hasn't recommended Apple's fingerprint scanner as an international security standard by now.

    Apple and the NSA could be the sole authors of the security standard. It would be just like old times!

    link to this | view in thread ]

  76. identicon
    Anonymous Coward, 23 Sep 2013 @ 4:46pm

    Best title ever. :)

    link to this | view in thread ]

  77. identicon
    Anonymous Coward, 23 Sep 2013 @ 7:55pm

    Re:

    "use your nipple"

    Hey! I leave my nipple prints everywhere .. now what am I gonna do .. *sigh*

    link to this | view in thread ]

  78. identicon
    Anonymous Coward, 23 Sep 2013 @ 8:03pm

    And next up ...

    NSA, GCHQ, NZ's SIS, the Royal Mounties, etc collect all fingerprints which were inadvertently "collected" by Apple ... pics to follow

    link to this | view in thread ]

  79. identicon
    Anonymous Coward, 24 Sep 2013 @ 5:40am

    Re: Re: Everyday means?

    This would also take at least that given that you'd have to somehow find a very high quality copy of the target's finger print!

    Given that one leaves one prints all over the phone and pretty much everything else one touches, that won't be too difficult.

    link to this | view in thread ]

  80. identicon
    Anonymous Coward, 24 Sep 2013 @ 5:48am

    Re: Re: There is a simple solution to this...

    It's left on the scanner window.

    Since the scanner is on the home button, that particular print will likely get covered by thumb or index finger prints over the course of normal use. Not sure that would get a clean print.

    link to this | view in thread ]

  81. icon
    Lachlan Hunt (profile), 24 Sep 2013 @ 7:20am

    Re: Everyday means?

    Yeah, if only a phone theif had access to something the victim may have touched. Maybe something smooth made of glass so it's really easy to lift a finger print. Oh, right. the phone itself!

    That's right, anyone who steals your phone already has a copy of your finger prints, potentially even in tact, that they can copy. That's like keeping a copy of your password stuck to the back of device.

    link to this | view in thread ]

  82. identicon
    out_of_the_blue, 24 Sep 2013 @ 6:57pm

    Exclusive: Apple admits, ‘iPhone 5s Fingerprint Database To Be Shared With NSA’

    I don't usually bother with Apple, but ALREADY this is out:

    Tim Richardson, District Manager of Apple’s North America Marketing Department:
    “Frankly, if a person is foolish enough to allow something as specific and criminally implicit as their fingerprints to be cataloged by faceless corporations and Government officials… Well, you can’t exactly blame us for capitalizing upon it, can you? Personally, I believe this effort will support a greater good. Some of the folks they’re hoping to apprehend are quite dangerous. Besides, it’s not like this is covered in the Constitution.”

    http://hackersnewsbulletin.com/2013/09/apple-admits-iphone-5s-fingerprint-database-s hared-nsa.html

    Man, that's the corporatist view short and plain! BEWARE OF CORPORATIONS!

    link to this | view in thread ]

  83. icon
    btrussell (profile), 25 Sep 2013 @ 2:04am

    Re: Re: Re: unreal criticism

    "...and looking at my phone I would be shocked if you could get a decent print at all..."

    I heard the cops say just that last night when they were investigating a house robbery. "Looking at the house, I didn't see any fingerprints."

    link to this | view in thread ]

  84. icon
    nasch (profile), 25 Sep 2013 @ 6:05am

    Re: Exclusive: Apple admits, ‘iPhone 5s Fingerprint Database To Be Shared With NSA’

    Absolutely the databases will be merged.

    I had this whole rebuttal typed up and then noticed this is ootb. Just look at http://nationalreport.net/, you'll see the whole thing is a joke.

    link to this | view in thread ]

  85. icon
    Leonardo Balliache (profile), 25 Sep 2013 @ 12:19pm

    Every law has its loophole

    It's really funny! Every law has its loophole.

    link to this | view in thread ]

  86. identicon
    Chunky lafunga, 16 Oct 2013 @ 12:05am

    Re:

    that will make an awkward dinner with your inlaws if you have to make a call

    link to this | view in thread ]

  87. identicon
    Anonymous Coward, 10 Nov 2013 @ 12:42am

    Re: Nipple

    Not sure if that's usable. Noseprint, yes. (My son had to test that one!) This means even one handed people can hold their phone in their hand and authenticate.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.