or Connect
AppleInsider › Forums › Mobile › iPhone › Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID
New Posts  All Forums:Forum Nav:

Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID

post #1 of 67
Thread Starter 
Even as the iPhone 5s sells out in stores, a collaboration between a micro venture capital firm and a group of security researchers is offering a mix of cash, alcohol, and other goods to the first hacker that can crack the biometric security feature built into the device's Touch ID sensor.



The website istouchithacketyet.com is aimed at getting the hacking community devoted to demonstrating a method to "reliably and repeatedly break into an iPhone 5s by lifting prints (like from a beer mug)." To that end, a number of contributors have pitched in hundreds of dollars in cash, Bitcoins, wine, patent applications, whiskey, tequila, and books as an incentive to crack Apple's security feature.

The largest donation, according to Reuters, comes from Arturas Rosenbacher, founding partner of Chicago's IO Capital. Rosenbacher has pledged $10,000 to the competition, and he says his aim is noble.

"This is to fix a problem before it becomes a problem," Rosenbacher said. "This will make things safer."

Since it was unveiled, the Touch ID biometric sensor has been the subject of much speculation and commentary. A number of public advocates and officials have expressed concern over the privacy implications inherent in using fingerprints to secure a device.

"There are reasons to think that an individual's fingerprint is not 'one of the best passwords in the world,'" Senator Al Franken (D-Minn.) wrote in a letter to Apple CEO Tim Cook. "Passwords are secret and dynamic; fingerprints are public and permanent. If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it ? as many times as you want. You can't change your fingerprints."

Apple has already detailed the technology behind its biometric sensor, noting that it does not send gathered data to Apple servers, instead keeping it in a secure enclave in Apple's A7 SoC. Apple also points out that the device is not perfect, and it may give inaccurate readings due to moisture, conductive debris, and scarring on fingers.

Touch ID is not the only target for hackers and tinkerers, though. One recent finding showed that the iOS 7 lockscreen can be bypassed relatively easily due to a new iOS 7 feature, potentially giving up access to a user's Mail, Photos, and Twitter apps. Apple has promised a fix for the vulnerability in the near future.
post #2 of 67

Well that's bound to happen.

 

I guess it's better to have a group that's not necessarily criminals working on this in the open. I hope Apple appreciates all the hard work that they're getting for free! 

 

We will see..

post #3 of 67
Anyone hack into the Fingerprint sensor?
post #4 of 67
Wow.

this is the measure of success.

I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?

Who's behing the front? Samsung? Google?

Sheesh.

Anything can be hacked. Anything.

But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.

So funny how I never see this kind of thing happen to MS, Google, etc.

Probably because then, nobody would even care. It's expected of them to fail.
post #5 of 67
Quote:
Originally Posted by 9secondko View Post

Wow.

this is the measure of success.

I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?

Who's behing the front? Samsung? Google?

Sheesh.

Anything can be hacked. Anything.

But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.

So funny how I never see this kind of thing happen to MS, Google, etc.

Probably because then, nobody would even care. It's expected of them to fail.

 

Anything can be hacked. Including fingers!

 
Sorry, couldn't resist. 
 
I think you're right, our (the public) perception of Apple is 'better' and when MS or any of the Droid stuff have mis-steps it seems to be a much less of a 'big deal.' Heck, I'd say a lot of the public expect MS to suck now... in anything else but X-Box. Why they don't do a Toyota/Scion move and leverage x-box I don't know. X-box should make their next phone. 
post #6 of 67
This seems unlikely to me based on descriptions of how the enclave works. Besides which how do you get the hacking software onto the device without physical or admin access?

Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave.

Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all.

It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.
post #7 of 67
Quote:
Originally Posted by Rich Gregory View Post

I guess it's better to have a group that's not necessarily criminals working on this in the open. I hope Apple appreciates all the hard work that they're getting for free! 

I'm guessing Apple may be behind the site, which is a smart effort if so. There's questions about how secure TouchID is and putting up a challenge is a great way to prove it.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #8 of 67
Quote:
Originally Posted by 9secondko View Post

But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

Anandtech said it was a learning sensor, that if login failed, but then succeeded right after, it would take the failure as really you, but the side of your finger or something. 

 

The solution in the case you mention might be, wait outside the bathroom, and when you see them come out, run back to their desk and scan the side of your finger. It will fail. Then they come back soon after, log in correctly to see if they got any messages while in the bathroom, and the system "learns" the side of your finger is the side of their finger, and later you log in as you please.

 

It all depends on the detail really, nothing to do but buy one and experiment.

post #9 of 67
Quote:
Originally Posted by 9secondko View Post

Wow.

this is the measure of success.

I can't even touch my iPhone 5S yet and these haters are luring hackers with rewards?

Who's behing the front? Samsung? Google?

Sheesh.

Anything can be hacked. Anything.

But can it be hacked in REALISTIC, REAL WORLD setting (ie: getting up to go to the restroom, but forgetting your phone on the desk for 5 minutes)?

And even so, the scanner is an alternative to password. And Apple has already said it is not perfect.

So funny how I never see this kind of thing happen to MS, Google, etc.

Probably because then, nobody would even care. It's expected of them to fail.

 

It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.

 
There's also another somewhat related concern here that centers around data seizure by law enforcement. If the police / government are able to extract (or force Apple to extract) your fingerprint data for your phone, that's again another significant issue for the reasons above. Equally, if they can somehow get log data from your phone that says "Fingerprint #2 unlocked this device on 04:11:23 10/10/13" then that lets them prove who unlocked the phone. 
 
It's important to know what data is stored by Touch ID, and whether any of it can be accessed by outside parties. Both so that people know what they're getting into, and so that any issues can be fixed.
 
And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.
post #10 of 67
Al Franken is just as funny as he was on SNL, only now he doesn't realize that he's being funny.

"If you don't tell anyone your password, no one will know what it is." - No one has ever had their password stolen? Might as well say that as long as you don't ever use your password it's totally secure

"If someone hacks your password, you can change it ? as many times as you want." - Wait a minute. Didn't he just tell me my password was safe as long as I didn't tell anybody? Now I'm confused. At least his solution makes sense - close the gate after the cows get out (and I can close the gate again after every time they get out). Great.

I'm glad he found work in comedy again.
Edited by diplication - 9/20/13 at 10:58am

We've always been at war with Eastasia...

Reply

We've always been at war with Eastasia...

Reply
post #11 of 67
Quote:
Originally Posted by DarkLite View Post
 

 

It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.

 
There's also another somewhat related concern here that centers around data seizure by law enforcement. If the police / government are able to extract (or force Apple to extract) your fingerprint data for your phone, that's again another significant issue for the reasons above. Equally, if they can somehow get log data from your phone that says "Fingerprint #2 unlocked this device on 04:11:23 10/10/13" then that lets them prove who unlocked the phone. 
 
It's important to know what data is stored by Touch ID, and whether any of it can be accessed by outside parties. Both so that people know what they're getting into, and so that any issues can be fixed.
 
And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.

 

PCs have had fingerprint scanners for awhile and even other cell phones. I think the NSA leaks have really brought this to the front of everyone's attention as well as Apple being one of if not the biggest consumer electronics companies.

 
I look forward to the results, it will be interesting to see what all they can do.
post #12 of 67
Quote:
Originally Posted by DarkLite View Post
 

 

It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. A fingerprint never changes: it's a far more significant compromise than an easily changed password, particularly if other devices move towards similar authentication methods in the future. Even if it takes three hours and physical access to the phone, it's still a major concern simply because of the fact that it's permanent. This is going to be something of great interest to black hats, and they're not exactly going to share any compromises with Apple. If there are any holes, they need to be found and plugged as soon as possible before they can be discovered by more malicious people and abused.

 
There's also another somewhat related concern here that centers around data seizure by law enforcement. If the police / government are able to extract (or force Apple to extract) your fingerprint data for your phone, that's again another significant issue for the reasons above. Equally, if they can somehow get log data from your phone that says "Fingerprint #2 unlocked this device on 04:11:23 10/10/13" then that lets them prove who unlocked the phone. 
 
It's important to know what data is stored by Touch ID, and whether any of it can be accessed by outside parties. Both so that people know what they're getting into, and so that any issues can be fixed.
 
And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.

 

I have seen fingerprint readers on portables, haven't I? They're like a strip and you drag your finger across them. Not the same thing as the 5s, but they're out there.

 
There seems to be a concern about fingerprints that's bigger than just 'Apple' this time around. Why this didn't happen with the laptops with the finger print strip is beyond me, perhaps the iPhone is simply more ubiquitous. 
post #13 of 67
Quote:
Originally Posted by DarkLite View Post
 

 

It's not a "front" for Samsung or anything ridiculous like that. It's extremely important to establish whether it's possible to extract fingerprint data remotely or with physical access to the phone, and the reason is simple. 

 

The second part of your question is irrelevant. Of course you can extract fingerprints with physical access to the iPhone. It's called dusting for prints. In fact you can extract fingerprints with physical access to anything you touched.

 

The government has been through this already with the PIV standard. Perhaps Al Franken should ask why the government fingerprints all of their workers and contractors and stores their fingerprint images, and in some cases retinal scans, on their RFID cards.

post #14 of 67
Quote:
Originally Posted by ascii View Post
 

Anandtech said it was a learning sensor, that if login failed, but then succeeded right after, it would take the failure as really you, but the side of your finger or something. 

 

The solution in the case you mention might be, wait outside the bathroom, and when you see them come out, run back to their desk and scan the side of your finger. It will fail. Then they come back soon after, log in correctly to see if they got any messages while in the bathroom, and the system "learns" the side of your finger is the side of their finger, and later you log in as you please.

 

It all depends on the detail really, nothing to do but buy one and experiment.

 

 
It's not about a complete failure, it's more a less "it could be the same finger, but not sure - I need another look" type of thing. And if it can verify that is from the same finger, it'll "learn" that new position just as it did when you originally scanned your finger and saved it.
 
The sensor doesn't just guess at what's going on, it still has to verify that it is the same finger based on previous scans, therefor, you can't use another finger to trick it. Something about that other finger has to match what's in the sensor's database. The system intelligently pieces together all scans into one big print. If this latest "piece" doesn't fit anywhere with what's already been pieced together, then it will fail, if it does fit, then the system will "learn" it by filling in more of the print. This is how forensics today can match a print even if it's just a partial print, but there has to be a minimum "hit" percentage before it can even be considered to be a possible match.
Disclaimer: The things I say are merely my own personal opinion and may or may not be based on facts. At certain points in any discussion, sarcasm may ensue.
Reply
Disclaimer: The things I say are merely my own personal opinion and may or may not be based on facts. At certain points in any discussion, sarcasm may ensue.
Reply
post #15 of 67

You know, if I wanted to "steal your fingerprint" (presumably so I could use it to hack into something else secured by your fingerprint) I wouldn't need to (somehow) extract the data from the chip I would... lift it off the device that has your fingerprint all over it.  Or from your mouse or keyboard or door handle etc. etc.

post #16 of 67
Do not do it for money.
post #17 of 67

In all probability the folks at NSA could "hack" the sensor in no time at all.  They may not want to inform whomever that they did it, no matter how much cash, wine, or Bitcoins are offered.

post #18 of 67

I think the key would be to make the sensor read a fingerprint even though there isn't a human finger there.

 

So, basically you need a material that is moldable into a fingerprint like plastic and yet mildly conductive and fools the sensor into thinking it is a human finger. This depends on how exactly the RF in the sensor detects that it is the sub-epidermal, and then finding a way to fool it.

 

It is probably possible if enough effort is put in. Will be interesting to see how long it takes.

 

BTW, hackers will probably just stick to breaking your password which is easier than trying to fake the fingerprint. So, then will just give 5 false fingerprint readings, and then work on the lock screen that comes up after that.

post #19 of 67

Assuming someone can break the code, what can they do with it? get into your iTunes account or your iPhone?  Unless there is a wide adoption of this fingerprint tech by apps, there are not much use for it.

post #20 of 67
Quote:
Originally Posted by mjtomlin View Post
 

 

 
It's not about a complete failure, it's more a less "it could be the same finger, but not sure - I need another look" type of thing. And if it can verify that is from the same finger, it'll "learn" that new position just as it did when you originally scanned your finger and saved it.
 
The sensor doesn't just guess at what's going on, it still has to verify that it is the same finger based on previous scans, therefor, you can't use another finger to trick it. Something about that other finger has to match what's in the sensor's database. The system intelligently pieces together all scans into one big print. If this latest "piece" doesn't fit anywhere with what's already been pieced together, then it will fail, if it does fit, then the system will "learn" it by filling in more of the print. This is how forensics today can match a print even if it's just a partial print, but there has to be a minimum "hit" percentage before it can even be considered to be a possible match.

 

That may be so, I got the impression from the Anandtech article that temporal proximity made it more forgiving than usual,

"I deliberately picked a weird angle and part of [my emphasis] my thumb to unlock the 5s, which was immediately rejected. I then followed it up with a known good placement and was successful. I then repeated the weird attempt from before and had it immediately succeed."
 
But as I said there's nothing to do but experiment, and try and try until you find a way that works.
post #21 of 67
Quote:
Originally Posted by ascii View Post

That may be so, I got the impression from the Anandtech article that temporal proximity made it more forgiving than usual,
"I deliberately picked a weird angle and part of [my emphasis] my thumb to unlock the 5s, which was immediately rejected. I then followed it up with a known good placement and was successful. I then repeated the weird attempt from before and had it immediately succeed."
http://www.anandtech.com/show/7335/the-iphone-5s-review/8
 
But as I said there's nothing to do but experiment, and try and try until you find a way that works.

The piece of article you quoted does not imply temporal proximity. For all we know the process could have been exactly as mjtomlin described.

Now if they were able to teach the sensor to recognize a different finger altogether (not just the same one at a different angle) then that would imply temporal proximity.
post #22 of 67
Quote:
Originally Posted by 9secondko View Post

So funny how I never see this kind of thing happen to MS, Google, etc.

Probably because then, nobody would even care. It's expected of them to fail.

Of course it happens with MS and Google. You just haven't been paying attention. Google actually held their own contest.

http://www.forbes.com/sites/andygreenberg/2013/01/28/google-offers-3-14159-million-in-total-rewards-for-chrome-os-hacking-contest/
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #23 of 67

According to http://support.apple.com/kb/HT5949

Quote:
Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode. Although some passcodes, like "1234", may be more easily guessed, there is no such thing as an easily guessable fingerprint pattern. Instead, the 1 in 50,000 probability means it requires trying up to 50,000 different fingerprints until potentially finding a random match. But Touch ID only allows five unsuccessful fingerprint match attempts before you must enter your passcode, and you cannot proceed until doing so.

 

The problem here is that once a 1 to 50,000 match is found, the phone is going to be compromised for a lifetime.

post #24 of 67

I went in vacations in United States. Had to give my fingerprints... Not really afraid to "give" my fingerprints to an iPhone! :p

post #25 of 67
Quote:
Originally Posted by TonyPie View Post

In all probability the folks at NSA could "hack" the sensor in no time at all.  They may not want to inform whomever that they did it, no matter how much cash, wine, or Bitcoins are offered.

There's nothing unique about NSA employees. If they can, there is someone else with similar skill sets who can. The "reward" is intended to draw this other person out into the open.
post #26 of 67

Let that be a lesson to all.  Liberals like Senator Franken are never happy.  You could invent a secure mechanism even God couldn't crack, and Al Franken still wouldn't be satisfied.  For folks like that, it's not about security, it's about control - and a desire to hear themselves talk...  

 

TouchID is a convenience Al, not the be-all, end-all to security.  And it's optional, you don't have to use it.  But, due to the convenience of it, people who aren't using any security at all, might choose to adopt at least this level of security.

 

You can still choose to use a passcode if you desire.  I think the fingerprint sensor [TouchID] is awesome.  Time will tell, but at first blush, it looks pretty robust, since it's capacitive instead of optical and it reads the sub epidermal layer, that means lifted prints from public records, or say, a coffee mug, aren't going to unlock the device (in theory).  

 

Ideally, the best security is two-factor authentication, in the sense that you provide an item you have, like a key-card or fingerprint, and then something you know, like a password.  I don't know if Apple provides that option (I haven't played with an iPhone 5s yet), but that should be easy to implement if it isn't already - combine the fingerprint scan and prompt for a passcode.  There.  Happy now?


Edited by mytdave - 9/20/13 at 12:17pm
post #27 of 67
Quote:
Originally Posted by jason98 View Post
 

According to http://support.apple.com/kb/HT5949

 

The problem here is that once a 1 to 50,000 match is found, the phone is going to be compromised for a lifetime.

 

That's not true. With biometrics, the key is the entry method, having to live scan the fingerprint on a trusted sensor, rather than the actual fingerprint itself. The security comes from not what you are entering, but how you are entering it.

 

Take for example a fingerprint left at a crime scene. Anybody can get your fingerprint by lifting it from something you touch, but the key to it is that you left a fingerprint in the form of oils. It would be totally different if somebody left a computer printout of an image of your fingerprint at a murder scene.

post #28 of 67
Quote:
Originally Posted by jason98 View Post

According to http://support.apple.com/kb/HT5949

The problem here is that once a 1 to 50,000 match is found, the phone is going to be compromised for a lifetime.

First of all, nobody is ever going to brute force a match. The chances of guessing at 1/50,000 odds in five tries is so low it's not even worth trying.

Secondly, even if it did happen, being "compromised for a lifetime" is totally irrelevant. If a thief breaks into your phone he doesn't need a lifetime; he is going to download all the data he can get immediately. What do you expect him to do? Give it back so that he can steal it again later and get whatever new data you might have put on it?
post #29 of 67
Quote:
Originally Posted by konqerror View Post

That's not true. With biometrics, the key is the entry method, having to live scan the fingerprint on a trusted sensor, rather than the actual fingerprint itself. The security comes from not what you are entering, but how you are entering it.

I was implying that a match can be found randomly assuming a hacker has a big enough pool of (stolen) iPhones and big enough number of people to check them against.

So that means a person who's iphone is hacked would be random too. Would it be considered as a successful hack?
post #30 of 67
Quote:
Originally Posted by iaeen View Post

Secondly, even if it did happen, being "compromised for a lifetime" is totally irrelevant.

Ok let's rephrase it. The finger is going to be compromised for a lifetime, not the phone 1wink.gif
post #31 of 67
Quote:
Originally Posted by iaeen View Post


If a thief breaks into your phone he doesn't need a lifetime; he is going to download all the data he can get immediately. What do you expect him to do? Give it back so that he can steal it again later and get whatever new data you might have put on it?

 

A thief does not care about your data. He wants to sell your hardware.

Please update the AppleInsider app to function in landscape mode.

Reply

Please update the AppleInsider app to function in landscape mode.

Reply
post #32 of 67
Quote:
Originally Posted by jason98 View Post

I was implying that a match can be found randomly assuming a hacker has a big enough pool of (stolen) iPhones and big enough number of people to check them against.
At some point in your process, are unicorns involved? Seems just as likely.

We've always been at war with Eastasia...

Reply

We've always been at war with Eastasia...

Reply
post #33 of 67
Quote:
Originally Posted by diplication View Post

At some point in your process, are unicorns involved? Seems just as likely.

It's not far from 4 digit pin guessing - just 5x more complicated. Still 4 digit pin password is considered weak?
post #34 of 67
I think all this is a bit overblown... I'm not looking for military grade security in my phone. I just want to make sure the casual passer-by in my office isn't perusing my phone at will.

If I was looking for higher security then i would turn to multi-factor authentication. The old adage is to be secure you have to have something (ie, a badge, fingerprint, etc) and you have to know something (like a password).

I think the fingerprint scanner is great for the simple security cases that most of us have and a good start at higher security that companies or the government may demand.
post #35 of 67
I think there's a lot of misunderstanding about how this technology works, it seems many think it functions like a password where the password is secret and it's security depends on it remaining a secret.  I think the password analogy is wrong when it comes to biometric security, instead the security comes not from a secret but from the difficulty of duplication of biometric information.
 
A better analogy would be this.  It's like the iPhone is your house and its processor is you.  When somebody touches the finger scanner it's like someone visiting your house and ringing the door bell and you going to look to see who it is.  If you don't recognize the person you won't let them in, but if you see your friend out there you'll let them in.  So complaining that anyone can grab your fingerprint somehow and then gain access to your phone is like complaining that anyone can duplicate your friends' faces, voices and mannerisms  (because they're always out there in public for anyone to access) and then use them to impersonate your friends to "hack into" your house.  Now, I haven't ever heard of anyone complaining that because their friends are out there in public someone could impersonate them and doors to all houses should also require a password for people to enter to prove to the owner that those people really are their friends. 
 
Quote:
Originally Posted by AppleInsider View Post

"There are reasons to think that an individual's fingerprint is not 'one of the best passwords in the world,'" Senator Al Franken (D-Minn.) wrote in a letter to Apple CEO Tim Cook. "Passwords are secret and dynamic; fingerprints are public and permanent. If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it ? as many times as you want. You can't change your fingerprints."
 

 

Your friends are also public and permanent, and generally you can't change your friends.

 

Quote:
Originally Posted by jason98 View Post


Ok let's rephrase it. The finger is going to be compromised for a lifetime, not the phone 1wink.gif

 

If someone manages to create an uncanny likeness to one of your friends, then your friend will also be "compromised for a lifetime".  Anyone could then fool you time and time again into thinking that they're your friend when in fact they're not.

 

Of course this analogy applying to the iPhone's sensor depends on how hard it is to duplicate the finger biometric information that the sensor scans.  It's probably not going to be as hard to duplicate as an entire person, but it will still be pretty hard to duplicate.  For one thing some one would have to trick you into scanning your fingers with a rogue iPhone sensor and then somehow recreate a finger that simulates and generates the same scan as the real finger.  That's a lot of trouble to go through to get into someone's phone.  It would be far easier to snoop at someone entering their passcode.  And by the way, the fact that passcodes can be easily changed is irrelevant if you're not aware that someone has stolen the passcode.  On top of that most people don't change their passcodes regularly because then it will be much easier to forget them.

post #36 of 67
Quote:
Originally Posted by jason98 View Post


Ok let's rephrase it. The finger is going to be compromised for a lifetime, not the phone 1wink.gif

 

How is your fingerprint compromised? It's not an image, it's data.

 
Please create a scenario where your "fingerprint" being compromised would cause disaster.
post #37 of 67
Quote:
Originally Posted by jason98 View Post


It's not far from 4 digit pin guessing - just 5x more complicated. Still 4 digit pin password is considered weak?

 

A 4 digit password is weak if there is no limit to the number of attempts. It doesn't take that long to brute force it, or guess common strings. If you have an uncommon string and enable, say, only 10 entries before the device is wiped, then yes, it's pretty secure.

 
TouchID only allows 5 attempts before switching to password entry. Nearly impossible to brute force 1:50,0000 odds when you only have 5 attempts. You'd have to be very, very, lucky. Which means the method wouldn't be likely enough to merit consideration.
 
TouchID won't be the weak link. The weak link will, as it usually is, the password. If you utilize TouchID in conjunction with a strong complex password (not 4 digits) and limit the allowable attempts, I'd say it's 99% secure for most uses. 
 
Are you a spy? You seem paranoid, or under the impression your fingerprint is valuable.
post #38 of 67
Quote:
Originally Posted by jd_in_sb View Post

A thief does not care about your data. He wants to sell your hardware.

We are talking about data security , so we are starting with the assumption that we are dealing with someone who wants to get your data. As for the hardware being more valuable than the data or the thief being to lazy to attempt to break the encryption, that's probably true, but it's totally irrelevant to this conversation.
post #39 of 67
Quote:
Originally Posted by jason98 View Post

I was implying that a match can be found randomly assuming a hacker has a big enough pool of (stolen) iPhones and big enough number of people to check them against.

So that means a person who's iphone is hacked would be random too. Would it be considered as a successful hack?

I have some free time this afternoon, so I broke out the old statistics book. The probability of brute forcing any single iPhone assuming there are 50k different combinations in 5 tries is 0.0001 (0.01%). If our thief had a pool of iPhones to draw from, each individual attempt would be an independent experiment thus the number of devices required for success Is X~geom(0.0001). Now according to my calculations, in order for a thief to have even a 50% chance of success, he would need nearly 7000 iPhones.

Think about it. You are a thief with 7000 iPhones. Are you going to spend the time and energy trying to crack all these phones? And even if you did and you were lucky enough to win that coin toss, are you going to bother tracking down that one person whose fingerprint you now have on the off chance that he might have acquired a new device and placed new data on it? The answer to both questions is obviously no. No, the fact a fingerprint would be compromised for life is nothing to lose sleep over.
post #40 of 67

Shut this site down. There’s no way it’s legal. Put these morons in jail or something.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID
AppleInsider › Forums › Mobile › iPhone › Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID