
Crowd-sourced site offers cash, wine, Bitcoins for hackers to crack iPhone 5s' Touch ID - Page 2

post #41 of 67
Quote:
Originally Posted by DarkLite View Post

 
And probably the reason you "never see this happen to MS, Google etc." is because none of them are authenticating users via biometrics yet. When they are, then you will.

Google is using biometrics in Android and it was hacked in minutes.

Most of your post is from the tin foil hats club given we are all leaving our fingerprints all over the place all of the time. If someone wants your fingerprint, it is very easy to get.
post #42 of 67
Wouldn't they be crackers, and not hackers?
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #43 of 67
Quote:
Originally Posted by iaeen View Post


I have some free time this afternoon, so I broke out the old statistics book. The probability of brute forcing any single iPhone assuming there are 50k different combinations in 5 tries is 0.0001 (0.01%). If our thief had a pool of iPhones to draw from, each individual attempt would be an independent experiment thus the number of devices required for success is X~geom(0.0001). Now according to my calculations, in order for a thief to have even a 50% chance of success, he would need nearly 7000 iPhones.

Think about it. You are a thief with 7000 iPhones. Are you going to spend the time and energy trying to crack all these phones? And even if you did and you were lucky enough to win that coin toss, are you going to bother tracking down that one person whose fingerprint you now have on the off chance that he might have acquired a new device and placed new data on it? The answer to both questions is obviously no. No, the fact a fingerprint would be compromised for life is nothing to lose sleep over.

 

Better order some pizza... this is going to take a while.  I still think the use of a mythical horned horse-like creature might be of some benefit.

We've always been at war with Eastasia...

post #44 of 67
Quote:
Originally Posted by Steven N. View Post


Google is using biometrics in Android and it was hacked in minutes.

Well, it's been minutes now.  Heard anything?

We've always been at war with Eastasia...

post #45 of 67
Quote:
Originally Posted by diplication View Post

Well, it's been minutes now.  Heard anything?

As of 7:27 PM EST there's a big fat NO on the website.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #46 of 67
Really interesting, thanks!

I think that you would be really interested in some recent research that I have come across about crowds and citizen science. In particular I feel you may find these two emerging pieces of research very relevant:

- The Theory of Crowd Capital
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2193115

- The Contours of Crowd Capability
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2324637

Powerful stuff!
post #47 of 67
Quote:
Originally Posted by Gazoobee View Post

This seems unlikely to me based on descriptions of how the enclave works. Besides which how do you get the hacking software onto the device without physical or admin access?

Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave.

Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all.

It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.

Yap, but with more 3D printing with right components....

post #48 of 67

Should've offered quality porn.  

post #49 of 67
Funny that Touch ID doesn't depend solely on fingerprints.
Waste of Samsung's "Dirty Tricks Marketing Fund."
Or whatever its internal name is.

Sent from my iPhone Simulator

post #50 of 67
Quote:
Originally Posted by rsdofny View Post

Assuming someone can break the code, what can they do with it? Get into your iTunes account or your iPhone?  Unless there is a wide adoption of this fingerprint tech by apps, there is not much use for it.

Once you're in the phone you have access to email. Once you have access to email you can start going through sites like Amazon doing password resets and change your email address. They can also delete the emails these sites send out before you pick them up on another device.

So far all you know is that you've lost your phone. You didn't realise that the person who stole your phone while you were drunk also took the glass you drank from. Right now all you're concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.

Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card that's been saved on multiple accounts.

I hope they can't hack the scanner, but the fact is most fingerprint scanners can be fooled.
post #51 of 67
Originally Posted by lawofficer View Post
Show me a law in any state that says this is not "legal." So long as they have permission to use the property for the purpose of testing the security measures, there is nothing you or anyone else can (or should) be able to do about it.

 

This is for general purpose hacking, not a single person’s.

 

Imagine a bank allowing someone to test the security of its outdoor ATM. Person does this, finds a flaw, tells the bank about it and how to fix it. Boom. That’s what YOU are saying, and that’s what is legal.

 

Now imagine this person just releases the flaw and its instructions publicly, stating that all models of this ATM should have the same flaw; have at it. That’s what this website is. That’s why it’s illegal.

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #52 of 67
Quote:
Originally Posted by lawofficer View Post

Apple is not the only target, though they have fared pretty poorly in these competitions and in government tests.

Source?
Quote:
Originally Posted by timgriff84 View Post

Once you're in the phone you have access to email. Once you have access to email you can start going through sites like Amazon doing password resets and change your email address. They can also delete the emails these sites send out before you pick them up on another device.

So far all you know is that you've lost your phone. You didn't realise that the person who stole your phone while you were drunk also took the glass you drank from. Right now all you're concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.

Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card that's been saved on multiple accounts.

I hope they can't hack the scanner, but the fact is most fingerprint scanners can be fooled.

I agree that in the past biometric sensors have been primitive, but the 5s has a state of the art sensor from the best sensor makers in the business. Everything I have read says that it only reads living tissue under the surface pattern of dead tissue, just lifting a print from a glass would not be helpful in defeating the sensor.
post #53 of 67
Quote:
Originally Posted by iaeen View Post

I agree that in the past biometric sensors have been primitive, but the 5s has a state of the art sensor from the best sensor makers in the business. Everything I have read says that it only reads living tissue under the surface pattern of dead tissue, just lifting a print from a glass would not be helpful in defeating the sensor.

Every fingerprint sensor at some point was state of the art, and I don't doubt it's a lot harder to fool than previous sensors. But it ultimately has the flaw that there will be groups of people that want to get past it.

Once someone does and I don't doubt they will, then it's the worst form of security. Like the quote in the article says, you can't change your fingerprint. You also can't keep it a secret as you leave it behind on everything you touch.
post #54 of 67
Quote:
Originally Posted by timgriff84 View Post

Once you're in the phone you have access to email. Once you have access to email you can start going through sites like Amazon doing password resets and change your email address. They can also delete the emails these sites send out before you pick them up on another device.

So far all you know is that you've lost your phone. You didn't realise that the person who stole your phone while you were drunk also took the glass you drank from. Right now all you're concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.

Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card that's been saved on multiple accounts.

I hope they can't hack the scanner, but the fact is most fingerprint scanners can be fooled.

You missed the part about creating a clone with the same exact fingerprint from the bar glass.

You need a new story.
post #55 of 67
Quote:
Originally Posted by timgriff84 View Post

Every fingerprint sensor at some point was state of the art, and I don't doubt it's a lot harder to fool than previous sensors. But it ultimately has the flaw that there will be groups of people that want to get past it.

Once someone does and I don't doubt they will, then it's the worst form of security. Like the quote in the article says, you can't change your fingerprint. You also can't keep it a secret as you leave it behind on everything you touch.

Like I said: the surface pattern left behind when you touch something is not what this sensor is reading. This is just BS spouted by a clown senator who doesn't know what the hell he is talking about.

Also, the fact that you can't change it is also irrelevant. If someone cracks your password it is already too late to change it. He is going to download the data from your device and do whatever he wants with it. In order to take advantage of the fact that he now has your "permanent password" he would have to track you down and steal whatever other device you have that uses touch ID.
post #56 of 67
Like I said at some point security stuff that is now insecure at one point was. There was a point where people thought you couldn't recreate a fingerprint for any scanner.

Now we're at a point where if you go to a security conference you get next to nobody selling fingerprint based solutions whereas 4 years ago 50% of the solutions were fingerprint based.

The senator may not have a clue what he's talking about, but he has managed to recite the main reason fingerprint scanners aren't used for a lot of things any more.
post #57 of 67
Reportedly hacked now. This group claims a photo of a print can be used to break TouchID.
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
melior diabolus quem scies
post #58 of 67
Initial video here:
http://www.youtube.com/watch?v=HM8b8d8kSNQ

They're reportedly filming a better one that meets the specifics for collecting the bounty

Edit: Still waiting on final confirmation.
https://twitter.com/nickdepetrillo
Edited by Gatorguy - 9/22/13 at 12:41pm
melior diabolus quem scies
post #59 of 67
Quote:
Originally Posted by Gatorguy View Post

Reportedly hacked now. This group claims a photo of a print can be used to break TouchID.
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

The photo isn't being used to bypass the sensor directly but your usual reporting style is expected. They used a high resolution scan of a fingerprint to make a rubber finger:



It may be possible to lift such a print from the phone and create a rubber finger from it but it's not as trivial as using a photo of a fingerprint. It's also not clear in that video whether they registered one of the other fingers but no doubt there will be further tests. When Android devices catch up and have sensors, I'm sure you'll be just as anxious to see them bypassed:

http://www.trustedreviews.com/news/samsung-galaxy-note-3-will-feature-fingerprint-scanner-insiders-claim
post #60 of 67
Quote:
Originally Posted by Marvin View Post

The photo isn't being used to bypass the sensor directly but your usual reporting style is expected. They used a high resolution scan of a fingerprint to make a rubber finger:

Yeah, "my reporting style". Directly from their blog entry, which I linked:

" First, the fingerprint of the enroled user is photographed with 2400 dpi resolution."

Edit: The rest of the paragraph as follows.

"The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market."

I don't see anything misleading about my sentence. I was aware of it because it's been reported on other Apple-centric websites already.
Edited by Gatorguy - 9/22/13 at 1:10pm
melior diabolus quem scies
post #61 of 67
Quote:
Originally Posted by Gatorguy View Post

Reportedly hacked now. This group claims a photo of a print can be used to break TouchID.
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

Same person so the biometrics are the same. They should've used a second person, so color me unconvinced.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #62 of 67
Originally Posted by Marvin View Post
your usual reporting style is expected.
When the intention is this obvious, why not just be rid of it?

Originally posted by Marvin

Even if [the 5.5” iPhone] exists, it doesn’t deserve to.
post #63 of 67
Quote:
Originally Posted by dasanman69 View Post

Same person so the biometrics are the same. They should've used a second person, so color me unconvinced.

That's what the second video is supposedly showing. The twitter link is in my post too or you can follow the other half of the site team @ErrataRob also on twitter. Agreed it's not yet confirmed and it's possible the report is a scam or if not still may not meet the terms for paying the bounty.
Edited by Gatorguy - 9/22/13 at 1:15pm
melior diabolus quem scies
post #64 of 67
Quote:
Originally Posted by Marvin View Post

When Android devices catch up and have sensors, I'm sure you'll be just as anxious to see them bypassed:

http://www.trustedreviews.com/news/samsung-galaxy-note-3-will-feature-fingerprint-scanner-insiders-claim

I may very well be the first to report it if/when it happens. I've been the first to report other unfavorable Google or Android news before, for instance Google being sued for scanning Gmail. Still no mention by AI even after I posted it here two or three weeks ago. I also send news articles to AI including some that might not cast Google or Android in the best light but they're not acted on until other sites start reporting it. I'll still make the effort tho.
Edited by Gatorguy - 9/22/13 at 1:41pm
melior diabolus quem scies
post #65 of 67

A team claims to have defeated the TouchID system.  If anyone ever watched the MythBusters episode where they took on fingerprint scanners, the method to defeat the fingerprint scanner will sound very familiar.

 

Quote:
First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

 

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

post #66 of 67
Quote:
Originally Posted by DroidFTW View Post

A team claims to have defeated the TouchID system using a photograph of the user's fingerprint to create a "thin latex sheet" that can be used to beat it.  If anyone ever watched the MythBusters episode where they took on fingerprint scanners, the method to defeat the fingerprint scanner will sound very familiar.

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

You're a little late to the party.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #67 of 67

Quote:

Originally Posted by dasanman69 View Post


You're a little late to the party.

 

So I am.  You guys are fast!
