or Connect
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique
New Posts  All Forums:Forum Nav:

Apple's Touch ID already bypassed with established 'fake finger' technique

post #1 of 319
Thread Starter 
A hacker group in Germany claims to have defeated Apple's new Touch ID biometric security system by using a modified fingerprint lifting and "fake finger" creation technique.

Touch ID


In a post to its website on Sunday, the Chaos Computer Club claimed to have bypassed the iPhone 5s' Touch ID sensor hardware, just two days after the smartphone was released on Friday.

According to a detailed walkthrough of the bypass provided by the group's biometrics hacking team, the iPhone 5s' Touch ID hardware is, in effect, merely a higher resolution version of existing sensors. This means the system can be defeated using common fingerprint lifting techniques, albeit at a more refined level.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said a CCC hacker nicknamed Starbug. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

While the process is somewhat complex, the thinking behind it is straightforward. In this case, a high-resolution 2400 dpi photo of a user's fingerprint was harvested from a glass surface using graphite dust or cyanoacrylate (the main ingredient in Super Glue) and a camera. The resulting image was cleaned up and inverted with photo editing software, then laser printed at 1200 dpi onto a transparent sheet.

To create the fake fingerprint, pink latex milk or white wood glue is laid over the printout and allowed to set. Once cured, the dummy can be peeled off the transparency, breathed on to produce a thin layer of moisture, and applied to a finger. This will grant access to a Touch ID protected device, CCC claims.

A video of the unlocking process was uploaded to YouTube:



"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can?t change and that you leave everywhere every day as a security token", said CCC spokesman Frank Rieger. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

It should be noted that Apple never claimed Touch ID was a new technology, nor did the company say the method was foolproof. As seen above, there are many caveats in the production of a "fake finger," from latent fingerprint quality to digitization and printing. In addition, a would-be thief would need access to the iPhone itself after the fake is produced.

Also not taken into account is Apple's Find My iPhone app, which allows a lost or stolen phone to be wiped remotely. This leaves the window for breaking into the 5s very small, and would likely thwart all but the most dedicated criminals.

Apple's Touch ID is the company's first attempt at including a biometric security method in its consumer products. The technology comes from AuthenTec, a biometrics firm specializing in fingerprint hardware, that Apple purchased in 2012 for $356 million.

The extent to which Apple plans to incorporate biometric technology is unclear, though as it stands, Touch ID is used to unlock the iPhone 5s and make iTunes purchases. Third parties do not have access to the sensor's API, but that may change if the tech becomes a larger part of the iOS ecosystem.
post #2 of 319
Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it still may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.
post #3 of 319
I'm pretty sure I don't recall Apple ever saying it was uncrackable. But it sure does beat havin to enter a PIN or password away too often.
post #4 of 319
By the time a thief steals my phone, and SOMEHOW also gets my fingerprint (OK, maybe there's one unsmudged print left on my phone, but odds are 1-in-10 that it's my recorded print), and scans it at 2400dpi, prints it with a good printer at very high resolution, puts a layer of latex over it and WAITS for that to dry, I will have already set a passcode and/or wiped the phone. Not to mention I have activation lock enabled so he (or anyone he sells it to) would need my passcode to activate it.

Not worried. It's more than enough protection for little ole me.
post #5 of 319
Let me guess...this CCC outfit as an agenda and will use Apple to further it.
post #6 of 319
Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless.

Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.
post #7 of 319
And here we go, FingerGate begins 1wink.gif

But seriously what's up with the SUBepidermal reading claims if this can be hacked with simple visual pattern scan?
post #8 of 319
My front door lock can be picked. Guess I am foolish. Will leave my doors open from now on.
A.k.a. AppleHead on other forums.
Reply
A.k.a. AppleHead on other forums.
Reply
post #9 of 319
This video is misleading.

Assuming that the screen for setting up a second finger is the same as the first...

1. Notice he doesn't try the middle (unlocking) finger FIRST, to show that it CANNOT unlock the phone by itself.
2. Thus, the film he puts on his finger could be anything, because the middle finger could already be set up to unlock. The phone unlocks because it might already be set up.

And that doesn't even address if it's possible to get a complete enough print on a phone surface to photograph at the 2400dpi. Doubtful.

Way too much NOT shown in this clip.
post #10 of 319
So which is easier to defeat and in how short a time?

A four digit PIN that can be hacked relatively easily and fast?

Or the Touch ID sensor... after going through the tedious process described by the hackers?

I'll use the Touch ID because it's "secure enough" and easier than entering the PIN every time. This feature will become insanely popular for the general public and you can bet your paycheck the competition will follow suit. And when the competition follows suit you'll suddenly see all the "ha, ha, this is so easy to defeat" comments disappear into thin air. Why do we pay attention to anonymous tech types who make ridiculous statements about things they know little about, including some German with incredibly shaky hands.

For the average Joe User, who would take the time to do this? I can see the police or government agencies doing it but the common thief who lifts your iPhone on the street?

I really can't take seriously those who make a big deal out of these security hacks. In this day and age your only real protection is the safety of large numbers. Like a school of fish herded by Dolphins, your chances of actually getting eaten are small.
post #11 of 319

crap! oh well, i can't say it was fun while it lasted because it hasn't lasted!!

post #12 of 319
Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't all that secure! Their finger-print sensor now is nothing more than a convenient way for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this. This is something they should of looked into before purchasing AuthenTec in the first place. I remember at the time it was a rather rushed purchase - they maybe paying the price for that now. I wonder how Apple's damage control is going to handle this?
Edited by 1983 - 9/22/13 at 3:24pm
post #13 of 319
Quote:
Originally Posted by jason98 View Post

And here we go, FingerGate begins 1wink.gif

But seriously what's up with the SUBepidermal reading claims if this can be hacked with simple visual pattern scan?

 

Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.

post #14 of 319
Quote:
Originally Posted by DroidFTW View Post

Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it still may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.

 

Yes, but Apple wanted much more from this technology over the long run. That seems to be quashed now. 

post #15 of 319
If you're working for MI6 or something then I can understand the concern.

For the average user this level if security is more than enough.

The average thief will simply wipe your phone and try to resell it.
iPad, Macbook Pro, iPhone, heck I even have iLife! :-)
Reply
iPad, Macbook Pro, iPhone, heck I even have iLife! :-)
Reply
post #16 of 319
Quote:
Originally Posted by EricTheHalfBee View Post

Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless.

Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.

In a recent article Mr Cook commented on iPhones being used for secure payments. In that case it could be worth the effort.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #17 of 319
I'll believe it when a random, unregistered person puts the "copied" fingerprint on their finger and bypasses the scanner.

Till then stop drinking so much German dude. It's not even October.
post #18 of 319

It's a bit disappointing that it was beaten with established techniques, I thought Authentec had something new, and Apple paid a lot for it.

post #19 of 319
Quote:
Originally Posted by 1983 View Post

Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should of looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they maybe paying the price for that now! I wonder how Apple's damage control is going to handle this?

 

Yeah the damage is the headlines on tomorrow's front page. Almost no one's security will ever be exploited by this hack.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #20 of 319
Quote:
Originally Posted by 1983 View Post

Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should of looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they maybe paying the price for that now! I wonder how Apple's damage control is going to handle this?

I completely disagree with your assessment. If it is true (and based on my experience I think it is) that 50% of users include NO lock, this is many times more secure especially the true effort it takes to get around it. In no way does it support the claim from CCC: "Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
post #21 of 319
This is a meaningless video. For this to be a verified crack of the Touch ID technology, the fake fingerprint should of been put on a person that wasn't the owner of the print. What verifiable means is there that the sensor didn't ready THROUGH the fake finger print to the persons finger.

Until that happens I call this busted.
post #22 of 319
OK,is it possible to return the new iPhone 5s to Apple until this hard issue is solved?
post #23 of 319

corrections in spelling :

 

This is a meaningless video. For this to be a verified crack of the Touch ID technology, the fake fingerprint should of been put on a person that wasn't the owner of the print. What verifiable means is there that the sensor didn't read THROUGH the fake finger print to the persons finger.

Until that happens I call this busted.

post #24 of 319

Locks keep honest people honest.

 

As a practical matter, this means nothing to virtually everyone.

post #25 of 319
Quote:
Originally Posted by 1983 View Post

Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should of looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they maybe paying the price for that now! I wonder how Apple's damage control is going to handle this?

 

Take yourself and your "This is not good for Apple" nonsense and jump off a bridge. Apple never said anything remotely indicating this was unbeatable. YOU and your ilk blew it up into something it wasn't. You tell me which is easier to hack, a 4 digit PIN or Touch ID. You tell me how ANY device is secure once someone has physical possession of it.  YOU tell me how your ex-wife or girlfriend is going to do this. YOU tell me how the common thief is going to accomplish this. It's a step UP from the PIN and not a gimmick. Lots of people run around with no lock code at all because they don't like punching numbers. Touch ID will let them have some real security because it's easy to use.

 

I'll tell you what. When I get my iPhone 5s I'll let you have it and YOU into it hack it. And let's put some serious money up too. Otherwise shut up.

 
Just go away and play with yourself.
post #26 of 319
I'm sorry, but everyone is using the word "bypassed" to describe this "hack" and it is NOT that.

"Already bypassed" implies an easy workaround.

First, get the owner of a Touch ID locked phone to let you take a very high resolution (2400dpi) photo of the fingertip (containing the fingerprint) used to encode the lock.

After that, go through a bunch of arcane steps involving 1200dpi scanners, and other "everyday" items only used by special industry professionals (you've got to get the set and the thickness just right), and finally, stick that onto your finger, moisten it with your breath...

Oh wait, we forgot the other important part. ALSO get the phone from the person who's identity you're trying to steal or whatever.

The contents of that phone would have to be awfully important and valuable. Doing this just to "steal" a handset sure isn't worth it.

Finally, how is this method "news"? It's an old and established method for replicating fingerprints that can "fool" a fingerprint reader. This has never actually made fingerprint scanners any less secure.

It's a barrier to entry that is more secure than a credit card in a wallet (or any other form of payment we currently use), that's for sure!

But there's the key. It, like any other form of security or lock is not 100% unbreakable. It just provides a high enough level of security that overcoming it is an effort usually not worth the reward.

Now, when someone illustrates one of those "tilt it this way, press that, hold the power button and move ten feet west, etc. and THEN you can bypass the fingerprint scanner" methods, THEN I'll agree it has been bypassed. Until then? Nah.

The biggest plus for me with Touch ID, aside from being very secure, is that it's FAST. nearly instant, 99.999% accurate scanning.

Which should be plenty for 99.999% of people and applications, in my book.
Edited by tribalogical - 9/22/13 at 3:31pm
post #27 of 319
Quote:
Originally Posted by ILM1997 View Post

This is a meaningless video. For this to be a verified crack of the Touch ID technology, the fake fingerprint should of been put on a person that wasn't the owner of the print. What verifiable means is there that the sensor didn't ready THROUGH the fake finger print to the persons finger.

Until that happens I call this busted.

 

The original article says a complete step by step video has been submitted by the CCC for verification.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #28 of 319

I think TouchID requires a complete fingerprint.  With an incomplete fingerprint the phone can not be unlocked. 

post #29 of 319
Notice how the headline states it as a fact but the article reveals it's a claim?

Also, the method is not exactly convenient, and it doesn't undermine touchID's purpose- which is more convenient authentication, not some sort of ultra-secure perfect security method.
post #30 of 319
Okay, that's it.

TouchID on the iPhone has failed!

Everybody swap across to Android for security.

1wink.gif
There's nothing your wife/girlfriend/partner wouldn't like more than a 6 Plus...
Reply
There's nothing your wife/girlfriend/partner wouldn't like more than a 6 Plus...
Reply
post #31 of 319
Quote:
Originally Posted by Gatorguy View Post

In a recent article Mr Cook commented on iPhones being used for secure payments. In that case it could be worth the effort.

Please. Thieves can already get your CC data to commit fraud without having to go through the process of stealing a phone, bypassing its security, and then HOPING it might actually be set up for making payments (or that the phones owner has a high enough credit limit to purchase something worthwhile). And that the phone wouldn't get locked before this took place.


These guys won't get the $16,000 prize for being first. To win you have to show everything in your video from leaving the print on a glass or other object to lifting the print to producing the mold to unlocking the phone. When I see that then I might be impressed.

For all we know these guys used a perfectly clean sheet of glass and had the person leave a perfect print (like getting fingerprinted as opposed to getting a print from an everyday item). And they might have had to repeat the process numerous times before they got a mold that worked. This is why the guys offering the reward require a complete video.


Now that they described their process it should only be a day at most before someone collects the prize, right? Because it's so easy that anyone can do it, therefore that money is just waiting for someone to collect. /S
post #32 of 319
Quote:
Originally Posted by lkrupp View Post
 

 

Take yourself and your "This is not good for Apple" nonsense and jump off a bridge. Apple never said anything remotely indicating this was unbeatable. YOU and your ilk blew it up into something it wasn't. You tell me which is easier to hack, a 4 digit PIN or Touch ID. You tell me how ANY device is secure once someone has physical possession of it.  YOU tell me how your ex-wife or girlfriend is going to do this. YOU tell me how the common thief is going to accomplish this. It's a step UP from the PIN and not a gimmick.

 

I'll tell you what. When I get my iPhone 5s I'll let you have it and YOU into it hack it. And let's put some serious money up too. Otherwise shut up.

 
Just go away and play with yourself.

 

Just go somewhere and relax, you rude zealot! I'm not going anywhere, and while I'm an Apple fan, I'm not going to shut up when they make the occasional mistake.

post #33 of 319
Quote:
Originally Posted by tzeshan View Post
 

I think TouchID requires a complete fingerprint.  With an incomplete fingerprint the phone can not be unlocked. 

 

Actually, I think the way Touch ID works is it samples portions of the fingerprint, and creates a pattern which alone would be equally unique as the fingerprint itself. You'd probably be right that it needs a full fingerprint to encode first. But what it "reads" each time is probably not a complete fingerprint, but the encoded "highlights".

 
Now that there are over 7 billion humans on the planet, I'm wondering if it's not possible to have a pair of fingerprints so similar a scanner might not be able to tell them apart?
 
Time will tell I guess...
post #34 of 319

Why not just hold a gun to somebody's head? Why bother with all of this nonsense? :lol:

post #35 of 319
Quote:
Originally Posted by EricTheHalfBee View Post


These guys won't get the $16,000 prize for being first. To win you have to show everything in your video from leaving the print on a glass or other object to lifting the print to producing the mold to unlocking the phone. When I see that then I might be impressed.

BTW, the guy offering the $10K is reneging. He was scamming from the get-go and was only after the publicity.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #36 of 319

The finger vs pin isn´t completely relevant, I don´t use my pin to purchase stuff on the iTunes store.

 

A bit disappointed it´s been crack which also busts a few of Apple´s "inside finger scan" promotions. I would like to hear Apple explain this.

 

Still getting a 5S though.

post #37 of 319
The guys offering the reward put up a notice about CCC on their site. I hope they don't accept an edited video - it needs to be a complete video of the entire process in real time. This is important as it shows just what's involved.
post #38 of 319
Quote:
Originally Posted by 1983 View Post

Just go somewhere and relax, you rude zealot! I'm not going anywhere, and while I'm an Apple fan, I'm not going to shut up when they make the occasional mistake.
No one has proven touch id is a mistake. All that's been proven is the Internet will run with anything if it might put Apple in a bad light.
post #39 of 319
Quote:
Originally Posted by tribalogical View Post

Actually, I think the way Touch ID works is it samples portions of the fingerprint, and creates a pattern which alone would be equally unique as the fingerprint itself. You'd probably be right that it needs a full fingerprint to encode first. But what it "reads" each time is probably not a complete fingerprint, but the encoded "highlights".
 
Now that there are over 7 billion humans on the planet, I'm wondering if it's not possible to have a pair of fingerprints so similar a scanner might not be able to tell them apart?
 
Time will tell I guess...

True. There's already been at least one guy using his nipple to unlock his 5s, and another who used his nose. Even a cat's paw presumably works
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #40 of 319
Quote:
Originally Posted by MacHarry de View Post

OK,is it possible to return the new iPhone 5s to Apple until this hard issue is solved?
Or you can not use touch ID. Or a pass code 'cause that can be hacked/socially guessed.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • Apple's Touch ID already bypassed with established 'fake finger' technique
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique