or Connect
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique
New Posts  All Forums:Forum Nav:

Apple's Touch ID already bypassed with established 'fake finger' technique - Page 5

post #161 of 319
Quote:
Originally Posted by pan101 View Post
 

I do think it could be planned better than that. If I wanted to gain access to someone's email, Facebook or buy things on iTunes, etc. here's what could be done - would be easy for a work colleague/spouse/etc.:

1. Get the fingerprint (I'm guessing it's going to be the thumb for 90% of people) from a glass or something else.

2. Prepare the fake print (taking all the time you need)

 

You can't take "all the time you need"  if the phone goes 48 hours without being unlocked, the password kicks in.  Nevermind the fact the owner can always do a remote wipe as well. 

post #162 of 319
Quote:
Originally Posted by Gatorguy View Post


True. There's already been at least one guy using his nipple to unlock his 5s, and another who used his nose. Even a cat's paw presumably works

 

But it only works on THE guy nipple? So what is your point?

post #163 of 319
First, I can't believe that gomer going on and on about gloves—who are you, Scrooge McDuck? You wear spats, too?

Secondly, anybody who thinks first AuthenTec and than Apple didn't try this technique six ways from Sunday...well, all I can say is I hear there's a really neat bridge for sale in New York.

Thirdly, the sensor is reading the guy's print through the fake film print. It doesn't matter which finger he's using. The prints on your fingers aren't identical, but they're very, very similar. If you set up Touch ID with your index finger, I'll bet there's about a 95% chance your middle finger would work, too. Of course. 95% wasn't good enough for Apple—the Atrix's crummy reader probably worked 95% of the time—so they encourage you to register all the fingers you're going to use.

To me it's very suspicious that they didn't register the thumb, which most people will use, probably because the size difference made it less likely that another finger would work.

And lastly, this is Germany, where Apple-hatred is exceptionally virulent. I wouldn't give this propaganda piece a second thought.
post #164 of 319
Quote:
Originally Posted by Bishop of Southwark View Post

These two bits in the article really undermine any pretence that AI is a balanced (or indeed sensible) publication:

"In addition, a would-be thief would need access to the iPhone itself after the fake is produced."

No kidding. But the same is true of getting past any security element - you to have a way to access a specific lock to pick it. Since we are talking about lock picking here, rather than getting around lock without opening it.

"Also not taken into account is Apple's Find My iPhone app, which allows a lost or stolen phone to be wiped remotely. This leaves the window for breaking into the 5s very small, and would likely thwart all but the most dedicated criminals."

What1?!? How about anyone who kept the iPhone it in a signal procf environment, or removed the SIM card, or ....
Again Find My iPhone has no relevance to finger print security. It has relevance to overall iPhone security.
The existance of Find My iPhone functionality will not deter anyone. The hastle of faking the print, that will deter casual people.

This group are talking about the use of finger prints as a security method in general.
Regardless of device.
They are not talking about the security of the iPhone (as a collection of elements or in comparison to anything else).

The article would be far more interesting and relevant without these two crackpot bits.
Oh well, have to give up on AI for balance and sense....

 

Me thinks you know nothing about a new Find My Phone feature in iOS 7.

post #165 of 319

I think that it is curious that there is not more detail in the video, why they did not use a third party person to test the hacked fingerprint and why they needed to have the fingerprint on a translucent backing - stuck to a real finger. I think we need more proof. If they did this as they have depicted, it re-enforces that this can not be ultimate security for iPhone users.

 

If they scammed us by a bogus video to take the prize money through a lie - well I think someone at Apple may want to mail some CCC fingers to the lab for further testing...

 

Finally, what kind of idiot would post his fingerprint for the world to see, record, trace, use....?


Edited by TeeJay2012 - 9/22/13 at 9:09pm
post #166 of 319

This test is not accurate.

The sensor also senses for live tissue and scans sub-epidermal layer. If you use your finger with the high-resolution impression of your own fingerprint on a film (which is kind of weird because you might as well just use your finger) it is going to open alright. But if you use someone else's fingerprint, first of all it won't open because there is no live human tissue. If you place your finger on the back of the film, it will scan sub-epidermal layer as well, which will result in an incorrect scan.

post #167 of 319
I want to see that replicated with a strangers phone just handed to them. Highly doubt it. Where would they get the hir-es fingerprint when they don't even know the owners identity, as would be the case with a stolen phone. Far more secure than a casually observable pin. Not that half of all phone users even bother with pins.
post #168 of 319
Quote:
Originally Posted by Taniwha View Post
 

"It's not like Apple ever claimed touch id would work with gloves", no but they DO claim that it is highly secure, which now seems to be uncertain at best, and untrue at worst.

 

So you can crack it now?

post #169 of 319
Quote:
Originally Posted by Tallest Skil View Post
 

 

Are you really in any sort of position to be pulling this (perpetually meaningless) card?

Reading his posts all I can say is yet another pimpled face Android teenager zealot joining AI. They're so full of THAT level of intelligence. :sigh:

post #170 of 319
Quote:
Originally Posted by Arlor View Post
 
Alternatively, if they can lift the print right off the touch sensor itself, they can be sure to have the right print!

 

Then why they didn't do that in the video? Why did they use glass? Are you assuming too much?


Edited by matrix07 - 9/22/13 at 9:39pm
post #171 of 319
Quote:
Originally Posted by ceek74 View Post

But what if I wear my mittens? What then?
Ramrod is just being a complete tool. Case in point, I don't even have to wait for winter. I ride my motorcycle almost every day and when I have to use my phone, I instinctively take my gloves off.

Not ONCE did I ever think "this sucks, I should not have to take my gloves off. Shame on Apple."

People like him think Apple should revolve around their specific needs and if Apple can't achieve the needs of 100% of all users, then Apple shouldn't even try.
post #172 of 319

 

"Ya, I have defeated your puny touch id.  There is no security on your phone.

Ve are doomed and I am filled with remorse, and it is most delicious.

Vould you like to touch my monkey?"

post #173 of 319
Quote:
Originally Posted by jameskatt2 View Post

All you have to do is to require both a fingerprint and a password. That would be an ultimate security method.

 

No. All you need to do is use your nipple instead. LOL.

post #174 of 319
Not just any "hacking" group. Chaos Computer Club is a pretty elitist group of computer tech enthusiasts.

These are the same guys that proved to the German Gov that the finger print technology is passports is brain dead by hijacking one of the ministers finger prints from his own passport.

If they say they have done it I'd say it's 99.999% legit. Fingerprint anything is stupid anyways, much easier to unlock your phone by placing you handcuffed fingers on the sensor than to force you to surrender your password.
post #175 of 319
Quote:
Originally Posted by MrBowfinger View Post

Congratulations to the submitter that said in the time it would take to go through the proces the phone would be wiped. Correct me if I'm wrong. The person who cracks the phone shouldn't be able to gain access unless he or she has the ID and the passcode.

From http://support.apple.com/kb/HT5949

 

"To configure Touch ID, you must first set up a passcode. Touch ID is designed to minimize the input of your passcode; but your passcode will be needed for additional security validation, such as:

  • After restarting your iPhone 5s
  • When more than 48 hours have elapsed from the last time you unlocked your iPhone 5s
  • To enter the Passcode & Fingerprint setting

Since security is only as secure as its weakest point, you can choose to increase the security of a 4-digit passcode by using a complex alphanumeric passcode. To do this, go to Settings > General > Passcode & Fingerprint and turn Simple Passcode off. This will allow you to create a longer, more complex passcode that is inherently more secure. Security is further strengthened by using a mixture of uppercase and lowercase letters, numbers, and symbols."

If you have find my iphone on, you will not be able to wipe the device unless you know the password that is associated with the icloud account on the device, so a passcode or fingerprint alone will not be enough to wipe the device.

post #176 of 319
Quote:
Originally Posted by Marcel655 View Post
much easier to unlock your phone by placing you handcuffed fingers on the sensor than to force you to surrender your password.

When there is a gun pointed to your head, what is the difference?

post #177 of 319
Quote:
Originally Posted by cutykamu View Post
 

try the new android door… the customization is too good and you can also select the door bells, sneak a peak from eyepiece with fish eye angle with some instagram filters (with some advertisements ofcourse), you can change the color of the doors and select many default themes.

 

/s

The android door has been discontinued for being too open.  SInce most purchasers did not want a "walled garden" they removed the "door" part of the android door and it's just a knob and a deadbolt that are both lying on the floor. Also the Keylime keys don't work with the Jellybean keys and the kitkat keys melt in your pocket. :lol:

post #178 of 319
can they add another check for something like blood flow or heart beat

the iWatch can do it
post #179 of 319
Quote:
Originally Posted by lkrupp View Post

I can see the police or government agencies doing it but the common thief who lifts your iPhone on the street?

Note, that if the phone is shut off of 48 hours have passed without unlocking, the phone will require the password to unlock. So, whoever takes the phone, they should be fast in unlocking. Apple should make the 48 hours period is configurable to say 4 hours to decrease the window of opportunity.

 

Also, Touch ID actually allows the owner to set really long and strong password since they'll be using it rarely. At present I use a 4-digit passcode, for convenience. Once I get the 5s, I'm changing it with a password.

post #180 of 319
Quote:
Originally Posted by capasicum View Post

Note, that if the phone is shut off of 48 hours have passed without unlocking, the phone will require the password to unlock. So, whoever takes the phone, they should be fast in unlocking. Apple should make the 48 hours period is configurable to say 4 hours to decrease the window of opportunity.

Also, Touch ID actually allows the owner to set really long and strong password since they'll be using it rarely. At present I use a 4-digit passcode, for 
convenience. Once I get the 5s, I'm changing it with a password.

You can do that now. Go to passcode lock and change the Simple passcode to off. Now you can make an alphanumeric passcode.
post #181 of 319
Quote:
Originally Posted by HammerofTruth View Post


You can do that now. Go to passcode lock and change the Simple passcode to off. Now you can make an alphanumeric passcode.

 

I know how to do it, I've used a password for a few days, and it is pretty annoying entering 12+ symbols every time I need my phone.


What I'm saying is that the Touch ID will allow me to have quick access while the actual password is strong enough.

post #182 of 319
Quote:
Originally Posted by Gatorguy View Post
 
Quote:
Originally Posted by JDW View Post

I simply don't understand how this can be possible if one takes Apple's "sub-epidermal" statement at face value. Watch the following video on Apple's site, starting at 1:20...

http://www.apple.com/iphone-5s/videos/#video-touch

The way I understood it when presented at the keynote was that it reads the print on the surface of the skin as well as penetrating deeper into the skin to ensure the print could not be faked.

I don't write this to attack Apple. I write this to know if any of you can explain in technical detail how Apple's sensor reads sub-epidermal details of one's finger.

Or could this be a bug that prevents the sub-epidermal scan from taking place?

Thanks.

"Sub-dermal scanning" just refers to verifying the electrical activity that would be expected in live tissue. That way a plastic item or other "dead" object doesn't pass muster. If the CCC mock print isn't thin enough the electrical activity in the real finger underneath couldn't be read. That's the way I understand Authentec's tech anyway.

 

From the publicly available information on Authentec's E-field scanning I would have to conclude that you have misunderstood the technology. If it works as presented then it is actually measuring electrical equipotentials between a conductive reference plane in the sensor and the RF-modulated non-planar (3-D) conductive target surface - the moist subdermal skin layer. As such it differs from regular capacitative scanning in that it does not even see the (relatively) non-conductive surface skin layer or the air gaps between ridges. To fool it would necessitate the creation of a conductive 3-D replica of the fingerprint, not just a 2-D image. I can't see any part of the asserted hack that satisfies that requirement, so it will be interesting to see if this proves to be real.

post #183 of 319
Quote:
Originally Posted by MacHarry de View Post

OK,is it possible to return the new iPhone 5s to Apple until this hard issue is solved?

I wish there were more people like you; they're all sold out at my end!
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
Reply
How to enter the Apple logo  on iOS:
/Settings/Keyboard/Shortcut and paste in  which you copied from an email draft or a note. Screendump
Reply
post #184 of 319

So, at least now we have found a real-life purpose for the 20.something-Gaziilion-Pixel camera of this new Nokia-thingy....

Yeah, well, you know, that's just, like, my opinion, man.
Reply
Yeah, well, you know, that's just, like, my opinion, man.
Reply
post #185 of 319

Does Find My iPhone work if the SIM has been removed? (And the phone is not within range of a trusted WIFI network)

post #186 of 319

The video shows clearly enough that the phone was trained to recognize only a single finger (the index finger) and that the middle finger was used to lift the fake print and unlock the phone.

The video does not show how the fake print was created, which is key. The video also doesn't show that the person has a normal fingerprint on the index finger and, for instance, isn't wearing a fake piece of latex that is easily replicated.

post #187 of 319
Touch ID verifies the fingerprint on the interior sub dermal layer and confirms the finger has a pulse. This is why the tech is great since it shouldn't work if your finger was cut off and should work even if the fingerprint was burned off with acid. It doesn't use the old method of reading the print off the outer skin layer like others do. This is why I call BS on the video since the user is testing with his living finger covered by a piece of paper. Instead if he can do it with the image attached to a stick then it would be proof of concept. Until then nice try but no soup for you 1smile.gif
Unity3D, Maya, Final Cut, iPhone 5S, Apple TV, Mac Pro, MBP, iPad Mini
Reply
Unity3D, Maya, Final Cut, iPhone 5S, Apple TV, Mac Pro, MBP, iPad Mini
Reply
post #188 of 319
Quote:
Originally Posted by Ramrod View Post
 

 

Oh really? So if you see a pattern left behind from oil, do you know where the patter started and what the order of the patter was? Didn't think so. You would know this if you actually used a pattern lock. And all it takes is an easy wipe to get rid of the oil pattern mark. Finger prints? Yeah go ahead and burn them off. lol. 

Oh and what's your response to my point of having to constantly take gloves on and off just to unlock your phone? Everyone that went on an on about how much time you save with this lock, doesn't want to address the glove issue. Hmmm.....

Denial is a helluva drug.

 

Try this for an exercise: Put a pen on a paper, then make whatever pattern you like without lifting the pen. How many possibilities are there to trace the original pattern? Usually two, since the start and the end of the pattern are obvious. If you use backtrace, it will become harder, but far from impossible to guess.

 

Now, easy wipe will solve the issue. And will solve the issue with the fingerprint sensor as the thief will have no way to lift your prints from the phone.

post #189 of 319

All those claiming that fingerprint ID security is OK are missing the point.

 

It is not safe and it certainly isn't extremely safe as Apple did say. Period.

 

I guess I can stick with my good ole 4s (it's working blazingly fast under iOS7. Best upgrade ever)

post #190 of 319
Quote:
Originally Posted by malax View Post

Then, more importantly, WTF leaves their phone behind when they go to the restroom?
Usually only Apple engineers field testing new iPhones right before the product launch. I hear people will pay good money for such items.

We've always been at war with Eastasia...

Reply

We've always been at war with Eastasia...

Reply
post #191 of 319
Quote:
Originally Posted by Marcel655 View Post

Fingerprint anything is stupid anyways, much easier to unlock your phone by placing you handcuffed fingers on the sensor than to force you to surrender your password.
Wouldn't that be "fingercuffed fingers"?

We've always been at war with Eastasia...

Reply

We've always been at war with Eastasia...

Reply
post #192 of 319
Quote:
Originally Posted by Blitz1 View Post

All those claiming that fingerprint ID security is OK are missing the point.

It is not safe and it certainly isn't extremely safe as Apple did say. Period.

I guess I can stick with my good ole 4s (it's working blazingly fast under iOS7. Best upgrade ever)

Actually I think that you are missing the point - namely that it is both more convenient and more secure than the regular 4-digit pin that users currently employ (if they employ anything at all).

Whether it proves to be secure enough to be trusted to handle authentication for financial transactions remains to be seen, but since that should generally be at least 2-step authentication, it doesn't seem unreasonable to imagine that it might replace one of those steps.
post #193 of 319
I'm not worried about criminals being able to copy finger prints. The time to worry would be when hackers create a TouchID virus designed to extract the fingerprint information on all devices around the world, and then collect a database of fingerprints.
post #194 of 319
So don't give your phone the finger.
post #195 of 319
So they have up to 48 hours from lifting a fingerprint of sufficiently high quality to produce the fake finger pad and they would need some fairly high tech equipment and materials by the sounds of things... That's pretty difficult. It's far easier to discretely watch or record (with hidden cameras) someone unlocking their device with a pass code or password so this technology is probably more secure than that.

Apple said that up to 50% of people don't use a pass code at all because they find entering it all the time to be too tedious, and this technology is aimed at them. Then again, these are people that are posting intimate details of their lives on FaceBook or a complete life story on LinkedIn so I'm not sure security is their biggest concern anyway.

This is no printgate. The bottom line is if you want something 100% secure don't record it in ANY form.
post #196 of 319
Quote:
Originally Posted by palegolas View Post

I'm not worried about criminals being able to copy finger prints. The time to worry would be when hackers create a TouchID virus designed to extract the fingerprint information on all devices around the world, and then collect a database of fingerprints.

 

Its storage is one way, see the Craig Federighi part:

http://www.businessweek.com/articles/2013-09-19/studio-outtakes-from-apples-cook-ive-and-federighi

post #197 of 319

I'm not buying this just yet. As others have pointed out, they could have enrolled their other finger being used. Then they put out a stupid video showing someone else doing it so that it is someone else's finger being used. That is pretty lame. I don't care who's finger they use, they should be showing the finger failing to unlock the phone a few times without the fake finger first. Showing any other finger being used with the fake finger doesn't mean anything unless we know it is not enrolled. 

post #198 of 319
 

 


Edited by pan101 - 9/22/13 at 11:32pm
post #199 of 319
Quote:
Originally Posted by the cool gut View Post
 

 

You can't take "all the time you need"  if the phone goes 48 hours without being unlocked, the password kicks in.  Nevermind the fact the owner can always do a remote wipe as well. 

 

I said that you get the fingerprint from a glass or mug or something else... not the phone!

post #200 of 319
If I was James Bond or the POTUS I'd be dead scared someone could do this to my phone.

As it is, the security risk is minimal.

As for CCC's main worry about biometrics as an instrument of control, I'm pretty sure than anyone in the EU who has obtained a passport in the last 5 years has facial biometrics on file with one or more governments, similarly any foreign traveller to the US has given their fingerprint data to the government there, and by implication their home government in many cases. You probably need to live in a shed in the woods to avoid such identification these days.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • Apple's Touch ID already bypassed with established 'fake finger' technique
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique