Originally Posted by muppetry
From the publicly available information on Authentec's E-field scanning I would have to conclude that you have misunderstood the technology. If it works as presented then it is actually measuring electrical equipotentials between a conductive reference plane in the sensor and the RF-modulated non-planar (3-D) conductive target surface - the moist subdermal skin layer. As such it differs from regular capacitative scanning in that it does not even see the (relatively) non-conductive surface skin layer or the air gaps between ridges. To fool it would necessitate the creation of a conductive 3-D replica of the fingerprint, not just a 2-D image. I can't see any part of the asserted hack that satisfies that requirement, so it will be interesting to see if this proves to be real.
Yes, this is the part that confused me. Given the way Touch ID is supposed to work, I'm not sure how that can produce a successful reading, unless the part about reading the subdermal layer is simply to ensure that the finger is alive.
While I'm sure that CCC is not making this up, I'm not that sure how relevant it is.
To begin with, the equipment and effort required is beyond just about every casual lout most iPhone users will ever encounter.
Secondly, this experiment suffers from the same problem that most of these sensationalist demonstrations seem to exhibit: It relies on conditions that have to be rigged to work, assumptions on user behaviour, and no consideration to what happens after the exploit has been executed.
Lifting a fingerprint from a glass or a window is great, but I'm not sure how many thieves are going to be following a user around to take his fingerprint. Lifting it from a stolen phone? I'd be surprised if you could lift a clean fingerprint from the button of any iPhone; the home button sees a lot of action, and any print on it will be pretty messy. Could you lift a good one from the case? Possibly, though lots of fingerprints will overlap, others will be smudged through use and riding around in pockets. Still, that is possible.
The experiment didn't state how long this whole process took. Judging from the write-up, I think someone would have ample time to wipe the phone before it could be cracked.
It also seems that a lot of folk are gleefully clapping their hands screaming, "Apple failz!" – but I'm not sure they have just yet. Seems to me that they have cautiously released this into the wild, limiting what you can do with it. I guess folk could buy stuff from the Apple Store, but as far as I can tell, you still need to use your Apple ID and password to change delivery addresses or make any other changes to the account that would be useful to a thief.
Chances are Apple will be looking carefully at this experiment and seeing how it plays out in the real world, and at the same time they'll be thinking about how to make it secure enough for online shopping without making the whole thing so inconvenient that folk won't want to use it. Perhaps they could require a second fingerprint for monetary transactions: read finger1 and finger2 with no more than a two-second gap.
As you say, it will be interesting to see how this plays out.