or Connect
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique
New Posts  All Forums:Forum Nav:

Apple's Touch ID already bypassed with established 'fake finger' technique - Page 6

post #201 of 319
Quote:
Originally Posted by malax View Post
 

 

The flaws are in steps 2 and 3.  First off, step 2 takes a ton of work and maybe you screw it up.  Then, more importantly, WTF leaves their phone behind when they go to the restroom?  Personally, I like to put my wallet, car keys, AND phone on the bar and leave them behind just to demonstrate my faith in humanity,

 

I understand step 2 is not easy... but apparently doable (we'll see whether it's fake and/or difficult soon I hope). People go online to do complex tasks (like fixit.com etc.) and with a definite step-by-step approach, I'm sure people will try it.

 

Regarding 'WTF leaves their phone behind when they go to the restroom'.... if you're at dinner with your wife, it looks weird that you take your phone when you go to the restroom when she's there at the table. I think most people at some point, leave their phone somewhere - especially after a few drinks. Work is another obvious place - at your desk, etc. Anyway it happens.

post #202 of 319
Quote:
Originally Posted by DroidFTW View Post

Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it still may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.

I assumed the NSA cracked it first but time will never tell that story.

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply
post #203 of 319
Quote:
Originally Posted by Ramrod View Post
 

 

Haha, what tool you are. Typical Apple apologist. Grow a pair and start thinking for yourself otherwise leave. You see, other phones like the Lumia 920 or GS4 would allow you to use your phone with your gloves on. How any fool wouldn't welcome this feature says a lot for their inability to think logically.  But hey, keep fighting the good fight. Denial is a helluva drug.

 

Getting a little feisty?  Where in my post did I mention that I wouldn't welcome this feature?  Where did I specifically say that?  Spinning your agenda again?


I would welcome anything that makes my life easier.  Who wouldn't?  However, the difference between you and me is that my expectations are in what most of us call "reality".  The tech is not here now in a reliable fashion, I accept it, I move on.  Perhaps the day will arrive, perhaps not.  I don't dwell on it.  You apparently do.  I have more important things in my life to concentrate on than bitching about why I have to spend 5 seconds to take my gloves off.  It's a TOUCH phone.  Blame Apple because it's easy for people like you, instead of blaming the glove manufacturers.

This tech is a first-step to other things.  It will mature.  What will most likely happen is Apple will kickstart it, make it mainstream, the competition copies it and suddenly trolls like you will make it sound like Apple had nothing to do with it, or it was the "obvious" thing to do.

I'm a fully independent thinker, and not some delusional fanboy that apologizes for Apple.  I have my gripes with that company.  You have zero clue who I am or what I do.  What's really sad is someone like you who thinks has a pair, when in reality you're just swinging raisins from the comfort of your keyboard.
post #204 of 319

What about having an eye scan using the FaceTime camera instead?

 

This way apple could get rid of the home/fingerprint button?

post #205 of 319
Quote:
Originally Posted by muppetry View Post
 

 

From the publicly available information on Authentec's E-field scanning I would have to conclude that you have misunderstood the technology. If it works as presented then it is actually measuring electrical equipotentials between a conductive reference plane in the sensor and the RF-modulated non-planar (3-D) conductive target surface - the moist subdermal skin layer. As such it differs from regular capacitative scanning in that it does not even see the (relatively) non-conductive surface skin layer or the air gaps between ridges. To fool it would necessitate the creation of a conductive 3-D replica of the fingerprint, not just a 2-D image. I can't see any part of the asserted hack that satisfies that requirement, so it will be interesting to see if this proves to be real.

 

Yes, this is the part that confused me. Given the way the touch id is supposed to work then I'm not sure how that can produce a successful reading, unless the part about reading the subdermal layer is simply to ensure that the finger is alive.

 
While I'm sure that CCC is not making this up, I'm not that sure how relevant it is.
 
To begin with, the equipment and effort required is beyond just about every casual  out most iPhone users will ever encounter.
 
Secondly, this experiment suffers from the same problem that most of the these sensationalist demonstrations seem to exhibit: It relies on conditions that have to be rigged to work, assumptions on user behaviour, and no consideration to what happens after the exploit has been executed.
 
Lifting a fingerprint from a glass or a window is great, but I'm not sure how many thieves are going to be following a user around to take his fingerprint. Lifting it from a stolen phone? I'd be surprised if you could lift a clean fingerprint from the button of any iPhone; the home button sees a lot of action, and any print on it will be pretty messy.  Could you lift a good one from the case? Possibly, though lots of fingerprints will overlap, others will be smudged through use and riding around in pockets. Still, that is possible.
 
The experiment didn't state how long this whole process took. Judging from the write-up, I think someone would have ample time to wipe the phone before it could be cracked. 
 
It also seems that a lot of folk are gleefully clapping their hands screaming, "Apple failz!" – but I'm not sure they have just yet. Seems to me that they have cautiously released this into the wild, limiting what you can do with it.  I guess folk could buy stuff from the Apple Store, but as far as I can tell, you still need to use your AppleId and password to change delivery addresses or make any other changes to the account that would be useful to a thief. 
 
Chances are Apple will be looking carefully at this experiment and seeing how it plays out in the real world, and at the same time they'll be thinking about how to make it secure enough for online shopping without making the whole thing so inconvenient that folk won't want to use it. Perhaps they could require a second finger-print for monetary transactions: read finger1 and finger2 with no more than a two second gap. 
 
As you say, it will be interesting to see how this plays out.
post #206 of 319
Quote:
Originally Posted by mr O View Post
 

What about having an eye scan using the FaceTime camera instead?

 

This way apple could get rid of the home/fingerprint button?

 

Apple is looking for a system that is convenient so folk have to use it. 

 

So, to unlock my phone, I have to tap the screen to crank up the camera then stand perfectly still with the phone about an inch from my face while it takes the scan.

 

I'm also not sure that the camera that the front camera is going to be good enough to make that work.

post #207 of 319
Quote:
Originally Posted by Ramrod View Post
 

 

Haha, what tool you are. Typical Apple apologist. Grow a pair and start thinking for yourself otherwise leave. You see, other phones like the Lumia 920 or GS4 would allow you to use your phone with your gloves on.

 

Or rather than getting an inferior phone, I could just buy a different pair of gloves:

 

http://www.macworld.com/article/1156543/touchscreen_gloves_review.html

post #208 of 319
Quote:
Originally Posted by 1983 View Post

Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't all that secure! Their finger-print sensor now is nothing more than a convenient way for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this. This is something they should of looked into before purchasing AuthenTec in the first place. I remember at the time it was a rather rushed purchase - they maybe paying the price for that now. I wonder how Apple's damage control is going to handle this?

Apple is touched by your concern for their image. /s

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
Reply
post #209 of 319

Is it choice of administration of Appleisider to end up as a gossip site?

post #210 of 319

What about combining the fingerprint sensor with the facetime camera? The facetime camera can make use of the face recognition software from iPhoto?

 

The next iPhone should be called MI6 ;) Just joking, here's hoping for "iPhone" and "iPhone mini".

post #211 of 319
Ah well, if you want to increase the difficulty to get your fingerprint, just use a left-hand finger if you are right-handed (and visa-versa) to unlock your iPhone.
And/or use your pinky with your iPhone and start drinking your beer like a snob with your pinky in the air ...
post #212 of 319
Omg not you too, macRUMORS posted this very misleading vid..,and you have a very misleading headline stating "established" when this is only a CLAIM, and, especially, very sketchy, not confirmed. You are adding credibility to a fear tactic. I'm about to dump all these crappy Mac forums, need to find one that doesn't post stupid crap like this just to get hits on your website. Ugh.

iOS 7's new Activation Lockout feature invalidates this B.S., if it were valid to begin with.
post #213 of 319
Well done hacker group in Germany. You have lived up to your reputation of being complete lifeless geeks.
post #214 of 319
Quote:
Originally Posted by Gatorguy View Post


True. There's already been at least one guy using his nipple to unlock his 5s, and another who used his nose. Even a cat's paw presumably works

 

Yeah, but they first taught the 5S to recognize that body part as their "fingerprint".

post #215 of 319
Quote:
Originally Posted by Secular Investor View Post

Apple have already explained that the Touch ID cannot be fooled by a 2-D image because the sub-epidermal image it creates is 3-D not 2-D.

Yet these Germans are claiming that a 2-D image on a thin transparent film fooled the Touch ID sensor
 

You must have missed the part where they put a layer of latex over the printed print and used that. So, it did require a certain level of thickness and not just a simple 2D printout.

post #216 of 319
Quote:
Originally Posted by Wings View Post

Yeah, but they first taught the 5S to recognize that body part as their "fingerprint".

Well of course.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #217 of 319
Quote:
Originally Posted by Wings View Post

You must have missed the part where they put a layer of latex over the printed print and used that. So, it did require a certain level of thickness and not just a simple 2D printout.

What i'm interested to know is whether a simple finger print lift from daily items that the user gets in contact with, provides enough data to create the 3D latex fingerprint copy
post #218 of 319
Despite claims to the contrary, Apple iPhone 5s with Touch ID is highly secure for the following reasons:
  • Touch ID requires a passcode for failback
  • The passcode is required after a reboot
  • The passcode is required after 48 hours of inactivity
  • The passcode is required after 5 failed authentication attempts
  • The owner can use Find my Phone to track the phone
  • The owner can use Remote Wipe
  • The iPhone provides fallback to Remote Wipe upon 10 unsuccessful authentication attempts
  • The iPhone provides fallback to iCloud account authentication after Remote Wipe
  • The iPhone has full disk encryption using 256 bit AES by default when a passcode is set
post #219 of 319

That $365,000,000 was rather a waste of money. I thought Apple would do something clever with the technology; such as the user having to tap in a pattern of four (or so) different prints in a sequence of their choosing which would result in a far more complex (and secure) lock.

 

P.s. If they didn't patent this idea I'm releasing it for free.

post #220 of 319

This isn´t pin vs. fingerprint though, as everyone is discussing. It´s password vs. fingerprint, as password is what I use to buy iTunes content with. Hopefully Apple can tweak it so it isn´t easily lifted, or they will have failure on their hands. Had high hopes for TouchID for future payment systems, this just cracked a huge hole in it.

post #221 of 319
Quote:
Originally Posted by Rayz View Post
 

To begin with, the equipment and effort required is beyond just about every casual  out most iPhone users will ever encounter.

 

 

Any scanner will do 2400x4800 scanning, and most laser printers can do 1200 dpi printing. That leaves the transparent laser printer media which I still have (used for the old-fashioned overhead-projector) and the woodglue. So no special equipment needed.

 

Note : They state a 2400dpi photograph, not scan... Don't know if that makes a difference.

post #222 of 319
Quote:
Originally Posted by hydr View Post

This isn´t pin vs. fingerprint though, as everyone is discussing. It´s password vs. fingerprint, as password is what I use to buy iTunes content with. Hopefully Apple can tweak it so it isn´t easily lifted, or they will have failure on their hands. Had high hopes for TouchID for future payment systems, this just cracked a huge hole in it.

No.

For approximately half of all iPhone users this is nothing versus authentication which is a vast improvement.

Apple could quickly and easily improve security for mobile payments and likely will.
post #223 of 319
Quote:
Originally Posted by ReiszRie View Post


What i'm interested to know is whether a simple finger print lift from daily items that the user gets in contact with, provides enough data to create the 3D latex fingerprint copy

 

Exactly! I doubt that very much. So if... and if at all, any of this claim is remotely true, this is a very valid point. Whenever I see some fingerprints on any surface, they tend to be smeared and after a lot of photoshopping, they would need to be run against a FP database to be verified and only after positive match you might have some confidence to have obtained a valid fingerprint. But what if the owner used the pinky to unlock his device (as some people here already suggested)? All that hell of a trouble for nothing.

So much to the title "Apple's iTouchID already bypassed.....".
 
Totally crap.
 
Anyhow apart from elevated security I am more exited about the advanced ease of use this feature implements into iOS7.
post #224 of 319

Now if someone steals my iPhone he would have to come back to get my fingerprint. Come on! of course he was able to crack it. He had all the time in the world to get the mold of his own finger. If someone steals your iPhone, he won't be able to unlock it unless he has a high resolution image of your fingerprint, and how the heck is he going to get it?

post #225 of 319
Damn it! Now I have to store my nuclear launch codes somewhere else!! lol
post #226 of 319
Quote:
Originally Posted by Bloodshotrollin'red View Post
 

That $365,000,000 was rather a waste of money. I thought Apple would do something clever with the technology; such as the user having to tap in a pattern of four (or so) different prints in a sequence of their choosing which would result in a far more complex (and secure) lock.

 

P.s. If they didn't patent this idea I'm releasing it for free.

 

This is a funny Idea with the 4 prints in a case where there is high security required. But to simply unlock my iPhone in a most convenient way one simple print is more secure than enough. It is certainly more secure then what 95% of iPhone users do right now.

post #227 of 319
Quote:
Originally Posted by markguam View Post

Damn it! Now I have to store my nuclear launch codes somewhere else!! lol

 

So we all have to assume, that you got your 5s already!

 
jealous!  :grumble:
post #228 of 319
Quote:
Originally Posted by markguam View Post

Damn it! Now I have to store my nuclear launch codes somewhere else!! lol

 

Yeah, I guess we're doomed somehow. 

:smokey:

 

 

post #229 of 319
As said previously the TouchID compliments and doesn't fully replace authentication on the iPhone.

Could someone take the time to go through and hack a computer? Sure... Could someone take the time to brute force a simple 10 character passcode on your iPhone? Yep.

A simple analogy to put in retrospect - putting a lock on your house's front door. Could someone pick the lock? Maybe. Could I easily break a window on the side of the house or kick down the door and come right in? Yea. It's another layer of security that deters theft. Just like what the TouchID is doing.

I don't understand why people are getting so heated on this. Any phone can be hacked one way or another if you have the right resources available. I don't see many folks going out and spending the time to rig up such a mock up unless they are determined thief or hacker.
post #230 of 319

I wonder what other body parts one can use as a finger print. First you have to know which body part was used to even have a shot at this.

post #231 of 319
Quote:
Originally Posted by lkrupp View Post
 

 

Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.

 

The technology within Touch ID is some of the most advanced hardware and software we've put in any device. To fit within the Home button, the Touch ID sensor is only 170 microns thin, not much thicker than a human hair. This high-resolution 500 ppi sensor can read extremely fine details of your fingerprint. The button itself is made from sapphire crystal—one of the clearest, hardest materials available. This protects the sensor and acts as a lens to precisely focus it on your finger. The steel ring surrounding the button detects your finger and tells Touch ID to start reading your fingerprint. The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. Touch ID then intelligently analyzes this information with a remarkable degree of detail and precision. It categorizes your fingerprint as one of three basic types—arch, loop, or whorl. It also maps out individual details in the ridges that are smaller than the human eye can see and even inspects minor variations in ridge direction caused by pores and edge structures. Touch ID can even read multiple fingerprints, and it can read fingerprints in 360-degrees of orientation. It then creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your iPhone. Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerprint data to improve matching accuracy over time. Touch ID uses all of this to provide an accurate match and a very high level of security.

 

Source: http://support.apple.com/kb/HT5949?viewlocale=en_US

post #232 of 319
Give me a break. If someone wants my content that badly then go for it. It is very unlikely for this to really happen to the average Joe. If you have stuff that is so important that they would go to this length to get at it then a 4 digit pin is not adequate either.

Even though I am not an expert on security I have to believe that this is still more secure than other options available today for the mass market.
post #233 of 319

There's an obvious missing element from the video: where did they get the fingerprint that was used to create the synthetic fake? The insinuation is that this could be done using fingerprints from the phone's touch surface, but my guess is that smudging and incomplete prints would make finding a complete print a  low probability. Also, it would require the fingerprint that unlocks the phone to come from hand that the user operates the touch screen with...which means the user could easily defeat the hack by locking the phone with a finger from the hand that they don't touch the screen with. 

post #234 of 319
Quote:
Originally Posted by lkrupp View Post
 

 

Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.

Here you have it:

http://support.apple.com/kb/HT5949?viewlocale=en_US

 

Use Ctrl+F (Windows) or Option/Alt + F (Mac) to search on the website and paste/write "subepidermal" and you'll find that Apple states this in the "About Touch ID security" text... What this VIDEO doesn't show, is that the "hacker group" hasn't scanned the finger beforehand, which quashes this claim (for now).

post #235 of 319
The idea of security is discourage break ins, not prevent them. The crackers just don't see how much work they went through, especially forgetting the odds of getting a good print. They've made a press release for the press.
post #236 of 319

This doesn't seem realistic, and the print capture is staged (and not shown).

 

There are several conveniently placed, well defined full finger prints visible on the glass of the phone in the video.  I'm assuming that these were used as the source of the print.  After all an iPhone thief would not likely have anything other than the phone to work from.

 

I could not replicate this level of print quality without purposely pressing my finger on the glass.  After normal use, I had a partial prints that looked nothing like the ones shown here.  Most of the normal prints were obscured by smudges as a result of moving my fingers.

 

This video show that it is possible to hack the sensor, but it hardly seem probable without an extremely clean source print.  As others have mentioned, I'd like to see someone using this technique with a print from a real-world device.

 

Without doing anything out of the ordinary, look at your phone right now.  Does it have a print that looks usable for a hack?

post #237 of 319

This is stupid - as others have said, the average criminal who steals your phone on the street, on the train, or picks it up if you lay it down - they will not have access to any of this and likely not have the know how. If a bunch of thieves hijack a shipment of phones, then this can come into play, but the street criminal - no. And even if they do, by time you hop on a computer to swipe it and use Find iPhone to have the police locate it, it's all for naught. This is a non-issue for 99% of the people out there.

post #238 of 319
Quote:
Originally Posted by GTR View Post

Okay, that's it.

Haha Androids the most hacked OS!!! Why would any one do that

TouchID on the iPhone has failed!

Everybody swap across to Android for security.

1wink.gif
post #239 of 319
Quote:
Originally Posted by AppleInsider View Post


"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can?t change and that you leave everywhere every day as a security token", said CCC spokesman Frank Rieger. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
 

 

Morons.  I suppose we should all start taking DNA samples of everyone we meet to make sure they're not impostors because their faces don't change and they're "left around everywhere they go" filmed by all the cameras everywhere.

post #240 of 319
I told you that it was easily bypassed and I was told I was a troll and needed to do research before posting, etc. Well, here it is... Biometric security is a joke.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • Apple's Touch ID already bypassed with established 'fake finger' technique
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique