or Connect
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique
New Posts  All Forums:Forum Nav:

Apple's Touch ID already bypassed with established 'fake finger' technique - Page 8

post #281 of 319
Quote:
Originally Posted by muppetry View Post

They will do all that to achieve what, exactly? Make phone calls and download some apps and music from your iTunes account?

They'll have access to one's email which could lead to access to bank accounts, online shopping accounts, etc...
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #282 of 319
Quote:
Originally Posted by dasanman69 View Post

Quote:
Originally Posted by muppetry View Post

They will do all that to achieve what, exactly? Make phone calls and download some apps and music from your iTunes account?

They'll have access to one's email which could lead to access to bank accounts, online shopping accounts, etc...

If your emails contain the passwords to access your financial accounts then you probably need to completely rethink your security posture.
post #283 of 319
Quote:
Originally Posted by muppetry View Post

If your emails contain the passwords to access your financial accounts then you probably need to completely rethink your security posture.

They could request a password change and through the email change it. Someone could change your PayPal password and then send money to a account that they set up.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #284 of 319
Quote:
Originally Posted by jfc1138 View Post

Well that "competition" is very busy ridiculing itself eh? Motorola has one short memory... as the Atrix, IIRC, is the only cell that had a fingerprint tech unlock?

"Biometric security" via a fingerprint reader was a feature in HP iPaq's beginning in 2003.
http://pbdj.sys-con.com/node/42623
http://reviews.cnet.com/search-results/hp-ipaq-h5450-pocket/4505-5_7-20665470.html
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #285 of 319
Quote:
Originally Posted by KiltedGreen View Post
 
Quote:
Originally Posted by mstone View Post
 

Touch ID was designed to keep your wife from reading txt messages from your girlfriend while you are in the shower. If she suddenly orders a 2400 dpi laser film printer and a high resolution camera with a macro lens, then you might have something to worry about.

 

If I had a wife then I'd have something to worry about  :err: 

 

Having a wife has its good points for sure. I was just kidding about the girlfriend part. No, honestly, honey, I was just kidding, No, I was kidding. I never said I had a girlfriend... No, I didn't.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #286 of 319

this is still total FUD. their "fake finger hack" is easy to defeat conclusively.

 

maybe it has already been noted on this long thread, but you can easily use your index finger knuckle instead of finger tip as your Touch ID print. it's only slightly less ergonomic to do. and basically you do not leave your "knuckleprints" anyplace at all, anytime. certainly not on your phone. so the hackers would have nothing to start with they could ever make a copy of.

 

when are all the genius on the web going to figure this simple thing out?

post #287 of 319
Quote:
Originally Posted by MattD View Post



Here's another attempt to fill the void between your ears:

You can only GUESS passwords using brute force or word lists (assuming the password is some easy to remember name/ word) or by using a key logging software. Fortunately, key logging software would not make it through to both the App store or Google Play.

Passwords can't be hacked unless you can break encryption which is not possible in most cases as you'd need to be a genius to crack such encryption and if you can do so, you'd paid in hundred of thousands of dollars. This fingerprinting technique would cost a few hundred dollars to less than 2 grand meaning that, it can be easily bought by anyone.

 "you can socially engineer a password or phish for one too." - Social engineering and phishing only work on idiots who can't tell the difference between a real website and a fake one by looking at the URL bar and who are gullible enough to provide too much information over the phone to some "customer service rep". Fingerprint lifting can work on ANYONE and you can't change your fingerprint.

The majority of thieves CAN afford the tools to hack your fingerprint but NOT your encrypted password which you can change and is a feature available on all smartphones.


The point is about the fingerprint security by itself. Passwords, by themselves, can't be hacked.

It does not make sense to spend a few hundred dollars more for a fingerprint scanner under the pretence of it being secure. Now the iSheep argue that it's more for convenience. My point is, not locking your phone at all is just as convenient.

Perhaps you can shake those pebbles loose in your skull. Do tell me how they get a clean copy of my fingerprint after they take my phone in first place. Because really all thieves will use gloves and will be extra careful not to smudge any fingerprints on it too. And if I use my pinky finger, how would they get a copy of that. I don't touch my phone with it.
post #288 of 319
Quote:
Originally Posted by jungmark View Post

Perhaps you can shake those pebbles loose in your skull. Do tell me how they get a clean copy of my fingerprint after they take my phone in first place. Because really all thieves will use gloves and will be extra careful not to smudge any fingerprints on it too. And if I use my pinky finger, how would they get a copy of that. I don't touch my phone with it.

Ahh so you use the ol' 'cup of tea' grip? lol.gif
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #289 of 319
Quote:
Originally Posted by dasanman69 View Post

Ahh so you use the ol' 'cup of tea' grip? lol.gif

I'm fancy like that. The pinky holds the bottom of the phone like a shelf.
post #290 of 319
Quote:
Originally Posted by dasanman69 View Post
 
Quote:
Originally Posted by muppetry View Post

If your emails contain the passwords to access your financial accounts then you probably need to completely rethink your security posture.

They could request a password change and through the email change it. Someone could change your PayPal password and then send money to a account that they set up.

 

OK - this is getting silly and I'm rapidly losing interest in the discussion.  Does your bank let you change your password with just an email request and no further verification? None of mine do. Nor does Paypal - you need to provide extra security information in the form of answers to security questions.

post #291 of 319
Quote:
Originally Posted by jungmark View Post
 
And if I use my pinky finger, how would they get a copy of that. I don't touch my phone with it.

The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #292 of 319
Quote:
Originally Posted by mstone View Post

The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

Plus they have to check other people's finger prints and their own.
post #293 of 319
Quote:
Originally Posted by jungmark View Post
 
Quote:
Originally Posted by dasanman69 View Post

Ahh so you use the ol' 'cup of tea' grip? lol.gif

I'm fancy like that. The pinky holds the bottom of the phone like a shelf.

 

Lots of people used to hold BlackBerrys like that and inadvertently cover the ridiculously placed microphone hole.

post #294 of 319
Quote:
Originally Posted by jungmark View Post
 
Quote:
Originally Posted by mstone View Post

The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

Plus they have to check other people's finger prints and their own.

Yeah it is not like any of the finger prints found on the phone are going to be pristine, more likely overlapping and smudged.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #295 of 319
Quote:
Originally Posted by muppetry View Post

OK - this is getting silly and I'm rapidly losing interest in the discussion.  Does your bank let you change your password with just an email request and no further verification? None of mine do. Nor does Paypal - you need to provide extra security information in the form of answers to security questions.

Many will send a text to verify a password change. I agree that it's far fetched but if it happens once it is one time too many.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #296 of 319
Quote:
Originally Posted by mstone View Post

The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

I agree, the most successful 'hack' will be when a significant other takes the phone and places the home button under the finger of their sleeping mate.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #297 of 319
Quote:
Originally Posted by dasanman69 View Post
 
Quote:
Originally Posted by muppetry View Post

OK - this is getting silly and I'm rapidly losing interest in the discussion.  Does your bank let you change your password with just an email request and no further verification? None of mine do. Nor does Paypal - you need to provide extra security information in the form of answers to security questions.

Many will send a text to verify a password change. I agree that it's far fetched but if it happens once it is one time too many.

 

They all seem to send an email or text to warn/verify, but that is in addition to requiring more than just access to the account holder email. With PayPal, for example, you can request a password change, but that just locks the account completely until you go to their website and provide additional verification data. Once you do that successfully, the password is changed and a notification email is sent.

 
Anything less than that is negligently insecure on the part of the financial institution, and not in any way a downside to fingerprint authentication on the phone. If this were a serious issue then imagine the number of compromised accounts due to the theft rate of completely unsecured smartphones.
post #298 of 319
Quote:
Originally Posted by dasanman69 View Post
 
Quote:
Originally Posted by mstone View Post

The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

I agree, the most successful 'hack' will be when a significant other takes the phone and places the home button under the finger of their sleeping mate.

 

Maybe, but many significant others will already know the existing passcode to unlock the phone anyway.  I'll bet this turns out to be another very infrequent occurrence.

post #299 of 319
Quote:
Originally Posted by dasanman69 View Post


LG also has a phone coming out with a fingerprint scanner and the rumor is that HTC will as well, but it was fingerprint scanners in general that were ridiculed.

 

Hey that actually makes more sense! So Motorola's promoted Tweets poking at the fingerprint tech was a pre-emptive move against they're more probable competitors? I'm still going to keep responding to them with mean tweets of my own. I really hate getting stuff from people I don't follow.

post #300 of 319

Near perfect circumstances? You've only seen the beginning... Biometric security isn't secure.

post #301 of 319
Unlocking the iPhone with a staged print - perfect print and they know this is the exact fingerprint that they need - is like telling someone which four numbers I use in my unlock code and seeing if they can unlock my iPhone. I'll say it's hacked when they do this in the wild. Until then this is just technological stage magic. Nothing to see here, move along.

We've always been at war with Eastasia...

Reply

We've always been at war with Eastasia...

Reply
post #302 of 319
Quote:
Originally Posted by diplication View Post

Unlocking the iPhone with a staged print - perfect print and they know this is the exact fingerprint that they need - is like telling someone which four numbers I use in my unlock code and seeing if they can unlock my iPhone. I'll say it's hacked when they do this in the wild. Until then this is just technological stage magic. Nothing to see here, move along.

 

Assuming there will be 100+ million TouchID devices in the nearest future, I expect affordable DIY kits to be available on eBay. 

post #303 of 319
This is so stupid. I mean, what homeless, drug-addicted, thief is going to go through the hassle of this process to unlock a stolen iPhone? Who cares if this method is successful? Unless you have extremely sensitive, private information and are a target of spies, you really shouldn't worry about this hack.

There's a difference between something being possible and something being worth doing.
post #304 of 319
Point is professional hackers can hack anyways (many ways) and unprofessional would not be able to reproduce these steps, and Apples main goal (at least for now) is not for added security, just improved.
post #305 of 319
Quote:
Originally Posted by jason98 View Post

Assuming there will be 100+ million TouchID devices in the nearest future, I expect affordable DIY kits to be available on eBay. 
I believe you may have missed my point. This is unlocking done when you hand them the keys.
They started with a perfect print. They knew where to look for it. They knew whose print it was. They didn't have to throw out other prints from other people. They didn't have to throw other prints from the other fingers of the correct person. When you give someone so many unnatural advantages, yes they will succeed. Like I said, if I tell you all four digits of my passcode, chances are you will succeed.

We've always been at war with Eastasia...

Reply

We've always been at war with Eastasia...

Reply
post #306 of 319

Apple can and will implement a fix for this hack that will render it useless and can be applied to the existing hardware with an update.

 

All the best.

Where are we on the curve? We'll know once it goes asymptotic!
Reply
Where are we on the curve? We'll know once it goes asymptotic!
Reply
post #307 of 319

Now that the hack has been independently confirmed by a number of sources and new videos published by Starbug I think it is fair to summarize the results.

 

1. The Apple implementation can be circumvented by trivial methods which have been known for many years and do not require any sophisticated special technology. Everything that is needed is readily available to millions of people.

2. In comparison with other fingerprint authentication technology, the Apple implementation does not offer a significantly higher level of security.

3. It is not sensible to think of this particular implementation as being highly secure in any reasonable interpretation of the words.

4. It is nevertheless a convenience gimmick that may be welcome by some users and is probably marginally more secure than nothing at all.

 

In my view the value of the hack is simply to make people aware that the advertized level of security and the claims associated with this, is substantially lower than people were led to believe.

 

The practical effect is simple. If one wrongly believes a particular technology or process is "highly secure" one will tend to act differently and make different assumptions in relation to security requirements than one would do knowing that the security is not high.

 

Simple really. If I know the lock on my car door is broken, I do not leave the car unattended on the roadside. I park it in a locked and/or secure parkhouse or garage. Sensible iPhone users will modify their behaviour knowing that the device is not highly secure. To me that is the take-home message, and Starbug needs to be congratulated for making this public and breaking the hype !

post #308 of 319
Quote:
Originally Posted by IQatEdo View Post
 

Apple can and will implement a fix for this hack that will render it useless and can be applied to the existing hardware with an update.

 

All the best.

 

...and yes, there is no sarcasm tag in my post because it wasn't sarcastic but my take on a near future eventuality. :)

Where are we on the curve? We'll know once it goes asymptotic!
Reply
Where are we on the curve? We'll know once it goes asymptotic!
Reply
post #309 of 319
Quote:
Originally Posted by canucklehead View Post

This is so stupid. I mean, what homeless, drug-addicted, thief is going to go through the hassle of this process to unlock a stolen iPhone? Who cares if this method is successful? Unless you have extremely sensitive, private information and are a target of spies, you really shouldn't worry about this hack.

There's a difference between something being possible and something being worth doing.

 

almost all hacks are this.   Most people don't need to worry about their yahoo account password, either.  But some do.  Caveat Emptor.

 

But, I don't think homeless, addicts are the threat... if anything they are the mules who are paid $50 to 'steal' phones.  But if it's a targetted attack ("I got a good fingerprint at my fake ATM system... now... go roll that guy in the blue hat and white jacket and bring me his iPhone... I want the rest of his money")  

 

Until someone does a 'vulcan mind meld' to copy an iPhone 5s 'over the air'  I'm less concerned about this hack, as the process of getting a good fingerprint, building it up, and applying it to MY phone is (if I'm conscious and not under bad guys control) longer than the time it takes to become aware of the loss of my phone and disabling it remotely.

 

The fact that it requires you to put a code to lock your phone is 99% better than the status quo and unlocking with a device lockec fingerprint is a ease of use step up for real security.... (me with an 8character 3 screen password, because of work requirements).

 

Apple will improve... hopefully in SW, but in future iterations...  But for now... this is better than every other phone/tablet out there.

post #310 of 319
I like to see them try this with a random phone or two after it being used for a while, Not one that was staged.
post #311 of 319
The complete video of the fingerprint spoof is here:
http://vimeo.com/75324765

Pretty much answers every doubt expressed in the thread and looks legit.

Tried embedding the video but it didn't like it.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #312 of 319
Quote:
Originally Posted by ruel24 View Post

I told you that it was easily bypassed and I was told I was a troll and needed to do research before posting, etc. Well, here it is... Biometric security is a joke.

I will correct your statement for you.

Biometric security has some issues like all forms of information security.
post #313 of 319
Quote:
Originally Posted by MattD View Post

The Touch ID, I agree is convenient as it's faster than entering a password but it's NOT secure. In other words, not having any security is also convenient because the Touch ID is as good as not having any lock enabled.

Passwords are secure which is why banks have been using them for years and would never implement a silly illusion such as this. How many videos have you seen of a password being cracked in under 10 attempts and how many years have passwords existed for? That's what I thought.
 
Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.
 
The fact is, the majority of users don't need gimmicks. 

Passwords are not secure.
post #314 of 319
Quote:
Originally Posted by MattD View Post

 
Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.

It may be marketing talk, but it's not coming from Apple. The problem is with sites that read more into "subdermal scanning" than what it really is. Apple never claimed it required live tissue or was any kind of new way to recognize a print. A bunch of folks simply assumed that. All it's really doing is looking beneath the top layer of skin for a clearer image of the fingerprint ridges. The top layer might have ridges filled with dirt or other debris and not be recognized as reliably.

The hack doesn't prove that iTouch doesn't scan sub layers of your skin. It just proves that a whole lotta blogs and commenters didn't know what it was. Tech-speak can make it sound like magic.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #315 of 319
Quote:
Originally Posted by Gatorguy View Post

Quote:
Originally Posted by MattD View Post

 
Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.

It may be marketing talk, but it's not coming from Apple. The problem is with sites that read more into "subdermal scanning" than what it really is. Apple never claimed it required live tissue or was any kind of new way to recognize a print. A bunch of folks simply assumed that. All it's really doing is looking beneath the top layer of skin for a clearer image of the fingerprint ridges. The top layer might have ridges filled with dirt or other debris and not be recognized as reliably.

The hack doesn't prove that iTouch doesn't scan sub layers of your skin. It just proves that a whole lotta blogs and commenters didn't know what it was. Tech-speak can make it sound like magic.

I still disagree with your description of how it works. The key feature is that it uses the perturbation of a quasi-static planar electric field to construct a 3D image the first conductive subdermal layer. That makes it impossible to spoof with a 2D fingerprint image, and led to the interesting technique used in the hack - thick toner setting to recreate a 3D structure and then use of a conductive overlay to create a suitable conductive layer.

Though that did apparently work to fool the authentication system, I doubt that we will ever hear much of this method used in the wild. Too much effort - especially acquiring a good enough print of the correct finger - to make it worth the effort.
post #316 of 319
Quote:
Originally Posted by Gatorguy View Post

The complete video of the fingerprint spoof is here:
http://vimeo.com/75324765

Pretty much answers every doubt expressed in the thread and looks legit.

Tried embedding the video but it didn't like it.

 

Yes, it looks legit if the thief is willing to set up a small factory to scan the fingerprint (assuming there's a good one on the phone), process the image using software, transfer it to a PCB board, "develop" the PCB board, apply the glue and create the fake fingerprint.     AND...they have to do all that before the original owner goes to "Find my iPhone" and shuts down the phone.     Doesn't sound very practical to me.   You know what?   Anyone who has the intelligence and capacity to set all that up isn't going to steal my phone because they either already have a viable business or a decent job.    Most phones are stolen by addicts looking for quick cash for a quick fix or kids looking for quick cash.  

 

I suppose if the phone used an optic scan instead of a fingerprint, people would complain that thieves could cut out your eyeball and use that. 

 

My apartment can be broken into if someone sneaks past the security guard with a very large crowbar, has a large device that completely silences the sound of using a crowbar on a steel door, punches the lock out, takes all my stuff without making noise that the neighbors would notice, gets out of the building without attracting the notice of the security guard even though that's the only way out at night, etc.  But my building was built in 1954 and except for one inside job, there has never been a robbery in this building.   

 

The complaints about this remind me of clients who come up with software use case tests like, "Well if it's a blue moon on a Thursday on a Jewish holiday and it's between 90 and 92 degrees and if you turn yourself around three times and accidentally press the 6 key before pressing Enter, the screen scrolls incorrectly, but not all the time.....how come you didn't catch that?"

 

The purpose of biometric scanning is to simply keep nosy people from looking at what's on your phone without you having to punch in four digits each time.    That's all it's for.   End of story.    On my iPhone5, I don't even use a passcode because I trust my co-workers and the phone is always in my pocket anyway.    If it's lost or stolen, I'll go online and shut it down.    Being able to use a fingerprint to access the phone would be a big step up for me and I look forward to having such a feature in my next phone.      

post #317 of 319
Quote:
Originally Posted by zoetmb View Post

Yes, it looks legit. . . The purpose of biometric scanning is to simply keep nosy people from looking at what's on your phone without you having to punch in four digits each time.    That's all it's for.   End of story.    On my iPhone5, I don't even use a passcode because I trust my co-workers and the phone is always in my pocket anyway.    If it's lost or stolen, I'll go online and shut it down.    Being able to use a fingerprint to access the phone would be a big step up for me and I look forward to having such a feature in my next phone.      

I completely agree. The fingerprint scanner is a great addition IMO and as soon as Android or Windows users have it they'll think so too.

As shown by the comments in this thread showing serious doubts that it could be done there were a lot of misconceptions about just how it worked and the level of security it provides. Way too much misinformation was floating around about iTouch, the technology it used, and how it worked on iPhones. There's no serious doubt that it adds to the value of your iPhone tho.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #318 of 319

The video does not completely show a successful hack.  In order for this hack to be 100 percent they need a good print of all ten fingers,  and it still does not guarantee success.  Let me explain:

 

1.  I notice that IOS7 allow 5 attempts before asking you to enter your passcode.

2.  If the phone is turned off (to stop GPS location or remote wipe)  IOS7 will asked you for the pass code after power up.  

 

 

 

Several interesting point about the technique used crate the fake finger print:

1.  The print is scanned directly from the phone.  It is not lifted.  I assume this will provide the best print. There was only one perfectly placed print.  

2.  they used a PCB photo etching process to created a deeper "3d" mold of the print.  A specialized skill set.

3. They use some sort of conductive paint to simulate human skin.  Can you buy that anywhere?

4.  In the video it look like the hacker took several attempts using the same fake print.  So each miss scan would  reduce from the maximum count.

 

Because of the maximum of 5 attempt permitted by IOS7 the hacker has a small window of opportunity, so each step must be exact because each miss step reduces the chance of success.  The phone can't be turned off, just incase the user decide to remote wipe.  So the video should include a Faraday cage just to be safe.  

 

I only trained one finger and only on the tip where I do not use for grip.  There should be multiple prints, one on top of another on my home button. That where a useful will be left.  I am sure that some hacker will come up with a vision software to extract  a good print sometime in the future.  The rest of the prints on the  phone should be useless.  

 

So I have the hacker to thank for showing me the hack, so now I can use that information to guard against it.  Keep up the good work!

post #319 of 319
Quote:
Originally Posted by zid1977 View Post

So I have the hacker to thank for showing me the hack, so now I can use that information to guard against it.  Keep up the good work!

That's why he did it.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • Apple's Touch ID already bypassed with established 'fake finger' technique
AppleInsider › Forums › Mobile › iPhone › Apple's Touch ID already bypassed with established 'fake finger' technique