I have some free time this afternoon, so I broke out the old statistics book. The probability of brute forcing any single iPhone assuming there are 50k different combinations in 5 tries is 0.0001 (0.01%). If our thief had a pool of iPhones to draw from, each individual attempt would be an independent experiment thus the number of devices required for success Is X~geom(0.0001). Now according to my calculations, in order for a thief to have even a 50% chance of success, he would need nearly 7000 iPhones.
Think about it. You are a thief with 7000 iPhones. Are you going to spend the time and energy trying to crack all these phones? And even if you did and you were lucky enough to win that coin toss, are you going to bother tracking down that one person whose fingerprint you now have on the off chance that he might have acquired a new device and placed new data on it? The answer to both questions is obviously no. No, the fact a fingerprint would be compromised for life is nothing to lose sleep over.
Better order some pizza... this is going to take a while. I still think the use of a mythical horned horse-like creature might be of some benefit.
I think that you would be really interested in some recent research that I have come across about crowds and citizen science.%u200B %u200BIn particular I feel you may find these two emerging pieces of research very relevant:
This seems unlikely to me based on descriptions of how the enclave works. Besides which how do you get the hacking software onto the device without physical or admin access?
Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave.
Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all.
It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.
Yap, but with more 3D printing with right components....
Many of you seem to be discussing two separate subjects. There is the question of how secure the system is in terms of getting into the phone, but there is also the question of hacking in to somehow remove the biometric data from the phone. I find the latter to be the more interesting question. With that said, Google, Microsoft, and others have in the past hosted events to boast about the strides made in the area of security, and all have also been the target of competitions hosted independently to put their security to the test. Apple is not the only target, though they have fared pretty poorly in these competitions and in government tests.
Shut this site down. There’s no way it’s legal. Put these morons in jail or something.
Lol, you cannot be serious. Show me a law in any state that says this is not "legal." So long as they have permission to use the property for the purpose of testing the security measures, there is nothing you or anyone else can (or should) be able to do about it.
Assuming someone can break the code, what can they do with it? get into your iTunes account or your iPhone? Unless there is a wide adoption of this fingerprint tech by apps, there are not much use for it.
Once your in the phone you have access to email. Once you have access to email you can start going through sites like amazon doing password resets and change your email address. They can also delete the emails these sites send out before you pick them up on another device.
So far all you know is that you've lost your phone. You didnt realise that the person who store your phone while you were drunk also took the glass you drunk from. Right now all your concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.
Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card thats been saved on multiple accounts.
I hope they cant hack the scanner, but the fact is most finger print scanners can be fooled.
Show me a law in any state that says this is not "legal." So long as they have permission to use the property for the purpose of testing the security measures, there is nothing you or anyone else can (or should) be able to do about it.
This is for general purpose hacking, not a single person’s.
Imagine a bank allowing someone to test the security of its outdoor ATM. Person does this, finds a flaw, tells the bank about it and how to fix it. Boom. That’s what YOU are saying, and that’s what is legal.
Now imagine this person just releases the flaw and its instructions publicly, stating that all models of this ATM should have the same flaw; have at it. That’s what this website is. That’s why it’s illegal.
Once your in the phone you have access to email. Once you have access to email you can start going through sites like amazon doing password resets and change your email address. They can also delete the emails these sites send out before you pick them up on another device.
So far all you know is that you've lost your phone. You didnt realise that the person who store your phone while you were drunk also took the glass you drunk from. Right now all your concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.
Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card thats been saved on multiple accounts.
I hope they cant hack the scanner, but the fact is most finger print scanners can be fooled.
I agree that in the past biometric sensors have been primitive, but the 5s has a state of the art sensor from the best sensor makers in the business. Everything I have read says that it only reads living tissue under the surface pattern of dead tissue, jus lifting a print from a glass would not be helpful in defeating the sensor.
I agree that in the past biometric sensors have been primitive, but the 5s has a state of the art sensor from the best sensor makers in the business. Everything I have read says that it only reads living tissue under the surface pattern of dead tissue, jus lifting a print from a glass would not be helpful in defeating the sensor.
Every fingerprint sensor at some point was state of the art, and I don't doubt its a lot harder to fool than previous sensors. But it ultimately has the flaw that there will be groups of people that want to get passed it.
Once someone does and I dont doubt they will, then its the worst form of security. Like the quote in the article says, you cant change your fingerprint. You also cant keep it a secret as you leave it behind on everything you touch.
Once your in the phone you have access to email. Once you have access to email you can start going through sites like amazon doing password resets and change your email address. They can also delete the emails these sites send out before you pick them up on another device.
So far all you know is that you've lost your phone. You didnt realise that the person who store your phone while you were drunk also took the glass you drunk from. Right now all your concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.
Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card thats been saved on multiple accounts.
I hope they cant hack the scanner, but the fact is most finger print scanners can be fooled.
You missed the part about creating a clone with the same exact finger print from the bar glass.
Every fingerprint sensor at some point was state of the art, and I don't doubt its a lot harder to fool than previous sensors. But it ultimately has the flaw that there will be groups of people that want to get passed it.
Once someone does and I dont doubt they will, then its the worst form of security. Like the quote in the article says, you cant change your fingerprint. You also cant keep it a secret as you leave it behind on everything you touch.
Like I said: the surface pattern left behind when you touch something is not what this sensor is reading. This is just BS spouted by a clown senator who doesn't know what the hell he is talking about.
Also, the fact that you can't change it is also irrelevant. If someone cracks your password it is already too late to change it. He is going to download the data from your device and do whatever he wants with it. In order to take advantage of the fact that he now has your "permanent password" he would have to track you down and steal whatever other device you have that uses touch ID.
Like I said at some point security stuff that is now insecure at one point was. There was a point where people thought you couldn't recreate a fingerprint for any scanner.
Now we're at a point where if you go to a security conference you get next to nobody selling fingerprint based solutions whereas 4 years ago 50% of the solutions were fingerprint based.
the senator may not have a clue what he's talking about, but he has managed to recite the main reason fingerprint scanners arn't used for a lot of things any more.
The photo isn't being used to bypass the sensor directly but your usual reporting style is expected. They used a high resolution scan of a fingerprint to make a rubber finger:
[VIDEO]
It may be possible to lift such a print from the phone and create a rubber finger from it but it's not as trivial as using a photo of a fingerprint. It's also not clear in that video whether they registered one of the other fingers but no doubt there will be further tests. When Android devices catch up and have sensors, I'm sure you'll be just as anxious to see them bypassed:
Comments
I have some free time this afternoon, so I broke out the old statistics book. The probability of brute forcing any single iPhone assuming there are 50k different combinations in 5 tries is 0.0001 (0.01%). If our thief had a pool of iPhones to draw from, each individual attempt would be an independent experiment thus the number of devices required for success Is X~geom(0.0001). Now according to my calculations, in order for a thief to have even a 50% chance of success, he would need nearly 7000 iPhones.
Think about it. You are a thief with 7000 iPhones. Are you going to spend the time and energy trying to crack all these phones? And even if you did and you were lucky enough to win that coin toss, are you going to bother tracking down that one person whose fingerprint you now have on the off chance that he might have acquired a new device and placed new data on it? The answer to both questions is obviously no. No, the fact a fingerprint would be compromised for life is nothing to lose sleep over.
Better order some pizza... this is going to take a while. I still think the use of a mythical horned horse-like creature might be of some benefit.
Google is using biometrics in Android and it was hacked in minutes.
Well its been minutes now. Heard anything?
As of 7:27 PM EST there's a big fat NO on the website.
I think that you would be really interested in some recent research that I have come across about crowds and citizen science.%u200B %u200BIn particular I feel you may find these two emerging pieces of research very relevant:
- The Theory of Crowd Capital
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2193115
- The Contours of Crowd Capability
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2324637
Powerful stuff!
This seems unlikely to me based on descriptions of how the enclave works. Besides which how do you get the hacking software onto the device without physical or admin access?
Even then, the enclave will not communicate with anything other than the hardware of the sensor itself, so you'd have to get software on the device that can somehow present itself as a fake hardware sensor and communicate with the enclave.
Even then, what you'd get out is a bunch of hashed encrypted data, not actual fingerprint images at all.
It would be easier to create a "fake finger" than it would be to hack into the enclave in the traditional manner of hackers.
Yap, but with more 3D printing with right components....
Should've offered quality porn.
Waste of Samsung's "Dirty Tricks Marketing Fund."
Or whatever it's internal name is.
Lol, you cannot be serious. Show me a law in any state that says this is not "legal." So long as they have permission to use the property for the purpose of testing the security measures, there is nothing you or anyone else can (or should) be able to do about it.
So far all you know is that you've lost your phone. You didnt realise that the person who store your phone while you were drunk also took the glass you drunk from. Right now all your concerned with is the fact you've lost your phone and trying to remember if you have phone insurance.
Unfortunately at the same time the guy who stole your phone is busy ordering stuff on your credit card thats been saved on multiple accounts.
I hope they cant hack the scanner, but the fact is most finger print scanners can be fooled.
This is for general purpose hacking, not a single person’s.
Imagine a bank allowing someone to test the security of its outdoor ATM. Person does this, finds a flaw, tells the bank about it and how to fix it. Boom. That’s what YOU are saying, and that’s what is legal.
Now imagine this person just releases the flaw and its instructions publicly, stating that all models of this ATM should have the same flaw; have at it. That’s what this website is. That’s why it’s illegal.
Source?
I agree that in the past biometric sensors have been primitive, but the 5s has a state of the art sensor from the best sensor makers in the business. Everything I have read says that it only reads living tissue under the surface pattern of dead tissue, jus lifting a print from a glass would not be helpful in defeating the sensor.
Once someone does and I dont doubt they will, then its the worst form of security. Like the quote in the article says, you cant change your fingerprint. You also cant keep it a secret as you leave it behind on everything you touch.
You need a new story.
Like I said: the surface pattern left behind when you touch something is not what this sensor is reading. This is just BS spouted by a clown senator who doesn't know what the hell he is talking about.
Also, the fact that you can't change it is also irrelevant. If someone cracks your password it is already too late to change it. He is going to download the data from your device and do whatever he wants with it. In order to take advantage of the fact that he now has your "permanent password" he would have to track you down and steal whatever other device you have that uses touch ID.
Now we're at a point where if you go to a security conference you get next to nobody selling fingerprint based solutions whereas 4 years ago 50% of the solutions were fingerprint based.
the senator may not have a clue what he's talking about, but he has managed to recite the main reason fingerprint scanners arn't used for a lot of things any more.
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
They're reportedly filming a better one that meets the specifics for collecting the bounty
Edit: Still waiting on final confirmation.
https://twitter.com/nickdepetrillo
The photo isn't being used to bypass the sensor directly but your usual reporting style is expected. They used a high resolution scan of a fingerprint to make a rubber finger:
[VIDEO]
It may be possible to lift such a print from the phone and create a rubber finger from it but it's not as trivial as using a photo of a fingerprint. It's also not clear in that video whether they registered one of the other fingers but no doubt there will be further tests. When Android devices catch up and have sensors, I'm sure you'll be just as anxious to see them bypassed:
http://www.trustedreviews.com/news/samsung-galaxy-note-3-will-feature-fingerprint-scanner-insiders-claim