Apple's Touch ID already bypassed with established 'fake finger' technique

11112141617

Comments

  • Reply 261 of 330

    The fact is, the same can't be done with passwords which is what most phones already use.

     

    A hacker can spend even 10 times the amount that he/she did on fingerprint duplication techniques with password cracking (using multiple GPUs) and will still not be able to crack my 8 character password in less than 3-10 tries after which, most systems would lock you out.

     

    Passwords > Fingerprints aka Touch ID = gimmick.

  • Reply 262 of 330
    Does anyone else think this guy has had too much caffeine?
  • Reply 263 of 330
    Quote:

    Originally Posted by DroidFTW View Post





    They released a part 2 video last night with two different people so there were different hands. The video would prove nothing to those here who are in denial.

     

    The second part, which isn't posted on their site by the way so not sure it is the same people, does nothing to dispel the questions from the 1st video. Need to see everything done in real time and from scratch. Doesn't answer the question is the other persons finger was already enrolled. Thus, the scanner is looking right through what is placed on the finger. Also, While the table looks the same, what is placed on the scanner is not. 1st video was a translucent latex piece and this is a black piece of plastic. Never show the bottom of it. If this is supposed to be a follow-up , why does it not using the same piece? 

     


    There is another thing as well, They do not show the bottom of the persons finger doing the initial scan in either case. How do you know there isn't something placed on his fingertip, which eliminates any detail like if you scanned you cat's paw or another body part. Thus, anything with lack of detail or minimal detail would unlock the phone. 
  • Reply 264 of 330
    Until they post a complete unedited video from start to finish it means nothing.

    Why keep arguing about which fingers were used or if he's shaking. Wait for the FULL video.
  • Reply 265 of 330
    mattd wrote: »
    The fact is, the same can't be done with passwords which is what most phones already use.
    A hacker can spend even 10 times the amount that he/she did on fingerprint duplication techniques with password cracking (using multiple GPUs) and will still not be able to crack my 8 character password in less than 3-10 tries after which, most systems would lock you out.
    Passwords > Fingerprints aka Touch ID = gimmick.

    Hey "MattD", is this another one of your accounts? The fact is a majority of users don't use the complex pass code and a lot of users don't even have a pass code set. The touch ID will make it so convenient for the owner to have a level of security without the annoyance of typing in a pass code.
  • Reply 266 of 330
    gqbgqb Posts: 1,934member
    Quote:
    Originally Posted by MacHarry de View Post



    OK,is it possible to return the new iPhone 5s to Apple until this hard issue is solved?

     

    Put it on eBay... you'll make a tidy profit and someone who isn't an idiot will get a great device that supports multi-factor authentication.

  • Reply 267 of 330
    drblankdrblank Posts: 3,383member
    mattd wrote: »
    The fact is, the same can't be done with passwords which is what most phones already use.
    A hacker can spend even 10 times the amount that he/she did on fingerprint duplication techniques with password cracking (using multiple GPUs) and will still not be able to crack my 8 character password in less than 3-10 tries after which, most systems would lock you out.
    Passwords > Fingerprints aka Touch ID = gimmick.

    If fingerprint ID is a gimmick, it's a good gimmick. It's a lot easier to use than typing in passwords and 4 character passwords as not very effective and I still accidently type even a 4 character password wrong, which takes more time to log in. The fingerprint ID was very quick and simple, I like it better, which is the bottom line.
  • Reply 268 of 330
    drblankdrblank Posts: 3,383member
    yoyo2222 wrote: »
    Does anyone else think this guy has had too much caffeine?

    I think he might have been on something a little stronger and possibly illegal than caffeine.
  • Reply 269 of 330
    Quote:

    Originally Posted by jungmark View Post





    Hey "MattD", is this another one of your accounts? The fact is a majority of users don't use the complex pass code and a lot of users don't even have a pass code set. The touch ID will make it so convenient for the owner to have a level of security without the annoyance of typing in a pass code.

     

    The Touch ID, I agree is convenient as it's faster than entering a password but it's NOT secure. In other words, not having any security is also convenient because the Touch ID is as good as not having any lock enabled.

     

    Passwords are secure which is why banks have been using them for years and would never implement a silly illusion such as this. How many videos have you seen of a password being cracked in under 10 attempts and how many years have passwords existed for? That's what I thought.

     


    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.


     


    The fact is, the majority of users don't need gimmicks. 
  • Reply 270 of 330

    They needed to show  negative responds on the finger that will be covered up with the fake print before unlocking. The touch sensor as it was explained, ignores dead skin (or thin latex?).  The illusion may be that the  middle finger was already trained and the device just simply ignore the latex. ....a good magic trick.  Anyway, we need independent confirmation.

  • Reply 271 of 330
    This is great news for the CIA. And the FBI. And Interpol.

    But for your average iPhone thief, it means nothing.
    More people will use longer and more complex passcodes on their iPhones.
    Touch ID doesn't eliminate the need for a passcode.
    You need to set up a passcode before using Touch ID in the first place.
  • Reply 272 of 330
    Okay, AI. Get right on the verification of this, okay? Surely you have some graphite dust or cyanoacrylate sitting around the office. And pull out that old photo editing software, and fire up your laser printer. And find some transparent sheets. Then go to the fridge for the pink latex milk -- that's where you keep it, right?-- or find your white wood glue. Now finish the process and report back.

    The fact is, our OS devices are stolen by junkies or meth heads, usually, and sold for pennies on the dollar. I'm guessing fingerprint labs aren't readily available to most people, nor do they care to make them available. Jeez, if thieves were capable of this kind of advance planning ( or "planning", as we call it in my country) they'd have straight jobs or be stealing something more lucrative than cell phones and tablets.

    Ask any thief whether he would prefer to break into a locked car or an unlocked car. This technology is a simple lock, that's all. But the best lock is the one you use...
  • Reply 273 of 330
    jfc1138jfc1138 Posts: 3,090member
    Quote:
    Originally Posted by MattD View Post

     

     

    The Touch ID, I agree is convenient as it's faster than entering a password but it's NOT secure. In other words, not having any security is also convenient because the Touch ID is as good as not having any lock enabled.

     

    Passwords are secure which is why banks have been using them for years and would never implement a silly illusion such as this. How many videos have you seen of a password being cracked in under 10 attempts and how many years have passwords existed for? That's what I thought.

     


    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.


     


    The fact is, the majority of users don't need gimmicks. 


     

    While the majority of thieves won't have a good original hi-res print to construct a fake from: rendering the entire "hack" demo irrelevant for the real world. Sure, anyone with a copy of my front door key can get in: that doesn't actually invalidate the concept of locked front doors being more secure than unlocked ones does it?

     


    I'd be interested in seeing, say, ten randomly selected from the real world phones all successfully broken into using this technique. It's possible real world phones never offer the high quality fingerprint necessary for the breaking: just like my locked door doesn't offer anyone a copy of my key to replicate.... might it may be that the defeat is as simple as smearing the fingerprint sensor after the successful unlock?: then the warning has had at least some use...


     


    ITRW few usable fingerprints are developed at crime scenes so who's to say whether real world phones ever have a good enough print to hi-tech extract and exploit?

     

    As to "gimmicks", the low penetration of any sort of passcode usage seems to contradict that. The "gimmick" of convenience is a reasonable argument.

  • Reply 274 of 330
    mattd wrote: »
    The Touch ID, I agree is convenient as it's faster than entering a password but it's NOT secure. In other words, not having any security is also convenient because the Touch ID is as good as not having any lock enabled.

    Passwords are secure which is why banks have been using them for years and would never implement a silly illusion such as this. How many videos have you seen of a password being cracked in under 10 attempts and how many years have passwords existed for? That's what I thought.
     
    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.
     
    The fact is, the majority of users don't need gimmicks. 

    Bullsh1t. The majority of 5S will use touch ID.

    Passwords can be easily obtained. Look at all the security breaches over the years. Since the fingerprint is stored locally, the only way you lose it is if you lose your iPhone too.

    Also you can socially engineer a password or phish for one too.

    No security system is ever flawless. I bet you say keys/locks on doors are gimmicks too because you can just break a window to bypass it.
  • Reply 275 of 330
    I can use any of my 10 fingers so which one are hackers going to guess at? I think I will use my middle finger, How about my toe or my one eyed snake?
  • Reply 276 of 330
    davendaven Posts: 628member

    I found this post on this subject on a news site. I couldn't have said it better.

     

    =======

     

    Jesus, some people are muppets.

     

    Phone thefts are on the whole opportunist crimes.

     

    How many people have the ability/desire or time to stalk you, get a clear print, steal your phone and create these fakes? Not many.

    How many phones are stolen by James Bond villains to get your secure data (bank details?) which of course you keep in a file marked 'BANK DETAILS' on your phone? About none.

     

    AFAIK, if they do go through this laborious process and hack into your phone via a fake fingerprint they STILL NEED YOUR PASSCODE to alter anything in order to make the phone useable. Otherwise the second it connects to the internet it will be disabled (presuming the owner disables it). There is no way around that. The phone is useless except as a source of information and it you are think enough to carry that info around with you on a device you deserve all you get.

     

    I used to laugh at the Apple fanbois but now the most hilarious bunch are the anti-apple brigade...

     

    ==========

  • Reply 277 of 330
    muppetrymuppetry Posts: 3,331member
    mattd wrote: »
    jungmark wrote: »
    Hey "MattD", is this another one of your accounts? The fact is a majority of users don't use the complex pass code and a lot of users don't even have a pass code set. The touch ID will make it so convenient for the owner to have a level of security without the annoyance of typing in a pass code.

    The Touch ID, I agree is convenient as it's faster than entering a password but it's NOT secure. In other words, not having any security is also convenient because the Touch ID is as good as not having any lock enabled.

    Passwords are secure which is why banks have been using them for years and would never implement a silly illusion such as this. How many videos have you seen of a password being cracked in under 10 attempts and how many years have passwords existed for? That's what I thought.
     
    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.
     
    The fact is, the majority of users don't need gimmicks. 

    Did you really just try to make the argument that Touch ID is no more secure than having no security at all?

    Also, fingerprint authentication is widely used as a security element in situations where high security is required. In conjunction with a single password it adds significant additional complexity to unauthorized access. For example, for protection of classified matter, we use it in combination with a badge swipe and a pass code, a triple requirement of possession of an item, knowledge of a passcode, and the physical presence of the authorized user.

    While each of those may be individually compromised, they each have their difficulties. In the case of the phone with fingerprint authentication, physical possession of the phone plus the correct fingerprint represent a double, rather than triple requirement, but even if the reported hack is real, that is still pretty secure, given the likelihood of someone having the resources and the incentive to pull off such a complex process. Much harder than just stealing a credit card, for example.
  • Reply 278 of 330
    Quote:
    Originally Posted by DaveN View Post

     

    AFAIK, if they do go through this laborious process and hack into your phone via a fake fingerprint they STILL NEED YOUR PASSCODE to alter anything in order to make the phone useable. Otherwise the second it connects to the internet it will be disabled (presuming the owner disables it). There is no way around that.


     

    Quote:
    Originally Posted by jungmark View Post



    Passwords can be easily obtained. Look at all the security breaches over the years. Since the fingerprint is stored locally, the only way you lose it is if you lose your iPhone too.



    Also you can socially engineer a password or phish for one too.

     

    You can only GUESS passwords using brute force or word lists (assuming the password is some easy to remember name/ word) or by using a key logging software. Fortunately, key logging software would not make it through to both the App store or Google Play.

     

    Passwords can't be hacked unless you can break encryption which is not possible in most cases as you'd need to be a genius to crack such encryption and if you can do so, you'd paid in hundred of thousands of dollars. This fingerprinting technique would cost a few hundred dollars to less than 2 grand meaning that, it can be easily bought by anyone.

     

     "you can socially engineer a password or phish for one too." - Social engineering and phishing only work on idiots who can't tell the difference between a real website and a fake one by looking at the URL bar and who are gullible enough to provide too much information over the phone to some "customer service rep". Fingerprint lifting can work on ANYONE and you can't change your fingerprint.

     

    The majority of thieves CAN afford the tools to hack your fingerprint but NOT your encrypted password which you can change and is a feature available on all smartphones.

     

    Quote:
    Originally Posted by DaveN View Post

     

    AFAIK, if they do go through this laborious process and hack into your phone via a fake fingerprint they STILL NEED YOUR PASSCODE to alter anything in order to make the phone useable. Otherwise the second it connects to the internet it will be disabled (presuming the owner disables it). There is no way around that.


     

    The point is about the fingerprint security by itself. Passwords, by themselves, can't be hacked.

     

    It does not make sense to spend a few hundred dollars more for a fingerprint scanner under the pretence of it being secure. Now people argue that it's more for convenience. My point is, not locking your phone at all is just as convenient.

  • Reply 279 of 330
    Quote:
    Originally Posted by muppetry View Post



    Also, fingerprint authentication is widely used as a security element in situations where high security is required. In conjunction with a single password it adds significant additional complexity to unauthorized access. For example, for protection of classified matter, we use it in combination with a badge swipe and a pass code, a triple requirement of possession of an item, knowledge of a passcode, and the physical presence of the authorized user.



    While each of those may be individually compromised, they each have their difficulties. In the case of the phone with fingerprint authentication, physical possession of the phone plus the correct fingerprint represent a double, rather than triple requirement, but even if the reported hack is real, that is still pretty secure, given the likelihood of someone having the resources and the incentive to pull off such a complex process. Much harder than just stealing a credit card, for example.

     

    So in your example, it's part of a COMBINATION of authentication techniques and my point is, by itself, it's useless. Also, if used as a combination with a pass code - you still have to enter the pass code which, them means that it's not more convenient. So, the whole purpose is defeated.

     

    Stealing a credit card sounds like fun except for the part where you need to enter a pin which is a software feature on the authentication server that could be added by merchants at anytime. You can't really do any upgrades to a fingerprint scanner. They've been the same over the years and now just have higher resolution.

     

    This "complex process" of breaking fingerprint authentication has been around for years and is 100 times less complex and cheaper than ATTEMPTING to break a password.

  • Reply 280 of 330

    Disappointing! I think I'm still gone have to remember my 20 random character password. Well, it was nice while the dream of never having to use another password lasted :(

Sign In or Register to comment.