Apple's Touch ID already bypassed with established 'fake finger' technique


Comments

  • Reply 301 of 330
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by jungmark View Post

     
    And if I use my pinky finger, how would they get a copy of that. I don't touch my phone with it.


    The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

  • Reply 302 of 330
    jungmark Posts: 6,926 member
    mstone wrote: »
    The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

    Plus they have to check other people's finger prints and their own.
  • Reply 303 of 330
    muppetry Posts: 3,331 member
    Quote:
    Originally Posted by jungmark View Post

     
    Quote:
    Originally Posted by dasanman69 View Post



    Ahh so you use the ol' 'cup of tea' grip?




    I'm fancy like that. The pinky holds the bottom of the phone like a shelf.

     

    Lots of people used to hold BlackBerrys like that and inadvertently cover the ridiculously placed microphone hole.

  • Reply 304 of 330
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by jungmark View Post

     
    Quote:
    Originally Posted by mstone View Post



    The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.




    Plus they have to check other people's finger prints and their own.

    Yeah it is not like any of the finger prints found on the phone are going to be pristine, more likely overlapping and smudged.

  • Reply 305 of 330
    muppetry wrote: »
    OK - this is getting silly and I'm rapidly losing interest in the discussion.  Does your bank let you change your password with just an email request and no further verification? None of mine do. Nor does Paypal - you need to provide extra security information in the form of answers to security questions.

    Many will send a text to verify a password change. I agree that it's far fetched but if it happens once it is one time too many.
  • Reply 306 of 330
    mstone wrote: »
    The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.

    I agree, the most successful 'hack' will be when a significant other takes the phone and places the home button under the finger of their sleeping mate.
  • Reply 307 of 330
    muppetry Posts: 3,331 member
    Quote:

    Originally Posted by dasanman69 View Post

     
    Quote:

    Originally Posted by muppetry View Post



    OK - this is getting silly and I'm rapidly losing interest in the discussion.  Does your bank let you change your password with just an email request and no further verification? None of mine do. Nor does Paypal - you need to provide extra security information in the form of answers to security questions.




    Many will send a text to verify a password change. I agree that it's far fetched but if it happens once it is one time too many.

     

    They all seem to send an email or text to warn/verify, but that is in addition to requiring more than just access to the account holder email. With PayPal, for example, you can request a password change, but that just locks the account completely until you go to their website and provide additional verification data. Once you do that successfully, the password is changed and a notification email is sent.

     


    Anything less than that is negligently insecure on the part of the financial institution, and not in any way a downside to fingerprint authentication on the phone. If this were a serious issue then imagine the number of compromised accounts due to the theft rate of completely unsecured smartphones.
  • Reply 308 of 330
    muppetry Posts: 3,331 member
    Quote:

    Originally Posted by dasanman69 View Post

     
    Quote:

    Originally Posted by mstone View Post



    The hack as described is not at all easy to accomplish and they might need to process all ten fingers before they found a match. Not a likely scenario, to say the least. Perhaps there should be a time out after three successive failures.




    I agree, the most successful 'hack' will be when a significant other takes the phone and places the home button under the finger of their sleeping mate.

     

    Maybe, but many significant others will already know the existing passcode to unlock the phone anyway.  I'll bet this turns out to be another very infrequent occurrence.

  • Reply 309 of 330
    jfc1138 Posts: 3,090 member
    Quote:
    Originally Posted by dasanman69 View Post





    LG also has a phone coming out with a fingerprint scanner and the rumor is that HTC will as well, but it was fingerprint scanners in general that were ridiculed.

     

    Hey that actually makes more sense! So Motorola's promoted Tweets poking at the fingerprint tech was a pre-emptive move against their more probable competitors? I'm still going to keep responding to them with mean tweets of my own. I really hate getting stuff from people I don't follow.

  • Reply 310 of 330

    Near perfect circumstances? You've only seen the beginning... Biometric security isn't secure.

  • Reply 311 of 330
    Unlocking the iPhone with a staged print - perfect print and they know this is the exact fingerprint that they need - is like telling someone which four numbers I use in my unlock code and seeing if they can unlock my iPhone. I'll say it's hacked when they do this in the wild. Until then this is just technological stage magic. Nothing to see here, move along.
  • Reply 312 of 330
    Quote:
    Originally Posted by diplication View Post



    Unlocking the iPhone with a staged print - perfect print and they know this is the exact fingerprint that they need - is like telling someone which four numbers I use in my unlock code and seeing if they can unlock my iPhone. I'll say it's hacked when they do this in the wild. Until then this is just technological stage magic. Nothing to see here, move along.

     

    Assuming there will be 100+ million TouchID devices in the nearest future, I expect affordable DIY kits to be available on eBay. 

  • Reply 313 of 330
    This is so stupid. I mean, what homeless, drug-addicted, thief is going to go through the hassle of this process to unlock a stolen iPhone? Who cares if this method is successful? Unless you have extremely sensitive, private information and are a target of spies, you really shouldn't worry about this hack.

    There's a difference between something being possible and something being worth doing.
  • Reply 314 of 330
    Point is professional hackers can hack anyways (many ways) and unprofessional would not be able to reproduce these steps, and Apple's main goal (at least for now) is not for added security, just improved.
  • Reply 315 of 330
    jason98 wrote: »
    Assuming there will be 100+ million TouchID devices in the nearest future, I expect affordable DIY kits to be available on eBay. 
    I believe you may have missed my point. This is unlocking done when you hand them the keys.
    They started with a perfect print. They knew where to look for it. They knew whose print it was. They didn't have to throw out other prints from other people. They didn't have to throw other prints from the other fingers of the correct person. When you give someone so many unnatural advantages, yes they will succeed. Like I said, if I tell you all four digits of my passcode, chances are you will succeed.
  • Reply 316 of 330
    iqatedo Posts: 1,823 member

    Apple can and will implement a fix for this hack that will render it useless and can be applied to the existing hardware with an update.

     

    All the best.

  • Reply 317 of 330

    Now that the hack has been independently confirmed by a number of sources and new videos published by Starbug I think it is fair to summarize the results.

     

    1. The Apple implementation can be circumvented by trivial methods which have been known for many years and do not require any sophisticated special technology. Everything that is needed is readily available to millions of people.

    2. In comparison with other fingerprint authentication technology, the Apple implementation does not offer a significantly higher level of security.

    3. It is not sensible to think of this particular implementation as being highly secure in any reasonable interpretation of the words.

    4. It is nevertheless a convenience gimmick that may be welcome by some users and is probably marginally more secure than nothing at all.

     

    In my view the value of the hack is simply to make people aware that the advertized level of security and the claims associated with this, is substantially lower than people were led to believe.

     

    The practical effect is simple. If one wrongly believes a particular technology or process is "highly secure" one will tend to act differently and make different assumptions in relation to security requirements than one would do knowing that the security is not high.

     

    Simple really. If I know the lock on my car door is broken, I do not leave the car unattended on the roadside. I park it in a locked and/or secure parkhouse or garage. Sensible iPhone users will modify their behaviour knowing that the device is not highly secure. To me that is the take-home message, and Starbug needs to be congratulated for making this public and breaking the hype!

  • Reply 318 of 330
    iqatedo Posts: 1,823 member
    Quote:
    Originally Posted by IQatEdo View Post

     

    Apple can and will implement a fix for this hack that will render it useless and can be applied to the existing hardware with an update.

     

    All the best.


     

    ...and yes, there is no sarcasm tag in my post because it wasn't sarcastic but my take on a near future eventuality. :)

  • Reply 319 of 330
    Quote:

    Originally Posted by canucklehead View Post



    This is so stupid. I mean, what homeless, drug-addicted, thief is going to go through the hassle of this process to unlock a stolen iPhone? Who cares if this method is successful? Unless you have extremely sensitive, private information and are a target of spies, you really shouldn't worry about this hack.



    There's a difference between something being possible and something being worth doing.

     

    Almost all hacks are this. Most people don't need to worry about their yahoo account password, either. But some do. Caveat Emptor.

     

    But, I don't think homeless, addicts are the threat... if anything they are the mules who are paid $50 to 'steal' phones. But if it's a targeted attack ("I got a good fingerprint at my fake ATM system... now... go roll that guy in the blue hat and white jacket and bring me his iPhone... I want the rest of his money")

     

    Until someone does a 'vulcan mind meld' to copy an iPhone 5s 'over the air' I'm less concerned about this hack, as the process of getting a good fingerprint, building it up, and applying it to MY phone is (if I'm conscious and not under bad guys' control) longer than the time it takes to become aware of the loss of my phone and disabling it remotely.

     

    The fact that it requires you to put a code to lock your phone is 99% better than the status quo and unlocking with a device locked fingerprint is an ease of use step up for real security.... (me with an 8character 3 screen password, because of work requirements).

     

    Apple will improve... hopefully in SW, but in future iterations...  But for now... this is better than every other phone/tablet out there.

  • Reply 320 of 330
    I like to see them try this with a random phone or two after it being used for a while, not one that was staged.