Apple's Touch ID already bypassed with established 'fake finger' technique


Comments

  • Reply 321 of 330
    gatorguy Posts: 23,302 member
    The complete video of the fingerprint spoof is here:


    Pretty much answers every doubt expressed in the thread and looks legit.

    Tried embedding the video but it didn't like it.
  • Reply 322 of 330
    ruel24 wrote: »
    I told you that it was easily bypassed and I was told I was a troll and needed to do research before posting, etc. Well, here it is... Biometric security is a joke.

    I will correct your statement for you.

    Biometric security has some issues like all forms of information security.
  • Reply 323 of 330
    mattd wrote: »
    The Touch ID, I agree is convenient as it's faster than entering a password but it's NOT secure. In other words, not having any security is also convenient because the Touch ID is as good as not having any lock enabled.

    Passwords are secure which is why banks have been using them for years and would never implement a silly illusion such as this. How many videos have you seen of a password being cracked in under 10 attempts and how many years have passwords existed for? That's what I thought.
     
    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.
     
    The fact is, the majority of users don't need gimmicks. 

    Passwords are not secure.
  • Reply 324 of 330
    gatorguy Posts: 23,302 member
    mattd wrote: »
     
    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.

    It may be marketing talk, but it's not coming from Apple. The problem is with sites that read more into "subdermal scanning" than what it really is. Apple never claimed it required live tissue or was any kind of new way to recognize a print. A bunch of folks simply assumed that. All it's really doing is looking beneath the top layer of skin for a clearer image of the fingerprint ridges. The top layer might have ridges filled with dirt or other debris and not be recognized as reliably.

    The hack doesn't prove that iTouch doesn't scan sub layers of your skin. It just proves that a whole lotta blogs and commenters didn't know what it was. Tech-speak can make it sound like magic.
  • Reply 325 of 330
    gatorguy wrote: »
    mattd wrote: »
     
    Also, the video might not be a complete unedited version BUT it sure proves that the whole RF signal to check the sub epidermal layer beneath your skin is all marketing talk.

    It may be marketing talk, but it's not coming from Apple. The problem is with sites that read more into "subdermal scanning" than what it really is. Apple never claimed it required live tissue or was any kind of new way to recognize a print. A bunch of folks simply assumed that. All it's really doing is looking beneath the top layer of skin for a clearer image of the fingerprint ridges. The top layer might have ridges filled with dirt or other debris and not be recognized as reliably.

    The hack doesn't prove that iTouch doesn't scan sub layers of your skin. It just proves that a whole lotta blogs and commenters didn't know what it was. Tech-speak can make it sound like magic.

    I still disagree with your description of how it works. The key feature is that it uses the perturbation of a quasi-static planar electric field to construct a 3D image of the first conductive subdermal layer. That makes it impossible to spoof with a 2D fingerprint image, and led to the interesting technique used in the hack - thick toner setting to recreate a 3D structure and then use of a conductive overlay to create a suitable conductive layer.

    Though that did apparently work to fool the authentication system, I doubt that we will ever hear much of this method used in the wild. Too much effort - especially acquiring a good enough print of the correct finger - to make it worth the effort.
  • Reply 326 of 330
    zoetmb Posts: 2,602 member
    Quote:

    Originally Posted by Gatorguy

    The complete video of the fingerprint spoof is here:

    Pretty much answers every doubt expressed in the thread and looks legit.

    Tried embedding the video but it didn't like it.


    Yes, it looks legit if the thief is willing to set up a small factory to scan the fingerprint (assuming there's a good one on the phone), process the image using software, transfer it to a PCB board, "develop" the PCB board, apply the glue and create the fake fingerprint. AND...they have to do all that before the original owner goes to "Find my iPhone" and shuts down the phone. Doesn't sound very practical to me. You know what? Anyone who has the intelligence and capacity to set all that up isn't going to steal my phone because they either already have a viable business or a decent job. Most phones are stolen by addicts looking for quick cash for a quick fix or kids looking for quick cash.

    I suppose if the phone used an optic scan instead of a fingerprint, people would complain that thieves could cut out your eyeball and use that.

    My apartment can be broken into if someone sneaks past the security guard with a very large crowbar, has a large device that completely silences the sound of using a crowbar on a steel door, punches the lock out, takes all my stuff without making noise that the neighbors would notice, gets out of the building without attracting the notice of the security guard even though that's the only way out at night, etc. But my building was built in 1954 and except for one inside job, there has never been a robbery in this building.

    The complaints about this remind me of clients who come up with software use case tests like, "Well if it's a blue moon on a Thursday on a Jewish holiday and it's between 90 and 92 degrees and if you turn yourself around three times and accidentally press the 6 key before pressing Enter, the screen scrolls incorrectly, but not all the time.....how come you didn't catch that?"

    The purpose of biometric scanning is to simply keep nosy people from looking at what's on your phone without you having to punch in four digits each time. That's all it's for. End of story. On my iPhone5, I don't even use a passcode because I trust my co-workers and the phone is always in my pocket anyway. If it's lost or stolen, I'll go online and shut it down. Being able to use a fingerprint to access the phone would be a big step up for me and I look forward to having such a feature in my next phone.

  • Reply 327 of 330
    gatorguy Posts: 23,302 member
    zoetmb wrote: »
    Yes, it looks legit. . . The purpose of biometric scanning is to simply keep nosy people from looking at what's on your phone without you having to punch in four digits each time. That's all it's for. End of story. On my iPhone5, I don't even use a passcode because I trust my co-workers and the phone is always in my pocket anyway. If it's lost or stolen, I'll go online and shut it down. Being able to use a fingerprint to access the phone would be a big step up for me and I look forward to having such a feature in my next phone.

    I completely agree. The fingerprint scanner is a great addition IMO and as soon as Android or Windows users have it they'll think so too.

    As shown by the comments in this thread showing serious doubts that it could be done there were a lot of misconceptions about just how it worked and the level of security it provides. Way too much misinformation was floating around about iTouch, the technology it used, and how it worked on iPhones. There's no serious doubt that it adds to the value of your iPhone tho.
  • Reply 328 of 330

    The video does not completely show a successful hack. In order for this hack to be 100 percent they need a good print of all ten fingers, and it still does not guarantee success. Let me explain:

    1. I notice that iOS 7 allows 5 attempts before asking you to enter your passcode.

    2. If the phone is turned off (to stop GPS location or remote wipe), iOS 7 will ask you for the passcode after power up.

    Several interesting points about the technique used to create the fake fingerprint:

    1. The print is scanned directly from the phone. It is not lifted. I assume this will provide the best print. There was only one perfectly placed print.

    2. They used a PCB photo etching process to create a deeper "3d" mold of the print. A specialized skill set.

    3. They use some sort of conductive paint to simulate human skin. Can you buy that anywhere?

    4. In the video it looks like the hacker took several attempts using the same fake print. So each mis-scan would reduce from the maximum count.

    Because of the maximum of 5 attempts permitted by iOS 7 the hacker has a small window of opportunity, so each step must be exact because each misstep reduces the chance of success. The phone can't be turned off, just in case the user decides to remote wipe. So the video should include a Faraday cage just to be safe.

    I only trained one finger and only on the tip, which I do not use for grip. There should be multiple prints, one on top of another on my home button. That where a useful will be left. I am sure that some hacker will come up with a vision software to extract a good print sometime in the future. The rest of the prints on the phone should be useless.

    So I have the hacker to thank for showing me the hack, so now I can use that information to guard against it. Keep up the good work!

  • Reply 329 of 330
    gatorguy Posts: 23,302 member
    zid1977 wrote: »
    So I have the hacker to thank for showing me the hack, so now I can use that information to guard against it. Keep up the good work!

    That's why he did it.