Apple's Touch ID already bypassed with established 'fake finger' technique



  • Reply 161 of 330
    This video is misleading.

    Assuming that the screen for setting up a second finger is the same as the first...

    1. Notice he doesn't try the middle (unlocking) finger FIRST, to show that it CANNOT unlock the phone by itself.
    2. Thus, the film he puts on his finger could be anything, because the middle finger could already be set up to unlock. The phone unlocks because it might already be set up.

    And that doesn't even address if it's possible to get a complete enough print on a phone surface to photograph at the 2400dpi. Doubtful.

    Way too much NOT shown in this clip.

    Agreed. I thought the same thing when I saw this clip.
  • Reply 162 of 330
    Originally Posted by malax View Post



    The flaws are in steps 2 and 3.  First off, step 2 takes a ton of work and maybe you screw it up.  Then, more importantly, WTF leaves their phone behind when they go to the restroom?  Personally, I like to put my wallet, car keys, AND phone on the bar and leave them behind just to demonstrate my faith in humanity,


    Heck, I go to the bathroom to use my phone, because apparently it's rude to use it in front of other people. Lol.

  • Reply 163 of 330
    Originally Posted by Arlor View Post



    I think the concern is not so much about the phone as the data on it and the ability to spend money with the phone (if there's a wallet account linked to it). My phone's insured with a modest deductible; I suspect that a lot of people (albeit maybe not most) with phones this expensive have some form of insurance cover. But the insurance doesn't protect you against data or identity theft. This is especially a worry for people who are using their phone for corporate stuff. 


    I shouldn't act like this is not a security issue, others have said this, if you have reason to believe your phone was stolen, do a remote wipe. But consider this kind of theft takes time, even if a good print can be found on the phone itself (a screen protector probably solves this); take it to someone who knows how to do this and have the tools, lift a print, scan it, clean it up, print it etc. Meanwhile, find my iPhone (if its set up) can pinpoint the device the whole time. And the touch id "reset" is 48 hours right? So if its a random iPhone, its probably not easy to crack.


    I just cleaned my ipod and tried using an app, then looked at the finger prints left on, I mostly see smudged prints, there is one that is quite clear, but its not large, its the first deliberate tap to launch an app near a top corner (try it yourself!), don't know if its large enough, but the person who got hold of a phone will handle it too leaving their prints on, so its all a bit pro cracking touch id, takes some organizing to steal someone's phone and get inside it via touch id.
  • Reply 164 of 330
    Phone does not look like a 5
  • Reply 165 of 330
    ramrod wrote: »
    Honestly? Do you live in a bubble? WTF? Just because you're fine with not using gloves in the winter doesn't mean the rest of us are. The overwhelming population in North America alone (forget the rest of the world for a second) wears gloves in the winter. 
    And YES there are gloves out there that work with TOUCHSREENS (not just iPhones), but these gloves don't work with the Touch ID. That's what the discussion is. Are you so bent on wanting everyone to love the Touch ID that you could not see this point? One more time now, the point of mentioning gloves was to point out they do not work with the TOUCH ID. Can't believe I had to actually point this out. Dang!

    But what if I wear my mittens? What then?
  • Reply 166 of 330
    I'm with the skeptics. The putative method is clever, like a magic trick %u2013 bravo! %u2013 but I'd like to see it independently verified before believing it . The sensor is capacitative, not optical, so it seems unlikely that it works except with a perfect print, physical transfer, and thickness of PVA.

    The hackers aren't impartial: they are opposed to biometrics and (wrong-headedly) think that showing that it can be spoofed makes a case against it. (They should stick to jumping up and down about American-NSA phone-tapping in Germany etc., which is a REAL and pernicious threat to both personal and corporate security [ECHELON anyone?]).
  • Reply 167 of 330
    No Problem really.
    Don't use a finger... Use a knuckle on the back of any finger.
    Then a standard fingerprint impression won't unlock anything!
  • Reply 168 of 330
    jdwjdw Posts: 1,008member
    Originally Posted by Gatorguy View Post

    "Sub-dermal scanning" just refers to verifying the electrical activity that would be expected in live tissue. That way a plastic item or other "dead" object doesn't pass muster. If the CCC mock print isn't thin enough the electrical activity in the real finger underneath couldn't be read. That's the way I understand Authentec's tech anyway.


    Thanks for the explanation.  I had been thinking that the sensor could literally see physical features under the outer layer of skin, making it impossible to fake simply by using a copy of the external fingerprint.  But if that "sub-dermal" scanning is, as you say, merely confirming life itself, then there really isn't much that is special about this sensor at all, other than it's high resolution.

  • Reply 169 of 330
    Originally Posted by 1983 View Post



    Just go somewhere and relax, you rude zealot! I'm not going anywhere, and while I'm an Apple fan, I'm not going to shut up when they make the occasional mistake.


    What is the mistake?

  • Reply 170 of 330

    Originally Posted by malax View Post



    The flaws are in steps 2 and 3.  First off, step 2 takes a ton of work and maybe you screw it up.  Then, more importantly, WTF leaves their phone behind when they go to the restroom?  Personally, I like to put my wallet, car keys, AND phone on the bar and leave them behind just to demonstrate my faith in humanity,


    I don't even remember what pooping was like before smartphones.

  • Reply 171 of 330
    Originally Posted by pan101 View Post


    I do think it could be planned better than that. If I wanted to gain access to someone's email, Facebook or buy things on iTunes, etc. here's what could be done - would be easy for a work colleague/spouse/etc.:

    1. Get the fingerprint (I'm guessing it's going to be the thumb for 90% of people) from a glass or something else.

    2. Prepare the fake print (taking all the time you need)


    You can't take "all the time you need"  if the phone goes 48 hours without being unlocked, the password kicks in.  Nevermind the fact the owner can always do a remote wipe as well. 

  • Reply 172 of 330
    Originally Posted by Gatorguy View Post

    True. There's already been at least one guy using his nipple to unlock his 5s, and another who used his nose. Even a cat's paw presumably works


    But it only works on THE guy nipple? So what is your point?

  • Reply 173 of 330
    First, I can't believe that gomer going on and on about gloves—who are you, Scrooge McDuck? You wear spats, too?

    Secondly, anybody who thinks first AuthenTec and than Apple didn't try this technique six ways from Sunday...well, all I can say is I hear there's a really neat bridge for sale in New York.

    Thirdly, the sensor is reading the guy's print through the fake film print. It doesn't matter which finger he's using. The prints on your fingers aren't identical, but they're very, very similar. If you set up Touch ID with your index finger, I'll bet there's about a 95% chance your middle finger would work, too. Of course. 95% wasn't good enough for Apple—the Atrix's crummy reader probably worked 95% of the time—so they encourage you to register all the fingers you're going to use.

    To me it's very suspicious that they didn't register the thumb, which most people will use, probably because the size difference made it less likely that another finger would work.

    And lastly, this is Germany, where Apple-hatred is exceptionally virulent. I wouldn't give this propaganda piece a second thought.
  • Reply 174 of 330
    Originally Posted by Bishop of Southwark View Post

    These two bits in the article really undermine any pretence that AI is a balanced (or indeed sensible) publication:

    "In addition, a would-be thief would need access to the iPhone itself after the fake is produced."

    No kidding. But the same is true of getting past any security element - you to have a way to access a specific lock to pick it. Since we are talking about lock picking here, rather than getting around lock without opening it.

    "Also not taken into account is Apple's Find My iPhone app, which allows a lost or stolen phone to be wiped remotely. This leaves the window for breaking into the 5s very small, and would likely thwart all but the most dedicated criminals."

    What1?!? How about anyone who kept the iPhone it in a signal procf environment, or removed the SIM card, or ....

    Again Find My iPhone has no relevance to finger print security. It has relevance to overall iPhone security.

    The existance of Find My iPhone functionality will not deter anyone. The hastle of faking the print, that will deter casual people.

    This group are talking about the use of finger prints as a security method in general.

    Regardless of device.

    They are not talking about the security of the iPhone (as a collection of elements or in comparison to anything else).

    The article would be far more interesting and relevant without these two crackpot bits.

    Oh well, have to give up on AI for balance and sense....


    Me thinks you know nothing about a new Find My Phone feature in iOS 7.

  • Reply 175 of 330

    I think that it is curious that there is not more detail in the video, why they did not use a third party person to test the hacked fingerprint and why they needed to have the fingerprint on a translucent backing - stuck to a real finger. I think we need more proof. If they did this as they have depicted, it re-enforces that this can not be ultimate security for iPhone users.


    If they scammed us by a bogus video to take the prize money through a lie - well I think someone at Apple may want to mail some CCC fingers to the lab for further testing...


    Finally, what kind of idiot would post his fingerprint for the world to see, record, trace, use....?

  • Reply 176 of 330

    This test is not accurate.

    The sensor also senses for live tissue and scans sub-epidermal layer. If you use your finger with the high-resolution impression of your own fingerprint on a film (which is kind of weird because you might as well just use your finger) it is going to open alright. But if you use someone else's fingerprint, first of all it won't open because there is no live human tissue. If you place your finger on the back of the film, it will scan sub-epidermal layer as well, which will result in an incorrect scan.

  • Reply 177 of 330
    jfc1138jfc1138 Posts: 3,090member
    I want to see that replicated with a strangers phone just handed to them. Highly doubt it. Where would they get the hir-es fingerprint when they don't even know the owners identity, as would be the case with a stolen phone. Far more secure than a casually observable pin. Not that half of all phone users even bother with pins.
  • Reply 178 of 330
    Originally Posted by Taniwha View Post


    "It's not like Apple ever claimed touch id would work with gloves", no but they DO claim that it is highly secure, which now seems to be uncertain at best, and untrue at worst.


    So you can crack it now?

  • Reply 179 of 330
    Originally Posted by Tallest Skil View Post



    Are you really in any sort of position to be pulling this (perpetually meaningless) card?

    Reading his posts all I can say is yet another pimpled face Android teenager zealot joining AI. They're so full of THAT level of intelligence. :sigh:

  • Reply 180 of 330
    Originally Posted by Arlor View Post


    Alternatively, if they can lift the print right off the touch sensor itself, they can be sure to have the right print!


    Then why they didn't do that in the video? Why did they use glass? Are you assuming too much?

Sign In or Register to comment.