Apple's Touch ID already bypassed with established 'fake finger' technique

11113151617

Comments

  • Reply 241 of 330

    I wonder what other body parts one can use as a finger print. First you have to know which body part was used to even have a shot at this.

  • Reply 242 of 330
    Quote:

    Originally Posted by lkrupp View Post

     

     

    Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.


     

    The technology within Touch ID is some of the most advanced hardware and software we've put in any device. To fit within the Home button, the Touch ID sensor is only 170 microns thin, not much thicker than a human hair. This high-resolution 500 ppi sensor can read extremely fine details of your fingerprint. The button itself is made from sapphire crystal—one of the clearest, hardest materials available. This protects the sensor and acts as a lens to precisely focus it on your finger. The steel ring surrounding the button detects your finger and tells Touch ID to start reading your fingerprint. The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. Touch ID then intelligently analyzes this information with a remarkable degree of detail and precision. It categorizes your fingerprint as one of three basic types—arch, loop, or whorl. It also maps out individual details in the ridges that are smaller than the human eye can see and even inspects minor variations in ridge direction caused by pores and edge structures. Touch ID can even read multiple fingerprints, and it can read fingerprints in 360-degrees of orientation. It then creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your iPhone. Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerprint data to improve matching accuracy over time. Touch ID uses all of this to provide an accurate match and a very high level of security.

     

    Source: http://support.apple.com/kb/HT5949?viewlocale=en_US

  • Reply 243 of 330
    Give me a break. If someone wants my content that badly then go for it. It is very unlikely for this to really happen to the average Joe. If you have stuff that is so important that they would go to this length to get at it then a 4 digit pin is not adequate either.

    Even though I am not an expert on security I have to believe that this is still more secure than other options available today for the mass market.
  • Reply 244 of 330

    There's an obvious missing element from the video: where did they get the fingerprint that was used to create the synthetic fake? The insinuation is that this could be done using fingerprints from the phone's touch surface, but my guess is that smudging and incomplete prints would make finding a complete print a  low probability. Also, it would require the fingerprint that unlocks the phone to come from hand that the user operates the touch screen with...which means the user could easily defeat the hack by locking the phone with a finger from the hand that they don't touch the screen with. 

  • Reply 245 of 330
    Quote:

    Originally Posted by lkrupp View Post

     

     

    Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.


    Here you have it:

    http://support.apple.com/kb/HT5949?viewlocale=en_US

     

    Use Ctrl+F (Windows) or Option/Alt + F (Mac) to search on the website and paste/write "subepidermal" and you'll find that Apple states this in the "About Touch ID security" text... What this VIDEO doesn't show, is that the "hacker group" hasn't scanned the finger beforehand, which quashes this claim (for now).

  • Reply 246 of 330
    The idea of security is discourage break ins, not prevent them. The crackers just don't see how much work they went through, especially forgetting the odds of getting a good print. They've made a press release for the press.
  • Reply 247 of 330
    kedakeda Posts: 722member

    This doesn't seem realistic, and the print capture is staged (and not shown).

     

    There are several conveniently placed, well defined full finger prints visible on the glass of the phone in the video.  I'm assuming that these were used as the source of the print.  After all an iPhone thief would not likely have anything other than the phone to work from.

     

    I could not replicate this level of print quality without purposely pressing my finger on the glass.  After normal use, I had a partial prints that looked nothing like the ones shown here.  Most of the normal prints were obscured by smudges as a result of moving my fingers.

     

    This video show that it is possible to hack the sensor, but it hardly seem probable without an extremely clean source print.  As others have mentioned, I'd like to see someone using this technique with a print from a real-world device.

     

    Without doing anything out of the ordinary, look at your phone right now.  Does it have a print that looks usable for a hack?

  • Reply 248 of 330

    This is stupid - as others have said, the average criminal who steals your phone on the street, on the train, or picks it up if you lay it down - they will not have access to any of this and likely not have the know how. If a bunch of thieves hijack a shipment of phones, then this can come into play, but the street criminal - no. And even if they do, by time you hop on a computer to swipe it and use Find iPhone to have the police locate it, it's all for naught. This is a non-issue for 99% of the people out there.

  • Reply 249 of 330
    gtr wrote: »
    Okay, that's it.

    Haha Androids the most hacked OS!!! Why would any one do that

    TouchID on the iPhone has failed!

    Everybody swap across to Android for security.

    ;)
  • Reply 250 of 330
    Quote:
    Originally Posted by AppleInsider View Post





    "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can?t change and that you leave everywhere every day as a security token", said CCC spokesman Frank Rieger. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

     

     

    Morons.  I suppose we should all start taking DNA samples of everyone we meet to make sure they're not impostors because their faces don't change and they're "left around everywhere they go" filmed by all the cameras everywhere.

  • Reply 251 of 330
    I told you that it was easily bypassed and I was told I was a troll and needed to do research before posting, etc. Well, here it is... Biometric security is a joke.
  • Reply 252 of 330

    If you have a gold 64g, I'll take it off your hands.

  • Reply 253 of 330

    Funny how much that guys' hands were shaking during the video, and if your going to show proof of cracking, you should clear out the "saved" finger prints, and for measure have someone else use their hands thats not recorded in the device to open it. 

  • Reply 254 of 330
    droidftwdroidftw Posts: 1,009member
    Funny how much that guys' hands were shaking during the video, and if your going to show proof of cracking, you should clear out the "saved" finger prints, and for measure have someone else use their hands thats not recorded in the device to open it. 
    They released a part 2 video last night with two different people so there were different hands. The video would prove nothing to those here who are in denial.
  • Reply 255 of 330
    Quote:

    Originally Posted by DroidFTW View Post





    They released a part 2 video last night with two different people so there were different hands. The video would prove nothing to those here who are in denial.

     

    The source of the fingerprint is the real issue. If it's supposed to come from the touchscreen itself, then all the user has to do to defeat it is not lock the phone with a print from the hand that they use to operate the touchscreen. If it's supposed to come from another source, then it's unlikely to apply to the standard lost or stolen phone scenario. 

  • Reply 256 of 330
    This is not a hack! It has nothing to do with a real world scenario. Lets see someone do this with someone else's phone, by lifting a finger print from the phone or something else, not by taking pictures of your own finger. One of the things this "hack" totally disregards is knowing which finger print is encoded and its orientation. Then add the difficulty of finding that particular finger print. So that is not a true representation of a real hack.

    While I would not call this the highest security measure, I don't really see it any worse than a 4 digit pass code, and as an iPhone 5S owner, it is much easier to use than the passcode. However, I am confident that a real vulnerability will be found, and fix, and so on and so on, as is normal!
  • Reply 257 of 330
    Quote:

    Originally Posted by mstone View Post

     

    Touch ID was designed to keep your wife from reading txt messages from your girlfriend while you are in the shower. If she suddenly orders a 2400 dpi laser film printer and a high resolution camera with a macro lens, then you might have something to worry about.


     

    If I had a wife then I'd have something to worry about  :err: 

  • Reply 258 of 330

    This is odd, I have posted twice to this thread over the last 24 hours and NOW both are missing in action.  Neither was a flame post or personal in nature.  I have never had posts pulled for any reason.

     

    David

  • Reply 259 of 330

    This "hack" was only done under near perfect circumstances, and doesn't really implicate real-world security. 

     

    Not only did CCC have the device and still needed two full days to crack it, but they also KNEW WHICH PRINT WAS REGISTERED and left a PERFECT, FULL PRINT to copy. I have 10 fingers, and I don't need to register the tip. I could register part under the knuckle for example, and just habitually smudge the home button after authenticating. I only touch the phone with my finger tips and palm mostly, so there are almost no clean prints for other parts of my finger. 

     

    In a real world theft scenario, the thieves would have to know exactly which print was registered because 5 failed attempts would require a password, and 10 failed attempts would wipe the device. They would also have to do this before I could wipe my phone, and when the worlds best biometric hacking experts still needed 48 hours under perfect conditions, the likelihood of them gaining access to my phone is almost zero. 

     

    This also implicates the oft-cited scenario where police can compel you to input your finger print. They don't know which finger or what part of each finger is registered. Under the print I currently registered with Touch ID, I could give them all 10 finger tips and they still couldn't gain access to the phone. There are 10 fingers to register, different parts of each finger, and at that point its just as much of a guessing game as a passcode except significantly more difficult to input a "guess." 

  • Reply 260 of 330
    zoetmbzoetmb Posts: 2,654member

    This is the most ridiculous thing I've ever read.    No security ever is infallible, including the locks we have on our doors and the remote controls we have for our cars.    The purpose is to make it reasonable and practical.     The purpose of the security I.D. on the iPhone is not to prevent the phone from being stolen.   It's to prevent your co-workers, friends or family from seeing what's on your phone or using up your phone/data allowances.    And considering how much privacy we voluntarily give up, by posting every trivial, absurd aspect of our lives on Facebook and the like, the privacy aspect isn't even all that important.    

     

    In NYC, robberies of this type take place mostly on the subway (although I've never seen one happen).    Do you think the idiots who grab a phone are going to go through the process of lifting and printing fingerprints?   Don't be ridiculous.    And with Apple's new tools for essentially bricking the phone, it's all pretty much a moot point anyway.    

     

    I have an iPhone 5 and I don't even use the four-digit security code as it's too much of a pain to use.   The phone is always with me and if I should lose it, I'll brick it.    I won't be buying the 5s, but I assume I'll eventually buy the 6 which will have the same feature.   I think it's a great feature that makes a lot of sense.   I'm sure they'll be tech advances that make it even more secure in the future.

Sign In or Register to comment.