Printed from http://www.electronista.com

'Fake finger' successfully used to bypass Touch ID on iPhone 5s

updated 07:20 pm EDT, Sun September 22, 2013

Hacker group offering unusual reward for breaking iOS authentication

A group in German claims to have successfully worked around Apple's new Touch ID biometric system, albeit using an extremely elaborate system to do so, involving a high-resolution lifted fingerprint and creating a "fake finger" that mimics a real one that has the lifted fingerprint printed onto latex milk or wood glue and then applied -- and of course physical access to the iPhone that utilizes that particular fingerprint. A different hacker group is offering a reward for such a solution, including cash, Bitcoins, liquor and books as a reward.

The German group issued a statement criticizing the biometric industry for making false claims about how secure fingerprint-based locking is, CNN reports. For most people, however, the group would seem to have undermined its own arguments with the elaborateness and extent of the work involved to bypass the Touch ID lock.

Apple automatically disables the Touch ID system and reverts back to a (simple or complex) passcode if the finger hasn't been used to unlock the iPhone within the last 48 hours. This means thieves would have to obtain the iPhone and the fingerprint, make the "fake finger" sheet and get it to the point where it could successfully unlock the phone very quickly.

Users who actually have classified or highly-sensitive information on their iPhone are likely to use complex passcodes, remote management or wipe, Activation Lock, Find My iPhone and many other safeguards in addition to Touch ID. Such measures make the possibility of an actual "sensitive" iPhone getting bypassed in this manner even more remote -- though the group makes a fair point that fingerprints can often be recovered fairly easily in real-world situations and aren't an end-all solution for security (nor has Apple attempted to market the Touch ID feature in that manner).

Senator Al Franken noted some shortcomings of using fingerprints as passwords in his letter to Apple CEO Tim Cook, saying that while passwords can be secret and easily changed if they are discovered, fingerprints are permanent and public." Franken's letter included some other questions regarding the future of the technology (such as whether it would be available to third parties, which would introduce further risks).

However, Franken's letter didn't acknowledge that Apple has already published safeguards and explanations of how the technology works, including fallbacks -- and the fact that TouchID is not required nor warranted to be foolproof. It is simply designed to be another obstacle for potential thieves and hackers to overcome compared to the security built into most other modern smartphones.

It is unclear if the workaround devised by the German group qualifies for the $16,000 prize from istouchidhackedyet.com, but the site has said that it seeks a reliable and repeatable way to "break into an iPhone 5s by lifting prints." with the community offering items and cash to sweeten the prize. Reuters reports that a venture capital firm has put up $10,000 towards the reward, saying it wants to help fix any problems found with Touch ID "before it becomes a problem" and that the competition will help "make things safer." The co-founder of the istouchidhackedyet website has said that he believes Apple has done a good job on making the new technology secure, but wants to engage the hacker community to be sure.

But lest anyone believe that the technology is impervious, a Minnesota man has posted a video setting the record straight. The Touch ID system works with animals as well as humans, he discovered, demonstrating that a chihuahua with a captured "pawprint" can also unlock the iPhone 5s

Neither group has shown any interest in trying to unlock the captured digital image information captured by the sensor, which is said by Apple to be stored in a "secure enclave" within the A7 processor. Presuming the data is strongly encrypted as Cook has said, it should be nearly impossible for even those with sufficient time and unlimited access to the workings of the chip to recreate the fingerprint data -- though ironically it may be possible to lift at least a partial high-resolution print of the users' preferred digit right from the sapphire glass used to protect the sensor on the iPhone 5s' home button.




By Electronista Staff
toggle

Comments

  1. macjockey

    Junior Member

    Joined: 06-23-04

    you know, who really gives a crap

  1. muadibe10

    Fresh-Faced Recruit

    Joined: 09-22-13

    No matter how much I protest, people just follow me everywhere lifting my fingerprints!! I mean, who doesn't have this problem.

    Dweebs.

  1. Sebastien

    Registered User

    Joined: 04-29-00

    Of course if this was happening to an Android, Blackberry or Windows device you two would be all over it. #doubleStandard

  1. djbeta

    Fresh-Faced Recruit

    Joined: 01-11-04

    What a waste of brain cells.. don't you idiots get it? Better security is better security. The people I am protecting myself against will NOT have the ability to do what you did in this video.. Why don't you spend your time on something that benefits people and doesn't try to simply "poke holes" ???

  1. djbeta

    Fresh-Faced Recruit

    Joined: 01-11-04

    And.. @Sebastien, you're wrong.. Touch ID is a truly useful method of protecting your device. MUCH better than a passcode.. which people can see you entering. Android has not provided us anything nearly that intuitive and useful.

  1. Rapscallion

    Fresh-Faced Recruit

    Joined: 03-12-04

    Previous story was door locks now unsafe, multiple copies of keys now possible...

  1. BLAZE_MkIV

    Professional Poster

    Joined: 02-23-00

    Myth-busters spoofed finger print readers years ago.

  1. hansmickle

    Fresh-Faced Recruit

    Joined: 02-25-03

    Myth Busters were working with the only technology then available, which is a far cry from that which Apple is using. Their results have absolutely no relation to the current issue. Technology has changed radially.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    What's with these emotional reactions? People trying to thwart the security of something is how you make that security stronger. This is a good thing, no matter how you feel about Apple.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    ^ agreed.

    What I find annoying is deliberate misinformation, like the tripe about the chihuahua meaning that the system is "not impervious". If you profile the dog's paw, it will work with the dog's paw. If you don't, it won't. How does that sort of shit help clarify anything? It's an amusing curiosity with zero relevance to the security of a system.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric HarlotView Post

    ^ agreed.

    What I find annoying is deliberate misinformation, like the tripe about the chihuahua meaning that the system is "not impervious". If you profile the dog's paw, it will work with the dog's paw. If you don't, it won't. How does that sort of booze help clarify anything? It's an amusing curiosity with zero relevance to the security of a system.




    How do you tell the difference between deliberate misinformation for ideological purposes, and ignorance with no particular ideological agenda? Does the ideology bother you, or the simple inaccuracy, or both?

  1. mr100percent

    Forum Regular

    Joined: 12-06-99

    Video aside, I'm still skeptical. Apple said that their sensor uses conduction sensors, so the old "gummy finger" hack to bypass old fingerprint scanners was no longer effective. I'm wondering how the cover somehow was in the same conductive range as skin.

  1. mr100percent

    Forum Regular

    Joined: 12-06-99

    Easy solution; don't program it to unlock with your finger. Use something else that isn't leaving prints everywhere.
    Good luck figuring out which body part you need to scan to unlock my phone.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by besson3cView Post

    How do you tell the difference between deliberate misinformation for ideological purposes, and ignorance with no particular ideological agenda? Does the ideology bother you, or the simple inaccuracy, or both?



    The misuse of inaccurately presented information to further sensationalism.

    "OMG SECURITY BREACH" proven by the mechanism presented working exactly as designed (talking about the animal paws thing here, not the CCC hack) is either intentional misinformation, or ignorance. Either way, it is misleading to the reader, and whoever used it to support claims of insecurity needs to be taken out back and slapped with an eel.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric HarlotView Post

    The misuse of inaccurately presented information to further sensationalism.

    "OMG SECURITY BREACH" proven by the mechanism presented working exactly as designed (talking about the animal paws thing here, not the CCC hack) is either intentional misinformation, or ignorance. Either way, it is misleading to the reader, and whoever used it to support claims of insecurity needs to be taken out back and slapped with an eel.




    So it's more of a bad journalism thing that irritates you more than a tech specific thing?

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    The other part of this that is sensationalized is the fact that on many phones no password at all is required to access the phone once you have physical access to it. Once you have physical access to a desktop/laptop there is a good chance you'll be able to do stuff too.

    For those that know better and need some actual security to prevent sensitive data, chances are over 99% of the time a thief is probably going to not bother with trying to get around your fingerprint security, it will be more than adequate deterrent. For those that need to protect sensitive info such as intellectual property or something that would have secret agents specifically gunning for your stuff (as opposed to whatever phone they can find), you probably shouldn't have any sensitive like your email on your phone anyway, because if somebody wants your stuff bad enough they can just crack upon the case and hook your hard drive up to something.

    The summary: nothing new... Once you have physical access to something all bets are off.

  1. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    Originally Posted by besson3cView Post

    So it's more of a bad journalism thing that irritates you more than a tech specific thing?



    It's a misuse of evidence to prove things that cannot be inferred from the data, if you will.

    It's what pisses me off about those conspiracy assholes, as well: a deliberate misrepresentation of evidence to present the illusion of coherence and credibility. Which is ironic, considering what they claim to be countering.

  1. besson3c

    Clinically Insane

    Joined: 03-03-01

    Originally Posted by Spheric HarlotView Post

    It's a misuse of evidence to prove things that cannot be inferred from the data, if you will.

    It's what pisses me off about those conspiracy assholes, as well: a deliberate misrepresentation of evidence to present the illusion of coherence and credibility. Which is ironic, considering what they claim to be countering.




    This doesn't anger me really. This goes with the territory of being top dog in just about anything. Everybody wants to put a chink in the armor of the top dog.

    That's right, dogs wearing armor.

  1. YangZone

    Fresh-Faced Recruit

    Joined: 05-24-00

    Liquor? Nobody told *me*.

  1. Wingsy

    Fresh-Faced Recruit

    Joined: 04-14-05

    What's going to torque my jaws is when the mainstream media reports this. They will NOT go into any detail as to the process used to fake the finger. Quite the opposite; they will imply just how easy it is for anyone to do in just a few minutes, and will totally skip the part about how a thief is going to acquire your fingerprint (the one you used to teach the sensor). Just wait and see. CNBC, I'm looking at you.

  1. Wingsy

    Fresh-Faced Recruit

    Joined: 04-14-05

    Think it's easy to get your fingerprint off your phone? Try this. Get a strong magnifying glass and go over your phone very carefully, tilting it against the light. See any non-smudged fingerprints? If you do, is it the one you would have used to unlock your phone? All I could see on mine that were not smeared were small pieces of prints here and there.

  1. shifuimam

    Addicted to MacNN

    Joined: 08-15-06

    Originally Posted by djbetaView Post

    And.. @Sebastien, you're wrong.. Touch ID is a truly useful method of protecting your device. MUCH better than a passcode.. which people can see you entering. Android has not provided us anything nearly that intuitive and useful.



    Android has facial recognition for unlock, as well as the ability to use a pattern (which can be as complicated as you want, using as large as a 6x6 grid).

    Both are quite intuitive and useful.

    TouchID is fine for home users and their phones, but it's not fine for enterprise use. Biometric alone is NOT secure, and no security professional with any qualifications is going to tell you otherwise.

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

Sponsor

Recent Reviews

Tylt Energi 2K Travel Charger

Backup batteries and device chargers are objects that many users take for granted. They often only one-dimensional in functionality, r ...

ActvContent Sync Smartband

Smartbands of all sorts are hitting the market. Some build on the buzz around fitness trackers, while others offer simpler features fo ...

RocketStor 6324L Thunderbolt 2 eSATA bridge

Like it or not, the shift to Thunderbolt is underway. The connection is extremely flexible, allowing for video and data to co-habitate ...

Sponsor

toggle

Most Commented

 
toggle

Popular News