Jump to content



Photo

Chaos Computer Club breaks Apple TouchID

iphone 5s touchid ios

  • Please log in to reply
46 replies to this topic

#1 +Frank B.

Frank B.

    Member N° 1,302

  • 23,379 posts
  • Joined: 18-September 01
  • Location: Frankfurt, DE
  • OS: OS X 10.10
  • Phone: Sony Xperia Z2

Posted 22 September 2013 - 19:00

Chaos Computer Club breaks Apple TouchID

 

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

 

Apple had released the new iPhone with a fingerprint sensor that was supposedly much more secure than previous fingerprint technology. A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

 

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints." [1]

 

The iPhone TouchID defeat has been documented in a short video.

 

The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

 

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

 

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

 

Many thanks go to the Heise Security team which provided the iPhone 5s for the hack quickly. More details on the hack will be reported there.

 

Source: CCC.de




#2 fusi0n

fusi0n

    Don't call it a come back

  • 3,751 posts
  • Joined: 08-July 04
  • OS: OSX 10.9\Elementary OS
  • Phone: iPhone 5S 64GB

Posted 22 September 2013 - 19:03

grumpy-cat-good-1.jpg



#3 Gandhi1

Gandhi1

    Neowinian

  • 27 posts
  • Joined: 26-June 13

Posted 22 September 2013 - 19:16

But tbf
The chances that someone will be able to take a 1200 dpi photograph of your fingerprint without your knowledge, however, is slim.

#4 metallithrax

metallithrax

    I saw you earlier, with the hairy stick....

  • 8,534 posts
  • Joined: 24-May 04
  • Location: Wherever I am at his moment in time.
  • OS: Windows 8
  • Phone: Sony Xperia U (android 4.0.4)

Posted 22 September 2013 - 19:23

So, and forgive my ignorance here, can you only register 1 finger print?



#5 theyarecomingforyou

theyarecomingforyou

    Tiger Trainer

  • 16,342 posts
  • Joined: 07-August 03
  • Location: Terra Prime Profession: Jaded Sceptic
  • OS: Windows 8.1
  • Phone: Galaxy Note 3 with Galaxy Gear

Posted 22 September 2013 - 19:27

All security systems have their weaknesses. However, it requires a lot more effort to bypass a fingerprint scanner than it does to overlook somebody typing in their pincode / pattern. The best security method is of course to prevent other people from accessing your phone.

 

The fingerprint scanners on the iPhone and various Android devices offer a decent level of security for casual use and an improvement upon previous systems.



#6 FloatingFatMan

FloatingFatMan

    Resident Fat Dude

  • 15,776 posts
  • Joined: 23-August 04
  • Location: UK

Posted 22 September 2013 - 19:38

All security systems have their weaknesses. However, it requires a lot more effort to bypass a fingerprint scanner than it does to overlook somebody typing in their pincode / pattern. The best security method is of course to prevent other people from accessing your phone.

 

The fingerprint scanners on the iPhone and various Android devices offer a decent level of security for casual use and an improvement upon previous systems.

 

Keep telling yourself that, but at the end of the day, they're still selling you fairy wings and unicorn horns.



#7 vcfan

vcfan

    Doing the Humpty Dance

  • 4,917 posts
  • Joined: 12-June 11

Posted 22 September 2013 - 19:41

But tbf
The chances that someone will be able to take a 1200 dpi photograph of your fingerprint without your knowledge, however, is slim.

come over to my place,i'll offer you a drink in a glass cup, then when you leave,ill just lift your prints,photograph them,then do the process to have a copy.



#8 goodbytes

goodbytes

    Just below average Joe

  • 6,141 posts
  • Joined: 07-May 04
  • Location: England

Posted 22 September 2013 - 19:42

Almost impossible to do in a real world situation, and if anyone would go to such lengths to get into your phone i would imagine it to be the least of your worries.

 

The article is flame bait.. while a lot of it might be true it's simply irrelevant to the average user.



#9 ctebah

ctebah

    Neowinian Senior

  • 4,432 posts
  • Joined: 11-February 03

Posted 22 September 2013 - 19:44

Haha sounds simple enough.



#10 spenser.d

spenser.d

    Neowinian Senior

  • 10,855 posts
  • Joined: 19-December 03

Posted 22 September 2013 - 19:52

 

it's simply irrelevant to the average user.

 

So is biometric security in general.



#11 ctebah

ctebah

    Neowinian Senior

  • 4,432 posts
  • Joined: 11-February 03

Posted 22 September 2013 - 19:56

So is biometric security in general.

 

I bet you the simplicity of it and the way Apple implemented it will make a lot of people use it.  I wouldn't be surprised if other companies offered the same feature in their future phones. 



#12 Rohdekill

Rohdekill

    Neowinian Senior

  • 3,556 posts
  • Joined: 06-July 05
  • Location: Earth

Posted 22 September 2013 - 20:07

come over to my place,i'll offer you a drink in a glass cup, then when you leave,ill just lift your prints,photograph them,then do the process to have a copy.

OK, now you're being just silly.  Security wise, there is an extremely low probability that you would obtain someone's phone AND obtain their fingerprint at the same point in time.  We're talking about a stranger obtaining your phone or thief; not your friends.

 

Even if you found/stoled the phone, managed to somehow track down the owner to get a fingerprint, enough time would have elapsed for the phone to have been reported stolen and is basically useless.



#13 theyarecomingforyou

theyarecomingforyou

    Tiger Trainer

  • 16,342 posts
  • Joined: 07-August 03
  • Location: Terra Prime Profession: Jaded Sceptic
  • OS: Windows 8.1
  • Phone: Galaxy Note 3 with Galaxy Gear

Posted 22 September 2013 - 20:13

Keep telling yourself that, but at the end of the day, they're still selling you fairy wings and unicorn horns.

They're selling a system that is more secure than other current methods. It won't prevent anyone dedicated to accessing your device but it will stop casual thieves, strangers and friends from accessing your device without permission. Anything that improves security should be welcomed, as long as people aren't complacent about its limitations.



#14 ManMountain

ManMountain

    Neowinian

  • 895 posts
  • Joined: 01-November 01
  • Location: Scotland
  • OS: Windows 8.1 Pro MC x64
  • Phone: LG Nexus 5

Posted 22 September 2013 - 20:13

It also may work by simply lifting a fingerprint from the stolen phones screen ... 



#15 FloatingFatMan

FloatingFatMan

    Resident Fat Dude

  • 15,776 posts
  • Joined: 23-August 04
  • Location: UK

Posted 22 September 2013 - 20:13

^ Yeah... That's the thing about modern smartphones, that they have touch screens made of glass... :p