Chaos Computer Club breaks Apple TouchID



you don't need physical access to the phone to lift the prints. You can get them off other surfaces. That's easier to accomplish sometimes than getting a passcode.

Not true. You need physical access and my fingerprint with the sensor. Without the sensor, you only need physical access (and time).


you don't need physical access to the phone to lift the prints. You can get them off other surfaces. That's easier to accomplish sometimes than getting a passcode.

"Hey, do you know what the weather's gonna be like tomorrow? My phone's acting up..."

*hold phone up as if you're still trying to get it to work, while actually recording being semi-over their shoulder*

Ta-da!...

Funny thing is that you didn't even have to turn your head to make them feel awkward, you were looking at your phone the whole time. Though, I suppose if talking to people is hard, then that'd be a bit of an issue. :P

"Hey, do you know what the weather's gonna be like tomorrow? My phone's acting up..."

*hold phone up as if you're still trying to get it to work, while actually recording being semi-over their shoulder*

Ta-da!...

Funny thing is that you didn't even have to turn your head to make them feel awkward, you were looking at your phone the whole time. Though, I suppose if talking to people is hard, then that'd be a bit of an issue. :p

If it's a female you risk being suspected as being a perv for recording her cleavage.


My 10 year old makes it a sport to guess my password by watching me type it over a few days. He is about 60-70% accurate after two or three days. At least with my finger print the guess is out of the equation.

Oh, and do you realize how hard it will be to get a clean print with all the validation points off of a screen that is touched throughout the day? I am just curious how many points Apple is matching to. The world does not work like CSI; the more touches without cleaning, the more difficult it becomes. Also, what happens with screen protectors? Does the accuracy change when trying to lift a print?


Dude, leave the hyperbole out; that waffle has nothing at all to do with my comment and you know it.

I said, and I quote: "A decent passcode is far more secure than a fingerprint ever will be. It's just not quite as convenient."

For usage purposes, scanning a fingerprint might be slightly easier (if annoying after you've touched the damned sensor 3 or 4 times); but hacking... They might be able to lift a fingerprint from the screen given time (which they'll have if they've stolen it), but they aren't going to lift a passcode from it.

You're assuming a clean glass screen with a few fingerprints. Try and grab one off a screen with thousands of overlapping prints, and most are smeared.

There's no saying Apple might not include a pin code lock at some point for two point security. I'm certain they'll be watching the number of thefts going forward and implement it if needed.

But as for single point security, biometrics beats a pin code. Biometrics secures based on what you have. Meaning, you must have the print each time to unlock and can be difficult and time consuming to obtain a useable copy. A pin code is based on what you know. Watch the code be entered or force the person to tell it and you can unlock it anytime.


All security systems have their weaknesses. However, it requires a lot more effort to bypass a fingerprint scanner than it does to overlook somebody typing in their pincode / pattern. The best security method is of course to prevent other people from accessing your phone.

The fingerprint scanners on the iPhone and various Android devices offer a decent level of security for casual use and an improvement upon previous systems.

So far, no consumer Android device offers this kind of scanner. I believe an HTC model (can't remember which one, it was large) offered a scanner, but it was crappy like those ones you get on laptops.

At the end of the day everyone knew this was going to happen. It has been known for years that fingerprint scanners can be tricked quite easily. There was a pretty good MythBusters episode on how easy it is. I know the tech has improved over the years but it is still quite poor.

However I don't see this as making Touch ID totally pointless. The point of Touch ID isn't so much to make your phone super secure; it is designed to make security a little bit easier/transparent than using a passcode/password on the lock screen which, as Apple said in the keynote, a lot of people do not use. Touch ID will hopefully make people have slightly more secure phones as it is not very likely somebody is going to go to this much effort to get your phone.

One issue this does have is that it shows that using Touch ID for anything important might not be a good idea. Unlocking your phone is fine, but using it as a form of identification/authorisation for purchases, etc.? Maybe not such a great idea. As with all security vs. convenience, it is a trade-off between how much the security gets in the way.


It's actually laughable the people arguing for this in this thread, as if it's easy to grab a clean fingerprint, take a high resolution image of it, clean it, invert it, print it on thick toner, apply latex milk, somehow get their phone long enough to bypass the Touch ID, to do what? Write "i am gay" on their Facebook status?

It's a ######ing phone.

Not only do you need a degree in forensic science or have some really good tools at your disposal, you need access to the physical device.

OK, from a technical standpoint it's very much breakable and less secure than other methods, but for real world situations it's a perfectly viable solution to the annoying passcode.

I'll say it again, if you have something on your phone that would warrant somebody going to such extreme lengths to get access then the chances are this would be the least of your worries.


OK, now you're being just silly. Security wise, there is an extremely low probability that you would obtain someone's phone AND obtain their fingerprint at the same point in time. We're talking about a stranger obtaining your phone or thief; not your friends.

Even if you found/stole the phone, managed to somehow track down the owner to get a fingerprint, enough time would have elapsed for the phone to have been reported stolen and is basically useless.

Unless you use your phone wearing gloves all the time, chances are highly likely that there is at least one good fingerprint on the back of your phone. Of course a casual thief might not go through the trouble of creating a fake fingerprint out of latex. But still, it proves that a fingerprint as a security method is not better (and probably worse) than a good password.


The fingerprint scanner is great to protect the phone from coworkers or friends that might want to take a look at your phone without your knowledge, as it's easy to set up and non-trivial to break for someone without enough determination.

As a thief deterrent, though, it is about as useful (or useless) as a PIN code.

Maybe thieves will now carry fingerprint ink kits around? :D


*Sigh*

I'll repost what I posted to macrumors:

If someone has that sensitive of information, you hold them at gun point/drug them/or simply hold them down, and force them to unlock the phone with their own finger.

That is the easiest route to obtain the information, far easier than stealing their phone, following them to lift prints off of objects, then go through this fairly extensive routine.

Seriously, if a thief wants your information bad enough, they will go to any lengths to obtain it. Nothing is 100% secure.

This will however deter any common thieves. 

And really, what are they going to obtain anyways? Currently, only your Apple ID, so then what? They can make some illegitimate purchases using your iTunes account? Tell your wife you're texting some other broad?

Who really leaves any pertinent, sensitive information, unencrypted on a phone anyways?


Jeez.


So why exactly are people surprised about this? Most fingerprint scanners are susceptible to attacks like these, it's literally nothing new.

I remember reading a few years ago about children at a school that used fingerprint scanners for attendance records, breaking it by keeping gummy bears in their pockets and pressing it to the scanner to trick it.
