"Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED"
Source: The Register
As the group explains here, it seems that the main advance in Cupertino's biometrics was that it uses a high resolution fingerprint scan. The post states:
"A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days. "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking."
All the CCC needed to defeat the scanner was an image of a user's fingerprint at 2,400 dpi resolution. That scan was cleaned up, inverted, and printed into a transparent sheet. The image of the print is then lifted from the sheet using latex milk or woodglue.
After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone, the post states, adding that this technique can be used against the vast majority of fingerprint scanners
Read more: http://www.theregister.co.uk/2013/09/22/iphone_5_touchid_broken_by_chaos_computer_club/
It's a nifty and convenient "street-grade" security mechanism, to be sure, but I wouldn't have trusted it with vital information to begin with. Nothing beats a well-managed password system.
frazzled
(18,402 posts)This doesn't sound like a very practical way of hacking, and hardly a widespread danger. "Psst, little boy, come over here and put your finger on my flatbed scanner."
sir pball
(4,741 posts)Like I said, it's a fine daily-use security system, but even before this I couldn't see it being corporate or gov't approved for truly sensitive data. And that's leaving alone the inevitable degradation of the hardware, which it turns out is just a standard CMOS sensor with a higher resolution - which, over time, loses resolution. I'm sure Apple built-in some tricks to work around this over the expected lifetime of the phone, but ultimately it weakens the security even further.
seveneyes
(4,631 posts)All you would need is an image of the fingerprint and the software to create it on the printer.
frazzled
(18,402 posts)You still have to get me to put my finger on the printer (and rots 'o ruck with that). You can't steal it from my phone ... because the fingerprint is not stored as an image on the phone.
Second, the iPhone doesn't actually store fingerprint data in the first place. The iPhone 5s maps your fingerprint and converts that into a string of data (a one-way hash), then holds onto that chunk of data. The next time you put your paws on the phone, the same hashing process produces another data chunk; the two chunks -- not the two fingerprint images -- are matched up to allow access. In fact, assuming the hashing process works the same way as it does for existing iPhone passcodes, the fingerprint data is encoded in a way that's specific to that individual phone (salted). Copying it anywhere else would be useless. [Have we been hearing about hacker gangs remotely stealing iPhone passcodes via magical processes to use them elsewhere? No, we have not -- and if we had, it would almost certainly be via social engineering or visual spying as the phone is unlocked, both of which are impossible with Touch ID. Ed.]
Anyone who somehow managed to access the iPhone's Touch ID circuitry and extract the hashed data would just find a string of alphanumeric gibberish, not a 3D-printable set of whorls and ridges ready to be turned into a latex Mission:Impossible-style fake finger. My TUAW colleague Dr. Richard Gaywood, who knows a thing or two about this stuff, says turning that data back into a readable fingerprint "would be like taking a cake, eating half of it, smashing the rest up with a fork, then giving it to someone and asking them, 'How much did the whole cake weigh, and what message was written on the icing that was on top of it?' "
http://www.tuaw.com/2013/09/22/iphone-5s-fingerprint-sensor-gets-completely-misunderstood/
Off of silverware or a glass at a resturant.
Off the pen at the car rental place
Off the keyboard at the ATM
Off the door handle on your car
Off the doorknob you your house.
Off the bottle you just recycled.
Off the yogurt box you just threw away.
Off the elevator button.
Off the table you sat at during lunch.
We touch a lot of things in our daily lives.
frazzled
(18,402 posts)And then try not being so paranoid. Someone can get your password far more easily. And you don't seem to understand the technology.
Gore1FL
(21,119 posts)You asked how they'd get your fingerprint and I told you a bunch of ways someone could. I am not debating whether or not a password is more breakable or not. It's not paranoid knowing htat we leave fingerprints everyone. I simply answered a question you asked.
No need for the snark -- especially considering that I have over two decades of IT experience. I expect my understanding of technology dwarfs yours.
seveneyes
(4,631 posts)From something you clearly touched. Then print it out on a 3D Printer.
obxhead
(8,434 posts)All one needs is your phone and a low grade finger print kit. The screen is covered with them.
apnu
(8,750 posts)This is a cumbersome hack to say the least. Its something that can be done with any finger print reader and something that will only be used against a high value target (say in spying).
TalkingDog
(9,001 posts)Or you can use a camera app or even an app like Google Goggles to do the same thing.
This is not for your average street mugger. But for someone with a target.
Passwords (that you can memorize) are protected by the 4th. Scanned fingerprints may not be according to early assessment of the legal ramifications.
AtheistCrusader
(33,982 posts)"Nothing beats a well-managed password system."
Depends on how competent and motivated the user is to keep the password secure.
Major Nikon
(36,827 posts)I don't. A biometric system that requires access to a person's fingerprint or finger seems more secure than nothing at all.
The most secure systems require both a password and something physical like a pass card or a biometric. The problem with passwords is that if you require frequent changes and strong passwords, people tend to write them down and leave them in unsecured locations. I guarantee I could compromise the network where I work if I wished simply by going through desk drawers of my co-workers until I found one of their passwords. That's why we are transitioning to a system where you plug your badge into the computer for access.
sir pball
(4,741 posts)denverbill
(11,489 posts)I suppose if you are James Bond carrying about top-secret documents on your phone, you should be concerned about this.
My current (old) iPhone uses 4 digits for a password. It could be cracked by anyone with time on their hands.
The vast majority of people wanting to hack a phone are people who steal and/or find a phone, and 95% (or more) of those people wouldn't be able to crack it. Yes I suppose it's possible that maybe one in ten phones might have a good enough print to be lifted somewhere from the phone, if the finder was really careful handling the phone. Then if the finder happened to have read about CCC's technique, he'd still have to actually be able to replicate it, something which I doubt I could do, without a fair amount of practice anyway.
Personally, I think 'street grade' security is plenty good enough for the vast majority of people.
AtheistCrusader
(33,982 posts)Don't need a 3d printer. You can use the same 2d process that we use to etch circuit boards. Can get a kit from Radio Shack cheap.
All they've done is up the ante on the resolution. But yes, you do need access to a fingerprint. (Which you can probably find ON the phone)
denverbill
(11,489 posts)I'm a programmer and I work with a bunch of other pretty smart programmers and none of us do anything like that. Could I do it? Yeah, probably, if I read up on it and tried it a few times. Could the average phone thief? Not very likely.
And how likely is it that the first time a hacker tries this process it will succeed? CCC has obviously been working on this process off and on for years so they have practice lifting prints, etc.
The thing about the fingerprints is a phone would be covered in prints, from 10 different fingers or more (if a person is showing pictures to other people, etc). Most of the prints will overlap, get smudged, get wiped off sliding in and out of pockets, etc. A thief would have to be handling the phone with a tool to avoid smudging the prints even more. I think the likelihood that he could find one good complete print of the finger he needed would be rather low. And the chances of extracting the print correctly the first time without messing it (and other prints) up wouldn't be too good unless they had practiced the technique.
I seriously think that if you handed me your new iPhone with one and only one perfect fingerprint and told me it was mine free if I could crack it, chances are very low I could do it without help. And even if I could it would take me days if not weeks to do it.
AtheistCrusader
(33,982 posts)TalkingDog
(9,001 posts)sir pball
(4,741 posts)Any regular joe can go get one at Staples for like $1500 - no, it's not $99.99 (yet), but for somebody in the business of stolen bank/personal information it's not exactly a high bar to entry, either.
I agree it's "good enough" security for most people, but there's a persistent annoying meme with the non-techies that biometrics are some sort of Hollywood-style unbreakable ultra-security. I could see a high honcho in a major corporation keeping confidential information on a 5S and then being absolutely floored when the phone is stolen and cracked. Hell, the most interesting thing on my phone are the..."special" pictures and I run a proper alphanumeric password. And keep FileVault turned on on my laptop, with an even more gibberish code. No, it won't help if The Man decides to ask me personally, but it is proof positive against loss or theft.
denverbill
(11,489 posts)Nobody I know has one or really even wants one, but lots of people are using them.
I just don't think the vast majority of iPhone thefts are being done by identity thieves or people who are willing to spend thousands of dollars and significant amounts of time cracking them. Maybe I'm wrong about that though.
Heck with things like the 'where's my phone' apps, the cops will probably be at your door long before you could crack the phone anyway.
My point was just that it is good enough for most people, especially people that don't want to type in a 15 character password with special characters, numbers, and caps 20 times a day and change it every 3 months. Personally, I have enough trouble with the 40-50 passwords I have already.
onyourleft
(726 posts)...that on release of new technology the first thought is how to hack? I must live in a different reality since that is never the first question that comes to my mind.
AtheistCrusader
(33,982 posts)Does it ACTUALLY protect you or not? Well, only one way to find out!
TalkingDog
(9,001 posts)My mother would come home to find the clock taken apart, the hinges off the doors (cuz... how do they work?) the lawnmower motor dismantled to the degree that a screw driver and monkey-wrench would allow.
Your brain either works that way or it doesn't. Don't be hatin'.
tomm2thumbs
(13,297 posts)Guess an ambitious entrepreneur will set up a company to unlock iPhones now <g>
olddad56
(5,732 posts)sir pball
(4,741 posts)Looking at my thumb, there's a couple of small scratches that effectively render about 25% of it "different", plus the tiny cracks from dry skin, specks of dust, sensor degradation - there's no way it has to be a spot-on 1200 dpi replica. Anybody with that much of an interest in cracking the phone will likely have the time to assemble a workable print from bits and pieces.
IBEWVET
(217 posts)and use my left little finger to lock the phone, I doubt they could find a usable left little finger print on the phone.
TM99
(8,352 posts)You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID a new fingerprint identity sensor.
Put your finger on the Home button, and just like that your iPhone unlocks. Its a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you dont have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation portrait, landscape, or anything in between your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
This is a big deal because Apple has made it a big deal.
Has biometrics been used before? Yup, for over a decade now. Is it fairly secure. Yup, it is, but serious hackers will find ways like this to crack the security. Has biometrics been a part of heavily marketed consumer products?
This is where this now comes in as real and important. No. Thinkpad business models had options for biometrics. But Apple is pushing this through their marketing as not only a 'new' convenience but also as being 'secure'. So if that 'security' is cracked within days of release, that is a huge marketing failure even if it isn't a huge security failure.
But as a techie, the key for me is that Touch ID allows the enrollment of multiple fingerprints. That is a nice further little vector for hacking.
I agree with the OP in that given the choice, I would prefer a well-managed password system over a biometric scanner. Yes, a housewife's iTunes account may not be worth hacking, but now that iDevices are being used in business & government, those people's secure data are indeed worth hacking.
Response to sir pball (Original post)
Name removed Message auto-removed