
sir pball

(4,741 posts)
Mon Sep 23, 2013, 10:09 AM

"Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED"

Source: The Register

As the group explains here, it seems that the main advance in Cupertino's biometrics was that it uses a high resolution fingerprint scan. The post states:

"A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days. "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking."


All the CCC needed to defeat the scanner was an image of a user's fingerprint at 2,400 dpi resolution. That scan was “cleaned up”, inverted, and printed into a transparent sheet. The image of the print is then lifted from the sheet using latex milk or woodglue.

“After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone,” the post states, adding that this technique can be used against “the vast majority” of fingerprint scanners.

Read more: http://www.theregister.co.uk/2013/09/22/iphone_5_touchid_broken_by_chaos_computer_club/



It's a nifty and convenient "street-grade" security mechanism, to be sure, but I wouldn't have trusted it with vital information to begin with. Nothing beats a well-managed password system.
"Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED" (Original Post) sir pball Sep 2013 OP
Um, so to compromise it, you somehow have to get a hi-res image of someone's fingerprint frazzled Sep 2013 #1
Wouldn't be hard to clean it up and interpolate to 2400 if you wanted to. sir pball Sep 2013 #4
Coming soon to a high resolution 3D Printer seveneyes Sep 2013 #7
Riiiiiiiiight ... but how's anyone gonna get my fingerprint? frazzled Sep 2013 #12
Easy Gore1FL Sep 2013 #15
Try reading. frazzled Sep 2013 #18
try reading what? Gore1FL Sep 2013 #22
They would only need a picture of your fingerprint seveneyes Sep 2013 #23
The iPhone stores plenty of fingerprint data. obxhead Sep 2013 #30
Pretty much. apnu Sep 2013 #13
You only have to lift their print from somewhere else. Also super easy to do. TalkingDog Sep 2013 #16
Except social engineering and coercion. AtheistCrusader Sep 2013 #2
Most don't even lock their phones Major Nikon Sep 2013 #6
Rubber-hose cryptanalysis.. sir pball Sep 2013 #8
OK, assuming you have access to a person's finger, or fingerprints, and apparently a 3D printer. denverbill Sep 2013 #3
Nope. AtheistCrusader Sep 2013 #9
How many people etch circuit boards? denverbill Sep 2013 #14
Etching a circuit is a lot easier than you think. Don't sell yourself short. AtheistCrusader Sep 2013 #17
Yeppers. n/t TalkingDog Sep 2013 #19
You make it sound like a 3D printer is still exotic uber-tech sir pball Sep 2013 #24
Didn't mean to imply that. denverbill Sep 2013 #26
Isn't it interesting... onyourleft Sep 2013 #5
'How to hack' is the first step in establishing whether the feature meets the sales hype or not. AtheistCrusader Sep 2013 #10
Ahhh... to live without all that pesky wonder. TalkingDog Sep 2013 #20
geepers... given that a lost iPhone will be covered with owner's fingerprints tomm2thumbs Sep 2013 #11
with so many of the owner's fingerprints that you might have a hard time getting a clean one. olddad56 Sep 2013 #21
Probably piece one together, and I doubt it actually has to be perfect at 1200dpi sir pball Sep 2013 #25
If I am right handed IBEWVET Sep 2013 #27
Your fingerprint. Your phone. TM99 Sep 2013 #28
Message auto-removed Name removed Sep 2013 #29

frazzled

(18,402 posts)
1. Um, so to compromise it, you somehow have to get a hi-res image of someone's fingerprint
Mon Sep 23, 2013, 10:18 AM

This doesn't sound like a very practical way of hacking, and hardly a widespread danger. "Psst, little boy, come over here and put your finger on my flatbed scanner."

sir pball

(4,741 posts)
4. Wouldn't be hard to clean it up and interpolate to 2400 if you wanted to.
Mon Sep 23, 2013, 10:30 AM

Like I said, it's a fine daily-use security system, but even before this I couldn't see it being corporate or gov't approved for truly sensitive data. And that's leaving alone the inevitable degradation of the hardware, which it turns out is just a standard CMOS sensor with a higher resolution - which, over time, loses resolution. I'm sure Apple built in some tricks to work around this over the expected lifetime of the phone, but ultimately it weakens the security even further.

 

seveneyes

(4,631 posts)
7. Coming soon to a high resolution 3D Printer
Mon Sep 23, 2013, 10:55 AM

All you would need is an image of the fingerprint and the software to create it on the printer.

frazzled

(18,402 posts)
12. Riiiiiiiiight ... but how's anyone gonna get my fingerprint?
Mon Sep 23, 2013, 12:24 PM

You still have to get me to put my finger on the printer (and rots 'o ruck with that). You can't steal it from my phone ... because the fingerprint is not stored as an image on the phone.

First of all, there's a dedicated "enclave" in the iPhone 5s processor that's used solely for the purpose of storing encrypted data related to Touch ID. Its only connection to the rest of the iPhone's hardware is a function to say, "Touch ID check OK/Fail." The notion that someone could grab this data via a Bluetooth connection is ludicrous Hollywood "hacking" BS.

Second, the iPhone doesn't actually store fingerprint data in the first place. The iPhone 5s maps your fingerprint and converts that into a string of data (a one-way hash), then holds onto that chunk of data. The next time you put your paws on the phone, the same hashing process produces another data chunk; the two chunks -- not the two fingerprint images -- are matched up to allow access. In fact, assuming the hashing process works the same way as it does for existing iPhone passcodes, the fingerprint data is encoded in a way that's specific to that individual phone (salted). Copying it anywhere else would be useless. [Have we been hearing about hacker gangs remotely stealing iPhone passcodes via magical processes to use them elsewhere? No, we have not -- and if we had, it would almost certainly be via social engineering or visual spying as the phone is unlocked, both of which are impossible with Touch ID. –Ed.]

Anyone who somehow managed to access the iPhone's Touch ID circuitry and extract the hashed data would just find a string of alphanumeric gibberish, not a 3D-printable set of whorls and ridges ready to be turned into a latex Mission:Impossible-style fake finger. My TUAW colleague Dr. Richard Gaywood, who knows a thing or two about this stuff, says turning that data back into a readable fingerprint "would be like taking a cake, eating half of it, smashing the rest up with a fork, then giving it to someone and asking them, 'How much did the whole cake weigh, and what message was written on the icing that was on top of it?' "

http://www.tuaw.com/2013/09/22/iphone-5s-fingerprint-sensor-gets-completely-misunderstood/

Gore1FL

(21,119 posts)
15. Easy
Mon Sep 23, 2013, 12:31 PM

Off of silverware or a glass at a restaurant.
Off the pen at the car rental place
Off the keyboard at the ATM
Off the door handle on your car
Off the doorknob to your house.
Off the bottle you just recycled.
Off the yogurt box you just threw away.
Off the elevator button.
Off the table you sat at during lunch.

We touch a lot of things in our daily lives.

frazzled

(18,402 posts)
18. Try reading.
Mon Sep 23, 2013, 12:33 PM

And then try not being so paranoid. Someone can get your password far more easily. And you don't seem to understand the technology.

Gore1FL

(21,119 posts)
22. try reading what?
Mon Sep 23, 2013, 12:57 PM

You asked how they'd get your fingerprint and I told you a bunch of ways someone could. I am not debating whether or not a password is more breakable or not. It's not paranoid knowing that we leave fingerprints everywhere. I simply answered a question you asked.

No need for the snark -- especially considering that I have over two decades of IT experience. I expect my understanding of technology dwarfs yours.


 

seveneyes

(4,631 posts)
23. They would only need a picture of your fingerprint
Mon Sep 23, 2013, 01:00 PM

From something you clearly touched. Then print it out on a 3D Printer.

 

obxhead

(8,434 posts)
30. The iPhone stores plenty of fingerprint data.
Mon Sep 23, 2013, 08:01 PM

All one needs is your phone and a low grade finger print kit. The screen is covered with them.

apnu

(8,750 posts)
13. Pretty much.
Mon Sep 23, 2013, 12:28 PM

This is a cumbersome hack to say the least. It's something that can be done with any fingerprint reader and something that will only be used against a high value target (say in spying).

TalkingDog

(9,001 posts)
16. You only have to lift their print from somewhere else. Also super easy to do.
Mon Sep 23, 2013, 12:32 PM

Or you can use a camera app or even an app like Google Goggles to do the same thing.

This is not for your average street mugger. But for someone with a target.

Passwords (that you can memorize) are protected by the 4th. Scanned fingerprints may not be according to early assessment of the legal ramifications.

AtheistCrusader

(33,982 posts)
2. Except social engineering and coercion.
Mon Sep 23, 2013, 10:18 AM

"Nothing beats a well-managed password system."

Depends on how competent and motivated the user is to keep the password secure.

Major Nikon

(36,827 posts)
6. Most don't even lock their phones
Mon Sep 23, 2013, 10:53 AM

I don't. A biometric system that requires access to a person's fingerprint or finger seems more secure than nothing at all.

The most secure systems require both a password and something physical like a pass card or a biometric. The problem with passwords is that if you require frequent changes and strong passwords, people tend to write them down and leave them in unsecured locations. I guarantee I could compromise the network where I work if I wished simply by going through desk drawers of my co-workers until I found one of their passwords. That's why we are transitioning to a system where you plug your badge into the computer for access.

denverbill

(11,489 posts)
3. OK, assuming you have access to a person's finger, or fingerprints, and apparently a 3D printer.
Mon Sep 23, 2013, 10:29 AM

I suppose if you are James Bond carrying about top-secret documents on your phone, you should be concerned about this.

My current (old) iPhone uses 4 digits for a password. It could be cracked by anyone with time on their hands.

The vast majority of people wanting to hack a phone are people who steal and/or find a phone, and 95% (or more) of those people wouldn't be able to crack it. Yes I suppose it's possible that maybe one in ten phones might have a good enough print to be lifted somewhere from the phone, if the finder was really careful handling the phone. Then if the finder happened to have read about CCC's technique, he'd still have to actually be able to replicate it, something which I doubt I could do, without a fair amount of practice anyway.

Personally, I think 'street grade' security is plenty good enough for the vast majority of people.

AtheistCrusader

(33,982 posts)
9. Nope.
Mon Sep 23, 2013, 11:31 AM

Don't need a 3d printer. You can use the same 2d process that we use to etch circuit boards. Can get a kit from Radio Shack cheap.

All they've done is up the ante on the resolution. But yes, you do need access to a fingerprint. (Which you can probably find ON the phone)

denverbill

(11,489 posts)
14. How many people etch circuit boards?
Mon Sep 23, 2013, 12:29 PM

I'm a programmer and I work with a bunch of other pretty smart programmers and none of us do anything like that. Could I do it? Yeah, probably, if I read up on it and tried it a few times. Could the average phone thief? Not very likely.

And how likely is it that the first time a hacker tries this process it will succeed? CCC has obviously been working on this process off and on for years so they have practice lifting prints, etc.

The thing about the fingerprints is a phone would be covered in prints, from 10 different fingers or more (if a person is showing pictures to other people, etc). Most of the prints will overlap, get smudged, get wiped off sliding in and out of pockets, etc. A thief would have to be handling the phone with a tool to avoid smudging the prints even more. I think the likelihood that he could find one good complete print of the finger he needed would be rather low. And the chances of extracting the print correctly the first time without messing it (and other prints) up wouldn't be too good unless they had practiced the technique.

I seriously think that if you handed me your new iPhone with one and only one perfect fingerprint and told me it was mine free if I could crack it, chances are very low I could do it without help. And even if I could it would take me days if not weeks to do it.

sir pball

(4,741 posts)
24. You make it sound like a 3D printer is still exotic uber-tech
Mon Sep 23, 2013, 01:18 PM

Any regular joe can go get one at Staples for like $1500 - no, it's not $99.99 (yet), but for somebody in the business of stolen bank/personal information it's not exactly a high bar to entry, either.

I agree it's "good enough" security for most people, but there's a persistent annoying meme with the non-techies that biometrics are some sort of Hollywood-style unbreakable ultra-security. I could see a high honcho in a major corporation keeping confidential information on a 5S and then being absolutely floored when the phone is stolen and cracked. Hell, the most interesting thing on my phone are the..."special" pictures and I run a proper alphanumeric password. And keep FileVault turned on on my laptop, with an even more gibberish code. No, it won't help if The Man decides to ask me personally, but it is proof positive against loss or theft.

denverbill

(11,489 posts)
26. Didn't mean to imply that.
Mon Sep 23, 2013, 02:10 PM

Nobody I know has one or really even wants one, but lots of people are using them.

I just don't think the vast majority of iPhone thefts are being done by identity thieves or people who are willing to spend thousands of dollars and significant amounts of time cracking them. Maybe I'm wrong about that though.

Heck with things like the 'where's my phone' apps, the cops will probably be at your door long before you could crack the phone anyway.

My point was just that it is good enough for most people, especially people that don't want to type in a 15 character password with special characters, numbers, and caps 20 times a day and change it every 3 months. Personally, I have enough trouble with the 40-50 passwords I have already.

onyourleft

(726 posts)
5. Isn't it interesting...
Mon Sep 23, 2013, 10:50 AM

...that on release of new technology the first thought is how to hack? I must live in a different reality since that is never the first question that comes to my mind.

AtheistCrusader

(33,982 posts)
10. 'How to hack' is the first step in establishing whether the feature meets the sales hype or not.
Mon Sep 23, 2013, 11:32 AM

Does it ACTUALLY protect you or not? Well, only one way to find out!

TalkingDog

(9,001 posts)
20. Ahhh... to live without all that pesky wonder.
Mon Sep 23, 2013, 12:38 PM

My mother would come home to find the clock taken apart, the hinges off the doors (cuz... how do they work?) the lawnmower motor dismantled to the degree that a screw driver and monkey-wrench would allow.

Your brain either works that way or it doesn't. Don't be hatin'.

tomm2thumbs

(13,297 posts)
11. geepers... given that a lost iPhone will be covered with owner's fingerprints
Mon Sep 23, 2013, 11:34 AM

Guess an ambitious entrepreneur will set up a company to unlock iPhones now <g>

sir pball

(4,741 posts)
25. Probably piece one together, and I doubt it actually has to be perfect at 1200dpi
Mon Sep 23, 2013, 01:21 PM

Looking at my thumb, there's a couple of small scratches that effectively render about 25% of it "different", plus the tiny cracks from dry skin, specks of dust, sensor degradation - there's no way it has to be a spot-on 1200 dpi replica. Anybody with that much of an interest in cracking the phone will likely have the time to assemble a workable print from bits and pieces.

IBEWVET

(217 posts)
27. If I am right handed
Mon Sep 23, 2013, 02:31 PM

and use my left little finger to lock the phone, I doubt they could find a usable left little finger print on the phone.

 

TM99

(8,352 posts)
28. Your fingerprint. Your phone.
Mon Sep 23, 2013, 03:13 PM
You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.

Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.


This is a big deal because Apple has made it a big deal.

Has biometrics been used before? Yup, for over a decade now. Is it fairly secure? Yup, it is, but serious hackers will find ways like this to crack the security. Has biometrics been a part of heavily marketed consumer products?

This is where this now comes in as real and important. No. Thinkpad business models had options for biometrics. But Apple is pushing this through their marketing as not only a 'new' convenience but also as being 'secure'. So if that 'security' is cracked within days of release, that is a huge marketing failure even if it isn't a huge security failure.

But as a techie, the key for me is that Touch ID allows the enrollment of multiple fingerprints. That is a nice further little vector for hacking.

I agree with the OP in that given the choice, I would prefer a well-managed password system over a biometric scanner. Yes, a housewife's iTunes account may not be worth hacking, but now that iDevices are being used in business & government, those people's secure data are indeed worth hacking.
