Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED

Well, that lasted a long time: the Chaos Computer Club has already broken Apple's TouchID fingerprint lock, and warns owners against using biometric ID to protect their data. As the group explains here, it seems that the main advance in Cupertino's biometrics was that it uses a high resolution fingerprint scan. The post states …

COMMENTS

This topic is closed for new posts.

Black Helicopters

OMG

Well, that didn't take long!

14
0
Silver badge

Re: OMG

They confirmed that a well-known way to fool fingerprint scanners fools a particular brand of fingerprint scanner — I don't think anybody was seriously expecting it to take that long.

I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing.

16
0
Silver badge
Facepalm

You're fingerprinting it wrong

Can't these stupid users get anything right?

13
4
Silver badge

Perspective please

Ok so as you get mugged the dirty little thief will insist on taking a high resolution picture of your fingerprints then head home and produce a latex copy of them to break the security on your phone?

Put it into perspective please.

10
22
Anonymous Coward

Re: Perspective please

A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?

It sounds like a lot of bother for a thief.

5
10
Anonymous Coward

Re: OMG

The fingerprint scanner is enough to keep your wife out, but if you see her with a bottle of liquid latex.....

Delete those numbers and photographs........

Isn't that what the find my phone app is about?

1
0
Anonymous Coward

Re: Perspective please

"A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?

It sounds like a lot of bother for a thief."

Sounds like you will accept any of sh*te to protect the image of you iFool'd ya!

Pathetic excuse. Apple got it wrong, they tried to redo an existing technology (as they always do, copy) and failed miserably.

21
12
Silver badge
Happy

Re: OMG

... wife ..., but if you see her with a bottle of liquid latex...

...I'll wait in joyful expectation. What numbers and photographs were you referring to?

5
0

Re: Perspective please

I would imagine that the fingerprint on the scanner itself would be the one to start with.

At least with the swipe type of scanner an attacker would have to try every print on the phone.

6
0

Re: Perspective please

The fact is that NO security system is entirely secure. When designing a system, you can only hope to make it unfeasible for a person to access that system. Every system (from the smallest mobile phone to the largest, most powerful military supercomputer) has at least one flaw that can be exploited to break in.

This flaw would require that the thief has access to a 2400dpi scanner, good enough Photoshop skills to clean up the image, time to clean up that image and access to the fingerprint itself. This last may well be the most difficult to obtain. Not if you mug the person (after all if you've grabbed the phone, they'll probably grab for it, you can scan the fingerprints then), but if you steal the phone from a bag, pocket or table. Even assuming you can work out which person it belongs to, it would be difficult to get access to their fingerprints without them noticing you.

Now, please tell me: Do you think it would be worth the average thief going through all that just to get access to the user's phone numbers, pictures and whatever apps/media they have? Access to bank accounts might make it worth their while, but in my experience, most mobile banking apps don't store user details on the device.

6
11
Bronze badge
Trollface

Re: Perspective please

Bother for a thief? No bother...wear gloves.

Put a big gate with barbed wire along the walls, gun turrets on watchtowers, crocodiles in the moat, and lift up the drawbridge but someone will still fly a swallow over the ramparts and drop a coconut on your head!

7
0
Anonymous Coward

Re: Perspective please

I suggest you take a look at the phone in the video, there are plenty of prints all over the screen that could be used for making the image.

2
0
Bronze badge

Re: OMG

"The fingerprint scanner is enough to keep your wife out, but if you see her with a bottle of liquid latex....."

No need to be paranoid - she might be planning something kinky.

0
0

Re: Perspective please

No, the dirty little thief will insist that you press your finger(s) onto the scanner to unlock the phone for him, or if you don't cooperate, grab your fingers and press them against the scanner by force.

1
0
Anonymous Coward

Disappointed...

I'm disappointed, mainly because I was wrong to assume any sanity in the FP reader selection process.

There are various types of FP readers. This problem is a classic, very basic one for the cheaper end of the range of readers you can get - the more expensive arrays use radio technology (basically you grounding a transmitting aerial with a ridge) to stop the use of such tricks. Given that this deficiency is not exactly a secret I find it disappointing Apple decided to choose that anyway instead of the better approach, especially because there is another problem with this cheap sensor:

This sensor cannot tell if finger and owner have parted ways.

*Not* good.

0
0
Bronze badge

Re: Perspective please

Bullshit, this is a quicker way to unlock your phone that can't be shoulder surfed. That's all, and we always knew that if you have a copy of the fingerprint you could get in.

If you lose your phone - no access.

If your phone is pick pocketed - no access.

Casual fraping at work - no access.

This is the purpose of the fingerprint scanner, not to defeat MI fucking 6.

16
2
Bronze badge

Re: Perspective please

That's what secateurs are for...

1
0

Re: Perspective please

African or European?

1
0

Re: Perspective please

Yes, but is that a European or African swallow?

2
0

Re: Perspective please

beats having your digit chopped off by a mugger though.......

1
0
Silver badge
Boffin

Re: OMG

"I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing."

If you can't be bothered with a password, you deserve to lose everything you had on your phone. Nobody would leave their car unlocked on the street with the ignition key on, yet having a smartphone without password protection is the equivalent of doing just that. Of course, there are things that are worse than no protection at all, like 4-digit PINs and easily-hackable fingerprint scanners.

I'm surprised they didn't go for the Gummi Bear route, though...

1
0
Bronze badge

Re: OMG

But one assumes the Apple Marketing Department overlooked this inconvenient, yet fairly obvious, little detail. Fingerprint, among possible biometrics, has the advantage of being quite easy to obtain and the disadvantage of being also quite easy to forge. I suspect that some others, like iris or retina scans, are a bit better but also possible to forge. For all its defects, a reasonably constrained password probably is about as good in practice.

0
0

Re: Perspective please

You are right, it would be so much simpler to chop the finger off with stout wire cutters when you are pinching the phone, and take that as well...

1
0
Bronze badge

Re: Perspective please

Better here to think "police" or "security agency". However, if people are foolish enough to leave sensitive information on their iPhone 5S it would be worthwhile for identity thieves to go through the effort of cracking the phone security.

0
0
Anonymous Coward

Re: Perspective please

The fingerprints are all over the iPhone. They don't have to bother the person that they stole from.

0
0
Anonymous Coward

Re: OMG

"I'm surprised they didn't go for the Gummi Bear route, though..."

In a room full of hungry geeks, you'd need military grade security to stop them from being eaten. May even need a fingerprint lock. Oh, wait ..

1
0

Re: OMG

"Nobody would leave their car unlocked on the street with the ignition key on ...."

Nobody you knew before .. then again .. there's me .. I left my keys in the ignition doors unlocked, at my house in the front door lock, the car's trunk ... the keys stay there until morning when I chase them .. so yes there's people distracted enough to do those things

Never assume there ain't a moron that's highly capable of doing the unthinkable :)

0
0
Bronze badge

Re: OMG

"Nobody would leave their car unlocked on the street with the ignition key on"

Clearly you're not from around here. At least once a week I walk by an unoccupied car with the doors unlocked and the engine running. It's not something I would do, for safety reasons (anyone dumb enough to steal my car is sure to punish himself inadvertently soon enough - to say nothing of the punishment that is driving my car), but clearly many of the drivers in these parts are more sanguine about it.

0
0
Bronze badge

Re: You're fingerprinting it wrong

"Can't these stupid users get anything right?"

Agreed. Biometrics are like passwords: you should always use a secret part of your body, and use a different part for each security domain. If you use one of your well-known fingers with a fingerprint reader it's your own damn fault.

0
0

Re: Perspective please

But which finger. OK, take both the hands with you... Oh heck, he used a toe print!

0
0
Bronze badge
Happy

Re: OMG @Daniel B

"Nobody would leave their car unlocked on the street with the ignition key on," A sight frequently seen in Crete even with engine running (and with the hazard lights on, parked in the middle of the road)!

Comment from a Cretan taxi driver when asked why we never saw any police "We don't need police here; we are good people!"

0
0
Pint

Re: OMG

Simple solution, don't use your finger. You leave your fingerprints all over the place.

Use... ...another appendage. One less likely to leave appendage-prints all over the place.

"Hey, why do you keep sticking your iPhone down the front of your trousers?"

0
0
Anonymous Coward

Re: You're fingerprinting it wrong

@Bob Vistakin

Prat.

0
0

training video

Is that not a customer help video produced by apple to demonstrate taking a backup copy of your finger in case the original is removed in a street mugging for your new iphone?

24
0

2002 called...

It would like to know if you fancy some Gummy Bears...

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

4
0
Bronze badge

Biometrics

Providing a false sense of security since digital imaging and analysis was in its infancy.

25
0
Silver badge

Re: Biometrics

What digital?

It has been providing false sense of security and miscarriages of justice ever since Alphonse Bertillon.

That is what? Mid-19ths century if memory serves me rigt.

1
0
Anonymous Coward

Re: Biometrics

Can you trust the memory of somebody who forgot the h in right?

1
0

At least with a swipe pattern

you can be reasonably sure that a thief will not be able to guess your pattern in the three attempts permitted.

On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high.

10
0
Silver badge

Re: At least with a swipe pattern

@poopypants - "On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high."

In fact, since the phone is carrying your prints, a thief with a decent scanner and a sheet of latex would probably find it easier to break into this biometric lock than to crack a password or pass-pattern.

It's like writing your password on an adhesive label, and sticking it to the back of your phone.

8
1

Re: At least with a swipe pattern

Of course, my swipe pattern is usually left on the screen in a big greasy smear, so there's only two possibilities required to figure it out...

9
0
Anonymous Coward

Re: At least with a swipe pattern

Do thieves not have finger prints then? Will they all be wearing latex gloves now?

1
3
Silver badge
Facepalm

Re: At least with a swipe pattern

I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief...

Although I expect thieves would wear gloves if they plan on stealing iPhones or anything else for that matter, thieves know finger prints are the easiest bit of evidence to link them to a crime...

0
0
Bronze badge

Re: At least with a swipe pattern

You are a mentalist.

1
0
Silver badge

Re: At least with a swipe pattern @MrXavia

"I wear non-latex gloves when in public "

You kinky devil you!

1
0
Anonymous Coward

Re: At least with a swipe pattern

"I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief..."

Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them.

http://en.wikipedia.org/wiki/Hygiene_hypothesis

0
0
Anonymous Coward

Re: At least with a swipe pattern

"Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them."

Germs, yes, viruses, not so much. Not a fan of the tube anyway - too many people who have missed their annual bath.

0
0
Paris Hilton

Tim Cook, can you really be this dumb?

I knew it would be hacked eventually, but only practical by commercial/government clients against high-value targets.

I can't believe it happened this soon and this easily.

Will wait out the next few days for official confirmation. If so, they have bricked a major Apple next-big-thing system almost as soon as it's released, which has never happened in history.

0
7
Anonymous Coward

Re: Tim Cook, can you really be this dumb?

Why are you surprised? They just used prior techniques; so they didn't need to reinvent the wheel at all.

To keep Apple from patenting this idea; the use of multiple fingerprints in a user defined order.

1
0

Re: Tim Cook, can you really be this dumb?

Why are the Apple-haters getting on this so quickly? To be honest, I'd want to use Touch-ID WITH a pass-code. That way, you stump hackers and thieves with 2-factor authentication. I don't think that's possible yet, but I can see that happening in an update.

For the consumer = result!

By the way, this was never going to be a military grade fingerprint scanner. Not even for millions of units sold and for all the money Apple has. It's the execution of the fingerprint tech where most other companies have failed to make it quick and easy to use. Convenience will win over security sometimes in consumer devices; that's life. Even for luxury brands.

I did read that 50% of iPhone users don't even lock their phone. If this encourages it, then all for the better for offering a basic protection mechanism that's simple to use.

And the media claiming this is a hack (being claimed on other sites)... hardly. Let's see them hack the firmware/software to get the fingerprint data first and then reproduce the fingerprint from that data.

4
0
