back to article Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack

Apple’s shiny new iPhone 6 can be spoofed with the same fake fingerprints that tricked its older sibling, the iPhone 5S. That's according to mobile security firm Lookout, which said it discovered that it is possible to create a fake fingerprint that's capable of fooling the TouchID fingerprint sensor of the latest iPhones (6 …

  1. present_arms

    Blu-tack worked on my sons 5s

    anecdotal and just saying :D

  2. JimmyPage Silver badge
    Stop

    What industry do these guys work in ? Clearly not a tech one.

    Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual

    A process that could be easily devolved to a 3D Printer - which are hardly like rocking horse shit.

    If there's an incentive, things will be made simple. Look at the grunts who skim cards, using quite high tech.

    1. Anonymous Coward
      Anonymous Coward

      Re: What industry do these guys work in ? Clearly not a tech one.

      > A process that could be easily devolved to a 3D Printer - which are hardly like rocking horse shit.

      Most 3D printers I've seen can't capture the level of detail required for a finger print - not the mass-market squirty plastic kind anyway.

      As above - on many sensors blutack or plasticine works just fine. Low tech and far easier ...

      > If there's an incentive, things will be made simple. Look at the grunts who skim cards, using quite high tech.

      True, but that's a create once and use many kind of operation. Getting one fingerprint of one guy unlocks one phone - it's not scalable to quite the same extent.

      That said, if you really really want to get into one guys phone hacking is a lot of bother - just threaten to hit him with a wrench until he gives you the pin number, or cut off his finger. Attack the fleshy part - not the technology - it's normally simpler.

      1. Oninoshiko

        Re: What industry do these guys work in ? Clearly not a tech one.

        Pete H is right, you're going to need one of the lithographic ones...

        If you are willing to wait a year, these guys should have it down is a cool £61 (100USD): http://www.peachyprinter.com/

    2. Anonymous Coward
      Anonymous Coward

      Re: What industry do these guys work in ? Clearly not a tech one.

      Look at the grunts who skim cards, using quite high tech.

      Unlike a card, you can't just skim it, possibly without the owner noticing, and reproduce the strip cheaply. You need the actual device itself, even if you can fake the print. Which is going to slow you down a lot, quite apart from the skill needed in the first place.

  3. Anonymous Coward
    Meh

    That's good news!

    It means that thieves won't have to cut off your finger when they steal your phone.

  4. Anonymous Coward
  5. Slap

    Biometrics are broken

    Outside of sci-fi films showing retina scans etc, biometrics are well and truly broken. If a physical attribute is used for access then it must be in some manner or form observable, and if it's observable then anybody with the right equipment can observe it and potentially use it

    Take, for example, the bunny boiler girlfriend, who, whilst you sleep, gets your phone and presses your thumb, or whatever digit she's observed that you use, against the sensor. She now has access to everything on that device, and possibly more besides. The equipment here is your digit.

    A password on the other hand is held in your head which is, at least at the moment, non observable until you enter it. Entering it carries the risk of observation but it's transitory and you can mitigate the possibility of the entry being observed.

    Passwords are still the best method of computer security, at least within the private sphere.

    1. armster

      Re: Biometrics are broken

      Biometrics are broken for high security. Biometrics are great for phones. Many people don't even use a passcode for the sake of convenience. Those who do mostly use 4 digit pins (or an android gesture that is equivalent to a 4 digit pin). There have been plenty of reports showing that such a pin can be brute forced if you have access to a standard PC with the proper software. If I use a fingerprint and a long passphrase as back-up authentication I truly believe I am much more secure than the next guy.

      If you worry about your credit card, do you carry a wallet in your pocket, or do you bring along an electronically keyed lockbox to the store? If anything credit card "no factor authentication" is broken, and paying with single use codes protected by single factor authentication is infinitely more secure.

      1. SuccessCase

        Re: Biometrics are broken

        Agree completely, but brute forced! Takes far too long. Far easier is just looking over the shoulder of the user entering a four or six digit pin. Users unlock their phones in public all the time. Customers enter their phone and card PIN numbers in full visibility of security cameras all the time. And The Register run their usual shit stirring contextless articles about fingerprints being crackable - as though we don't know that - all the time. As though users the world over should be oooh scared. Big deal (hint this is why there is a limit on transaction amounts: to mitigate risk). People still give credit card numbers out over the phone without great worry. A fingerprint scanner only has to be more effective than a four digit pin to be convenient and useful and that they certainly are.

      2. John Tserkezis

        Re: Biometrics are broken

        "Biometrics are great for phones. Many people don't even use a passcode for the sake of convenience. Those who do mostly use 4 digit pins (or an android gesture that is equivalent to a 4 digit pin). There have been plenty of reports showing that such a pin can be brute forced if you have access to a standard PC with the proper software. If I use a fingerprint and a long passphrase as back-up authentication I truly believe I am much more secure than the next guy."

        Really? You're saying that Biometrics + long passphrase is better than a swipe. Duh. If you're trying to sell biometrics, and bundling it with long passphrase, you're not doing very good sales job.

        I'd drop biometrics altogether and just go with the passphrase. Every android handset I've ever seen has this capability, and it's by far superior to biometrics.

    2. big_D Silver badge

      Re: Biometrics are broken

      Exactly Slap, biometrics are unique "usernames", they are not good passwords, once they have been "cracked", you can't change them!

  6. Steve Davies 3 Silver badge
    Black Helicopters

    Not only thieves

    Quote

    Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual."

    Now that the contents of the iDevice are encrypted and Apple can't break it, the spooks will be really keen that Apple does not 'fix' this problem.

  7. Anonymous Coward
    Anonymous Coward

    This is a flaw in almost all fingerprint scanners

    Even the multi thousand dollar ones destined for secure access to rooms. Ditto for retinal scanners and the hand scanner thing used for border entry in the US. That's why for full security you need something beyond that - so set a password in addition to using Touch ID if you think this leaves you too exposed.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is a flaw in almost all fingerprint scanners

      Touch ID is just a convenience feature. You HAVE to set a password before you can even start using Touch ID. So basically your suggestion is to just turn Touch ID off.

      Fine, if you're a lunatic about security.

      Jim Jefferies has a bit about gun control that goes something like, how much do you think of yourself that you think there are people out there who are trying to break into your house and murder your family?

      The same could be said for phone security. Who do you think is going to go to the trouble of spoofing your fingerprint to get at your phone data?

      1. Anonymous Coward
        Anonymous Coward

        Re: This is a flaw in almost all fingerprint scanners

        I'm still on a 5, so I don't know for sure, but can't you have Touch ID and a password? If I was paranoid, I'd want both, because it raises the bar.

        I've got my phone now set to 4 hour timeout for passcode, because while I'm slightly paranoid I'm also lazy and don't want to enter my passcode all the time. Since my phone is usually on my person when I'm with others, I don't see it as a big risk.

        In an ideal world, I'd like to see Apple have an option "use Touch ID, and also require passcode if phone has been locked for <same settings as passcode settings now>", so I could have the same thing I do now except I'd have the added protection of Touch ID. But if my phone was lost, or I was arrested and it fell into police hands, after four hours even if someone found a latent fingerprint on my phone (I hear cops are good at that) they'd also need the password to unlock it.

        1. Anonymous Coward
          Anonymous Coward

          Re: This is a flaw in almost all fingerprint scanners

          >>I'm still on a 5, so I don't know for sure, but can't you have Touch ID and a password? If I was paranoid, I'd want both, because it raises the bar.

          No. Touch ID is a convenience feature so you don't have to enter your password. It can't be used to augment your password. What if your finger is injured, or you need somebody else to access your phone? It has to be available via password.

          Since Touch ID means that you only have to enter your password once in a blue moon, you can make your password long and secure ... THAT makes the phone more secure. I used to have a 4-digit PIN on my phone which I'm sure would have been easy to see over my shoulder. Now I have a 14 (?) character password with numbers and symbols and whatnot.

          1. Anonymous Coward
            Anonymous Coward

            Re: This is a flaw in almost all fingerprint scanners

            Now I have a 14 (?) character password with numbers and symbols and whatnot.

            Not sure if this was present in earlier versions of ios, but the current iteration has an option for the phone to wipe after 10 incorrect password attempts. If you set that (and trust it to work), 14 characters is still vast overkill. Personally I loathe when it gets down to symbols on the iphone because I find the keys a real fiddle without autocorrect. I just stick to a ten number pin, which uses the numeric keypad as with four digits - a lot less of a faff if its bloody freezing!

            1. Anonymous Coward
              Anonymous Coward

              Re: This is a flaw in almost all fingerprint scanners

              >>If you set that (and trust it to work), 14 characters is still vast overkill. Personally I loathe when it gets down to symbols on the iphone because I find the keys a real fiddle without autocorrect.

              I think you might have missed my point, i.e., that Touch ID makes it so you hardly ever have to enter your password. So you might as well make it pretty secure, since you won't be typing it in for weeks or maybe months at a time.

              1. Anonymous Coward
                Anonymous Coward

                Re: This is a flaw in almost all fingerprint scanners

                In which case I don't want the "wipe after 10 attempts" because I'll probably forget the password :)

  8. Bob Vistakin
    Angel

    The iPhone may well still have this security flaw

    But its users know it sure is prettier than the others. And has the WiFis and the bigger GeeBees.

    So there's no real problem at all.

  9. Anonymous Coward
    Anonymous Coward

    Darnit...

    ... I guess I'll go back to having a 4 digit PIN on my phone instead.

    That's the intended takeaway from this article, right?

    1. Anonymous Coward
      Anonymous Coward

      Re: Darnit...

      ... I guess I'll go back to having a 4 digit PIN on my phone instead.

      That's the intended takeaway from this article, right?

      Set the password type to "advanced" but then use a digit only password. It still gives you the numeric keypad but anyone trying a 4 digit code won't get anywhere :). However, the highlighting of the individual digits of such a password is easy to shoulder surf, I wish I could switch that off.

      Personally I'd be much happier with a timeout on the FP reader which would then ask for a password/PIN instead. That way, if I was using the phone a lot it would be easy to open, yet be restricted to me and longer absence would still lock it "proper". Hey Tim, are you listening?

      1. Anonymous Coward
        Anonymous Coward

        Re: Darnit...

        >>Personally I'd be much happier with a timeout on the FP reader which would then ask for a password/PIN instead. That way, if I was using the phone a lot it would be easy to open, yet be restricted to me and longer absence would still lock it "proper". Hey Tim, are you listening?

        There's already a timeout--48 hours--and I hope everybody remembers that after 5 attempts with the fingerprint scanner, the password is required, right?

        I have my doubts that fingerprint spoofing would be effective in any real-world scenario. You'd have to find a patch of fingerprint on the phone big enough to satisfy the scanner, plus it would have to be of the correct finger (well, one of the ones that's programmed in), and then you'd have to apply it just-so to satisfy the scanner, and do this all without exhausting your 5 attempts.

        Notice that the Chaos video showed that under absolutely ideal circumstances, their first two attempts to unlock the phone with the spoofed fingerprint STILL failed. Imagine if they didn't even know which fingerprint they should be using, or couldn't get a big enough sample of said finger??

        If the scanner was completely busted, we'd be hearing reports of it being hacked ALL THE TIME. Samsung, The Register, etc. would love nothing more than to report THAT story. But it hasn't happened yet.

  10. Randy Hudson

    My very first experience with touchID (in the apple store)

    1) Train the phone to recognize my thumb

    2) lock the phone

    3) place my INDEX finger on the home button

    the phone recognized my "thumb" and unlocked.

    1. Anonymous Coward
      Anonymous Coward

      Fail on your part.

      The fingerprint app in the Apple Store makes it clear that it doesn't save your fingerprint. So you can program it and then see the fingerprint go red or green afterwards if it matches, but as soon as you quit the app your fingerprint is gone.

      OBVIOUSLY you aren't actually locking-in an iPhone in the Apple Store to your own fingerprint. Is that what you thought you were doing?

  11. Jonski

    Can't use a smudge eh?

    Using a fingerprint as security is doomed, as many have commented. Personally, I agree but for other reasons as well.

    As I go about my daily life, I leave a bit of fingerprint here, there, everywhere. I don't do this for my PINs or passwords. It wouldn't take much for someone to scrape together a few samples of my fingerprint scraps, stitch them together (I half expect Photoshop to do this OOB) and then manufacture a quality facsimile of my print.

    I've already seen with mine own eyes another fingerprint reader work with a photocopy of a fingerprint.

    And once compromised, it's not as if you can reset your fingerprint.

    1. Anonymous Coward
      Anonymous Coward

      Re: Can't use a smudge eh?

      >>As I go about my daily life, I leave a bit of fingerprint here, there, everywhere. I don't do this for my PINs or passwords. It wouldn't take much for someone to scrape together a few samples of my fingerprint scraps, stitch them together (I half expect Photoshop to do this OOB) and then manufacture a quality facsimile of my print.

      Are you some kind of foreign dignitary? Do you have the codes to nuclear weapons? Who in gods name is going to follow you around, James Bond style, lifting sections of your fingerprints from cocktail glasses and piecing them together? (Never mind, James Bond would never do that either. He'd punch you and then use your own damn finger to unlock your phone while you were unconscious. Another security "vulnerability" I suppose?)

      BTW -- using Touch ID on an iPhone isn't mandatory.

      1. Anonymous Coward
        Anonymous Coward

        Re: Can't use a smudge eh?

        He'd punch you and then use your own damn finger to unlock your phone while you were unconscious

        That would probably depend on 'which' Bond.

  12. Ed 11

    I've recently purchased a phone with TouchID and whilst it quite obviously isn't panacea from a security perspective, I think it's a fantastic feature. It works quickly and reliably. I've gone from a 4 digit pass code on a 5 minute time-out to my phone now requiring my fingerprint for every unlock, with a much longer pass code needed if my fingerprint isn't available for any reason. More security for less inconvenience. I'd go as far as saying it's my favourite feature on the phone.

    1. Anonymous Coward
      Anonymous Coward

      I ordered the 5S the second it became available online so I could have this feature.

      Even if it only takes you 1-2 seconds to type in a PIN number of whatever, why waste those seconds of your life every time you want to reply to a text message or take a picture or do some other mundane task?

      Touch ID works so well for me that I often completely forget I even have it. Sometimes I will hand my phone to someone so they can browse through my music collection or whatever and get confused as to why they can't unlock it. Or there are times when I try to unlock the phone with the wrong finger and it takes me a second to remember why it's not working. Absolutely genius feature.

  13. Jin

    False sense of security

    It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

    Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the devices finally locked, they would have to see the device reset.

    Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password, say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

    As for an additional vulnerability unique to biometrics, we could refer to

    http://mashable.com/2013/09/11/girl-fingerprint-scanner/

    Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

    I do not quite understand why the clever Apple is doing such a silly thing as spreading the false sense of security under the name of security.

    1. Anonymous Coward
      Anonymous Coward

      Re: False sense of security

      False. You assume that all passwords are equally secure.

      If you use the fingerprint scanner, that means you will rarely have to enter your password and thus you can make your password something that's much more secure than if you had to enter it quickly every time you wanted to check your text messages.

      So you're technically right that if you use Touch ID, your security is the sum of the vulnerabilities of the fingerprint scanner PLUS using a password ... but each of those is going to be MUCH more secure than just using a 4-digit PIN or similar ... so ultimately you still end up with better security.

  14. admiraljkb

    Even Mythbusters has done a thing on fingerprint readers. Some cellophane tape to grab your prints off of a glass, transfer to some melted gummy bears in the shape of a finger, keep warm, and et voila! Fingerprint Biometrics have been vulnerable like that for years. Every so often see a new study on it as breaking news, but its just the media forgot fingerprints have already been cracked for 10-15 years at least.

  15. Mot524

    I see what's gone wrong here

    Lots of self-styled security "experts" complaining about Apple's Touch ID system.

    The problem is that your only experience with fingerprint scanners is when you see them used in in an episode of Alias to secure biological weapons, so you assume the only reason to have a fingerprint scanner is to provide an ultimate, definitive, unbreakable level of security.

    And here you come on your white horse to point out that Apple's fingerprint scanner for consumer cell phones is actually NOT ideal for securing biological weapons. Well, yes, great, well spotted, I suppose.

    Maybe you should be doing a bit of introspection and asking yourselves why your expectations for a fingerprint scanner are coming from works of fiction. Just sayin'.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon