back to article Apple is too shallow, must go deeper to beat TouchID fingerprint hack, say securo-bods

News that Apple’s iPhone 6 can be spoofed with the same fake fingerprints that tricked its earlier version, the iPhone 5S, has sparked off a lively debate among security researchers. Lookout researcher Marc Rogers demonstrated that the TouchID fingerprint sensor of the latest iPhones could be made to work with a cloned …

  1. DougS Silver badge

    Getting it working is the first step

    Then they have to figure out how to make 150 million of them for a reasonable price. They might be working on it, but that doesn't mean it will be successful.

    Given that even multi-thousand dollar fingerprint scanners are bypassed in multiple ways, I don't think you'll ever see a fingerprint scanner (or retinal scanner, or any other body part scanner) that is as foolproof as security researchers dream about. The real world is a problem like that.

    1. DropBear Silver badge

      Re: Getting it working is the first step

      The real problem is that biometrics is OK for identification, but it's utterly, utterly useless as authentication. If you understand the difference...

      1. SuccessCase

        Re: Getting it working is the first step

        The problem is everything is useless for authentication when you are dealing with communities bigger than the local. Its an age old problem of verification. How do I know you are the official you if I don't know you in the first place. Answer: I don't. I trust what I am shown and that can be spoofed, hacked, stolen, borrowed. So I get a positive ID from a retina scan which confirms your identification an authentication database. But hang on that authentication database is, er, a database, filled with data about people where the operators of that database are in the same position and also have no local community knowledge.

        Of course there is certain data we will *tend* to treat as sufficient, but it is never wholly and completely sufficient. With all technologies its a matter of managing risk.

        Fingerprint scanners are higher on the scale of risk than the super doesn't-yet-exist-in-practical-form technology we want, but they remain one hell of a lot better than a four digit pin entered almost daily with people being able to see over your shoulder and in the presence of "security" camera's trained on the checkout till. Yet, for that, even the four digit pin is useful and better than no pin.

  2. Irongut

    if anyone can take tech and make it usable and affordable

    It certainly isn't Apple.

  3. Peter 48

    deep scanning finger print scanner

    Isn't this the sort of thing that Barclays are looking touse: http://www.wired.co.uk/news/archive/2014-09/05/barclays-finger-scanner

  4. Anonymous Coward
    Anonymous Coward

    Researching != production

    "There was speculation Apple would use that tech in TouchID, but in the end they didn't,"

    Maybe it isn't working yet????

    1. Someone Else Silver badge
      Coat

      Re: Researching != production

      Nah, they're just holding it wrong....

  5. Dan Paul

    Biometric Companies charge a premium for that vein pattern/blood flow technology

    Apple wants everything for next to nothing so they make even more money.

    The biometric fingerprint and vein readers (that actually work) are too expensive to be in a phone.

    Maybe in a few years but not likely.

    1. DougS Silver badge

      Re: Biometric Companies charge a premium for that vein pattern/blood flow technology

      Apple bought a biometric company (two in fact, I believe) so that's not the issue. Perhaps patent licensing would be if they don't hold enough biometric patents to form a cross licensing agreement, but presumably other biometrics companies would be happy to discuss much lower per unit rates or licensing per year given that it would mean a huge increase in licensing revenue.

  6. Dave, Portsmouth

    "Appropriate" Security

    if someone's going to go to the trouble of dusting for prints, gently transferring that to a Haribo and eventually unlocking my phone... well good luck to them. If the CIA or the KGB were after me for state secrets, then maybe I'd be more concerned!

    1. cduance

      Re: "Appropriate" Security

      Its much more likely that they will just chop your finger off than dust for prints

  7. Dan Paul

    Real Fingerprint/Vein reader link

    Here is a company (Safran) that has done the right thing for finger print/vein scanning technology that actually works and is very difficult to spoof. The vein pattern also gives indication between living and dead fingers.

    http://www.morpho.com/identification/acces-securise-biometrique/capteurs-d-empreintes-digitales-et-du-reseau-veineux/?lang=en

    This link below shows a product that uses the whole hand or could use BOTH HANDS in succession.

    http://www.morpho.com/identification/acces-securise-biometrique/fingerprint-sensors/morphotop-tm-639/?lang=en

    Several of these products will detect the "fake Finger" or gummy bear style of spoof with the vein detection capability.

    Apples currect fingerprint readerr tech cannot differentiate this.

    HID also has a product that uses regular prints (no veins),RFID AND Keypad for 3 factor ID that is extremely hard to spoof.

  8. Jin

    Touch ID and Password/code

    Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used.

    Users can unlock the devices by passwords when falsely rejected by the biometric sensors, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password, say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

    As for an additional vulnerability unique to biometrics, we could refer to

    http://mashable.com/2013/09/11/girl-fingerprint-scanner/

    Apple should do something about these vulnerabilities if it claims to be security-sensitive.

  9. Tromos

    Better scanning need not cost more

    No need to put the prices up. How about sacrificing a bit of that huge margin to actually make a product that better justifies the price?

  10. KKM

    Many security holes in Touch ID

    I am reading all the time about the security lapses in Apple's fingerprint system. I think the future is leaning toward touchless mobile phone systems like onyx. Much more secure, reverse compatable with most phones, and doesn't require any hardware. Unless touch sensors up their game to capture a larger area od the print and add some liveness detection, these software only solutions are going to take over. Just IMHO.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019