Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED

Well, that lasted a long time: the Chaos Computer Club has already broken Apple's TouchID fingerprint lock, and warns owners against using biometric ID to protect their data. As the group explains here, it seems that the main advance in Cupertino's biometrics was that it uses a high resolution fingerprint scan. The post states …

COMMENTS

  1. John Jennings
    Black Helicopters

    OMG

    Well, that didn't take long!

    1. ThomH

      Re: OMG

      They confirmed that a well-known way to fool fingerprint scanners fools a particular brand of fingerprint scanner — I don't think anybody was seriously expecting it to take that long.

      I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing.

      1. Daniel B.
        Boffin

        Re: OMG

        "I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing."

        If you can't be bothered with a password, you deserve to lose everything you had on your phone. Nobody would leave their car unlocked on the street with the ignition key on, yet having a smartphone without password protection is the equivalent of doing just that. Of course, there are things that are worse than no protection at all, like 4-digit PINs and easily-hackable fingerprint scanners.

        I'm surprised they didn't go for the Gummi Bear route, though...

        1. Anonymous Coward

          Re: OMG

          I'm surprised they didn't go for the Gummi Bear route, though...

          In a room full of hungry geeks, you'd need military grade security to stop them from being eaten. May even need a fingerprint lock. Oh, wait ..

        2. FuzzyTheBear

          Re: OMG

          Nobody would leave their car unlocked on the street with the ignition key on ....

          Nobody you knew before .. then again .. there's me .. I left my keys in the ignition, doors unlocked, at my house in the front door lock, the car's trunk ... the keys stay there until morning when I chase them .. so yes there's people distracted enough to do those things

          Never assume there ain't a moron that's highly capable of doing the unthinkable :)

        3. Michael Wojcik Silver badge

          Re: OMG

          Nobody would leave their car unlocked on the street with the ignition key on

          Clearly you're not from around here. At least once a week I walk by an unoccupied car with the doors unlocked and the engine running. It's not something I would do, for safety reasons (anyone dumb enough to steal my car is sure to punish himself inadvertently soon enough - to say nothing of the punishment that is driving my car), but clearly many of the drivers in these parts are more sanguine about it.

        4. Michael Dunn
          Happy

          Re: OMG @Daniel B

          "Nobody would leave their car unlocked on the street with the ignition key on," A sight frequently seen in Crete even with engine running (and with the hazard lights on, parked in the middle of the road)!

          Comment from a Cretan taxi driver when asked why we never saw any police "We don't need police here; we are good people!"

      2. tom dial Silver badge

        Re: OMG

        But one assumes the Apple Marketing Department overlooked this inconvenient, yet fairly obvious, little detail. Fingerprint, among possible biometrics, has the advantage of being quite easy to obtain and the disadvantage of being also quite easy to forge. I suspect that some others, like iris or retina scans, are a bit better but also possible to forge. For all its defects, a reasonably constrained password probably is about as good in practice.

    2. Bob Vistakin
      Facepalm

      You're fingerprinting it wrong

      Can't these stupid users get anything right?

      1. Michael Wojcik Silver badge

        Re: You're fingerprinting it wrong

        Can't these stupid users get anything right?

        Agreed. Biometrics are like passwords: you should always use a secret part of your body, and use a different part for each security domain. If you use one of your well-known fingers with a fingerprint reader it's your own damn fault.

      2. Anonymous Coward

        Re: You're fingerprinting it wrong

        @Bob Vistakin

        Prat.

    3. LarsG

      Perspective please

      Ok so as you get mugged the dirty little thief will insist on taking a high resolution picture of your fingerprints then head home and produce a latex copy of them to break the security on your phone?

      Put it into perspective please.

      1. Anonymous Coward

        Re: Perspective please

        A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?

        It sounds like a lot of bother for a thief.

        1. Anonymous Coward

          Re: Perspective please

          "A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?

          It sounds like a lot of bother for a thief."

          Sounds like you will accept any of sh*te to protect the image of you iFool'd ya!

          Pathetic excuse. Apple got it wrong, they tried to redo an existing technology (as they always do, copy) and failed miserably.

          1. Stuart Castle Silver badge

            Re: Perspective please

            The fact is that NO security system is entirely secure. When designing a system, you can only hope to make it unfeasible for a person to access that system. Every system (from the smallest mobile phone to the largest, most powerful military supercomputer) has at least one flaw that can be exploited to break in.

            This flaw would require that the thief has access to a 2400dpi scanner, good enough Photoshop skills to clean up the image, time to clean up that image and access to the fingerprint itself. This last may well be the most difficult to obtain. Not if you mug the person (after all if you've grabbed the phone, they'll probably grab for it, you can scan the fingerprints then), but if you steal the phone from a bag, pocket or table. Even assuming you can work out which person it belongs to, it would be difficult to get access to their fingerprints without them noticing you.

            Now, please tell me: Do you think it would be worth the average thief going through all that just to get access to the user's phone numbers, pictures and whatever apps/media they have? Access to bank accounts might make it worth their while, but in my experience, most mobile banking apps don't store user details on the device.

          2. Frank Bough

            Re: Perspective please

            Bullshit, this is a quicker way to unlock your phone that can't be shoulder surfed. That's all, and we always knew that if you have a copy of the fingerprint you could get in.

            If you lose your phone - no access.

            If your phone is pick pocketed - no access.

            Casual fraping at work - no access.

            This is the purpose of the fingerprint scanner, not to defeat MI fucking 6.

        2. Gotno iShit Wantno iShit

          Re: Perspective please

          I would imagine that the fingerprint on the scanner itself would be the one to start with.

          At least with the swipe type of scanner an attacker would have to try every print on the phone.

        3. C 18
          Trollface

          Re: Perspective please

          Bother for a thief? No bother...wear gloves.

          Put a big gate with barbed wire along the walls, gun turrets on watchtowers, crocodiles in the moat, and lift up the drawbridge but someone will still fly a swallow over the ramparts and drop a coconut on your head!

          1. FunkyEric

            Re: Perspective please

            African or European?

          2. TitterYeNot

            Re: Perspective please

            Yes, but is that a European or African swallow?

      2. Anonymous Coward

        Re: Perspective please

        I suggest you take a look at the phone in the video, there are plenty of prints all over the screen that could be used for making the image.

      3. .stu

        Re: Perspective please

        No, the dirty little thief will insist that you press your finger(s) onto the scanner to unlock the phone for him, or if you don't cooperate, grab your fingers and press them against the scanner by force.

      4. Anonymous Blowhard

        Re: Perspective please

        That's what secateurs are for...

      5. 20legend

        Re: Perspective please

        beats having your digit chopped off by a mugger though.......

      6. John 48

        Re: Perspective please

        You are right, it would be so much simpler to chop the finger off with stout wire cutters when you are pinching the phone, and take that as well...

        1. Trevor Marron

          Re: Perspective please

          But which finger. OK, take both the hands with you... Oh heck, he used a toe print!

      7. tom dial Silver badge

        Re: Perspective please

        Better here to think "police" or "security agency". However, if people are foolish enough to leave sensitive information on their iPhone 5S it would be worthwhile for identity thieves to go through the effort of cracking the phone security.

      8. Anonymous Coward

        Re: Perspective please

        The finger prints are all over the iPhone. They don't have to bother the person that they stole from.

    4. Anonymous Coward

      Re: OMG

      The fingerprint scanner is enough to keep your wife out, but if you see her with a bottle of liquid latex.....

      Delete those numbers and photographs........

      Isn't that what the find my phone app is about?

      1. Evil Auditor Silver badge
        Happy

        Re: OMG

        ... wife ..., but if you see her with a bottle of liquid latex...

        ...I'll wait in joyful expectation. What numbers and photographs were you referring to?

      2. JohnG

        Re: OMG

        "The fingerprint scanner is enough to keep your wife out, but if you see her with a bottle of liquid latex....."

        No need to be paranoid - she might be planning something kinky.

    5. Anonymous Coward

      Disappointed...

      I'm disappointed, mainly because I was wrong to assume any sanity in the FP reader selection process.

      There are various types of FP readers. This problem is a classic, very basic one for the cheaper end of the range of readers you can get - the more expensive arrays use radio technology (basically you grounding a transmitting aerial with a ridge) to stop the use of such tricks. Given that this deficiency is not exactly a secret I find it disappointing Apple decided to choose that anyway instead of the better approach, especially because there is another problem with this cheap sensor:

      This sensor cannot tell if finger and owner have parted ways.

      *Not* good.

    6. JeffyPoooh
      Pint

      Re: OMG

      Simple solution, don't use your finger. You leave your fingerprints all over the place.

      Use... ...another appendage. One less likely to leave appendage-prints all over the place.

      "Hey, why do you keep sticking your iPhone down the front of your trousers?"

  2. HollyHopDrive

    training video

    Is that not a customer help video produced by apple to demonstrate taking a backup copy of your finger in case the original is removed in a street mugging for your new iphone?

  3. The obvious

    2002 called...

    It would like to know if you fancy some Gummy Bears...

    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

  4. Steven Raith

    Biometrics

    Providing a false sense of security since digital imaging and analysis was in its infancy.

    1. Voland's right hand Silver badge

      Re: Biometrics

      What digital?

      It has been providing a false sense of security and miscarriages of justice ever since Alphonse Bertillon.

      That is what? Mid-19th century if memory serves me rigt.

      1. Anonymous Coward

        Re: Biometrics

        Can you trust the memory of somebody who forgot the h in right?

  5. poopypants

    At least with a swipe pattern

    you can be reasonably sure that a thief will not be able to guess your pattern in the three attempts permitted.

    On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high.

    1. Anonymous Coward

      Re: At least with a swipe pattern

      @poopypants - "On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high."

      In fact, since the phone is carrying your prints, a thief with a decent scanner and a sheet of latex would probably find it easier to break into this biometric lock than to crack a password or pass-pattern.

      It's like writing your password on an adhesive label, and sticking it to the back of your phone.

      1. Wallsy

        Re: At least with a swipe pattern

        Of course, my swipe pattern is usually left on the screen in a big greasy smear, so there's only two possibilities required to figure it out...

      2. Anonymous Coward

        Re: At least with a swipe pattern

        Do thieves not have finger prints then? Will they all be wearing latex gloves now?

        1. MrXavia
          Facepalm

          Re: At least with a swipe pattern

          I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief...

          Although I expect thieves would wear gloves if they plan on stealing iPhones or anything else for that matter, thieves know finger prints are the easiest bit of evidence to link them to a crime...

          1. Frank Bough

            Re: At least with a swipe pattern

            You are a mentalist.

          2. LarsG

            Re: At least with a swipe pattern @MrXavia

            "I wear non-latex gloves when in public "

            You kinky devil you!

          3. Anonymous Coward

            Re: At least with a swipe pattern

            "I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief..."

            Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them.

            http://en.wikipedia.org/wiki/Hygiene_hypothesis

            1. Anonymous Coward

              Re: At least with a swipe pattern

              Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them.

              Germs, yes, viruses, not so much. Not a fan of the tube anyway - too many people who have missed their annual bath.

  6. danR2
    Paris Hilton

    Tim Cook, can you really be this dumb?

    I knew it would be hacked eventually, but only practical by commercial/government clients against high-value targets.

    I can't believe it happened this soon and this easily.

    Will wait out the next few days for official confirmation. If so, they have bricked a major Apple next-big-thing system almost as soon as it's released, which has never happened in history.

    1. Anonymous Coward

      Re: Tim Cook, can you really be this dumb?

      Why are you surprised? They just used prior techniques; so they didn't need to reinvent the wheel at all.

      To keep Apple from patenting this idea; the use of multiple fingerprints in a user defined order.

    2. the-it-slayer

      Re: Tim Cook, can you really be this dumb?

      Why are the Apple-haters getting on this so quickly? To be honest, I'd want to use Touch-ID WITH a pass-code. That way, you stump hackers and thieves with 2-factor authentication. I don't think that's possible yet, but I can see that happening in an update.

      For the consumer = result!

      By the way, this was never going to be a military grade fingerprint scanner. Not even for millions of units sold and for all the money Apple has. It's the execution of the fingerprint tech where most other companies have failed to make it quick and easy to use. Convenience will win over security sometimes in consumer devices; that's life. Even for luxury brands.

      I did read that 50% of iPhone users don't even lock their phone. If this encourages it, then all for the better for offering a basic protection mechanism that's simple to use.

      And the media claiming this is a hack (being claimed on other sites)... hardly. Let's see them hack the firmware/software to get the fingerprint data first and then reproduce the fingerprint from that data.

  7. John Tserkezis
    Holmes

    Like some of the other comments, it's been done before, and has long since proved to be rather insecure. Besides, the Mythbusters team demonstrated this same fingerprint duplication technique in 2006. Not only that, it's been shown elsewhere, that a good (albeit short and very useable) regular password, offers more combinations than biometric fingerprints anyway.

    Like I've said before, it's just not funny anymore...

    1. Don Jefe

      Scamming biometric ID was practically institutionalized in Brazil and they got caught just this year. If people can cheat a piece of installed hardware at the hospital, where you, presumably, can't fiddle around with it for hours, doing it to a device you tote around in your pocket should come as no surprise. Especially after all the hubbub in the media about how advanced it was.

      http://www.telegraph.co.uk/news/worldnews/southamerica/brazil/9926151/Doctor-in-Brazil-used-fake-fingers-to-sign-in-absent-colleagues.html

    2. Anonymous Coward

      There are better readers

      The issue is indeed that this is FP scamming for beginners - I think I still even have a copy of the original paper Tsutomu Matsumoto kindly sent me. There are much better FP scanners out there, but they are a lot more expensive.

  8. Cliff

    Who wants to be the one to break it to the fapples?

    There will be tears. There will be downvotes. What I doubt there will be is a let up in people transgrading.

    1. Anonymous Coward

      Re: Who wants to be the one to break it to the fapples?

      Probably leave it to someone who, unlike you, doesn't randomly oscillate between throwing insults and pretending not to be a partisan: http://forums.theregister.co.uk/forum/containing/1962953

      1. Cliff

        Re: Who wants to be the one to break it to the fapples?

        Depends on my mood. I have days of sunshine and days of thinner, sure. Always post as my own username though not hide behind AC - I may be fickle but I'll be fickle to your face.

        1. Anonymous Coward

          Internet person in mood change shocker!

          Because posting as AC is so brave

      2. Anonymous Coward

        Re: Who wants to be the one to break it to the fapples?

        AC claiming that a single user is fickle? Ludicrous criticism when posting AC, think it through dimwit!

  9. btrower

    Back to the drawing board

    This time maybe wear gloves.

  10. rvt

    I don't see how this is different to some devices that use an image of your face to allow you into the system.

    I think I would like to see a hack where they copied the fingerprint from any place other than the user's finger itself to unlock the device. However, I fail to see why this is newsworthy. This has been done in the way past and will be done in future.

    But we also have to think about the use case, this is not to open a bank or your safe. This is to unlock a phone! If you have more secure stuff on this, simply use the complicated passcode lock, the one that asks more than 4 digits and you are good, well better at least!

    1. Cliff

      In the context of 2fa makes a heap of sense.

  11. Mitoo Bobsworth
    FAIL

    Fingerprints, DNA...

    it really doesn't matter - If someone can make it, you can bet someone can break it.

  12. MrZoolook
    Stop

    Erm...

    I don't get the big deal, all Apple need to do is patent this as a fingerprint retrieval mechanism. Then anyone doing this will face stiffer punishment than the theft of the phone would incur anyway.

  13. Eddy Ito

    DMCA

    Digit Metadata Copied Again

  14. Anonymous Coward

    Embedded RFIDs in your hand

    Embed RFID under the skin on the owner's hand.

    User swipes finger to access

    Phone reads RFID + swipe

    Access granted.

    The future is here!

    1. This post has been deleted by its author

    2. The lone lurker
      Joke

      Re: Embedded RFIDs in your hand

      "Also it causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark"

      Revelation 13:16-17

      Is Steve planning his next big thing?

      1. Anonymous Coward

        Re: Embedded RFIDs in your hand

        I prefer Llama 13:13-26

        And lo, for the flying spaghetti monster doth say "for he with the jesus phone shall be loved by all"

      2. Don Jefe

        Re: Embedded RFIDs in your hand

        What version of the Bible did you quote that uses 'also' in that manner? Genuinely curious.

        1. No, I will not fix your computer

          Re: Embedded RFIDs in your hand

          NIV and ESV both start with "Also" the line goes on from "he gave the image the power to speak" (a prophecy about Siri perhaps?)

      3. Dan 55 Silver badge
        Trollface

        Re: Embedded RFIDs in your hand

        This is not the revelation you're looking for. It's based on Apple ID so if you don't have the mark then just borrow somebody else's.

    3. Mage Silver badge

      Re: Embedded RFIDs in your hand

      Remotely cloneable at about 3m or more.

  15. Neil Porter

    Pinky?

    Isn't the workaround for the 5s owner to unlock with their pinky or other alternative finger that they're not prodding their phone with? That removes this hack from the hands of your average thief.

    1. Khaptain Silver badge

      Re: Pinky?

      The biggest problem with any of the fingers is the fact that, where necessary, they can be easily removed..... Think small knife and Yakuza.

      1. Anonymous Coward

        Re: Pinky?

        You really think a thief is going to cut off a finger? Given a choice between cutting off someone's finger and just holding the knife in front of them and saying "unlock your phone for me or I'll stab you" I think most thieves will choose the latter since it would be a much shorter sentence if you're caught.

        1. Khaptain Silver badge

          Re: Pinky?

          " I think most thieves will choose the latter since it would be a much shorter sentence if you're caught."

          I am not convinced that thieves bring the length of the sentence into the equation when they are stealing things. If they did they would not steal things .....as often..

        2. Anonymous Coward

          Re: Pinky?

          "You really think a thief is going to cut off a finger? Given a choice between cutting off someone's finger and just holding the knife in front of them and saying "unlock your phone for me or I'll stab you" I think most thieves will choose the latter since it would be a much shorter sentence if you're caught."

          The Chinese are selling body parts to join the folly. We don't live in fairies and unicorns land! Just wait till you hear it on the news!

        3. The Indomitable Gall

          Re: Pinky?

          DougS

          "You really think a thief is going to cut off a finger?"

          Does your car have a fingerprint reader? No? There's a reason they stopped installing them...

      2. No, I will not fix your computer

        Re: Pinky?

        I think if Apple went to finger vein technology instead people would be talking about it as if it was genuinely innovative, it stops all that copying fingerprints and fingers cease to validate without a blood supply - they use it for cash machines.

    2. Frank Bough

      Re: Pinky?

      Even simpler, just use your other hand.

  16. returnmyjedi

    I suppose that is less messy than the pair of pliers I was planning to use on the Northern line this morning.

  17. adnim
    Joke

    Security by obscurity

    Use someone else's finger

    1. Anonymous Coward

      Re: Security by obscurity

      Or sit on your own finger until it goes numb and you can pretend it's someone else's?

      Or have I got the wrong forum....

    2. Anonymous Coward

      Re: Security by obscurity

      Isn't the video just showing the reader's ability to see through the latex (or glue, or whatever it is) copy of the finger print into the real one? If they used a second person with the latex, that would be fair play.

      1. Mike Bell

        Re: Security by obscurity

        "Isn't the video just showing the reader's ability to see through the latex (or glue, or whatever it is) copy of the finger print into the real one? If they used a second person with the latex, that would be fair play."

        No, not really. If the video was supposed to be a good demonstrator, the guy should have placed his middle finger on the sensor several times to indicate a negative; then apply the fake print and show that it is indicated positively. Not sure why anyone would miss such an obvious test. As it is, I wouldn't be at all surprised if a thin film applied to an already-registered finger was recognised.

      2. D Fife

        Re: Security by obscurity

        Watch the video again. He uses his index finger to train the sensor, then his middle finger with the latex print. Even if it can see through the latex, it's going to see a different "real" fingerprint.

    3. Jordan Davenport
      Joke

      Re: Security by obscurity

      Or just scan some other unique bodily appendage instead. That alone might make a thief think otherwise when stealing the phone...

  18. Anonymous Coward

    Can we repeat all this slagging off

    when the great god Samsung releases a phone with a similar feature?

    Will the likes of BetFred open a book on how long it will take someone to crack their scanner?

    Nah thought not.

    1. MrXavia
      Facepalm

      Re: Can we repeat all this slagging off

      We could slag off the low security of Samsung's face unlock feature.. but then again they tell you it's low security, I suspect the same thing will happen when they bring out this feature.. a note will probably say medium security...

      1. Darryl
        Meh

        Re: Can we repeat all this slagging off

        Also, can we go back to the iFans' answers to the claims that Moto had this on the Atrix a couple years ago. You know the ones about how it takes Apple to make one that actually works.

        Turns out they were wrong again.

  19. JDX Gold badge

    How easy is it REALLY to get your fingerprint from a phone?

    The idea that a modern phone is a perfect fingerprint retrieval surface seems to make sense, but is it really? Maybe when your phone is new and clean, but what about after you've been touching it dozens of times a day? Won't the prints all be overlapping and smudged?

    1. Jordan Davenport

      Re: How easy is it REALLY to get your fingerprint from a phone?

      While I do agree... I don't know about you, but I tend to wipe my screen off rather frequently to keep it from being all smudged simply so I can actually see the thing. The rest of the thing is rather not-smooth thanks to the bumper case I've got.

    2. Anonymous Coward

      Re: How easy is it REALLY to get your fingerprint from a phone?

      "The idea that a modern phone is a perfect fingerprint retrieval surface seems to make sense, but is it really? Maybe when your phone is new and clean, but what about after you've been touching it dozens of times a day? Won't the prints all be overlapping and smudged?"

      Would this be the only means? No!

      It's a major security fail. Once again Apple prove they just copy another idea and try to implement it in a way the feeble minded think is cool. Huge increase in their bank balance. Worked a treat so far.

      1. JDX Gold badge

        Re: How easy is it REALLY to get your fingerprint from a phone?

        The only means... no. By far the biggest.... yes. Someone nicks your phone and wants to be able to unlock it.

      2. Don Jefe

        Re: How easy is it REALLY to get your fingerprint from a phone?

        Fingerprinting doesn't work like in the movies. You almost never get a whole, clean, unsmudged print. If you've ever been arrested you know how hard it is for the police to print you successfully.

        Fingerprint recognition works by matching a number of individual points, not the entire print; you don't need an entire print.

    3. Mystic Megabyte
      Pint

      Re: How easy is it REALLY to get your fingerprint from a phone?

      It just means that I will have to buy you a drink before I steal your phone and the glass.

  20. jeoten

    Funny really ...

    Well gee ... if someone had a 2400 dpi scan of my 12 digit password they could also gain access.

    1. Steven Raith

      Re: Funny really ...

      Do you involuntarily leave a retrievable (by whatever means) copy of your 12 digit password on every solid surface you touch?

      Didn't think so.

      1. JDX Gold badge

        Re: Funny really ...

        So you think a burglar is going to follow someone around, waiting for them to discard an empty soft drink can, before fishing it out of the bin and then nicking their phone?

        1. Steven Raith

          Re: Funny really ...

          Nope.

          But it's not like kids old enough to pull off a trick like this aren't interested in abusing mummy and daddy's iTunes account.

          Another interesting question is - does the iTunes section of iOS show the full card number of the card you use to buy things - including CSV - and have they allowed this to be accessible with single factor fingerprint?

          I don't have a device here to confirm whether those details are present in plaintext or if it's hashed out to the last four numbers (as I'd expect) - can anyone have a deek at their iDevice and confirm/deny whether it shows the whole number once entered? Google Images is showing me nothing, natch...

          Steven R

  21. DesktopGuy

    CCC have been doing this kind of stuff for a decade

    Devil is in the detail.

    Can they do this from a lifted print, or only from a high res cropped scan of the correct digit?

    Also, let's get 3rd party verification. For all we know, the hacker had already enrolled their second digit into TouchID. When he placed the fake on the second digit it would have worked either way if that digit was already enrolled.

    Time for public commuters to start wearing gloves lest they fall asleep and get the fingers secretly scanned...

  22. LPF

    This is the most asinine article ever....

    What is every tea leaf on the road today a CSI agent, yeah because everyone has latex and and high res scanner going around in the hope they can mug an iPhone user for their phone.

    People need to get a grip , you snatch the phone, high chance you will smear any useful finger prints on it, so unlee you grab it without smearing, you've wasted your time.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is the most asinine article ever....

      "What, is every tea leaf on the road today a CSI agent? Yeah, because everyone has latex and a high res scanner going around in the hope they can mug an iPhone user for their phone.

      People need to get a grip, you snatch the phone, high chance you will smear any useful finger prints on it, so unless you grab it without smearing, you've wasted your time."

      Your point is moot. You use a pin and expect a level of security which works a treat. Pins are used by the banking industry daily. The level of risk is acceptable.

      As mentioned by many appletards, one expects a finger print scan to offer enhanced security above the use of a PIN. This has been proved wrong in record time.

      Everyone who isn't an Applebitch knew this from the start.

      This is a HUGE FAILURE and yet another cause of embarrassment for Apple (and its kin).

      1. JDX Gold badge

        Re: This is the most asinine article ever....

        How has it been proved wrong? Creating a 2400dpi latex fingerprint copy is not exactly an easy process.

        1. Alexander Hanff 1

          Re: This is the most asinine article ever....

          It is incredibly easy - follow these simple steps:

          1. I steal your phone

          2. I take it home, take off my coat, make a coffee and sit down at my PC

          3. I lift the lid on my very cheap Canon 3-in-1 (budget model) which has a 2400 DPI scanner

          4. I place your iphone on the glass, close the lid and scan the phone

          5. I open the scanned image in GIMP or any other half decent graphic editing app

          6. I find a complete print and crop the image around it

          7. I save the image at 2400 dpi

          8. I print it onto plastic (I presume OHP transparency for inkjet will do?)

          9. I wait for it to dry and then paint a thin film of liquid latex over it (very easy to purchase on the high street or online)

          10. Lift the print, unlock the phone.

          I don't understand why so many people are saying "Yeah but who has a 2400 dpi scanner laying around?" - actually most of us probably do - even budget level 3-in-1s have 2400 DPI capabilities nowadays and many have 4800+ DPI capabilities if you are willing to spend a little more.

          Apple screwed up - their main USP (which isn't even a USP given the Aria) is compromised within a couple of days of launch and no amount of "How will you get my fingerprint?" "Who has a 2400 dpi scanner?" or other attempts to mitigate this will change that fact.

          1. GettinSadda

            Re: This is the most asinine article ever....

            OK, let's have a race...

            You do all that, and I will do:

            1. Discover phone is missing

            2. Fire up Find My iPhone

            3. Lock and wipe

            I wonder which of us will be finished first?

            1. Wang N Staines

              Re: This is the most asinine article ever....

              Does the "lock & wipe" work when the SIM is removed?

              1. Mike Bell

                Re: This is the most asinine article ever....

                'Does the "lock & wipe" work when the SIM is removed?'

                Lock & wipe works on a particular phone. The SIM that is currently in the phone has no bearing on that.

                If the phone is quickly put into 'Airplane' mode, it won't receive the lock command from Apple Central. But a phone in such a state isn't really much of a smartphone and will be worth very little to a thief.

            2. WatAWorld

              pretty much the other guy will finish first due to the length of time step 1 takes.

              OK, let's have a race...

              You do all that, and I will do:

              1. Discover phone is missing -- one day

              2. Fire up Find My iPhone -- five minutes

              3. Lock and wipe -- doesn't happen since the phone is no longer on the web.

              So pretty much the other guy will finish first due to the length of time step 1 takes.

              1. Anonymous Coward
                Anonymous Coward

                Re: pretty much the other guy will finish first due to the length of time step 1 takes.

                Most of the "Time taken" comments make the assumption that the fingerprints have not been prepared before the theft.

                Consider who could get a good fingerprint of yours in any one week.

                Lad walks into a bar "Any glass collecting jobs?"

                "oh no not another one!"

          2. Drs. Security

            Re: This is the most asinine article ever....

            this works provided:

            1: the print you got is indeed the one I use to unlock the phone with

            2: your scanner lamp will not deflect off the shiny surface of my phone into your scanner camera and destroy your image

            3: you are within 48 hours of me touching/unlocking it for the last time

            4: you're done before the battery runs out

            5: you are actually interested in my personal data and didn't nick it to be used by yourself

            6: you are faster than me wiping it via find-my-iphone (yes tinfoil will help I know until you have to remove that to place it under your scanner unless you tinfoil wrap your entire room).

            Yes the sensor can be "fooled" but the real screw-up would be if they actually can obtain the data from the SecureZone within the A7.

            Essentially that would really break the TouchID system.

            1. Richard 12 Silver badge

              Re: This is the most asinine article ever....

              You are aware that Flight Mode is available by default when the phone is locked?

              Thus trivially defeating Find My Phone by default.

          3. J__M__M

            Re: This is the most asinine article ever....

            Did you watch the video? Correction on step two:

            2. I take it home, take off my coat, snort an entire 8-ball, and sit down at my PC

            > 2. I take it home, take off my coat, make a coffee and sit down at my PC

        2. Ken Hagan Gold badge

          Re: This is the most asinine article ever....

          "Creating a 2400dpi latex fingerprint copy is not exactly an easy process."

          So the guy who takes the risk of nicking it isn't the guy who later empties your bank account. That's done by whoever he (or she) fences it to in the pub later.

      2. LPF

        Re: This is the most asinine article ever....

        You do realise that when you use words like "appletards" and "Applebitch" all you're proving to the world is that you are a 10 year old virgin, don't you??

        1. Anonymous Coward
          Anonymous Coward

          Re: This is the most asinine article ever....

          At least where I'm from when saying "10 year old" you don't need to add "virgin". It's generally assumed.

        2. Don Jefe
          Alert

          Re: Classic Literature, a dictionary and a thesaurus for you - All FREE Online

          I'm not sure which part of that is supposed to be the insult, "10 year old", or "virgin". By themselves those aren't especially insulting. A 10 year old posting to this site alone would be reasonably impressive; especially considering his use of protologisms comprised of non sequiturs combined with slang.

          Virgin is not a bad thing. I think they're missing out, but then again 94% of everything ever done was part of an attempt to get laid. Maybe they're more focused in their endeavors because of it... Who knows.

          Now, a 10 year old non-virgin, that is disturbing but not really anything you could hold against someone in an insulting way. People of that age who are not virgins shouldn't exist; wouldn't exist if there weren't some terribly fucked up people out there.

          Both of you handled attempts at insults poorly. A proper insult should clearly and directly assault the target's honor, intelligence or other core Human virtue or physical feature in a manner that cannot be misconstrued (ex: Limp Dick Show Pony or Stupid Sloppy Gashed Whore). Good non sequitur insults not only attack the target, they make everyone else laugh; which only adds to the shaming power of the insult.

          Also crucial when insulting people in written formats, is to ensure proper spelling and, at a minimum, slightly above average use of grammar. This is doubly true when actually writing a letter, with pen and paper, to heads of State and/or the recipients of ransom demands.

          In this case I would say something like: "Christ Almighty. You lot of Syphilitic Little Garden Gnomes are really shitting in your own cereal here. Take your ignominious commentary elsewhere". You could append a good "forthwith" or "posthaste" on the end if you're dealing with a bunch of Blue-blooded Ivy League Tosspots.

    2. Drs. Security

      Re: This is the most asinine article ever....

      agreed.

      Government agencies like NSA won't bother with your prints, they probably have other ways to get around the device's security.

      So is this a possible deterrent security control against phone theft? Yes.

      And possibly no more than that.

      Can you ever design a phone with enough security against people with enough skills and money and determination to get YOUR data? Which will be usable as well?

      I seriously doubt it.

  23. Anonymous Coward
    Anonymous Coward

    There were a few fools commenting here earlier saying it was the most secure method compared to a pin.

    I was shot down for contradicting this assertion.

    Oh how right I was! Proven in record time too.

    Apple can innovate, my ass!

    1. JDX Gold badge

      Still seems more secure than a PIN to me.

      1. WatAWorld

        It is only more secure than a PIN if you write your PIN all over the outside of your phone.

        Otherwise it is pretty much equivalent security as your PIN.

        It involves more steps than entering a PIN, but 2400 pixel per inch scanners, etc., are pretty common.

  24. David Pollard
    Pint

    True security

    Whenever I read of the CCC's latest exploits I experience a gentle and pervasive sense of security. That we still have people who do this sort of thing just for the fun of it goes a long way towards keeping the world sane.

  25. MegaTech

    Front door keys deemed unsuitable for access control

    Front door keys have been demonstrably hacked and should not be used, says a prominent group of hackers.

    The group of experts warned that using a key to lock the front door to one's house is unsuitable, as the technology is flawed and could be easily stolen or reproduced.

    The hackers were given access to a key and using simple household materials, and with "minimal effort" (just 10 steps including basic forensic techniques, image processing expertise and the use of household chemicals), they reproduced it to a satisfactory level of accuracy.

    "We hope this puts an end to the notion that using front door keys is a good idea. They should be avoided at all costs," said the hacking group.

    In recent decades the use of door keys has proliferated to the point that even the hackers themselves admitted they use such devices. After this latest revelation, however, the experts have decided to use a far more complex access control mechanism, comprising a long and complex series of numbers and letters.

    In bygone times more than 50% of people didn't have any security on their doors - and even left their backdoors wide open. Pro-key lobbyists noted that keys gained prominence as they at least provided a basic level of security - which previously had not existed. Not only that but they were simple to use and hard to lose.

    Police fear is that this latest revelation will lead to more people once again leaving their homes unprotected, as they shun this imperfect technology.

    A police spokesman said: "Of course keys can be vulnerable - I'm not sure that anybody has claimed otherwise. But we believe that they are still a valuable addition to the overall security of premises. Determined criminals will be able to access your property regardless of your front door key, of course. But for opportunistic criminals - which represent the vast majority - front door key technology is a strong deterrent."

    1. Drs. Security

      Re: Front door keys deemed unsuitable for access control

      yeps! Totally agree.

      And we could rewrite this perfect scenario for:

      - passwords

      - pincodes on bankpasses and creditcards

      - Iris detection on airports

      - handprint scanners

      - face recognition

      - baggage locks with keys or 3-digit cyphers

      - those TSA locks nobody but the TSA is supposed to have the key for

      - wireless carkeys

      By simply copying the piece, replacing the appropriate security term and rewording some small bits to fit the different style of technology.

      What do you really want?

      An iPhone requiring both a fingerprint and a passcode to unlock? I would but then I'm security paranoid enough to care.

      99% of users on this world don't and that's why this will improve security for those who don't bother to set a passcode at all in the first place.

    2. LPF

      Re: Front door keys deemed unsuitable for access control

      You, sir, deserve more up votes than I am able to give, bravo!!

    3. Solmyr ibn Wali Barad

      Re: Front door keys deemed unsuitable for access control

      The key difference is a lack of hype about keys. Well, nearly, some con attempts can be safely ignored here. Keylocks are well understood and most people do not have illusions about them.

      Biometrics are not so ubiquitous to have the same familiarity.

      Oh, and keys do not have cult following.

    4. -tim

      Re: Front door keys deemed unsuitable for access control

      15 years ago a friend hacked a fingerprint scanner into his door bell button. While it didn't work well enough to unlock the door, it did work well enough to let him know when UPS had dropped off a package most of the time or when the mother in law dropped by.

    5. WatAWorld

      Front door keys under doormat deemed insecure

      If MS did something this stupid the press and the fanbois would be all over it labeling it a major vulnerability and serious negligence.

      It is true that in most cases blackhats and many alleged white hats have unreasonable expectations of programmers.

      Even main battle tanks can be vandalized and stolen.

      Even bank vaults can be broken into within 15 minutes using a thermic lance, which is why you need a police station within 15 minutes drive to get insurance on your bank branch.

      The lack of any kind of police crackdown on the thriving industry of buying and selling exploits is not something vendor coders can prevent. It is a justice system and legislative failure that only voters and their employees can fix.

      And how many people have complained about MS having vulnerabilities that required physical access to the desktop?

      However, in this case we're talking about a portable device that has its passwords (fingerprints) all over it.

      That is simply as bad as leaving the keys under your doormat.

  26. Lottie

    Not about mugging

    The whole "so a mugger has to do all this to get in to your phone... blah" scenario isn't the first thing that sprang to my mind.

    The one that I first thought of was the one where foolish business or political types keep *all* their important stuff on their phone. For the right people, it would be advantageous to take their time in getting the stuff they need beforehand, making the print and so on. Snagging the phone would be the very last thing to do. If they're already wearing the fake prints, they could be opening up their victim's mobe as they're running away.

  27. Anonymous Coward
    Anonymous Coward

    Surely it's still more secure for the typical user who does not even set a passcode (50% I heard)?

  28. John H Woods Silver badge

    How about using your nose?

    You probably don't leave a print of that everywhere you go ... except possibly on the window glass at the Apple store ...

    1. Drs. Security

      Re: How about using your nose?

      ROFLMAO.

      It's even simpler than that: if you're right handed then simply use a finger you mostly ignore on your left hand and vice versa.

      Earprints may be interesting as well.

      Although I'll hear the sceptics cry out wolf again as you will leave that on your phone every time you make a call.

      Yes, so use the other ear!

      Besides: you have 10 fingers and only 5 attempts.

      I'll let somebody else do the math ;)

      1. Andy Gates

        Re: How about using your nose?

        Even better... there's photos going round of a lady who set it up to use her nipple.

        1. Don Jefe

          Re: How about using your nose?

          I use object recognition to unlock my phone. Specifically of a bored Lieutenant Jefe. This not only ensures no matches, but also makes everyone turn away when I unlock my phone.

  29. C 18
    Thumb Down

    The real world problem will not be...

    ...somebody breaking into your phone. And let's face it, thieves are not the people you're worried about getting into your phone. It's your close friends and those you keep even closer...

    It's a privacy thing not security. Anybody who keeps really important stuff on a phone that needs to be locked down is not being very smart.

    The real problem, in the real world, is the uniqueness of a fingerprint from the user's perspective. They cannot make a copy of their 'key'. They won't be using any of the other options to get into their phone, and will no doubt have lost their PUK codes etc. Then, oops, they catch their finger in a door and they have to wear a great big bandage on it for a few days until the swelling goes down. OMG! They won't be able to update FB to let everybody know how their finger is healing. They will probably not be able to get in touch with any of their contacts, because most people have their friends' numbers in their phone and nowhere else.

    I agree with the sentiments expressed elsewhere about the 'normalisation' of using fingerprints to go about our daily lives. It's a Bad Thing(tm). Selling this as a 'security feature' is disingenuous. In fact, the only security people in general care about with regard to their phone is the stealing of the hardware itself I think. I'm pretty sure the majority of thieves will factory reset any phone they get, they're not interested in your personal data. If they were, they wouldn't need to steal your phone to get it...

    1. Anonymous Coward
      Anonymous Coward

      Re: The real world problem will not be...

      "It's a privacy thing not security. Anybody who keeps really important stuff on a phone that needs to be locked down is not being very smart."

      By coincidence I was watching a documentary on digital privacy at the weekend, and in an interview with a guy at a security company which sells equipment to Governments and large companies in the security industry he was saying we keep more personal information on smart phones these days than we ever did on computers, and you have to bear in mind potential targets are likely to be politicians, celebrities, and the like who are hardly likely to be security minded at all, and are likely to assume everything on their phone is "secure".

      As to what is "important", sometimes this may not be apparent when you store or record it, sometimes something only becomes so after the event, witness the amount of private comments making their way into the public domain after the person responsible assumed they were "private".

  30. Evoflash

    That user in the video..

    ..is clearly a crim. Look at how he shakes.

    Poor guy hasn't had a hit in hours.

  31. Truth4u

    Fingerprint readers were cracked a long time ago. Surprising that Apple don't remember the Mythbusters episode. The human finger isn't the only material in the world that can be shaped to have ridges in an arbitrary pattern. Fingerprints aren't even difficult to clone.

    1. WatAWorld

      Too true Truth4u.

      I'm disappointed that the journalists we depend on did not do a Google search before reporting on "Apple's revolutionary breakthrough." 30 seconds and you have 7 examples going back to 2007.

  32. Anonymous Coward
    Anonymous Coward

    He must be pretty excited / nervous

    Shaking like a leaf!

  33. Randy Hudson

    Or you could…

    just chop off the owner's thumb.

  34. Dave Robinson
    Happy

    A better solution

    I reckon they should have fitted a rectal scanner. Much more secure. Or do I mean retinal? Can never remember the difference :-)

  35. BongoJoe
    Gimp

    Patent Pending

    Have Apple patented this method for lifting fingerprints yet?

  36. This post has been deleted by its author

  37. Anonymous Coward
    Anonymous Coward

    Of course it can be defeated

    Did Apple (or anybody else for that matter) claim it couldn't be defeated?

    The sensor provides a certain amount of security and mitigates certain threats. I don't think anybody expected it to be perfect, so all you Apple-haters are doing is arguing with strawmen.

  38. WatAWorld

    And if you have the phone in your possession, you almost definitely have the fingerprints too.

    And if you have the phone in your possession, you almost definitely have the fingerprints too, since the phone is operated by touch.

    Kind of like writing your PIN on the phone.

    1. WatAWorld

      Re: And if you have the phone in your possession, you almost definitely have the fingerprints too.

      Or leaving your keys under the mat in your car or by the front door of your house.

  39. Scott 62

    I'm pretty sure it'd be much less faff to actually cut someone's finger off and just use that.

  40. Anonymous Coward
    Anonymous Coward

    I got around this by using an impression of my bell-end to unlock my phone.

    Makes replying to texts on the bus to work awkward though.

  41. hi_robb

    Errr.

    Cop - "So what makes you think thieves managed to bypass the new touchID in your iPhone 5s?"

    Crime Victim: "I don't know, I just can't put my finger on it..."

  42. This post has been deleted by its author
