More details, new video showing Iphone fingerprint reader pwned by Chaos Computer Club

Weird how when the new iPhone was announced, they claimed the fingerprint reader was more advanced than previous fingerprint readers so it wouldn’t be hacked by the same methods. But now that it’s been easily hacked, Apple fans have decided that it doesn’t matter.

4 Likes

This same method, and some slightly simpler ones, work on “high security” finger print scanners used to secure buildings. It would be quite surprising if the iPhone finger print scanner was a lot more secure than scanners that cost more than the entire phone. Myth-busters beat expensive finger print scanners and were surprised how easy it was.

Its still better than what I have one my HTC one, nothing,

PIN codes are annoying

I think of fingerprint scanners on personal devices as a novelty feature. They don’t provide much security, because anyone who wants to get into the device can. They are like simple key and lock mechanisms which can be easily picked and only protect you from the generally lawful sort of person who won’t go to much effort to break into your stuff.

One thing that people in the US – or travelling into the US – should know is that even though you can’t be forced to hand over a password there, you CAN be forced to hand over your fingerprint to open a device. Your password falls under the 5th amendment right to not incriminate yourself, but your fingerprint (or really, any biometrics) do not.

NYPD has made the statement that fingerprint protection will help make your phone less likely to be stolen because it will make your phone worthless to thieves. I doubt that a fingerprint is going to give you any more protection than a pin or a pattern to unlock your phone. Yes, there are more patterns to try to match if you want to fuzz or brute force the lock, but there have been other ways shown to break into locked phones and bypass PINs already. (See Hak5 for several examples of hacks of locked phones.) I think that it’s just a matter of time before we see some non-fingerprint matching hacks for the new iPhone fingerprint lock as well.

The question, then, is who are you protecting your phone against? Your kids? Your coworkers? OK, this’ll do the trick. Thieves? This might be sufficient right now, but in a few weeks they’ll have a workaround if they don’t already. Authorities? You are much better off sticking to your PIN, at least in the US. In the UK, and I’m sure in other places as well, neither your PIN nor your fingerprint is going to keep you from opening that phone for them. And if they authorities REALLY want in, they’ll find a way.

1 Like

Your HTC one is an Android phone, right? So it has the ability to use PIN or pattern locking. That’s not nothing. If you are choosing not to use it, that’s your choice.

Not quite. The point is that Apple created the illusion - like a scam artist - that their fingerprint system uses data from under the skin for biometric purposes. It was reasonable to think that such a method could not get foiled with this classic approach.

So while Starbug and the CCC basically just polished their old technique, they still provided an excellent service to Apple users.

And yes, I thought that Apple would make true their claim. It’s not CCC’s fault, that Apple cannot deliver.

1 Like

First, there is no entity called “Apple fans“.

Second, Apple messed up, yep. They made it look as if they had new technology and apparently they don’t have. If they get into a class action suit because of that, I won’t mind at all.

Third, it matters, but doesn’t make Touch ID a total failure. TouchID is apparently no match for a targeted attack, But so isn’t the PIN, especially the short one, when can be easily be memorized by an onlooker. But the vast majority of users aren’t targets for such an attack.

There remains only one issue: Police arresting you and getting to your device by using your finger or your fingerprints. Again, not a likely scenario for most users, but a valid concern for law-abding citizens who encounter police brutality and who filmed it. In that case: Turn off the TouchID before recording or turn it off, once it gets dicey.

Otherwise, it’s still a convenient safety measure protecting users from small harm, until the tech used to trick is so cheap and commonplace that a frat boy can take his drunken friend’s iphone, break the touch ID and post nude pictures on Twitter.

1 Like

I think this is the biggest use case to consider here, as you have to both have access to the owner’s fingerprints as well as the iPhone in question. With these methods, an ethically challenged police force could bring you in as a suspect, charge you with a bogus claim such as burglary, and take your phone and your fingerprints. After they make the faker fingerprint and unlock your phone, they can read your mail, messages, and so on. Then they drop the charge, and let you go whilst they sort through the data dump.

I would suspect this more than I would that some band of scammers or thieves would clean out my accounts with my fingerprint. It’s something to consider if you’re a friend of Glen Greenawald or attend an Occupy demo.

1 Like

More of a collective I suppose. Like the Borg.

“Not quite. The point is that Apple created the illusion - like a scam artist - that their fingerprint system uses data from under the skin for biometric purposes.”

I see absolutely no evidence that Apple did any, such thing. The only possible claim they might have even implied is that the reader would be good & fast at recognizing fingerprints it had been trained on (as opposed to the Motorola Atrix, for example). And as far as I can tell, it is good & fast at that. (Mind you, whether fingerprint recognition is a good method of securing the phone is a whole, nuther issue. See lishevita’s excellent comment above for details)

Any, add’l promises of eternal life, sparkly unicorns, etc… are from the fevered imaginations of biased commenters :stuck_out_tongue:

^^ This a hundred times. All the rabid fans were telling us we didn’t know what we were talking about, we didn’t know what “capacitive” meant, this read the subdermal layer, Apple wouldn’t let 10 year old techniques defeat it, etc, etc. Now that it has been proven to be nothing but either BS on Apple’s part, or fanboyism on the Apple fans part, it doesn’t matter, it is just a simple convenience thing.

1 Like

That, or they’re different people.

Please remember that there are more than just Apple haters and Apple fanboys, there’s that third, oft forgotten group, ‘most people’.

I sort of agree with you on this. I turned off PIN security on both of my phones (iPhone 5 and Galaxy S3) because it is super annoying to put it in every time I want to unlock my phone. If I could unlock my phone with my fingerprint? I would totally do it. Some security is better than no security.

Well, there’s also activation lock to help protect against thieves. This may end up having a workaround, but likely not. Of course, then in the case of a stolen iPhone, there could be 2 victims, in the case of naive buyers who don’t think/know to check for activation lock first.

I don’t remember any rabid fans defending it like you say. Even Apple did not defend it all that strongly. I watched the presentation and the thing was presented light-heartedly in full admission of its limited usefulness. That doesn’t fit your scenario, so you forgot or left it out on purpose. This is about preventing nuisance trouble caused by unlocked phones. That is what they said and that is what it is.

You must not read a lot of tech forums. Please see the initial announcement threads on slashdot and engadget for just two examples. Or maybe just some examples from one BBS thread here (be sure to expand the quotes below so you can see between them they hit all my points exactly):

4 Likes

OK, I concede there are morons in the world. My bad.

1 Like

She was being polite by not calling them by the normal nomenclature… Fanboys :wink:

Check the Keynote, up from minunte 57.

1 Like

LALALALALALALALLALALA I can’t hear you.

This topic was automatically closed after 5 days. New replies are no longer allowed.