Chaos Computer Club claims it can unlock iPhones with fake fingers/cloned fingerprints




"It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

That sums it up so beautifully.


The response is out of scale to the thing. You can also spy on someone and get their PIN. It seems to me about the same. We are not talking arming codes for missiles.

This fascination with personal privacy is starting to seem like an extension of the narcissistic culture we live in.


Dude in the video has the finger-shakes


It is plain stupid to use something that you can't change

Possibly a silly question, but what happens if your fingerprint actually does change (like if you get a cut or something)?


Agree about the false claim of increased security - fingerprint login is probably as secure as a 4-digit PIN but is still a compromise for convenience.

Still, I question the public's hysterical response to fingerprint biometrics once it became an iPhone feature, when far more devices with equal or more serious security implications (Motorola smartphone and Lenovo laptops) had (and still have) this feature in the past.


Most of you are forgetting about how relevant the environment is. I work in public school systems. The likelihood that someone is going to lift my phone and fingerprint to access my data is pretty small, especially considering what kind of information they would find (Candy Crush high scores, contact list, MyTracks data from my workouts). Short of having a system that incorporates encryption, multiple sources of biometric data (FP, iris, heartbeat, face, etc) AND a password you're not going to see any sort of acceptable level of security if you have something worth hiding.

Also why didn't anyone care about this when the Atrix had a FP scanner?


Shorter: "Single-factor authentication remains insecure."


You can change your PIN if it's compromised.


So I guess using your nipple really is the best idea


My approach to personal security is to be as boring as possible. Keeps me busy, but etceteras.


This is silly. Biometrics are far from totally secure. Is it any more or any less secure than the finger grease left on your cell phone screen from repeatedly entering your 4 key passcode? Are you planning on going Snowden? Or do you just reasonably want to keep someone from accessing your phone, data? Apple has provided a solution. If you're so paranoid, don't store that kind of thing in your phone.


As best I can tell, it's based mostly on the (sensibly, never actually explicitly endorsed by Apple) hysterical pre-release hype to the effect that Apple was going to unleash some sort of Totally New and Insanely Great fingerprint reader (just check boingboing's own thread from a few days ago if you need a refresher on the optimists) that would revolutionize things and stuff.

When a PC OEM, or a boring Android phone maker, shoves one of those little silicon-strip fingerprint readers into their hardware, nobody gives a damn because the hacker side has already done the proof of concept, years ago, and so there is no novelty, and the only people who actually care about that feature are enterprise buyers checking boxes on some cargo-cult-security feature list.

When Apple does it, they get motivated to dust off (mostly the same old) techniques, modify them slightly, and shoot down the fanboys because there are fanboys (and, if they are also opponents of biometric ID in general, because one of the almost-certain-to-be-among-the-best-selling cellular handsets in the developed world just got fingerprint reading as a standard feature, which isn't going to help opponents of the idea very much).

As it turns out, (aside from being much better integrated aesthetically into the design) Apple's fingerprint widget appears to be pretty much the same as everybody else's in its capabilities, so the interest will probably die down as the release hype does.


I guess the real danger here is a co-worker could get your fingerprint and borrow your phone, log into iTunes, fill your phone with music you hate, and then slip it back to you without you ever knowing what happened.

And please don't tell him where you got the idea when he figures it out.


also @lecti:

Because it wasn't popular on any other device. Apple may not release the best technology, but iWhatevers are popular. As soon as people begin to accept fingerprint authentication for iTunes, they'll be ready to accept it for credit card purchases, to check out books at the library, to pass through airport security, at the dentist, when voting, etc. Then we will begin to see the real problem with fingerprint authentication, which is this right here.

@xof: Yes, as long as the second factor isn't my mother's maiden name or the street where I grew up.

@David_Diamante and everybody: This starts to run off-topic just a little, but it doesn't matter what the environment is, or what you're keeping secure. It's your stuff and you shouldn't want anyone else just looking at it [banana] without your explicit permission. Well, I don't, anyway. I don't play candy crush, or use mytracks, but I do have pictures of my friends and family on my phone, and I don't want just anybody looking at those pictures. To put it all back on topic, if my data is less secure because I'm using a weak method of protection, then there is an increased risk that someone will get at my stuff. I'd rather use my own version of correcthorsebatterystaple than my fingerprint or a 4-digit (or even 10-digit) PIN. They are weaker, and in the case of my fingerprint, if it's copied, I can't change it.

And we can't increase our security through fashion (gloves) because we've been leaving our fingerprints everywhere since we were little (ask your mom if you don't believe it).


After reading the steps they went through to make the fake, I've determined it's secure enough for me.


And moreover: if someone has physical access to your device you can no longer reasonably consider it secure. I fail to see the need for hysterics here.


Realistically speaking (and I'd bet anybody nontrivial money that this will happen, and soon) the bigger danger in social-attacker scenarios will be non-cloned fingers. Y'know the genre of sharpie-related cruelty perpetrated on people who drink themselves into unconsciousness? Well, now phone authentication, and all that it brings, can join the fun! Any heavy-sleeper SO/or spouse in a late-stage disintegrating relationship is probably a good bet as well.

Demonstrating a cloning attack is worth doing just to cut through the hype; but few people have enemies motivated enough to do that.


Aha! You're the first person to point out the real danger, I think!


Unless you're James Bond, no one is going to spend the time fake fingering you. If you don't want to use the fingerprint sensor then don't use it. I'm sure the rest of us will enjoy the convenience and never have an issue.