Chaos Computer Club claims it can unlock iPhones with fake fingers/cloned fingerprints

Shorter: “Single-factor authentication remains insecure.”


You can change your PIN if it’s compromised.


So I guess using your nipple really is the best idea


My approach to personal security is to be as boring as possible. Keeps me busy, but etceteras.

This is silly. Biometrics are far from totally secure. Is it any more or any less secure than the finger grease left on your cell phone screen from repeatedly entering your 4 key passcode? Are you planning on going Snowden? Or do you just reasonably want to keep someone from accessing your phone, data? Apple has provided a solution. If you’re so paranoid, don’t store that kind of thing in your phone.


As best I can tell, it’s based mostly on the (sensibly, never actually explicitly endorsed by Apple) hysterical pre-release hype to the effect that Apple was going to unleash some sort of Totally New and Insanely Great fingerprint reader (just check boingboing’s own thread from a few days ago if you need a refresher on the optimists) that would revolutionize things and stuff.

When a PC OEM, or a boring Android phone maker, shoves one of those little silicon-strip fingerprint readers into their hardware, nobody gives a damn because the hacker side has already done the proof of concept, years ago, and so there is no novelty, and the only people who actually care about that feature are enterprise buyers checking boxes on some cargo-cult-security feature list.

When Apple does it, they get motivated to dust off (mostly the same old) techniques, modify them slightly, and shoot down the fanboys because there are fanboys (and, if they are also opponents of biometric ID in general, because one of the almost-certain-to-be-among-the-best-selling cellular handsets in the developed world just got fingerprint reading as a standard feature, which isn’t going to help opponents of the idea very much).

As it turns out, (aside from being much better integrated aesthetically into the design) Apple’s fingerprint widget appears to be pretty much the same as everybody else’s in its capabilities, so the interest will probably die down as the release hype does.


I guess the real danger here is a co-worker could get your fingerprint and borrow your phone, log into iTunes, fill your phone with music you hate, and then slip it back to you without you ever knowing what happened.

And please don’t tell him where you got the idea when he figures it out.


[quote=“David_Diamante, post:7, topic:10424”]
Also why didn’t anyone care about this when the Atrix had a FP scanner?
[/quote] also @lecti:

Because it wasn’t popular on any other device. Apple may not release the best technology, but iWhatevers are popular. As soon as people begin to accept fingerprint authentication for iTunes, they’ll be ready to accept it for credit card purchases, to check out books at the library, to pass through airport security, at the dentist, when voting, etc. Then we will begin to see the real problem with fingerprint authentication, which is this right here.

@xof: Yes, as long as the second factor isn’t my mother’s maiden name or the street where I grew up.

@David_Diamante and everybody: This starts to run off-topic just a little, but it doesn’t matter what the environment is, or what you’re keeping secure. It’s your stuff and you shouldn’t want anyone else just looking at it [banana] without your explicit permission. Well, I don’t, anyway. I don’t play candy crush, or use mytracks, but I do have pictures of my friends and family on my phone, and I don’t want just anybody looking at those pictures. To put it all back on topic, if my data is less secure because I’m using a weak method of protection, then there is an increased risk that someone will get at my stuff. I’d rather use my own version of correcthorsebatterystaple than my fingerprint or a 4-digit (or even 10-digit) PIN. They are weaker, and in the case of my fingerprint, if it’s copied, I can’t change it.

And we can’t increase our security through fashion (gloves) because we’ve been leaving our fingerprints everywhere since we were little (ask your mom if you don’t believe it).


After reading the steps they went through to make the fake, I’ve determined it’s secure enough for me.


And moreover: if someone has physical access to your device you can no longer reasonably consider it secure. I fail to see the need for hysterics here.


Realistically speaking (and I’d bet anybody nontrivial money that this will happen, and soon) the bigger danger in social-attacker scenarios will be non-cloned fingers. Y’know the genre of sharpie-related cruelty perpetrated on people who drink themselves into unconsciousness? Well, now phone authentication, and all that it brings, can join the fun! Any heavy-sleeper SO/or spouse in a late-stage disintegrating relationship is probably a good bet as well.

Demonstrating a cloning attack is worth doing just to cut through the hype; but few people have enemies motivated enough to do that.


Aha! You’re the first person to point out the real danger, I think!

Unless you’re James Bond, no one is going to spend the time fake fingering you. If you don’t want to use the fingerprint sensor then don’t use it. I’m sure the rest of us will enjoy the convenience and never have an issue.


First - I am the BIGGEST tech cheerleader BUT I hate “innovations” that are basically marketing hype combined with a bunch of crap that doesn’t work and takes up my time. I have a laptop with “face recognition” on it (which is now disabled because it is the most incredible PITA on earth) - mostly doesn’t recognize my face and when it does takes much longer than typing in a PIN.

This type of stuff is a waste of everyone’s time - the developers and the customers.

Work laptops have used secure token technology for over 15 years now (I had one back when Atlanta hosted the Olympics) and why the phone companies don’t just issue secure tokens coupled with a unique ID I don’t know. It’s effective, it’s been around a long time, and no one really wants to screw around getting into their phone that much unless they are 13 years old.


For use instead of a 4 digit PIN, I agree, the fingerprint ID isn’t that much better.

For using instead of having to type in my Apple Password to purchase apps and music, I’m glad to be able to use my fingerprint instead. Much easier.


“I can get you a toe. There are ways, Dude. You don’t wanna know about it, believe me. Hell, I can get you a toe by 3 o’clock this afternoon… with nail polish. These fucking amateurs…”


That’s what the marketing people will sell you but then when you sit there and try to get your finger on the pad just right or it won’t read because you are in the sunlight or it’s too dark or the battery is a little low, it’s annoying. If it does work super smoothly then it would be nice, but a lot of this gimmicky stuff is not quite as slick as the movie versions.

Yes, this is exactly what I was getting at.

This will make me sound fanboyish, but I’ve not had any Apple features not work as demonstrated, from Airplay to Siri and hopefully to this. I have confidence it will work as demonstrated. I’ve found that what they show you is what you get. Whether or not you want what they show you is the question for most people.

In America, your PIN is protected by your right against self-incrimination; your fingerprint is not.