Iphone fingerprint hacker on the limits of biometrics for security


1 Like

Full interview in english: http://blog.lix.cc/2013/09/27/zeit-online-interview-with-starbug/ or http://www.zeit.de/digital/datenschutz/2013-09/iphone-hack-fingerprint-scanner

1 Like

His points about the dangers of making everyone check in with biometrics are quite valid, but at least two points are misleading.

“The best example for this is Hamburg, where at one school all
students had to submit their fingerprints to get their lunch.”

That was an employee’s mistake - they made all kids register, even those whose parents didn’t opt in. There is and was a secondary method of paying with a key card in place. (Though I disagree withe both systems. Money works fine and frankly, it should be covered with a flat rate anyway.)

This has already begun with the fingerprints in the German identification card and the passport.

The fingerprint in the ID card is opt in.

Just on the point about kids paying for school lunches with money - My first hand experience of being a boy would suggest that at least some (and I suspect many) would choose to spend their lunch money in a way that is not entirely consistent with having a wholesome and healthy lunch. Such is the problem of a universal currency ;).

Yeah, that’s a valid point. That’s why I’d go for a flat rate, with exceptions for poorer families. Anyone can get his lunch, if someone wants to opt out completely, that’s doable, too, and I refuse to believe that the richtest countries on Earth get broke when a kid has a third helping.

After reading the hack, I keep wondering if it’s possible to lift the fingerprints with Silly Putty, then enhance them with some kind of dusting powder for a much quicker, lower tech way to break the security.

From my experience as a child, lunch money was occasionally also stolen. I wouldn’t have minded the fingerprints if it meant I could actually eat my lunch.

It’s unbelievable to heard that the fingerprints of the animal also can break the security.JOKING…

I believe Hang’s point was that if you give kids cash to spend on lunch, they may not spend it on lunch at all. And even a flat rate wouldn’t ensure that kids eat healthy, even if they do chose to spend their money on lunch.

My immediate thought is that I would rather not have my valuables (phone, car, home, etc.) secured in such a way that my presence is required during a robbery. If someone wants my car I’m not going to try to stop them from taking it, but if the car requires a thumbprint then any theft is far more likely to involve me directly and is more likely to involve violence, including the possibility of death or thumb amputation. No thanks. You want the car? Take it. There’s no alarm. You want to break into my house? Wait until there are no cars in the driveway, kick the door in and help yourself - there’s no security system, so no need to hold a gun to my head and demand I disable the alarm and then do god knows what with me or my family after you’re done cleaning out the place.

I meant a flat rate that would be paid in advance or at the end of the month. In that scenario, the kid would not have any money to buy junk food or snacks - beyond its pocket money, of course, If it chooses to burn the money, well, lesson learned the next day, when there’s nothing but the school lunch and no money for small amusements.

Starbug isn’t exactly new to this. If he needed a 2400 dpi scanner, a 1200 dpi printer and more, silly putty will not help that much.

If you watch the “making of” video, you’ll notice that they started with an exceptionally well formed fingerprint on the iPhone. I’ve scanned mine at 1200 dpi - there wasn’t anything that even resembled a fingerprint.

Let’s keep this in perspective: The fingerprint reader was intended as a “more convenient way to unlock your phone” than a passcode.

For me, personally, this means that I can switch to using a serious passcode, and using my finger 99% of the time.

Unfortunately, the fingerprint reader was not quite as secure as Apple’s claim – IF you have a really good fingerprint of the correct finger, it’s POSSIBLE but not EASY to trick the reader. (And of course, people will argue about how EASY it is, but I’ll argue that mere possession of the phone is not enough – there’s almost certainly not “good enough” fingerprints to steal on the phone itself.)

To me, personally, this does not change its value as a “convenience factor”. After all, if the fingerprint is not used for some time, it “expires” and then the thief has to crack the passcode.

However, Apple also wants people to use a fingerprint to authorize iTunes purchases. I won’t be doing that, partially because IF someone can fake my finger, they MIGHT be able to steal hundreds of dollars from me. But more importantly, I don’t buy that much STUFF from iTunes, so I’m happy to stick with a passcode.

The next question is, “Is the fingerprint data accessible?” and the answer is, “Probably it’s harder to get the data out of the ‘secure enclave’ than it is to get a good fingerprint via other means.”

As far as I know, Apple isn’t that reluctant to void charges when foul play was involved.

In any case, my workflow would limit my possible losses, as I buy 20% discounted iTunes cards every few months to bring my account around $200, with no other valid payment method registered.

Oh well (returns gallons of silly putty purchased for illicit purchases)

This topic was automatically closed after 5 days. New replies are no longer allowed.