Obligatory xkcd:
6 Likes
Yeah so⊠Apple has addressed this; they say this is not an optical scanner, does not rely on the top skin layer but rather conductivity of subdermal layers. In other words, they claim that the known vulnerabilities of past fingerprint systems do not apply.
Attack Appleâs claims, argue that they canât be true, explain how this could be fooled by x or y technique, even just speculate about the as-yet-not-publicly-testable tech that Apple is touting: this could be interesting or useful.
Spread fearmongery bullshit about irrelevant stuff that Apple has claimed does not apply here: not interesting, and not useful.
Iâve seen lots of high-emotion discussion about the TouchID sensor, and almost all of it pretends that Apple hasnât even attempted to address known vulnerabilities of fingerprint scanner technology. Thatâs just silly.
4 Likes
âif youâre willing to cut off someoneâs fingertip to unlock his phone, youâre probably also willing to torture him into giving up his PIN.â
Sorry, donât buy that. Torturing a person to extract information can take hours, days. In fact, torture might never produce valuable information. Wasnât that why we all tried to get Alberto Gonzales executed?
Chopping off a finger though: never fails, takes 30 seconds. And thatâs only if thereâs a struggle.
Why arenât alternate passwords more common to dodge coercion? That is, when a cop or a mugger demands that you reveal your PIN, you give him the âsafetyâ PIN which unlocks the phone to innocuous contents (to protect the data,) or the one that unlocks it and silently phones home with its GPS coördinates & video feed and/or unlocks it for a limited time before killing the phone (to devalue the hardware.)
Of course theyâll know this feature exists, but the mugger isnât going to stick around or kidnap you while he waits to make sure you gave him the real PIN. And if the Man is interested enough to send your phone in to Forensics youâre already in trouble.
Edit: The concerns Iâve heard about the fingerprint sensor arenât about its efficacy, but the prints being collected and transmitted to the NSA. (I donât know what they would want with your fingerprints if they already know who and where you are all the time; theyâre not dusting crime scenes.)
4 Likes
Second oblig XKCD:
4 Likes
Whoa. There seems to be quite a few people getting worked up about whether this is hackable without ever stopping to consider whether it matters or not. These are not state secrets weâre protecting, and our enemy isnât a sophisticated intelligence operation. Itâs a phone, and the goal is to keep it locked long enough to wipe it.
Everything is hackable, including your pin code. The fingerprint sensor is merely a convenient replacement for your pin code. If youâre protecting state secrets with this feature, youâre doing it wrong.
5 Likes
While weâre at it, can I have a new motherâs maiden name and first school. These ones are compromised.
4 Likes
If youâve got the guy and the phone secured enough that you could chop off his finger, why not just hold him still and unlock the phone? Save yourself the trouble of cleaning the blood off your clothes and only risk petty theft instead of aggravated assault.
4 Likes
Yep. Yours is the only reply that gets it.
The point is, 50% or so of iPhone users apparently donât use a pin code at all because itâs too much hassle to keep entering it. Thumbprint ID is quite a lot more secure than nothing, so itâll increase the overall security of the iPhone population in general quite significantly.
The vast vast majority of thieves donât want to access your phone anyway, they want to wipe it ASAP to stop you using Find My iPhone on it and to sell it on eBay or locally before the IMEI gets blocked. To that end, I suspect they rarely even notice if itâs got a PIN or not. Quite a bit easier to make money from selling a high end device than there is from rifling through your emails and trying to recover a paypal password or similar.
Activation Lock supposedly solves this second issue so maybe that will change but hopefully both together will just make iPhones less attractive to thieves overall.
5 Likes
Letâs just consider the scenarios a minuteâŠ
Pin scenarios: A mugger takes your phone, then with a knife demands to know the pin. Once revealed, runs away with the goods.
Fingerprint scenario: (i) A mugger takes your phone, then hands it back to you to unlock so that itâs possible to change the fingerprint. The mugger then stands there whilst programming the fingerprint reader to respond to a new fingerprint (because it probably requires the original fingerprint as confirmation). Once done, runs away with the goods.
or
(ii) A mugger takes your phone. Using the same knife chops off the end of your index finger, then runs away with both.
Do people seriously think that digit amputation is not going to happen?
True. Smartphone theft and resale is a huge, huge business now and there need to be better preventative measures built into the hardware itself.
Nearly half of all robberies in San Francisco last year involved smartphones, according to police. source
Whatâs activation lock?
The Activation Lock ties an iPhone to the Apple ID the user links it to during setup. As long as the Apple ID is linked to the iPhone and Find My iPhone is turned on, no one else can reset the iPhone, even if they plug it into a computer.
On iOS 6, users could plug a locked iPhone into iTunes and reset the device to factory settings. With iOS 7, Activation Lock will show the message above instead of resetting an iPhone.
âŠ
If the phone is locked or will not reset and the seller tells you that you should take it home and restore, say no thanks and get out of there as it could be a stolen iPhone at worst and an iPhone you canât use at best.
2 Likes
Yes, for very simple reason:
a) Itâs not that easy to amputate a finger with a knife Buy yourself a chicken leg, hold it in your left hand and try amputating with a knife in your right hand.
b) Itâs not necessary. The PIN is still there. It has to be still there, as a fallback, because hurting your fingers can render the touch id mechanism ineffective. So any thief is better off with forcing you to disclose your PIN. If heâs smart, heâll have you touch it in yourself while he records this with Google Glas.
c) Armed robbery gets a higher penalty than armed robbery, does it not?
Of course, you could do the same with a touch id system. (Theoretically, as this is not implemented by Apple.)
Just declare one finger as a dead manâs finger and have the system wipe itself when that one is used. Or have the system recognize that the finger lingers longer than usual and react on that.
Only when there are high stakes and trained or fanatical victims are involved. Even then torturers can and will extract such information.
In this case, the information would be easily verifiable and the torture can stop.
Torture fails when the information is not verifiable and/or the torturers do not really know if they have the right person at all.
Torture does work. Thatâs one of the reasons for âNeed to knowâ.
1 Like
Good point on still having the pin option.
You do however seem to be giving the mugger a remarkable amount of intelligence. Iâd be just as worried about a mugger trying to amputate my finger as succeeding.
I suspect that chopping someoneâs finger off will merit a longer stint in gaol than simply threatening the victim, however, I again question just how rational muggers are to begin with.
I think most muggers are rational enough to see that the choice âGive me you stuff or suffer bodily harmâ and âLet me amputate your finger or suffer bodliy harmâ are vastly different and will provoke different outcomes.
This, of course is old news - over 100 years in fact. I wonât post a bigger spoiler than, you can read the story. The Red Thumb Mark at Project Gutenberg
1 Like
We at NO2ID successfully lifted the then-Home Secretaryâs fingerprints from a glass she was using to demonstrate precisely this weakness.
1 Like
Alternate PINs have been touted for ages, and as an ex-fraud analyst Iâve dealt with a lot of people who complain about why they donât exist for debit and credit cards. The short story is that the vast majority of humans are fucking awful under pressure unless they are trained for the specific situation they are in. If someone has a knife on you and is demanding your PIN, the chance you will even remember that your phone is equipped with this technology is minute. This isnât something you think about every day, probably not even every year. And considering the most common proposed duress PIN is your real PIN reversed, this adds another level of complexity. So you have to:
a) Remember that you have a duress PIN.
b) Recite your PIN, backwards.
c) Do so in a realistic, natural-enough manner to successfully fool the person mugging you (who probably has a lot more experience mugging than you do).
1 Like
If you have to go through bone, a knife is really not the optimal choice. For bigger bones, a pair of bolt cutters or a hacksaw are nice. For smaller ones, a good pair of pruning shears, or a battery powered rotary tool with cutting disk, are really what you want.
1 Like
