Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED

Well, that lasted a long time: the Chaos Computer Club has already broken Apple's TouchID fingerprint lock, and warns owners against using biometric ID to protect their data. As the group explains here, it seems that the main advance in Cupertino's biometrics was that it uses a high resolution fingerprint scan. The post states …

COMMENTS

This topic is closed for new posts.

  1. John Jennings
    Black Helicopters

    OMG

    Well, that didn't take long!

    1. ThomH

      Re: OMG

      They confirmed that a well-known way to fool fingerprint scanners fools a particular brand of fingerprint scanner — I don't think anybody was seriously expecting it to take that long.

      I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing.

      1. Daniel B.
        Boffin

        Re: OMG

        "I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing."

        If you can't be bothered with a password, you deserve to lose everything you had on your phone.. Nobody would leave their car unlocked on the street with the ignition key on, yet having a smartphone without password protection is the equivalent of doing just that. Of course, there are things that are worse than no protection at all, like 4-digit PINs and easily-hackable fingerprint scanners.

        I'm surprised they didn't go for the Gummi Bear route, though...

        1. Anonymous Coward

          Re: OMG

          "I'm surprised they didn't go for the Gummi Bear route, though..."

          In a room full of hungry geeks, you'd need military grade security to stop them from being eaten. May even need a fingerprint lock. Oh, wait ..

        2. FuzzyTheBear

          Re: OMG

          "Nobody would leave their car unlocked on the street with the ignition key on ...."

          Nobody you knew before .. then again .. there's me .. I left my keys in the ignition, doors unlocked, at my house in the front door lock, the car's trunk ... the keys stay there until morning when I chase them .. so yes there's people distracted enough to do those things

          Never assume there ain't a moron that's highly capable of doing the unthinkable :)

        3. Michael Wojcik Silver badge

          Re: OMG

          "Nobody would leave their car unlocked on the street with the ignition key on"

          Clearly you're not from around here. At least once a week I walk by an unoccupied car with the doors unlocked and the engine running. It's not something I would do, for safety reasons (anyone dumb enough to steal my car is sure to punish himself inadvertently soon enough - to say nothing of the punishment that is driving my car), but clearly many of the drivers in these parts are more sanguine about it.

        4. Michael Dunn
          Happy

          Re: OMG @Daniel B

          "Nobody would leave their car unlocked on the street with the ignition key on," A sight frequently seen in Crete even with engine running (and with the hazard lights on, parked in the middle of the road)!

          Comment from a Cretan taxi driver when asked why we never saw any police "We don't need police here; we are good people!"

      2. tom dial Silver badge

        Re: OMG

        But one assumes the Apple Marketing Department overlooked this inconvenient, yet fairly obvious, little detail. Fingerprint, among possible biometrics, has the advantage of being quite easy to obtain and the disadvantage of being also quite easy to forge. I suspect that some others, like iris or retina scans, are a bit better but also possible to forge. For all its defects, a reasonably constrained password probably is about as good in practice.

    2. Bob Vistakin
      Facepalm

      You're fingerprinting it wrong

      Can't these stupid users get anything right?

      1. Michael Wojcik Silver badge

        Re: You're fingerprinting it wrong

        "Can't these stupid users get anything right?"

        Agreed. Biometrics are like passwords: you should always use a secret part of your body, and use a different part for each security domain. If you use one of your well-known fingers with a fingerprint reader it's your own damn fault.

      2. Anonymous Coward

        Re: You're fingerprinting it wrong

        @Bob Vistakin

        Prat.

    3. LarsG

      Perspective please

      Ok so as you get mugged the dirty little thief will insist on taking a high resolution picture of your fingerprints then head home and produce a latex copy of them to break the security on your phone?

      Put it into perspective please.

      1. Anonymous Coward

        Re: Perspective please

        A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?

        It sounds like a lot of bother for a thief.

        1. Anonymous Coward

          Re: Perspective please

          "A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?

          It sounds like a lot of bother for a thief."

          Sounds like you will accept any of sh*te to protect the image of you iFool'd ya!

          Pathetic excuse. Apple got it wrong, they tried to redo an existing technology (as they always do, copy) and failed miserably.

          1. Stuart Castle Silver badge

            Re: Perspective please

            The fact is that NO security system is entirely secure. When designing a system, you can only hope to make it unfeasible for a person to access that system. Every system (from the smallest mobile phone to the largest, most powerful military supercomputer) has at least one flaw that can be exploited to break in.

            This flaw would require that the thief has access to a 2400dpi scanner, good enough Photoshop skills to clean up the image, time to clean up that image and access to the fingerprint itself. This last may well be the most difficult to obtain. Not if you mug the person (after all if you've grabbed the phone, they'll probably grab for it, you can scan the fingerprints then), but if you steal the phone from a bag, pocket or table. Even assuming you can work out which person it belongs to, it would be difficult to get access to their fingerprints without them noticing you.

            Now, please tell me: Do you think it would be worth the average thief going through all that just to get access to the user's phone numbers, pictures and whatever apps/media they have? Access to bank accounts might make it worth their while, but in my experience, most mobile banking apps don't store user details on the device.

          2. Frank Bough

            Re: Perspective please

            Bullshit, this is a quicker way to unlock your phone that can't be shoulder surfed. That's all, and we always knew that if you have a copy of the fingerprint you could get in.

            If you lose your phone - no access.

            If your phone is pick pocketed - no access.

            Casual fraping at work - no access.

            This is the purpose of the fingerprint scanner, not to defeat MI fucking 6.

        2. Gotno iShit Wantno iShit

          Re: Perspective please

          I would imagine that the fingerprint on the scanner itself would be the one to start with.

          At least with the swipe type of scanner an attacker would have to try every print on the phone.

        3. C 18
          Trollface

          Re: Perspective please

          Bother for a thief? No bother...wear gloves.

          Put a big gate with barbed wire along the walls, gun turrets on watchtowers, crocodiles in the moat, and lift up the drawbridge but someone will still fly a swallow over the ramparts and drop a coconut on your head!

          1. FunkyEric

            Re: Perspective please

            African or European?

          2. TitterYeNot

            Re: Perspective please

            Yes, but is that a European or African swallow?

      2. Anonymous Coward

        Re: Perspective please

        I suggest you take a look at the phone in the video, there are plenty of prints all over the screen that could be used for making the image.

      3. .stu

        Re: Perspective please

        No, the dirty little thief will insist that you press your finger(s) onto the scanner to unlock the phone for him, or if you don't cooperate, grab your fingers and press them against the scanner by force.

      4. Anonymous Blowhard

        Re: Perspective please

        That's what secateurs are for...

      5. 20legend

        Re: Perspective please

        beats having your digit chopped off by a mugger though.......

      6. John 48

        Re: Perspective please

        You are right, it would be so much simpler to chop the finger off with stout wire cutters when you are pinching the phone, and take that as well...

        1. Trevor Marron

          Re: Perspective please

          But which finger. OK, take both the hands with you... Oh heck, he used a toe print!

      7. tom dial Silver badge

        Re: Perspective please

        Better here to think "police" or "security agency". However, if people are foolish enough to leave sensitive information on their iPhone 5S it would be worthwhile for identity thieves to go through the effort of cracking the phone security.

      8. Anonymous Coward

        Re: Perspective please

        The finger prints are all over the iPhone. They don't have to bother the person that they stole from.

    4. Anonymous Coward

      Re: OMG

      The fingerprint scanner is enough to keep your wife out, but if you see her with a bottle of liquid latex.....

      Delete those numbers and photographs........

      Isn't that what the find my phone app is about?

      1. Evil Auditor Silver badge
        Happy

        Re: OMG

        "... wife ..., but if you see her with a bottle of liquid latex..."

        ...I'll wait in joyful expectation. What numbers and photographs were you referring to?

      2. JohnG

        Re: OMG

        "The fingerprint scanner is enough to keep your wife out, but if you see her with a bottle of liquid latex....."

        No need to be paranoid - she might be planning something kinky.

    5. Anonymous Coward

      Disappointed...

      I'm disappointed, mainly because I was wrong to assume any sanity in the FP reader selection process.

      There are various types of FP readers. This problem is a classic, very basic one for the cheaper end of the range of readers you can get - the more expensive arrays use radio technology (basically you grounding a transmitting aerial with a ridge) to stop the use of such tricks. Given that this deficiency is not exactly a secret I find it disappointing Apple decided to choose that anyway instead of the better approach, especially because there is another problem with this cheap sensor:

      This sensor cannot tell if finger and owner have parted ways.

      *Not* good.

    6. JeffyPoooh
      Pint

      Re: OMG

      Simple solution, don't use your finger. You leave your fingerprints all over the place.

      Use... ...another appendage. One less likely to leave appendage-prints all over the place.

      "Hey, why do you keep sticking your iPhone down the front of your trousers?"

  2. HollyHopDrive

    training video

    Is that not a customer help video produced by Apple to demonstrate taking a backup copy of your finger in case the original is removed in a street mugging for your new iPhone?

  3. The obvious

    2002 called...

    It would like to know if you fancy some Gummy Bears...

    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

  4. Steven Raith

    Biometrics

    Providing a false sense of security since digital imaging and analysis was in its infancy.

    1. Voland's right hand Silver badge

      Re: Biometrics

      What digital?

      It has been providing false sense of security and miscarriages of justice ever since Alphonse Bertillon.

      That is what? Mid-19ths century if memory serves me rigt.

      1. Anonymous Coward

        Re: Biometrics

        Can you trust the memory of somebody who forgot the h in right?

  5. poopypants

    At least with a swipe pattern

    you can be reasonably sure that a thief will not be able to guess your pattern in the three attempts permitted.

    On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high.

    1. Anonymous Coward

      Re: At least with a swipe pattern

      @poopypants - "On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high."

      In fact, since the phone is carrying your prints, a thief with a decent scanner and a sheet of latex would probably find it easier to break into this biometric lock than to crack a password or pass-pattern.

      It's like writing your password on an adhesive label, and sticking it to the back of your phone.

      1. Wallsy

        Re: At least with a swipe pattern

        Of course, my swipe pattern is usually left on the screen in a big greasy smear, so there's only two possibilities required to figure it out...

      2. Anonymous Coward

        Re: At least with a swipe pattern

        Do thieves not have finger prints then? Will they all be wearing latex gloves now?

        1. MrXavia
          Facepalm

          Re: At least with a swipe pattern

          I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief...

          Although I expect thieves would wear gloves if they plan on stealing iPhones or anything else for that matter, thieves know finger prints are the easiest bit of evidence to link them to a crime...

          1. Frank Bough

            Re: At least with a swipe pattern

            You are a mentalist.

          2. LarsG

            Re: At least with a swipe pattern @MrXavia

            "I wear non-latex gloves when in public "

            You kinky devil you!

          3. Anonymous Coward

            Re: At least with a swipe pattern

            "I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief..."

            Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them.

            http://en.wikipedia.org/wiki/Hygiene_hypothesis

            1. Anonymous Coward

              Re: At least with a swipe pattern

              "Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them."

              Germs, yes, viruses, not so much. Not a fan of the tube anyway - too many people who have missed their annual bath.

  6. danR2
    Paris Hilton

    Tim Cook, can you really be this dumb?

    I knew it would be hacked eventually, but only practical by commercial/government clients against high-value targets.

    I can't believe it happened this soon and this easily.

    Will wait out the next few days for official confirmation. If so, they have bricked a major Apple next-big-thing system almost as soon as it's released, which has never happened in history.

    1. Anonymous Coward

      Re: Tim Cook, can you really be this dumb?

      Why are you surprised? They just used prior techniques; so they didn't need to reinvent the wheel at all.

      To keep Apple from patenting this idea; the use of multiple fingerprints in a user defined order.

    2. the-it-slayer

      Re: Tim Cook, can you really be this dumb?

      Why are the Apple-haters getting on this so quickly? To be honest, I'd want to use Touch-ID WITH a pass-code. That way, you stump hackers and thieves with 2-factor authentication. I don't think that's possible yet, but I can see that happening in an update.

      For the consumer = result!

      By the way, this was never going to be a military grade fingerprint scanner. Not even for millions of units sold and for all the money Apple has. It's the execution of the fingerprint tech where most other companies have failed to make it quick and easy to use. Convenience will win over security sometimes in consumer devices; that's life. Even for luxury brands.

      I did read that 50% of iPhone users don't even lock their phone. If this encourages it, then all for the better for offering a basic protection mechanism that's simple to use.

      And the media claiming this is a hack (being claimed on other sites)... hardly. Let's see them hack the firmware/software to get the fingerprint data first and then reproduce the fingerprint from that data.
