OMG
Well, that didn't take long!
Well, that lasted a long time: the Chaos Computer Club has already broken Apple's TouchID fingerprint lock, and warns owners against using biometric ID to protect their data. As the group explains here, it seems that the main advance in Cupertino's biometrics was that it uses a high resolution fingerprint scan. The post states …
They confirmed that a well-known way to fool fingerprint scanners fools a particular brand of fingerprint scanner — I don't think anybody was seriously expecting it to take that long.
I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing.
"I guess the best advice is: if you can't be bothered with a password then the fingerprint scanner is better than nothing."
If you can't be bothered with a password, you deserve to lose everything you had on your phone. Nobody would leave their car unlocked on the street with the ignition key on, yet having a smartphone without password protection is the equivalent of doing just that. Of course, there are things that are worse than no protection at all, like 4-digit PINs and easily-hackable fingerprint scanners.
I'm surprised they didn't go for the Gummi Bear route, though...
Nobody would leave their car unlocked on the street with the ignition key on ....
Nobody you knew before... then again... there's me... I left my keys in the ignition, doors unlocked, at my house in the front door lock, the car's trunk... the keys stay there until morning when I chase them... so yes, there are people distracted enough to do those things.
Never assume there ain't a moron that's highly capable of doing the unthinkable :)
Nobody would leave their car unlocked on the street with the ignition key on
Clearly you're not from around here. At least once a week I walk by an unoccupied car with the doors unlocked and the engine running. It's not something I would do, for safety reasons (anyone dumb enough to steal my car is sure to punish himself inadvertently soon enough - to say nothing of the punishment that is driving my car), but clearly many of the drivers in these parts are more sanguine about it.
"Nobody would leave their car unlocked on the street with the ignition key on," A sight frequently seen in Crete even with engine running (and with the hazard lights on, parked in the middle of the road)!
Comment from a Cretan taxi driver when asked why we never saw any police: "We don't need police here; we are good people!"
But one assumes the Apple Marketing Department overlooked this inconvenient, yet fairly obvious, little detail. Fingerprint, among possible biometrics, has the advantage of being quite easy to obtain and the disadvantage of being also quite easy to forge. I suspect that some others, like iris or retina scans, are a bit better but also possible to forge. For all its defects, a reasonably constrained password probably is about as good in practice.
Can't these stupid users get anything right?
Agreed. Biometrics are like passwords: you should always use a secret part of your body, and use a different part for each security domain. If you use one of your well-known fingers with a fingerprint reader it's your own damn fault.
"A fingerprint might be on the phone, but how is the thief going to know which is theirs and which is yours?
It sounds like a lot of bother for a thief."
Sounds like you will accept any of sh*te to protect the image of your iFool'd ya!
Pathetic excuse. Apple got it wrong, they tried to redo an existing technology (as they always do, copy) and failed miserably.
The fact is that NO security system is entirely secure. When designing a system, you can only hope to make it unfeasible for a person to access that system. Every system (from the smallest mobile phone to the largest, most powerful military supercomputer) has at least one flaw that can be exploited to break in.
This flaw would require that the thief has access to a 2400dpi scanner, good enough Photoshop skills to clean up the image, time to clean up that image and access to the fingerprint itself. This last may well be the most difficult to obtain. Not if you mug the person (after all if you've grabbed the phone, they'll probably grab for it, you can scan the fingerprints then), but if you steal the phone from a bag, pocket or table. Even assuming you can work out which person it belongs to, it would be difficult to get access to their fingerprints without them noticing you.
Now, please tell me: Do you think it would be worth the average thief going through all that just to get access to the user's phone numbers, pictures and whatever apps/media they have? Access to bank accounts might make it worth their while, but in my experience, most mobile banking apps don't store user details on the device.
Bullshit, this is a quicker way to unlock your phone that can't be shoulder surfed. That's all, and we always knew that if you have a copy of the fingerprint you could get in.
If you lose your phone - no access.
If your phone is pickpocketed - no access.
Casual fraping at work - no access.
This is the purpose of the fingerprint scanner, not to defeat MI fucking 6.
I'm disappointed, mainly because I was wrong to assume any sanity in the FP reader selection process.
There are various types of FP readers. This problem is a classic, very basic one for the cheaper end of the range of readers you can get - the more expensive arrays use radio technology (basically you grounding a transmitting aerial with a ridge) to stop the use of such tricks. Given that this deficiency is not exactly a secret I find it disappointing Apple decided to choose that anyway instead of the better approach, especially because there is another problem with this cheap sensor:
This sensor cannot tell if finger and owner have parted ways.
*Not* good.
@poopypants - "On the other hand, your iPhone is most likely covered with your fingerprints, so the probability of a successful break in is high."
In fact, since the phone is carrying your prints, a thief with a decent scanner and a sheet of latex would probably find it easier to break into this biometric lock than to crack a password or pass-pattern.
It's like writing your password on an adhesive label, and sticking it to the back of your phone.
I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief...
Although I expect thieves would wear gloves if they plan on stealing iPhones or anything else for that matter, thieves know fingerprints are the easiest bit of evidence to link them to a crime...
"I wear non-latex gloves when in public for hygiene reasons (surely you know places like the tube are covered in germs?).. But I am not a thief..."
Uh, news flash, everything everywhere is covered in germs, and it's good for your immune system to get exposure to them.
http://en.wikipedia.org/wiki/Hygiene_hypothesis
I knew it would be hacked eventually, but only practical by commercial/government clients against high-value targets.
I can't believe it happened this soon and this easily.
Will wait out the next few days for official confirmation. If so, they have bricked a major Apple next-big-thing system almost as soon as it's released, which has never happened in history.
Why are the Apple-haters getting on this so quickly? To be honest, I'd want to use Touch-ID WITH a pass-code. That way, you stump hackers and thieves with 2-factor authentication. I don't think that's possible yet, but I can see that happening in an update.
For the consumer = result!
By the way, this was never going to be a military grade fingerprint scanner. Not even for millions of units sold and for all the money Apple has. It's the execution of the fingerprint tech where most other companies have failed to make it quick and easy to use. Convenience will win over security sometimes in consumer devices; that's life. Even for luxury brands.
I did read that 50% of iPhone users don't even lock their phone. If this encourages it, then all for the better for offering a basic protection mechanism that's simple to use.
And the media claiming this is a hack (being claimed on other sites)... hardly. Let's see them hack the firmware/software to get the fingerprint data first and then reproduce the fingerprint from that data.