“A group of German hackers claimed to have cracked the iPhone fingerprint scanner on Sunday, just two days after Apple Inc launched the technology that it promises will better protect devices from criminals and snoopers seeking access,” Jim Finkle reports for Reuters. “If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics Co Ltd and others running the Android operating system of Google Inc.”
“Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computing Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work,” Finkle reports. “One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as ‘a complete break’ of Touch ID security. ‘It certainly opens up a new possibility for attackers.'”
“CCC, one the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone,” Finkle reports. “The group said they targeted Touch ID to knock down reports about its ‘marvels,’ which suggested it would be difficult to crack.”
“The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a ‘fake finger,'” Finkle reports. “CCC said similar processes have been used to crack ‘the vast majority’ of fingerprint sensors on the market. ‘I think it’s legit,’ said Dino Dai Zovi,” another co-author of the iOS Hacker’s Handbook. ‘The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.'”
Finkle reports, “Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.”
Read more in the full article here.
[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]
Related articles:
Apple iPhone 5s’ Touch ID works with more than just your fingers… (with video) – September 22, 2013
Cracker of Apple’s Touch ID fingerprint recognition to win booze, cash, and bitcoins – September 21, 2013
How soon until Apple’s Touch ID comes to iPad and Mac? – September 21, 2013
U.S. Senate Democrat Al Franken demands answers from Apple CEO Tim Cook over iPhone 5s’ Touch ID – September 20, 2013
Hackers eager to try cracking iPhone 5s Touch ID fingerprint recognition – September 19, 2013
Security researcher: Apple iPhone 5s Touch ID is truly better security – September 19, 2013
Apple’s new iPhone 5s and iPhone 5c arrive in stores on Friday, September 20th – September 17, 2013
Engadget reviews Apple iPhone 5c: A breath of fresh air that will be wildly popular this holiday season – September 18, 2013
Apple’s 64-bit iPhone 5s is by far the fastest smartphone in the world – September 18, 2013
Ben Bajarin: Apple’s new iOS 7 will cause consumers to discover their iPhones all over again – September 18, 2013
John Gruber reviews Apple iPhone 5s: ‘This is what innovation, real innovation, looks like’ – September 18, 2013
AnandTech reviews iPhone 5s: Apple’s 64-bit A7 is seriously impressive – September 18, 2013
TechCrunch reviews Apple iPhone 5s: The best smartphone available – September 18, 2013
Apple’s new iPhone 5S likely to be in exceptionally short supply – September 18, 2013
USA Today’s Baig reviews Apple iPhone 5s: ‘Makes the best smartphone even better’ – September 18, 2013
Mossberg reviews Apple iPhone 5s: ‘The best smartphone on the market’ – September 18, 2013
iPhone 5s pre-orders quickly sell out in China; gold iPhone 5s sells out quickest of all – September 17, 2013
Apple’s new iPhone 5s and iPhone 5c arrive in stores on Friday, September 20th – September 17, 2013
Apple’s Touch ID is revolutionary, paradigm-altering technology; Steve Jobs would be quite proud – September 17, 2013
The wizard behind the curtain for the iPhone 5s: Apple’s M7 motion co-processor – September 16, 2013
Apple’s iPhone 5s with Touch ID seen as protection against U.S. NSA – September 16, 2013
Apple’s new iPhone 5s is the world’s first and only 64-bit smartphone – and it will be king of the hill for quite some time – September 13, 2013
Professional photographer on Apple iPhone 5s’ True Tone dual-LED flash: The sheer engineering prowess here is insane – September 13, 2013
Apple iPhone 5s camera leaps two years ahead of entire camera industry – all cameras, not just smartphone cameras – September 13, 2013
Apple changes the world again, propels biometrics into the mainstream with iPhone 5s’ Touch ID – September 12, 2013
iPhone 5s: Once again Apple leaps ahead with Touch ID fingerprint recognition; a big enterprise win for Apple – September 10, 2013
Apple reveals flagship iPhone 5s with Touch ID, the world’s first and only 64-bit smartphone – September 10, 2013
This is as much of a “hack” as looking over someone’s shoulder as they type in their password and writing it down, except for requiring much, MUCH more work, in addition to having physical access to the device. Let me know when someone hacks the “secure enclave” in the A7 processor.
Well said. Even with the print they still couldn’t reset the device as the passcode is needed.
What level of reset? Do you mean factory reset?
No crook stealing an iPhone to resell it is likely to have access to someone’s fingerprint. That’s a reasonable point.
But anyone wanting the DATA on an iPhone can now trivially capture the target’s fingerprint, blahblahblah, to grab the goods.
Easy fix:
Scan first
Opens screen with 12 photos, have to click designated photo.
Photos randomly shift with each opening so you can’t track smudges.
Only adds a split second to process
I’m still waiting to see how they faked the sub-dermal layer. It does not read the surface but the sub dermal layer, which is why I am sure that Apple chose that as the biometric source.
Great point. I think this is going to force Apple to show at least a couple cards, or go back to the drawing board.
More important issue is that CCC does not tell how they cheated TouchID to scan this film or whatever they used — as sensor is not supposed to read picture of non-living materials — this is why Apple wrote TouchID scans subepidermal layers, not epidermis itself.
So, for now, I consider claims of TouchID hacked to be doubtful.
Lets wait for more details how they did it — if they did — or for this PR trick to be exposed.
Don’t you know there is a super villain looking over everybody’s shoulder?
NSA? 🙂
Snidely Whiplash with a high resolution scanner, printer and a jar of Latex.
Sorry, but if someone is out to crack your iPhone, the process required to acquire your fingerprint, cast it into plastic then fake log into it is TRIVIAL. Anyone, literally ANYONE can do it with a simple set of instructions and access to a 3-D printer. Again: ANYONE could do this.
Ticked off that your ex? Crack into here iPhone.
Want to see the secret formula your rival has on his phone? Steal it, and that fingerprint he left on his water glass, blahblahblah.
There are thousands of mystery books about motivations for stealing information. The point all along has been how ANYONE can capture a fingerprint. Now we know that a very simply made cast of it is all one needs to crack into the iPhone 5S.
PLEASE don’t trivialize this folks. This is an era of heightened security awareness around the planet. Making it even EASIER to get into an iPhone than throwing a dictionary attack at its password protection (and faking a fingerprint really IS incredibly EASIER than a dictionary attack) is really, really BAD. It makes using Touch ID instead of a decent password a STEP BACKWARDS in security.
Sorry I’m such a rant hog on this subject. But I am incredibly concerned, as one might expect considering my Mac-Security blog.
You talk too much and you always come across as though you think you’re smarter than everyone else.
It’s just chatter. I point that out just about every day.
I think a better point is that you’re SHOUTING your insecurities to the world. So do something about them!
And no, I could not care less if someone finds my chatter intimidating. Get over it and find your OWN best self, and express it! That’s how it all works. We all share our individuality with the whole. NO ONE gets to shut us up because they’re all intimidated. Therefore, get over being intimidated and just get into the sharing and helping other good people with good stuff!
Oh and, ENJOY beating up BULLIES. I sure do! You’ll oddly find its a great way to help them respect you. Weird eh? But it’s a language they understand.
And yeah, the point of me blethering on has nothing to do with me needing attention, or being arrogant, or having to be better than anyone. I’m only being my best me. You do the same.
And stop being anonymous.
Derek, you are the one that is frequently SHOUTING! You post some decent stuff but, in this case, you are coming across as insecure and insulting. You assume that a lot of people are trivializing this potential crack of TouchID. And you leap to a flawed assumption that this alleged crack of TouchID “really IS incredibly EASIER than a dictionary attack.”
Chill out. If MDN doesn’t block Freek and his ilk, then they won’t block your posts. No one is forcing you to shut up. IT was just one anonymous person with an abbreviation in their “name.”
Derek, I read the rest of this thread and it really sounds like you have gone off your meds. You actually sound kind of scary, dude. I hope that you don’t go any further with your paranoia than just ranting on MDN.
Derek,
You’re just so awesome!
I agree with the second half of STFU’s comment.
By the time the phone is stolen, a fingerprint is copied and a cast is made. It is highly likely the phone would have been remotely wiped by the owner. Faking a finger print may or may not be easy. But it isn’t fast.
“This is an era of heightened security awareness” what? really? Nothing that is being heard in the news should be a surprise to anyone. People nearly their whole lives on Facebook and now all of a sudden they care who sees it. oh please!
Protecting your information/ data/ devices etc is one thing but how far are people really willing to go for their security?
1) I agree about your point of fingerprint faking not being anything a random crook would consider. Ideally the owner would think of wiping the phone. Ideally.
2) What are you going on about ‘oh please!’ about? I’ve been working with the local PC user group (seeing as the Mac UG here self-destructed due to crap leadership). The #1 thing they want me to teach them is computer security, and I do, and I get (not bragging) a large turn out every time I do. And all I teach them is INTERNET security, seeing as I loathe anything Windows and swore off teaching it or repairing it for others.
IOW: You are way wrong about people being INCREDIBLY concerned about security right this very moment. Wake the hell up! Here in the USA we’ve had the 4th Amendment to the US Constitution RIPPED AWAY from us with NO consequences. We’re SCREWED in the USA if we expect any government respect for citizen privacy. That’s PRECISELY the crap that cause the colonies to break away from King George and his corrupt Great Britain. IOW: We’re moving BACKWARDS.
And people aren’t concerned? ‘1984’ the book isn’t being pointed to every single day in the press as what we are becoming? Again: Wake the hell up. This is not acceptable and never will be.
If police or government officials want someones information they have ways of getting it. Legally or not. I resigned myself to this fact year and years ago. Also people freely give out so much of their personal info in various places often times you just have to ask for it and people will give it out willingly. I am just on small person I am not that important. In this day and age how much privacy and anonymity can we truly expect? AS I SAID BEFORE HOW FAR ARE PEOPLE WILLING TO GO FOR THEIR SECURITY AND PRIVACY?
1) I agree about your point of fingerprint faking not being anything a random crook would consider.
Well, IMO that should end the discussion right there. Touch ID is security on a consumer device. I sincerely doubt anyone buying an iPhone believes that they can stop the government or a multi-million dollar intelligence firm from cracking their phone if that agency can get their hands on it.
Security on a consumer device is about protecting your information from common criminals, as well as scumbag acquaintances and relatives. Touch ID is going to make that a lot easier.
If you truly need to keep your your information secure from everyone, including governments and those with government-like resources, you’re not going to settle for the stock security on the device, no matter what device it is.
——RM
Derek Currie writes:
“I agree about your point of fingerprint faking not being anything a random crook would consider. Ideally the owner would think of wiping the phone. Ideally.”
after writing…
“Literally, ANYONE can do it.”
“ANYONE”
“ANYONE can do this.”
______________________________
Methinks one Derek Currie is the major local distributor of crapola.
Get off your high horse. As mentioned this isn’t hacking the sensor. The method specifically says they took a picture of the iphone users finger. They didn’t lift a random print from somewhere. This means is someone wants to steal your info you’ll have to be nice enough to allow them to take a picture of your finger. That’s the equivalent of giving the thief your password because he asks.
See, this is what being anonymous accomplishes: TOTAL COWARDICE.
You know who I am. Who the hell are you, insecure fellow? You can’t quote me correctly and you don’t care. You’re merely here to be ANGRY and ANNOYING. Have fun! When I get ticked off you damned well know why. Meanwhile, you’re just ranting for the sake of pissing off someone, whoever you are, coward. Now get real and have a REAL conversation.
What’s with the all caps Derek? Stephen made a very valid point. I seriously doubt it is possible to pull a 2,400dpi finger print off a beer bottle or anywhere else for that matter. A thief would have to get a print directly from the iPhone owner in which case it would be much simpler to swipe the owner’s finger. Besides a thief is after the phone not the data, unless this a James Bond movie.
There were not ‘all caps’. Having a bad evening? Takeit out on no one please, except of course yourself.
Oh, and read the SOURCE (see the emphasis provided by occasional caps?) article to understand that yes you damned well CAN use a fingerprint off a beer bottle. That is essentially what the hackers used.
And get some sleep. That might help.
Lots of vague and grumpy people here tonight, and they aren’t me.
Polite and persuasive, I see.
Derek,
I am glad that you are not one of those “grumpy” people. I’d hate to see what you’d write if you were.
Blethering on, as you say, doesn’t seem to be making you any friends here, or likely customers… Aggressive language is likely to prove unhelpful also. Your critic makes good points and you might be wise to consider your posts more carefully before you hit the “post comment” button.
If not for Derek Currie’s ever homorous and razor wit that ever graces MDN’s feedback pages for many years, this place would long have gone the dogs of dogma, defeat and intelectual phobia.
Derek, thank you for perspective, reason, logic and factual input that brightens up the roffy raffy gloom – no matter how much we agree or disagree, (everyone’s shit smells) I hope you forever “rant”.
Your input always adds humor and a thoughtful perspective, even when we don’t agree.
If your are really of the mind that someone else is a coward while you are not, rather than BRAVELY calling them a coward from behind the safety of your computer keyboard, it would be rather more instructive to call them a coward to their face.
A more sensible writer on security matters might wait until the full details of this “hack” are released. Thus far, however, it appears that a 2400dpi photograph is required – quite how any hacker or thief would obtain that is open for debate…
Derek, the cracking of TouchID is currently only a claim, not established fact. You also make it sound far easier than it appears. Contrary to your assertion, I would assert that it is much easier to grab a cracking algorithm off of the internet and “throw a dictionary attack” against a target than it is to lift a valid fingerprint (quality version of the one used for TouchID), print it onto a transparent film, and use that to create a mold for a fake finger. Which is more credible? And that even assumes that the fake finger works as advertised, which contradicts what I have heard so far regarding the TouchID technology.
I have to admit that I will be more than a bit disappointed if even an elite hacker group has managed to accomplished the feat so quickly. But, I have no doubt that someone or some group will eventually find a way around TouchID. It has always been easier to break than to make. But making it very difficult to get around a security feature is much better than the status quo. Even if CCC has cracked TouchID, the feature still improves security and utility for the iPhone 5s. Show me anything better.
Yes this is a good point,
We have a german hacker club making sweeping (and unverified) claims. Well they have Charlie Miller jumping on the FUD train, the same man who made the huge and vocal proclamation he could he could hack a macbook in 30 seconds via wifi, he just “forgot” to mention that he had to use a third party wifi adaptor and third party wifi drivers (for which you would have had to had the admin password to install), yeah details, details…. particularly when MacBooks all come with wifi (it is not a BTO option) so none would use this “third party device he had to use to get his hack to work.) This hack of millers was just another stupid pet trick, absolutely unworkable in the real world but the “headline” was echo’d in the tech media (desperate to prop up windows sagging security reputation ) again and again.
The devil is in the details, and I dubious they are giving complete and accurate ones.
ANYONE!
Literally, ANYONE!
ANYONE could do this!
Did I mention that I have a Mac-Security blog?
Derek,
Thanks for providing us with information and as always your polite and week-phrased arguments. I am amazed at how much flaming you get for writing this.
Sure, most people will be fine because no one will go through the trouble of getting your print to open the phone, but that does not mean that we do not need Apple to further investigate and improve. Coming from Apple this needs to be state of the art and nearly uncrackable.
I guess it is much the same as public cameras. Many people will argue that if you have nothing to hide, there is nothing wrong with the cameras. But times may change and system can get hacked into and maybe one day you will be confronted by a not so decent power who wants to know why you went there and there….we have seen it before and it might happen again. If the Nazis of midway the last century had had today’s technology…….
Thanks for a nice post.
I could go off on the effect of psychopathic behavior on society for hours. But it’s a lot more than than, including people with the best of intentions ending up in the middle of thorough oppression of others for what are easily perceived as the best of reasons. IOW: All of we humans are severely limited in our perspectives and comprehension of the real world in which we live. It’s a default. I enjoy when people attempt to break down our walls and provide useful and important other perspectives. I do my best to attempt the same.
Sorry, week should have read well 🙂
If the best the “hackers” can do is “photographing the fingerprint” and “molding a fake finger,” Apple has succeeded. Typical iPhone users don’t even set a pass code. Touch ID is like Time Machine on a Mac. Once it is set up, the user forgets about it (until it is needed).
That’s why Touch ID will have a major impact on security, because MOST iPhone users will want to it. And (after stealing the iPhone) MOST criminals will not have the desire, time, skill, or resources to create a precision fake finger, even if they somehow also had a photograph of the owner’s fingerprint.
And it would have to be the correct (or one of the correct) fingerprints, as well.
That’s why I’m going to use my middle finger so thieves know exactly what I think of them.
Amazingly we’ll said!!!
Turns out the clandestine german hacker operation was hired by a Sumsung PR firm.
They have a point with my security token being everywhere but It is still better then all the alternatives.
I watch the video. I call bs on this as well, the touch id sensor is a capacitive touch sensor and reads the layer of skin below the dermis (living tissue below the surface of dead skin). Notice the same person using the same finger with a very thin piece of plastic between his finger and the scanner. The touch id is reading his fingerprint below the dermis like it is supposed to. I want to see him try this with someone else’s finger with his print. If anyone has taken the time to actually read how this sensor works, they would know that one of the benefits of this sensor is that it can be put behind an lcd display and still read. Because it is capacitive touch not optical. Only an optical sensor would be fooled by a high resolution fingerprint copy. The only thing to say here is that the sensor is reading the persons real fingerprint through the tape on the end of his same finger.
Also even if he is using his middle finger for the test how do we know he did not train it before hand as you can train more than one finger to unlock the phone.
Wait he copied his own finger? Then he accomplished absolutely nothing. The finger print sensor did its job it read HIS fingerprint.
They posted another video with a completely different person unlocking it with the “fake” finger mold. But my point above still remains.
The one thing I’m curious about (and will check once I get my 5s) is, can you enable both touch ID and password? That would give you two-factor authentication. Would be nice to have in some circumstances.
Even if they did that it proves nothing as well. I can train other peoples prints to open my phone as well
Yes you can have both TouchID and passcode. Passcode can even be longer than 4 digits.
Is it a system-wide setting, or can it be turned on for certain types of transactions?
I know you can have a longer passcode…which I might now enable if I don’t have to type it in all the time. Which is kind of the point of Touch ID. More secure on multiple levels.
So just use another part of the body. Others have reported using their nose, their cat’s paw and even their schwanstoggle. Like to see the replicate someone’s schwanstoggle! I think these Krauts are full of hackbraten!
We all know what Anthony Weiner’s using…
Schwanstoggle… that’s funny.
Nevertheless, I don’t consider this a crisis. You have to have the phone in hand. You have to know which finger was used. You have to lift a very good copy of its print somewhere (good luck, if your target used his meat whistle or other turgid appurtenance). And then you have to hope you can clean up the print and copy it well enough to work. All before your target bricks the phone using Find My iPhone.
Whatever.
LOL
German engineering vs. Californian design.
Thats it?Photocopying finger prints?
Lmao.
Making a latex cast of a fingerprint is TRIVIAL! You can use a fingerprint taken off a glass, toss it into the freeware 3-D app Blender, keep the 3-D version as thin as possible, then toss the 3-D image to a 3-D printer, whip out your 3-D fingerprint, toss it on your finger, and PWNed is that guy’s iPhone!
There is NOTHING new here at all except the recent ease with which anyone can make a 3-D cast of any captured fingerprint. A diabolical password would be HELLA-safer! Or best yet would be using BOTH a password AND a fingerprint scan.
Anyone remember the VOICE login you could use in old Mac OS 8? Remember what a JOKE that was? Trivially record someone voice logging into their Mac, play it back to the Mac, oops you PWNed their Mac? Same trivial PWNing as fingerprints.
Not good.
Derek,
Yes, of course this is an issue. There have been too many movies that have defeated fingerprint scanners for people to really put complete trust in them.
I think the average target for touch Id is the person who (like myself) doesn’t put ANY pass code on their phone, not the person who is protecting valuable information.
And the average attacker is unlikely to go to the effort of collecting the fingerprint in the first place.
Overall security for the platform is increased because it is now harder to pick the “low hanging fruit. “
There IS that point, and I understand.
However, Touch ID cannot be called, at this point, an actual improvement in iPhone security, UNLESS it is coupled with also using a password. Comparing fingerprint to a diabolical password, fingerprint LOSES. And yes, I am obsessed about the subject. That’s typical me.
How many people actually have access to 3D printers? My understanding is that it is not inexpensive to print something in 3D. Now you’re talking about a thief who acquires a 2400 dpi copy of your fingerprint, your iPhone 5S, AND had a 3D printer. All in the hopes that you left a balance on your Starbucks account, and all before you remotely wipe your iPhone.
Wow never use 1 word where 10 will do eh. Mind you English words would be an advantage occasionally.
I am unaware of the procedure for how to TOSS a file into a software app, and for how to TOSS a file to a printer, and for how to TOSS the printer output into my finger. Would simply importing, printing, and placing these things work? Or must they be TOSSED? Also, if I TOSS, does this make me cooler.
At any rate, I hope you will post a video showing the entire procedure that you learned from watching Mission Impossible. Start with the fingerprint on the glass, and then commence to TOSSING, until which time you have unlocked someone else’s iPhone 5s. I would interested to watch this simple procedure that literally ANYONE can do.
I shall be eagerly waiting.
6 badgering reply posts boris. That’s a record in my experience. So maybe you have something else on your mind that has nothing at all to do with me? Just a guess.
I have less posts than you do. Plus, mine are fun, while your’s are just self-congratulatory.
Hi Boris!
In the film the nervous guy is using the same finger to open the phone as he is using to present the micro-thin latex replica. The iPhone is reading through the semi transparent latex! Maybe the chap is nervous because he knows he is lying ?
If someone’s surreptitiously photographing my fingerprints, I think I’ve got more important things to worry about than my iPhone.
What happened to needing a “live” finger? I thought the reports said if it wasn’t a real finger or a severed finger it wouldn’t work?
Yes, really, who cares? Maybe a ‘live’ finger really IS required! And look at how we living humans all have living fingers and can put a latex cast of any captured fingerprint onto our living finger and fool the Touch ID scanner! As Matty pointed out to me earlier: PWNed!
Except the latex cast wouldn’t be living tissue, and so, presumably, wouldn’t register with the capacitance Touch ID system.
Long story short, if you can’t use an object as a stylus on an iPhone, you shouldn’t be able to use it on Touch ID.
——RM
As Matty shared with me earlier:
http://www.macrumors.com/2013/09/22/chaos-computer-club-bypasses-apples-touch-id-system/
This is really, really BAD.
Abbreviating one of my previous rants: If Apple FORCED users to fingerprint scan AND use a diabolical password then I’d be smiling with glee! Otherwise, I’m rather horrified at the moment. 👿
Maybe iOS 7.0.2 will rectify this LUSER capitulation rubbish from Apple and impress the world. It could happen!
Better yet, here is the video linked at MacRumors.com:
Watch it and weep.
In this video, the user trains the phone with his index finger. He then used his middle finger to pick up a piece of tape and unlocks the phone.
What, exactly, is this video intending to show?
What print is on the piece of tape?
IPhone 5s allows several fingerprints to be used. It is impossible to state that this video shows anything other than a middle finger, previously registered with the phone, can still be read through a piece of tape.
Perhaps other videos of this supposed hack are more persuasive, but this one doesn’t pass muster…
Yes I don’t think I will be weeping any time soon, that’s lame not to mention ‘trivial’
Based on that Im unsure of weather the scanner is reading his (authenticated) sub dermal fingerprint through the tape or if this is supposed to demonstrate that it is reading somthing off the tape.
It just makes no sense. And typically when hackers “demos” make no sense, I go from dubious to full on skeptical.
Somebody steals my iPhone off the bar. Assuming this vid is legit, where the fsck is he going to get a nice clean fingerprint? How will he know it’s the correct finger? Is he going to dust my Martini glass and get a nice tidy tape lift?
This isn’t even up there with antennagate.
If it’s the NSA you’re worried about, they don’t need to open your phone to nail you.
I think I’ve agreed with this scenario three times now. Valid point already!
But clearly you aren’t taking MY point seriously. It really is TRIVIAL to grab the fingerprint of a targeted person and break into their iPhone. I think what we’re refining here is: How often does someone have data worth stealing off an iPhone? There are probably more valid scenarios for that situation than I could count. But for average people, this isn’t remotely a likely concern. I get that.
I’m aiming for SERIOUS security. Touch ID is NOT serious security. That is, unless it as used in addition to a diabolical password. I think I’ve made that statement here about a dozen times. Maybe pay attention to what I’m saying and actually go read the link I’ve posted several times, which is THIS:
http://en.wikipedia.org/wiki/Multi-factor_authentication
Exactly right.
Unless your an international celebrity, mber of government or some other important person no one is gonna give a damn about jacking your phone!
Why would they bother to do it?
To see your holiday photos, find out who your connected to on social networks???
They are not bothered.
I’m a business owner and have all my meetings notes, business strategy and confidential data on my phone. It’s stored in an ecrypted app.
When I get my iPhone 5s I will have touch id and pass code activated.
Good luck anyone getting anyone out of my phone they will have to go through 3 layers of security.
By the time they do that, I will know where they are on maps, would have wiped the phone, sent them a message and called the police.
They can’t win.
Use your off hand pinky for touch id, unlikely to have left that print elsewhere
When I read this article, it remind me of one scene from the Bourne movie.
So, how to you crack it when you don’t have the cooperation of the person with the finger print?
I am thinking this guy did what those guys do when they make casts of the supposed “real” Sasquatch footprints.
For this approach to work, Apple’s technology can’t work the way they said it did. As another poster said, this is a capacitive scanner, not optical, so how can a latex fingerprint copy possibly work? This just doesn’t pass the smell test. Specific details to allow the replication of the technique by a third party are clearly necessary. The scanner should completely ignore any thin film between it and an actual finger.
Geez what do you guys want? Apple to build a fart analyzer that specifically is unique to you’re stink? Touch ID is an awesome addition to better security for mobile. Enjoy the dang thing.
I get the idea that it’s pretty much a waste of time trying to talk about REAL computer security around here. You are wrong Jubei and I’ve pointed out why via comments in this thread.
The only actual ‘better’ here is when, as Apple pointed out, someone who (foolishly) never bothered to lock their iPhone before decides to do so now because of the ease of the fingerprint scanner.
And again, MY form of better is to FORCE login via BOTH fingerprint scanning AND a password.
And of course people are sick of me reiterating it ad nauseam. Saying it simply and plainly over and over doesn’t seem to help penetration. But… It has to be said, and I said it! So you can’t blame me when… (fill in bad security scenario here).
No, not sick of you reiterating anything ad nauseam.
Just the arrogance.
And the omniscience.
And just the plain volume of posts. You need to get a grip on your ability to just stay quiet for a little bit.
No. The ‘arrogance’ and ‘omniscience’ in a product of your own insecure imagination. You can get free of it. Get to it!
Hee, hee.
Even if the fingerprint thing is found to have it’s flaws if some international Spy vs. Spy guys REALLY wanted your phone stuff, but, for the majority of users it’s great and better security than most of us had before—nothing. I admit I just activated the 4 digit passcode for the first time with the iOS7 upgrade. I just didn’t want to be bothered with typing numbers in every time I wanted to check my stuff. So when I upgrade I’ll be thrilled to have the fast access fingerprint scanner option available. When the average person’s phones are stolen the criminal is some loser idiot not a techy with the brains and means to pull off this hack.
Yes! Bring back the fart apps! Then no one would need a 2400 dpi copy of my fingerprint produced into 3D on a special printer!
They would just need access to a dog, whose farts can open anything (typically windows and doors in your house).
Oh and meanwhile, a second hack of iOS 7.0.1 has been discovered:
Another iOS 7 lockscreen hole opens up – call anywhere in the world for “free!”
Come on Apple! Your security testing has GOT to get better!
Where’s my aspirin?
You need a lot stronger medication than that.
Hang loose DC, Apple has outgrown it’s size so fast and so repeatedly, while under relentless attack, the kind (and deciept) that has never been wittnessed…this has to have impacted internal expansion and operations somewhat impacting QC perfection…( not everyone has Steve Jobs’ eagle eye for every single detail)…
Apple will stay on top of security without a doubt and knows full well it’s significance. There have been bugs, glitches and mistakes before and before you could say ‘oh shit’ they were rectified and reinforced by software updates. Save your Aspirins for the country and world at large, that never gets : Divided we fall.
They ‘defeated’ touch id by photocopying the iPhones user fingerprint.
Ok… How can they call the is hack???
Unless an iPhone user is particularly stupid there is no way the hackers wil get an opportunity to photocopy an iPhone users fingerprint.
So how do they get the fingerprint in the first place???
What a load of fud.
Perhaps in the following places:
Your iPhone, your car door/window, a glass/bottle, or maybe they shake hands with you wearing a special, fingerprint stealing, 3D printed glove, giving them a 2400 dpi impression of your fingerprint which can then be inverted into a mold, 3D printed, or otherwise put through a time-consuming process so they can obtain access to your Facebook app, Twitter feed, Messages and your Starbucks app and steal your Gold Card stars.
Is the Fingerprint security system fool proof? I doubt so. And I don’t think Apple will say that either.
What consumers need is a practical and affordable way to keep their phones safe.
If you have data in your phone that you accidentally dropped, the fingerprint will protect that well. The passcode can protect reasonable too but it is not convenient and many users don’t use that.
There is still a chance that you are being stalked by a perverted hacker that will scheme to steal your phone as well as your fingerprint. For the rest of the luckier people, the fingerprint solution is good enough.
Mugger KOs you. S/he then has – how many – attempts to unlock your iP5 with your real fingers? It’s another slow process fraught with risk of being caught. I could become paranoid, but I won’t. There are more worthwhile targets than me!
Lets get this over to Adam and Jamie ASAP.
IF this hack is real, then there it becomes an interesting question for the courts. So far rulings have been:
– Police can take and store your fingerprints (and/or DNA!) at whatever resolution for any alleged infraction.
– Police cannot require you to relinquish your password/passcode. (Thanks to the 5th Amendment.)
If you only use Touch ID (and don’t use 2-factor authentication like you should), is it legally permissible for authorities to break into your phone to find incriminating evidence using your fingerprint?
Not if a judge redefined the fingerprint as functionally equivalent to a passcode, which is likely; then the police could not use the print to raid your iPhone. Barring such an interpretation, the question becomes one of the relative semantic status of the three traditional authentication factors: something you know, something you possess, and something you are. These are deep waters for philosophers, and judges may find themselves unprepared for such subtleties.
Sure, you recreate the fingerprint, you get in to the system. The thing is, how much trouble is it to make the fingerprint? Even with a modicum of complexity, it would be sufficient to deter the majority of people.
I THINK Derek needs to NOT drink much COFFEE so he can actually SLEEP in the middle of the NIGHT. Seriously DEREK….get some SLEEP. On the other hand, you come across as so PARANOID that you probably DON’T get much sleep. Please…switch to Android or Windows Phone, since they MUST be SO much more SECURE than the GARBAGE that Apple puts out. THANKS!!
Do you enjoy playing the role of troll? I’d say so! You wear it well. Oh, and here is a more complicated way to make emphatic statements: You can add HTML italics code markers before and after your text. But I didn’t bother yesterday, and upset you so very much. I still don’t feel like writing italics code today, so I won’t.
I much prefer CAPS to italics, though I prefer moderation in their use.
In any case, you’re quite good in your attention to text styles, in my opinion. furosuto81 is doing a lampoon, which is a form of flattery, Derek.
I think you can relax a bit, because the recent wave of anxiety surrounding Touch ID has only served to heighten awareness of essential security practices, which was your objective.
This whole issue has reached into Congress as well, and we can be certain that a lot of cooties will shortly be shaken out of everyone’s security blanket. You played your domino well.
You are very kind Hannah.
I try to throw in humor, if only to keep myself on track as being humane. But I know full well I get obsessive on pet projects.
I was all excited about touchID. But now I realize two things:
1) it’s not encryption. If I want to encrypt, use something else
2) it’s as secure as if I were to write down my password in a POST-it note. Actually less secure, I leave my fingerprints everywhere!!
It could still be used for identification and e-commerce ad long as the vender doesn’t allow prosthetic thumbs to be used.
1 – The fingerprint data is encrypted by the A7 and stored in the secure enclave. So yes, it is encrypted
2 – Then use a 16-digit (or more) pseudorandom password. Good luck remembering it. And have fun typing it in every time you do anything with your phone
Seriously people…if you’re that paranoid about security, go back to a “feature” phone. Then again, someone might steal your address book off that too, so best to just stick with a landline and 56k modem.
Uh, no. Your password on a Post-It note simply requires the thief to have the note and be able to read. The TouchID “hack” (really not a hack, just a physical duping of the scanner) requires the iPhone, a VERY high quality scan of your fingerprint, and ability to make a 3D finger with that fingerprint on it.
Regardless of whether this “hack” is accurate or not, it is a process that very, very few thieves would even consider undertaking. It is complex, difficult, and must be done before the user remotely wipes the phone or finds them using Find My iPhone.