“A group of German hackers claimed to have cracked the iPhone fingerprint scanner on Sunday, just two days after Apple Inc launched the technology that it promises will better protect devices from criminals and snoopers seeking access,” Jim Finkle reports for Reuters. “If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics Co Ltd and others running the Android operating system of Google Inc.”
“Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computing Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work,” Finkle reports. “One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as ‘a complete break’ of Touch ID security. ‘It certainly opens up a new possibility for attackers.'”
“CCC, one the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone,” Finkle reports. “The group said they targeted Touch ID to knock down reports about its ‘marvels,’ which suggested it would be difficult to crack.”
“The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a ‘fake finger,'” Finkle reports. “CCC said similar processes have been used to crack ‘the vast majority’ of fingerprint sensors on the market. ‘I think it’s legit,’ said Dino Dai Zovi,” another co-author of the iOS Hacker’s Handbook. ‘The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.'”
Finkle reports, “Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.”
Read more in the full article here.
[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]
Related articles:
Apple iPhone 5s’ Touch ID works with more than just your fingers… (with video) – September 22, 2013
Cracker of Apple’s Touch ID fingerprint recognition to win booze, cash, and bitcoins – September 21, 2013
How soon until Apple’s Touch ID comes to iPad and Mac? – September 21, 2013
U.S. Senate Democrat Al Franken demands answers from Apple CEO Tim Cook over iPhone 5s’ Touch ID – September 20, 2013
Hackers eager to try cracking iPhone 5s Touch ID fingerprint recognition – September 19, 2013
Security researcher: Apple iPhone 5s Touch ID is truly better security – September 19, 2013
Apple’s new iPhone 5s and iPhone 5c arrive in stores on Friday, September 20th – September 17, 2013
Engadget reviews Apple iPhone 5c: A breath of fresh air that will be wildly popular this holiday season – September 18, 2013
Apple’s 64-bit iPhone 5s is by far the fastest smartphone in the world – September 18, 2013
Ben Bajarin: Apple’s new iOS 7 will cause consumers to discover their iPhones all over again – September 18, 2013
John Gruber reviews Apple iPhone 5s: ‘This is what innovation, real innovation, looks like’ – September 18, 2013
AnandTech reviews iPhone 5s: Apple’s 64-bit A7 is seriously impressive – September 18, 2013
TechCrunch reviews Apple iPhone 5s: The best smartphone available – September 18, 2013
Apple’s new iPhone 5S likely to be in exceptionally short supply – September 18, 2013
USA Today’s Baig reviews Apple iPhone 5s: ‘Makes the best smartphone even better’ – September 18, 2013
Mossberg reviews Apple iPhone 5s: ‘The best smartphone on the market’ – September 18, 2013
iPhone 5s pre-orders quickly sell out in China; gold iPhone 5s sells out quickest of all – September 17, 2013
Apple’s new iPhone 5s and iPhone 5c arrive in stores on Friday, September 20th – September 17, 2013
Apple’s Touch ID is revolutionary, paradigm-altering technology; Steve Jobs would be quite proud – September 17, 2013
The wizard behind the curtain for the iPhone 5s: Apple’s M7 motion co-processor – September 16, 2013
Apple’s iPhone 5s with Touch ID seen as protection against U.S. NSA – September 16, 2013
Apple’s new iPhone 5s is the world’s first and only 64-bit smartphone – and it will be king of the hill for quite some time – September 13, 2013
Professional photographer on Apple iPhone 5s’ True Tone dual-LED flash: The sheer engineering prowess here is insane – September 13, 2013
Apple iPhone 5s camera leaps two years ahead of entire camera industry – all cameras, not just smartphone cameras – September 13, 2013
Apple changes the world again, propels biometrics into the mainstream with iPhone 5s’ Touch ID – September 12, 2013
iPhone 5s: Once again Apple leaps ahead with Touch ID fingerprint recognition; a big enterprise win for Apple – September 10, 2013
Apple reveals flagship iPhone 5s with Touch ID, the world’s first and only 64-bit smartphone – September 10, 2013
i really don’t get this at all. apple has incredible resources. wouldn’t they have employed teams to research and hack and research and hack, etc. till no one could find the creativity within themselves to pursue it any longer. especially, since it’s more than just a firmware fix and might possibly end up being a recall or something. that would be bad. that’s why i don’t get it. there was too much at stake.
The new phone can be hacked using finger prints. I’ve seen it done on James Bond style programs and movies!
Seriously though, yes, this hack is most likely legit and should be confirmed soon, but the common thief won’t be able to do this and the ones who can won’t be interested in your phone. That being said, if you are a high level person who was targeted for your phone, then yes, you could be hacked. BUT you would also know that if the phone is gone, it would be erased quickly and effectively.
The scan feature will and is a fantastic safety feature for 99.99% of the people out there. If you are worried about being hacked, then you most likely think more of yourself than you should.
What you saw on “james bond style programs” should not work with the capacitive system that the iPhone uses, only with optical scanner technology.
I remain extremely skeptical until this is verified by others.
From CCC’s website, announcing the hack of the fingerprint sensor:
iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
“WHEN being arrested”??? It sounds like this is an everyday occurrence with these people.
Yeah, and I don’t think Apple’s stock iPhone security is meant to protect you from law enforcement anyway. It’s for protection from common criminals, and creepy relatives and co-workers.
——RM
This has been said multiple times by multiple people in this thread, but since people skim, here it is once more.
The Touch ID system uses capacitance to register touch, the same as what it uses to register touch on the screen. It doesn’t use optical, so a photograph isn’t going to work. It doesn’t use resistance, so a fake plastic print pressed against the scanner isn’t going to work.
In short:
If an object cannot be used by itself as an iPhone stylus, it cannot be used to fool Touch ID.
If Touch ID works the way Apple says it does, the only way to “fool” it would be to use a severed finger. And even then, the finger would still have to be moist enough to register capacitance.
Many people have pointed out ways those videos could have faked. I think there’s plenty of doubt and we should wait before deciding this “hack” is real.
——RM
How’d they BYPASS the sub-epidermal scanning?
Until they explain how they got past THAT – I call BS!
AAPL said that is how touch ID works, a high res pic is only the surface, not the SUB-EPIDERMAL.
Read more at http://macdailynews.com/2013/09/23/why-iphone-5s-owners-shouldnt-worry-about-the-old-fake-fingerprint-touch-id-hack/#h3eC5kbjlxQwYmwI.99
Meanwhile, for those who actually CARE about iPhone security, as opposed to playing ‘shoot the messenger baby games’:
Defeating Apple’s Touch ID: It’s easier than you may think
The hack using lifted fingerprints is easy; here’s how you can make it harder.
As Ars pointed out last week, the security of iPhones would improve dramatically if Apple allowed users to unlock iPhones only after producing a valid PIN and fingerprint. This would make the iPhone a truly two-factor device, and Apple’s decision not to provide the option is a missed opportunity. Given Apple’s long history of removing clutter from menus and user interfaces, it seems unlikely that this option will ever be available.
If that’s the case, I consider it a tragedy of Apple security. But you already figured that out.
One potential workaround for the faked Touch ID login problem, quoted from the article linked above:
For those who continue to use Touch ID, Graham suggested a simple step for minimizing the success of Starbug’s attack: use only pinky or ring fingers to unlock your device. He said most prints left on glasses, iPhone screens, and other surfaces are from thumbs and index fingers. Enrolling a pinky or ring finger won’t completely foreclose attacks like the one developed by Starbug, but it will require an attacker to work much harder to succeed.
Or Apple could simply enforce two-factor authentication.
I’m assuming this is a thinly-veiled swipe at me (you’re certainly have a flair for the dramatic.) I do happen to care about security, but I also care about convenience. Security is about tradeoffs. I’d submit that Touch ID is better than no passcode at all, which is how a majority of iPhone owners use their device. Enabling Touch ID also forces the user to create a passcode that must be entered every once in a while (it’s not clear how often) in addition to using Touch ID (there’s your two-factor). So now the user that previously was using nothing at all now has two security measures in place. Not only that, but they’re getting the value of encryption now that there is a passcode is in place.
I would like to see the option to always require both, but if that option were in place, I personally would not use it, since I’ll take the side of convenience of quickly unlocking the phone, which I do probably a hundred times a day. For high-security environments, it would be a great addition. Maybe you prefer to use a long, pseudorandom password every time you have to unlock your phone. For most of us, that’s simply not practical. Fortunately, Apple isn’t forcing anyone to use Touch ID.
As for enabling such an option…iOS 7 and Touch ID are brand new. You don’t know weather they’ll enable it or not. It’s just a software update away (and probably a simple one at that).
Not having an iPhone 5S (yet!) I’m going by hearsay all the way, which never really works. It’s good to hear that sometimes two-factor authentication is used!
I’m hoping that poking Apple a bit regarding this entirely expected problem with Touch ID (Seriously! This is an OLD fingerprint scanning problem! Yonks old!) will prod them into doing something actually innovative with it, like forcing two-factor authentication.
One GREAT thing about Touch ID is that at long freaking last it’s a dirt easy way for folks to approve of purchases. Apple’s use of it for the iTunes store is just a start. Apple could, in the future, put an RFC chip in the iPhone and no one would have to be afraid of random scans of the thing by random strangers. Dumping its data would require a fingerprint, which, similar to ‘fingerprints are better than no security at all’, it will allow RFC chips to no longer be more dangerous than useful. There’s some future speculation for the analysts to bludgeon.
This is meant to be a consumer product, so convenience and usability are key factors in this system. They stated their intentions with Touch ID: to get people not using a passcode to use it (which also forces creation of a passcode). They’re not going to force two-factor on every. single. unlock. and. transaction. That would be the quickest way to get John & Jane Appleseed to go back to using nothing at all. It would be exactly like Vista & Win 7 forcing users to approve every little thing the users do. People tired of it and turned the security features off. That’s not how Apple approaches product design. I hope they offer 100% two-factor as an option, but most are going to side with convenience.
Also, I really doubt Apple will put NFC (I assume that’s what you meant) in any of their phones. Between Bluetooth LE and iBeacons, they’ll have basically duplicated (and expanded) the feature set of NFC. If they wanted it in a phone, it would be in one already. They’ve shown less than no interest in it.
RFID is what I meant to use as an acronym. Thanks for catching it. I ended up with a mixed acronym. NFC is the more specific reference.
One of the critical reasons Apple needs Touch ID to really work is because of their efforts to make the iPhone THE standard for ‘The Enterprise’, aka big businesses. Apple has had enormous pressure from the (admittedly corrupt and itself security ignorant) US federal government to make solid iPhone, and iPad, security. Touch ID isn’t it. IOW: Apple’s iPhone security efforts are NOT just for the consumer market.
So how do we know they didn’t train the middle finger as well before they made the video, and just use some transparent type of material that allowed the sensor to work on a finger they trained into the phone previously. Could easily be faked.
So as a user if this is a concern, perhaps using two different fingers (and maybe not obvious ones) to open your phone frequently so there is no usuable fingerprint on the button. Then a hacker trying to get a fingerprint off the phone may have trouble which finger they need to use.
This is more than secure enough for the device class.
Not sure how I ended up here, but love the site. Had mine made here
wordpress plugins http://www.store.legalnursenetwork.com/
Simply want to say your article is as astounding. The clearness to your put up is just great and i could assume you’re a professional on this subject. Fine with your permission allow me to snatch your feed to stay up to date with coming near near post. Thank you a million and please carry on the gratifying work.