
CCC Says Apple iPhone 5S TouchID Broken 481

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.
  • Re:Easy! (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Sunday September 22, 2013 @03:07PM (#44918919) Journal
    It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

    Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.
  • by fuzzyfuzzyfungus ( 1223518 ) on Sunday September 22, 2013 @03:09PM (#44918933) Journal
    Pre-release hype was that Insanely Great Magic Innovation or something used OMG capacitance to magically foil the classic attacks. I don't think that Apple was dumb enough to promise any such thing; but their drooling fans certainly did.
  • Re:Easy! (Score:5, Insightful)

    by Dins ( 2538550 ) on Sunday September 22, 2013 @03:19PM (#44918987)
    I was with you until you said "sheeple".
  • Re:Easy! (Score:5, Insightful)

    by ShanghaiBill ( 739463 ) on Sunday September 22, 2013 @03:24PM (#44919027)

    Remember that a hacker won't know which of 5 fingers the owner uses, so that's another layer of security

    Actually, many people have up to ten fingers. Personally, I use my big toe.

    But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

  • Re:Easy! (Score:5, Insightful)

    by dinfinity ( 2300094 ) on Sunday September 22, 2013 @03:34PM (#44919085)

    Still beats no passcode at all against a casual attacker

    Also beats pattern or password unlocks, which can be 'beaten' by just a bit of careful spying.

    To me, the only things that are of real concern with this technology are false negatives and durability (I'm pretty sure putting the scanner on the home button is going to end up being a bad idea).

  • Not exactly new (Score:5, Insightful)

    by TejWC ( 758299 ) on Sunday September 22, 2013 @03:40PM (#44919121)

    I remember Mythbusters doing something similar [youtube.com] with a multi thousand dollar computer security system.

  • Re:Easy! (Score:5, Insightful)

    by Jane Q. Public ( 1010737 ) on Sunday September 22, 2013 @03:41PM (#44919133)

    "sounds really trivial to break. I can see all kinds of kids doing this."

    It's straight out of the Mythbusters fingerprint scanning episode.

    They didn't find one they couldn't defeat, and many of them were ridiculously easy. They used exactly this technique.

    I've been saying it for years: at our current level of technology, relying on fingerprints for security (or nearly any biometric for that matter) is asking for trouble. It's just not good enough.

  • Re:Easy! (Score:5, Insightful)

    by Jeremy Erwin ( 2054 ) on Sunday September 22, 2013 @03:46PM (#44919163) Journal

    The cops will have copies of all 10 fingers, and will be able to add this technique to their fourth and fifth amendment circumvention strategies.

  • by Desler ( 1608317 ) on Sunday September 22, 2013 @03:49PM (#44919187)

    Has anyone else verified that the supposed hack really does work? Isn't it a bit premature to claim Apple is lying off a single youtube video?

  • by Zero__Kelvin ( 151819 ) on Sunday September 22, 2013 @03:49PM (#44919193) Homepage
    No. It wouldn't matter. No matter what they did there would always be the next thing they could have just done. How do we know that the phone wasn't programmed to unlock with the second guy's fingerprint? How do we know they didn't edit the video? etc, ad infinitum. What makes it highly believable is none of that. It is the reputation of the Chaos Computer Club that makes it believable. They aren't about to sacrifice a reputation it took them more than 30 years to build, especially for essentially no gain. If it was an unknown group I'd say maybe they are looking for 15 minutes of fame. But this is the CCC [wikipedia.org] we are talking about here.
  • Re:Easy! (Score:3, Insightful)

    by Anonymous Coward on Sunday September 22, 2013 @03:55PM (#44919239)

    This is far short of the lengths a crazy ex girlfriend or suspicious spouse would go to.

  • Re:Easy! (Score:2, Insightful)

    by Anonymous Coward on Sunday September 22, 2013 @03:57PM (#44919255)

    It's a capacitative scanner. It's not a photo scanner.

    From the abstract: 'latex sheet, moistened it a little'. I see no reason why that wouldn't work on this capacitative scanner.

  • Re:Easy! (Score:5, Insightful)

    by Nerdfest ( 867930 ) on Sunday September 22, 2013 @03:58PM (#44919261)

    Based on their respective histories, a sensible person would probably trust CCC over Apple.

  • by EGSonikku ( 519478 ) <petersen DOT mobile AT gmail DOT com> on Sunday September 22, 2013 @03:59PM (#44919273)

    Fingerprints are good because they replace ZERO security. Most people don't PIN lock their phones. Finger Print lock is too convenient not to use.

    It is meant as a deterrent to common thieves, and works well as such. A robber isn't going to grab your phone, ask for a nice clear print, and then run home to his laser printer and latex (and you could remote wipe the device in the mean time anyway).

    If it's the government you're worried about...well, if they have physical access to your device they probably have you in custody and can compel you to unlock it anyway, or just use existing forensic tools and warrants to get what they want. Even then we're talking about the unlikely scenario of you being arrested and having anything more interesting on your phone than funny cat pictures.

    I'm trying to imagine a "real world" scenario where TouchID is less secure than a 4 digit passcode or no security at all...and I got nothing.

  • Blah blah blah... (Score:3, Insightful)

    by doggo ( 34827 ) on Sunday September 22, 2013 @04:06PM (#44919327) Homepage

    Sure they can break it. If they have your fingerprint to photograph. Assuming this is a lost or robbed phone, where will they get your fingerprint? From the phone? Maybe. Maybe not.

    Apple's solution is good enough for civilian security on a phone, as long as you're not oblivious and pay attention to your surroundings while walking in unfamiliar areas so you don't get mugged, and don't lose phones regularly, or store very sensitive information on your phone.

  • Re:Easy! (Score:5, Insightful)

    by Jeremiah Cornelius ( 137 ) on Sunday September 22, 2013 @04:09PM (#44919371) Homepage Journal

    sounds really trivial to break. I can see all kinds of kids doing this.

    Known vector. Gummy-bear attack.

    The core issue is that you leave copies of your authenticator EVERYWHERE. It's as if you dropped 85% accurate copies of your smartcard on every item you touched - with random 15% damage to the material - and a card reader designed for 15% error in reads.

    Any such scheme is going to be subject to this kind of impersonation or gaming. This is why biometrics are always a bad ID choice. Also, the A/D conversion is low-entropy, among other problems.

    There's a false assumption, that because I can uniquely identify another person with 99.999% accuracy, based on your sound, shape and appearance, that therefore this is the best way a machine should do so. It is a falsehood that is reinforced by a misleading intuitive perception. The core issue concerns the questions related to what constitutes "identity" and an "authentication factor" in systems. Neither of these correlate to actual persons or their real-world characteristics in a unique and meaningful way, that is not also subject to spoofing, injecting or revocation DoS.

  • by jones_supa ( 887896 ) on Sunday September 22, 2013 @04:28PM (#44919511)

    Fingerprints are good because they replace ZERO security.

    Mod parent up. So often geeks think that if they can find some fancy way to overcome a security feature, it somehow automatically makes it completely useless.

  • Re:Easy! (Score:2, Insightful)

    by girlintraining ( 1395911 ) on Sunday September 22, 2013 @04:59PM (#44919701)

    But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

    Apple has been less than honest about just about every aspect of their product from design, to production, to sale. But even if iphones are designed by teenagers and young adults in china in super factories that house workers on site, make them work 16 hour days for years on end for pennies, and drive so many to suicide that they have installed suicide nets around every building, people keep buying them because they're trendy. Nobody cares if Apple lies to them, as long as people keep believing that owning Apple products is a status symbol.

  • Re:Easy! (Score:1, Insightful)

    by mysidia ( 191772 ) on Sunday September 22, 2013 @05:24PM (#44919819)

    But this shows that Apple was less than honest in their claims about pulse detection, and sub-surface tissue detection.

    Maybe not. In the video [youtube.com], the guy using the plastic strip to trick the device is holding the plastic strip over the same finger that can legitimately unlock the device.

    To me... this raises the question: is the phone seeing his live finger through the plastic strip?

    Is there anything unique about the tissue being detected that might actually result in this not working if he had put a non-legitimate finger behind the fake strip instead of a legitimate registered finger?

  • Re:Easy! (Score:5, Insightful)

    by Savage-Rabbit ( 308260 ) on Sunday September 22, 2013 @05:34PM (#44919855)

    sounds really trivial to break. I can see all kinds of kids doing this.

    Known vector. Gummy-bear attack.

    The core issue is that you leave copies of your authenticator EVERYWHERE. It's as if you dropped 85% accurate copies of your smartcard on every item you touched - with random 15% damage to the material - and a card reader designed for 15% error in reads.

    Any such scheme is going to be subject to this kind of impersonation or gaming. This is why biometrics are always a bad ID choice. Also, the A/D conversion is low-entropy, among other problems.

    There's a false assumption, that because I can uniquely identify another person with 99.999% accuracy, based on your sound, shape and appearance, that therefore this is the best way a machine should do so. It is a falsehood that is reinforced by a misleading intuitive perception. The core issue concerns the questions related to what constitutes "identity" and an "authentication factor" in systems. Neither of these correlate to actual persons or their real-world characteristics in a unique and meaningful way, that is not also subject to spoofing, injecting or revocation DoS.

    Let's say you get your grubby hands on an iPhone 5S and are immediately overcome by an irresistible urge to crack it open.

    1) Getting the victim to pose his finger for a 2400dpi photo is not an option so you'd have to bag the device and dust it for prints since you'll probably need to make the prints more visible. I suppose you could get the hang of that in about half an hour if you are a novice with a print dusting set you bought online.
    2) Find a good thumb print. There is no guarantee that the print on the button sensor surface is any good nor is there a certainty that there is a usable print anywhere on the phone. I suppose you could monitor your victim and steal some of his drinking glasses and coffee cups but that means 'trivial' goes out the window right there.
    3) For the sake of argument let's say you get 1 and 2 right and find a good print on the sensor surface or somewhere else on the phone, eliminating the need to poke around stealing coffee cups and drinking glasses. You now still have to do what it says in the article, and the photo processing, printing and latex covering sounds like quite a bit more than 10 minutes of work, especially if you have never done it before.

    That does not sound exactly trivial to me. Trivial is faking your way past Google's face recognition-login feature with a picture of the phone's owner. You could conceivably do that by borrowing his phone, snapping a picture of him with your iPad and using the image in the iPad to log into his phone... Ooops! somebody already went and did that [youtube.com] and it looks like a 20 second operation. Going through the above procedure to defeat the fingerprint scanner takes what? An hour? The average pick-pocket would probably not bother and the time it takes to crack phones this way with no guarantee of reward would make it uneconomical for criminal bands to crack phones on a large scale (in the hope of finding account numbers or dirty pictures for blackmailing, ... or whatever) which means that this is way better security than no passcode at all. If you are carrying data valuable enough to make it worthwhile to go through this exercise to retrieve it you should put a 20 character password on your iPhone or consider putting the data on an IronKey instead. And yes I know the NSA can probably pull this off in 10 minutes or less but if you have the NSA after you:

    a) They probably have more efficient ways to get into your device than stealing it and hacking it by lifting your greasy fingerprints.
    b) You have bigger things to worry about than somebody reading your e-mail... like getting snatched and sent to a secret jail for a course of water-boarding, or being on the shortlist for a drone strike.

  • Re:More secure. (Score:5, Insightful)

    by green1 ( 322787 ) on Sunday September 22, 2013 @05:51PM (#44919969)

    You mean like the android face unlock that can be defeated by a photo of the user? (at least you don't leave your photo on the glass surface of the phone when you put it down...)

    Let's face it though, unless companies are willing to spend a fair amount more on these biometric sensors, they'll always be trivial to hack. There are good fingerprint readers (that actually don't use the prints, but subdermal tissue) but they cost a lot more than the ones that are defeated in such trivial ways.

    I'm still looking for the retraction from all those people who posted to the original fingerprint reader on iphone thread last week saying this wasn't a simple fingerprint reader on the iphones and wouldn't be susceptible to this form of attack...

  • Re:Easy! (Score:4, Insightful)

    by AmiMoJo ( 196126 ) * on Sunday September 22, 2013 @05:53PM (#44919979) Homepage Journal

    Anyone targeting data stored on a phone would come armed with a Faraday cage bag. You can buy them commercially, designed for "law enforcement" with the goal of preventing remote wipes. Some even come with a cable entry grommet so you can keep the phone powered and data-rape it without removing it from the bag, just in case the user enabled full device encryption.

  • by Anonymous Coward on Sunday September 22, 2013 @06:31PM (#44920169)

    but...that IS EXACTLY how they marketed it...they said "half of the users of smartphones don't even set a passcode" and also Schiller said "for somebody who opens his phone dozens of times a day this is a game changer" meaning it increases productivity for business users. they never said it was a good solution for al-qaeda operatives and drug traffickers.

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Sunday September 22, 2013 @08:39PM (#44920737)
    Comment removed based on user account deletion
  • Re: More secure. (Score:5, Insightful)

    by green1 ( 322787 ) on Sunday September 22, 2013 @09:23PM (#44920927)

    well so far we have a marketing droid saying it does, and a documented hack proving otherwise. If you have better proof I'd suggest you post it because right now your case is pretty weak.

  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Monday September 23, 2013 @12:27AM (#44921519) Homepage Journal

    And for power users, fingerprint plus passcode is more secure than just one or the other. I'd love to see a setting like "require both fingerprint and passcode to initially unlock the phone. Lock the phone immediately when it goes to sleep, but allow it to be unlocked with either passcode or fingerprint for up to five minutes."

    I'd set this in a heartbeat. Basically, it'd be more secure than any current options when initially unlocking the phone. It'd also be more convenient than the "require a passcode immediately when the phone goes to sleep" setting, and more secure than the "don't require a password for the next x minutes" settings. This is how I'd like the system to work.
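
The unlock policy proposed in the comment above, sketched as a small state machine. This is an added example, not part of the original thread and not Apple's implementation; `PhoneLock`, `replay` and the timeline are constructed for illustration, and it assumes the five-minute window starts when the phone goes to sleep after a two-factor unlock and is not extended by single-factor unlocks.

```python
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 5 * 60  # "up to five minutes", as in the comment

@dataclass
class PhoneLock:
    locked: bool = True
    strong_session: bool = False         # current session opened with both factors
    grace_until: Optional[float] = None  # deadline for single-factor re-unlock

    def sleep(self, now: float) -> None:
        """Lock immediately when the phone goes to sleep."""
        if not self.locked and self.strong_session:
            # Assumption: the window is measured from this sleep event.
            self.grace_until = now + GRACE_SECONDS
        # Assumption: a session opened with one factor leaves the old deadline
        # untouched, so repeated single-factor unlocks cannot extend it.
        self.locked, self.strong_session = True, False

    def unlock(self, now: float, fingerprint_ok: bool, passcode_ok: bool) -> bool:
        """Return True if the presented factors open the phone at time `now`."""
        if not self.locked:
            return True
        if fingerprint_ok and passcode_ok:
            self.locked, self.strong_session = False, True
            self.grace_until = None
            return True
        in_grace = self.grace_until is not None and now <= self.grace_until
        if in_grace and (fingerprint_ok or passcode_ok):
            self.locked, self.strong_session = False, False
            return True
        return False

def replay(events):
    """Run (time, action, fingerprint_ok, passcode_ok) tuples; collect unlock results."""
    phone, results = PhoneLock(), []
    for now, action, fp, pc in events:
        if action == "sleep":
            phone.sleep(now)
        else:
            results.append(phone.unlock(now, fp, pc))
    return results

# Constructed timeline (seconds), not taken from any real device log.
TIMELINE = [
    (0,   "unlock", True,  False),  # cold start, fingerprint only: refused
    (5,   "unlock", True,  True),   # both factors: opens
    (60,  "sleep",  False, False),  # window runs until t=360
    (120, "unlock", True,  False),  # inside window, fingerprint only: opens
    (300, "sleep",  False, False),  # weak session: deadline stays at 360
    (400, "unlock", True,  False),  # past 360, fingerprint only: refused
    (410, "unlock", False, True),   # past 360, passcode only: refused
    (420, "unlock", True,  True),   # both factors: opens
]

if __name__ == "__main__":
    print(replay(TIMELINE))
```

A lifted fingerprint alone opens this phone only inside the five-minute window after its owner put it to sleep; after that the passcode is needed as well.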

  • Re:Easy! (Score:4, Insightful)

    by mrxak ( 727974 ) on Monday September 23, 2013 @01:59AM (#44921759)

    It's trivial to change your password, if it's ever compromised. It's not so easy to change your fingerprints.

  • total miss (Score:4, Insightful)

    by Tom ( 822 ) on Monday September 23, 2013 @04:39AM (#44922137) Homepage Journal

    Of course a fingerprint sensor can be fooled. It doesn't take a video to prove that the sky is blue, you know?

    What everyone misses is two important points. These are the days I'm glad I got out of the security industry because quite frankly, while lots of people are brilliant at the technology, most people are complete failures at the psychology of security.

    First, a lot of people have no lock at all on their iPhones today. None. You can pick it up, slide to unlock and you're in. The fingerprint sensor will prevent the casual attacker, especially the one who doesn't want you noticing your phone is missing (people leave their phones on their tables when going to the bathroom, something that puzzles me but it happens).

    Second, even an attacker dedicated and knowledgeable enough to get your prints from somewhere and then build a fake finger will be slowed down enough to give you time for things like noticing your phone is missing, doing a remote wipe or changing your passwords.

    Third, everyone is crying that fingerprints aren't good for "casual security" like your phone and should be reserved for serious stuff. You fools got that exactly backwards. Because fingerprints are so easily faked, never, ever use them for anything serious. But for your phone, it's perfect. It's easy to use, you can't forget it, and it's unique enough that you don't have to worry about everyone else also having 1-2-3-4 as their super-secret password.

    Security is never about perfection, it is always about having the adequate security for your purpose and threat scenario. For 99% of people, having a fingerprint sensor is good enough and so easy to use that contrary to all the "good" security (that nobody enables), it will actually get used.

    So for all I care, the real-world-stupid geniuses can continue theoretical discussions about theoretical security that nobody really uses, while the real-world normal people have just been given something that will jump their security level up from basically nothing to at least something. That's a massive improvement.
