
CCC Says Apple iPhone 5S TouchID Broken (481 comments)

hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone."

Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.
  • by Anonymous Coward on Sunday September 22, 2013 @03:16PM (#44918977)

    Isn't this the same attack vector that can be used with any fingerprint scanner?

    There are a number of things to check to make sure that the fingerprint actually belongs to a human:
    - Pulse
    - Temperature
    - Conductivity (probably worked around by moisturizing the printed fingerprint)

    But at the end of the day, fingerprints are just too easy to fake and not a good method of authentication.

  • Re:If true (Score:5, Interesting)

    by Lehk228 ( 705449 ) on Sunday September 22, 2013 @03:16PM (#44918981) Journal
    fingerprint identification is fundamentally and irredeemably broken. no other authentication method leaves copies of itself all over the place.

    everything else is an arms race between verifying it is a finger and pretending to be a finger.
  • by retroworks ( 652802 ) on Sunday September 22, 2013 @03:23PM (#44919017) Homepage Journal
    Interesting. We do have to remind ourselves that security needs to be proportionate to risk. The first rule is value, or what the potential for loss is. I want a really really difficult password for my credit card account, I get angry when a newspaper login requests the same password algorithm (how much should I care if someone reads the news site using my login account?) The second factor is proximity. If you steal the president's laptop from off the president's desk, you should face unheard of security. If the president's digital needle lies anonymously at the bottom of a city haystack, the statistical risk shrinks. The fingerprint app, like Android's code generator, seems like an appropriate level of security for a lost or stolen cell phone.
  • by The Cisco Kid ( 31490 ) on Sunday September 22, 2013 @03:25PM (#44919031)

    the security sender that you use for the touchscreen..

    How hard is that?

    In fact I'm surprised that wouldn't already be part of the advice for users of this.

    Either that or require a swipe from two different fingers, in a specified order.

  • Re:Easy! (Score:5, Interesting)

    by maccodemonkey ( 1438585 ) on Sunday September 22, 2013 @04:00PM (#44919283)

    It's a bit much for casual purposes; but it effectively demonstrates that Apple's little toy is just another fingerprint sensor (albeit a more attractive one than the usual little stripe-thing) with no more resistance to an under-a-hundred-bucks, probably a few bucks per print, in quantity, attacks than any of the others.

    Still beats no passcode at all against a casual attacker; but it sounds like the CCC technique works just fine with digital reproductions (ie, you don't need the original thumbprint to use as a mold, or develop with cyanoacrylate vapor, or anything like that) so it's fuck up once, have your fingerprint on file for however long it stays roughly the same, which is never terribly encouraging.

    I think every Slashdotter's wet dream is that they need to keep their phones safe against a CSI style government interrogation, but this is really just for anti-theft or corporate secrets. The passcode expires in 48 hours anyway, and a business has remote wipe, so it's just a backup in another chain of security measures. And the fingerprint reader is really meant as a convenience for people who are too lazy to set a passcode at all, which is undeniably less safe.

    You know what a government is going to do if they have you and your phone? Take your finger, and press it to your phone, which legally they can compel (or physically force) you to do. All this talk about "Oh, what if the government has your fingerprint on file?" Please. That's overthinking it.

  • Re: Easy! (Score:5, Interesting)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Sunday September 22, 2013 @09:00PM (#44920829) Homepage Journal

    Reproducible to a T, though I used a different method.

    1. Get boyfriend to lock his new iPhone with his fingerprint.
    2. Lift said fingerprint from his fresh drinking glass with tape and a light dusting of coarse graphite powder before applying tape.
    3. Make fingerprint better viewable by optical scanners by dusting with extremely fine graphite powder after transfer to white paper.
    4. Scan and print on copier using capacitive iron-wax toner.
    5. Fingerprint security? Same bullshit from the beginning 2000s, with the exact same fucking flaws.

    I was bypassing this exact same crap with the exact same method on IBM ThinkPads and HP NC/NX model Business-class notebooks years ago.

  • Re:Easy! (Score:5, Interesting)

    by formfeed ( 703859 ) on Sunday September 22, 2013 @10:08PM (#44921099)

    Based on their respective histories, a sensible person would probably trust CCC over Apple.

    Yes, I agree. No idea why this was modded "troll". There is a decent history to show that.

    CCC:
    Did this before. They lifted the fingerprints of the German minister of Interior from a water glass and turned it into a little stamp so you can place him now at any crime scene. (The hack was actually to show just how idiotic government use of biometric data is).

    Apple:
    I of course don't want to say anything negative against this good company, but some people might say that they have a history of over-hyping things.

  • Re:Easy! (Score:5, Interesting)

    by swillden ( 191260 ) <shawn-ds@willden.org> on Monday September 23, 2013 @12:22AM (#44921509) Journal

    It's a capacitative scanner. Whether you like it or not, that's not imaging the surface layer of skin, but the complexity of what's behind it.

    You're correct that it doesn't image the surface layer, but wrong about it getting what's behind the skin. Capacitive sensors obtain an image of, essentially, the back side of the skin. The ridges are there, but no other subdermal structure is visible, and the ridges are the same ones visible on the surface, so a surface image (e.g. a skin-oil negative), provides a fine panel from which to construct a usable fake finger.

    FWIW, I used to build biometric authentication systems, especially fingerprint stuff. I did security analyses of fingerprint scanners (optical and capacitive) for Visa, wrote the Linux kernel driver for the AuthenTec scanner, and a bunch of other stuff over a 10-year period. I've never designed them and don't claim to fully understand the physics (though I've consulted extensively with people who do), but I've worked with them, a lot, and I know very well what they do and do not do.
