Apple's TouchID Fingerprint Scanner: Still Hackable
electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."
Other hackable things (Score:4, Insightful)
The summary mentions locks and keys as also being hackable. Also combination locks, face recognition, mag stripes, signatures, DRM, many forms of encryption, passwords, captchas, PINs, ATMs, online banking, credit cards. In fact there is precious little security that isn't hackable.
Of course this isn't going to stop people here ragging on TouchID.
Re: Other hackable things (Score:1)
The security feature I'd like to see is a way to, with touch only, turn off a phone that's locked (for example, the 5 quick clicks method on the power button most portable vaporizers tend to use).
This with a long password and whole disk encryption on boot.
I could then use sloppy security most of the time (4 digit PIN), but I could easily turn it off in my pocket before handing it over to a malicious actor (law enforcement / thief).
Re: Other hackable things (Score:5, Informative)
So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?
You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.
Re: (Score:1)
that's actually exactly what I meant, thanks for the info. I'd mod you up if I could.
Re: (Score:3)
Actually, given you must use a passcode if you fail TouchID 3 times in a row, all you need to do is use the tip of your finger or palm of your hand 3 times.
Remember, the rules for TouchID:
1) Must use passcode on boot
2) Must use passcode if TouchID not used within previous 48 hours
3) Must use passcode if TouchID fails 3 tim
Different problem (Score:2)
So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?
You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.
The problem being solved here isn't one of ubiquitous use of complex passcodes. The problem is people not using passcodes at all because they are inconvenient. TouchID is a middle-ground between a complex passcode and no passcode.
Re: Other hackable things (Score:2)
But I can buy a new tv at best buy with your phone and a bloody finger and the cashier won't stop me
Re: (Score:1)
The difference is that you don't *hack* a lock by copying the key, right? You tinker with the lock directly. Yet replicating one's fingerprint is somehow hacking...
Re: (Score:2)
In fact there is no such thing as security that isn't hackable, except that made from finely ground unicorn horns
FTFY. I'm the farthest thing in the world from an Apple fanboy, but how does this pass for news?
In other news, shit still stinks.
Re: (Score:2)
Of course this isn't going to stop people here ragging on TouchID.
I think it's quite reasonable to rag on it given that Apple are claiming they encrypt data on the phone. Maybe they do but if you can get at it with a fingerprint then it's not hugely more secure than before. Not that I would single out Apple for all the heat here - most phones are only protected by a short pin and even alternative authentication schemes are likely guessable in some way - e.g. Microsoft's photo login and Google's pattern unlock can probably be inferred just by looking at the finger smears o
Indeed (Score:5, Insightful)
It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
People who go to these lengths would surely be either:
Really determined for some reason (in which case they'd probably social engineer it out of you or something)
People who'd just cut your finger off
The police (at which point they've already obtained your phone and fingerprint)
The NSA (who probably already have a backdoor)
Either way, it's more secure than your typical 4 digit PIN or pattern unlock.
If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.
Re:Indeed (Score:5, Funny)
If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.
Correct!
Re: (Score:2)
It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
People who go to these lengths would surely be either:
Really determined for some reason (in which case they'd probably social engineer it out of you or something)
People who'd just cut your finger off
The police (at which point they've already obtained your phone and fingerprint)
The NSA (who probably already have a backdoor)
Either way, it's more secure than your typical 4 digit PIN or pattern unlock.
If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.
No, it won't even protect you from your spouse.
All you need is a photocopy of the owner's thumb.
Your thumb print is conveniently all over the phone.
I've seen these cracked by placing a clear piece of plastic over the screen... stenciling the print, put the clear plastic on a copier, xerox... hold copy to phone. Voilà. Fingerprint recognition is banned where I work for a reason.
Re: Indeed (Score:1)
There are different fingerprint sensors. Your method wouldn't work on an iPhone as it would need an optical scanner. The iPhone scanner works by measuring electrical field variations.
Re: (Score:2)
If your spouse is going to the lengths of covertly grabbing your phone, placing plastic over your screen, making sure you don't notice it, grabbing it again when you've used it, removing the plastic and taking it to a copier..
1) What an awesomely geeky spouse, where do I find one? Or do I just marry a copper?
2) You have much bigger problems to worry about than the security of your fingerprint scanner. But you might want to search for your divorce solicitors using Private Browsing on a throwaway pay-as-you
Re: (Score:2)
You shouldn't keep your credit card details on your phone in plaintext anyway. Contactless payments don't need to store them in a readable format.
Law Enforcement (Score:5, Insightful)
Re: (Score:2)
This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).
Exactly - those prints they have on file for you from many years ago should perfectly translate into TouchID-compliant proofs. They likely already stocked up on latex milk and the various things that CCC used.
Re: (Score:2)
Per XKCD [xkcd.com], it's far more likely they'd forcibly put each of your fingers on the phone than do something elaborate with your printed fingerprints.
However— IIRC there's a lockout after a certain number of attempts, and IIRC from the first video it can take several tries to fool the sensor. So with ten fingerprints to choose from, not to mention different *parts* of each finger you could have used, it's less than probable they would succeed.
(And the look on the officer's face when he realizes you used you
Re:Law Enforcement (Score:5, Interesting)
They better hurry, too. TouchID gets locked out after powering off the phone, 48 hours of inactivity, or a few failed attempts. After any of those, it will only respond to the passcode.
Re: (Score:2, Informative)
Law enforcement use special bags to keep the phone powered up. The bag is basically a Faraday cage so that the phone can't be remote wiped, and has a charging cable built in to prevent the phone being powered off.
Re: (Score:3)
Do these bags simultaneously keep the phone powered on while preventing the internal clock from advancing? If so, I think there's some folks in Sweden that would like to award the creator some very nice jewelry.
Re: (Score:2)
or penis...
Re: (Score:2)
This will likely make life even easier for law enforcement
You're right.
I can either go with a 4 digit PIN which is far more vulnerable to the look-over-the-shoulder or look at the dirty screen attack that low level criminals will use.
Or I can go with a fingerprint which will defeat them, but can be extracted from me by law enforcement.
Or I can go with a 40 key passphrase and be pretty safe from both groups -- but then I have to enter a 40 key passphrase before I can reply to a text message or check a new emai
Re: (Score:3)
I propose setting a nine digit password, enabling touch ID and disabling responding to texts on a lock screen.
Nine digit password is better than four because it is quick to enter when you need to enter it, the length is unknown to an attacker and is less vulnerable to the dirty screen attack. The touch ID can be extracted by law enforcement but using the left middle finger or other less-common touch ID finger means they might run into the failed attempt limit before they get the right finger. Not having to
Re: (Score:2)
I actually use a Galaxy S5, I've already got a good reasonable length 'alternate passphrase'.
I do very much like your advice about using a less frequent finger. Not only does that make it take longer, but one of the obvious sources for a fingerprint to use for the phone is the surface of the phone itself. So using your main index finger to unlock it, and then tapping it all over your screen ... the modern equivalent of putting a bunch of post-it notes with your password on your phone. With a less used finge
Re: (Score:2)
The S5 however does not require passphrase after boot up. (I'm not sure how much of a big deal that is.)
I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase. If true, this would be a huge deal. Have I misunderstood?
Re: (Score:2)
I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase
After a reboot I can log in either by fingerprint or by passphrase. With the iPhone my understanding is that the passphrase must be used the first time before it will allow a fingerprint.
Again, I am not sure exactly what the real security advantage of that is though.
8 or 40, wtf? (Score:2)
I use a longer passcode on my phone than 4 characters, but not even close to 40. If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.
Re: (Score:2)
I use a longer passcode on my phone than 4 characters, but not even close to 40.
On a phone keypad I'd rather enter a phrase than a complicated shorter password due to the klutziness of smartphone keyboards and the tedium of switching cases and accessing punctuation symbols.
If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.
10-12 characters, including numbers and punctuation marks would still be beyond annoying to have to enter every time I acce
Re: (Score:2)
My point was, and is, that there are options between 4 and 40 characters so you are not stuck with one or the other as you implied. In fairness, you may not have intentionally made this implication, but nevertheless it was made.
I agree a 4 number PIN is a horrible idea if you are worried at all about security. A 9 character PIN is going to be much harder to break into and still easy enough to manage. My screen is auto-locking at 5 minutes and I have the option of pressing a very fast access button to imm
Re: (Score:1)
This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).
I'm curious to know how many non-techy people actually set PINs. When TouchID was announced, it was claimed by Apple that most folks don't / didn't.
Also, it is mandatory to enter the PIN if your iPhone has been restarted (since the PIN is tied into the crypto key), if it's been more than 48 hours since it's been unlocked, or when entering the Touch ID & Passcode settings area.
I don't think anyone is claiming TouchID is good enough to protect nuclear launch codes, but it's better than nothing, which is w
Re: (Score:2)
You could just get a user's fingerprints from the screen of the device.
Re: (Score:2)
This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).
I quite suspect that taking a fingerprint by force will make any evidence found impermissible. And it is very easy to prove that you took a fingerprint by force: All the accused has to do is say that you did in court, hand over their phone, and if the police don't have the passcode (which they wouldn't) the accused's story must be true.
Laser? Try Gummy Bears (Score:1, Interesting)
About 10 years ago I read a story about a Jr. High school in Australia (ages 13-15) that had set up fingerprint readers at all the computers. Attendance was taken by students logging into a classroom's computers. This was all fine until one day the teacher needed a number of students to do a task. The attendance showed everyone there, but in reality more than half were truant. One student was covering up something, and the nosy teacher pulled off the paper to find..... candy gummy bears. "I was hungry"
Re: (Score:2)
About 10 years ago...
Clearly technology in fingerprint scanners could never have improved since then.
Re: (Score:1)
Well, it doesn't appear to have improved...
Re: (Score:2)
Well, it doesn't appear to have improved...
Why does it not appear that way? It's much more difficult to fool a fingerprint scanner today than it was ten years ago. Just because they're not perfect does not mean they're not better.
Re: (Score:2)
I can't find any actual instances of it happening, but this appears to mention the rumor you're talking about: http://whatis.techtarget.com/d... [techtarget.com]
Yes (Score:2, Interesting)
and it is much easier to take a peek at my screen one of the 20 times a day I type in my 4 digit code than to fake the fingerprint.
Don't use the forefinger or thumb (Score:2)
And a different hand than you usually hold it with. Should be good enough if the phone is just randomly lost.
I wonder if you have to use the end of a finger or could use the "print" on the middle or proximal phalanx?
Sudden outbreak of common sense (Score:5, Insightful)
"We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."
Thank you, submitter and Slashdot, for not going for sensationalism and leaving this out of the summary.
Re: (Score:1)
Yes, exactly. That's why it's important to have a society where laws cover these situations. My house happens to have a glass door on the patio that could be "hacked" with a simple medium-sized rock. And I bet most people have easily accessible windows. But there's a reason why we don't worry about people easily breaking our windows and taking our stuff.
Biometrics are Not the Answer (Score:1)
Would you use passwords if they appeared on everything you touched and could never be changed?
Re: (Score:2)
and could never be changed
You actually have ten different ones that can be rotated. Replicating a good enough fingerprint for TouchID is not easy. The cracker would not know if the fingerprint reproduction was faulty or the wrong finger was used. Since TouchID is disabled after a few tries it is not a bad choice for a device with the security need of a cell phone. It is a balance between convenience and security. As the submitter said, only a few people can do it and the chance of failure is high. Not everything needs top level secu
Two out of three.... (Score:2)
There is a third reason that such locks are practical, and it is something that cannot be satisfied by any kind of biometric authentication.
Failure of the security system provided by locks, however infrequent, can still be mitigated enough to carry on with no less effectiveness to meet security threats in the future as you had before the
Physical access... (Score:2)
If you have the device in hand, you've pretty much won.
I'm worried more about the "secure enclave."
It has been a year and it's still not broken. I hope it stays that way.
Eh... so? (Score:2)
Unless I'm missing something, three failed attempts and you have to enter the passcode. Reboot and you have to enter the passcode. 48 hours of not being used and you have to enter the passcode.
I just got a 5S and the TouchID is okay, but even when using the correct finger it doesn't always work and I have to enter my passcode (which is quite long). It wouldn't be hard to guess which finger I used but even then... everything would have to go perfectly to get into the phone using that method.
laugh (Score:1)
What moron is storing anything to worry about there?
Oh yeah, Apple's "wallet", good luck with that.