Apple's TouchID Fingerprint Scanner: Still Hackable

electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

  • by BasilBrush ( 643681 ) on Tuesday September 23, 2014 @05:04PM (#47978599)

    The summary mentions locks and keys as also being hackable. Also combination locks, face recognition, mag stripes, signatures, DRM, many forms of encryption, passwords, captchas, PINs, ATMs, online banking, credit cards. In fact there is precious little security that isn't hackable.

    Of course this isn't going to stop people here ragging on TouchID.

    • The security feature I'd like to see is a way to, with touch only, turn off a phone that's locked (for example the 5 quick clicks method on the power button most portable vaporizers tend to use).

      This with a long password and whole disk encryption on boot.

      I could then use sloppy security most of the time (4 digit PIN), but I could easily turn it off in my pocket before handing it over to a malicious actor (law enforcement / thief).

      • by pushing-robot ( 1037830 ) on Tuesday September 23, 2014 @06:21PM (#47979105)

        So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

        You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

        • by AvitarX ( 172628 )

          That's actually exactly what I meant, thanks for the info. I'd mod you up if I could.

          • Well yes, that works, but it's a two handed task that is hard to do on-the-sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a taser in your eye.
            • by tlhIngan ( 30335 )

              Well yes, that works, but it's a two handed task that is hard to do on-the-sly. Also takes a couple seconds longer than is ideal when you have a knife to your chest or a taser in your eye.

              Actually, given you must use a passcode if you fail TouchID 3 times in a row, all you need to do is use the tip of your finger or palm of your hand 3 times.

              Remember, the rules for TouchID:

              1) Must use passcode on boot
              2) Must use passcode if TouchID not used within previous 48 hours
              3) Must use passcode if TouchID fails 3 tim

        • So... get an iPhone, set a complex passcode, and use your fingerprint the rest of the time?

          You can hold home+power for a few seconds to reboot the phone, and your passcode is required to unlock the phone after a reboot/shutdown.

          The problem being solved here isn't one of ubiquitous use of complex passcodes. The problem is people not using passcodes at all because they are inconvenient. TouchID is a middle-ground between a complex passcode and no passcode.

    • But I can buy a new TV at Best Buy with your phone and a bloody finger and the cashier won't stop me.

      • If you don't know which finger, you'd have to bring all 10 of them and hope nobody in line behind you gets impatient while you keep trying different ones.
    • by Anonymous Coward

      The difference is that you don't *hack* a lock by copying the key, right? You tinker with the lock directly. Yet replicating one's fingerprint is somehow hacking...

    • In fact there is no such thing as security that isn't hackable, except that made from finely ground unicorn horns

      FTFY. I'm the farthest thing in the world from an Apple fanboy, but how does this pass for news?

      In other news, shit still stinks.

    • by DrXym ( 126579 )

      Of course this isn't going to stop people here ragging on TouchID.

      I think it's quite reasonable to rag on it given that Apple are claiming they encrypt data on the phone. Maybe they do but if you can get at it with a fingerprint then it's not hugely more secure than before. Not that I would single out Apple for all the heat here - most phones are only protected by a short pin and even alternative authentication schemes are likely guessable in some way - e.g. Microsoft's photo login and Google's pattern unlock can probably be inferred just by looking at the finger smears o

  • Indeed (Score:5, Insightful)

    by Cloud K ( 125581 ) on Tuesday September 23, 2014 @05:05PM (#47978601)

    It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
    People who go to these lengths would surely be either:
    Really determined for some reason (in which case they'd probably social engineer it out of you or something)
    People who'd just cut your finger off
    The police (at which point they've already obtained your phone and fingerprint)
    The NSA (who probably already have a backdoor)
    Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

    If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

    • Re:Indeed (Score:5, Funny)

      by jfengel ( 409917 ) on Tuesday September 23, 2014 @05:28PM (#47978793) Homepage Journal

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      Correct!

    • It should be perfectly fine for the average person protecting their credit card details from thieves and their porn from their partners.
      People who go to these lengths would surely be either:
      Really determined for some reason (in which case they'd probably social engineer it out of you or something)
      People who'd just cut your finger off
      The police (at which point they've already obtained your phone and fingerprint)
      The NSA (who probably already have a backdoor)
      Either way, it's more secure than your typical 4 digit PIN or pattern unlock.

      If you need more than that, you'd probably use some tedious-to-type ultra secure battery horse staple thing anyway.

      No, it won't even protect you from your spouse.
      All you need is a photocopy of the owner's thumb.
      Your thumb print is conveniently all over the phone.
      I've seen these cracked by placing a clear piece of plastic over the screen... stenciling the print, put the clear plastic on a copier, xerox... hold copy to phone. Voilà. Fingerprint recognition is banned where I work for a reason.

      • by Anonymous Coward

        There are different fingerprint sensors. Your method wouldn't work on an iPhone as it would need an optical scanner. The iPhone scanner works by measuring electrical field variations.

      • by Cloud K ( 125581 )

        If your spouse is going to the lengths of covertly grabbing your phone, placing plastic over your screen, making sure you don't notice it, grabbing it again when you've used it, removing the plastic and taking it to a copier..
        1) What an awesomely geeky spouse, where do I find one? Or do I just marry a copper?
        2) You have much bigger problems to worry about than the security of your fingerprint scanner. But you might want to search for your divorce solicitors using Private Browsing on a throwaway pay-as-you

    • by AmiMoJo ( 196126 ) *

      You shouldn't keep your credit card details on your phone in plaintext anyway. Contactless payments don't need to store them in a readable format.

  • Law Enforcement (Score:5, Insightful)

    by organgtool ( 966989 ) on Tuesday September 23, 2014 @05:16PM (#47978679)
    This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).
    • by rsborg ( 111459 )

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      Exactly - those prints they have on file for you from many years ago should perfectly translate into TouchID-compliant proofs. They likely already stocked up on latex milk and the various things that CCC used.

    • Per XKCD [xkcd.com], it's far more likely they'd forcibly put each of your fingers on the phone than do something elaborate with your printed fingerprints.

      However— IIRC there's a lockout after a certain number of attempts, and IIRC from the first video it can take several tries to fool the sensor. So with ten fingerprints to choose from, not to mention different *parts* of each finger you could have used, it's less than probable they would succeed.

      (And the look on the officer's face when he realizes you used you

      • Re:Law Enforcement (Score:5, Interesting)

        by santiago ( 42242 ) on Tuesday September 23, 2014 @06:02PM (#47978989)

        They better hurry, too. TouchID gets locked out after powering off the phone, 48 hours of inactivity, or a few failed attempts. After any of those, it will only respond to the passcode.

        • Re: (Score:2, Informative)

          by AmiMoJo ( 196126 ) *

          Law enforcement use special bags to keep the phone powered up. The bag is basically a Faraday cage so that the phone can't be remote wiped, and has a charging cable built in to prevent the phone being powered off.

          • Do these bags simultaneously keep the phone powered on while preventing the internal clock from advancing? If so, I think there's some folks in Sweden that would like to award the creator some very nice jewelry.

      • not to mention different *parts* of each finger you could have used

        or penis...

    • by vux984 ( 928602 )

      This will likely make life even easier for law enforcement

      You're right.

      I can either go with a 4 digit PIN which is far more vulnerable to the look-over-the-shoulder or look at the dirty screen attack that low level criminals will use.

      Or I can go with a fingerprint which will defeat them, but can be extracted from me by law enforcement.

      Or I can go with a 40 key passphrase and be pretty safe from both groups -- but then I have to enter a 40 key passphrase before I can reply to a text message or check a new emai

      • by praxis ( 19962 )

        I propose setting a nine digit password, enabling touch ID and disabling responding to texts on a lock screen.

        Nine digit password is better than four because it is quick to enter when you need to enter it, the length is unknown to an attacker and is less vulnerable to the dirty screen attack. The touch ID can be extracted by law enforcement but using the left middle finger or other less-common touch ID finger means they might run into the failed attempt limit before they get the right finger. Not having to

        • by vux984 ( 928602 )

          I actually use a Galaxy S5, I've already got a good reasonable length 'alternate passphrase'.

          I do very much like your advice about using a less frequent finger. Not only does that make it take longer, but one of the obvious sources for a fingerprint to use for the phone is the surface of the phone itself. So using your main index finger to unlock it, and then tapping it all over your screen ... the modern equivalent of putting a bunch of post-it notes with your password on your phone. With a less used finge

          • The S5 however does not require passphrase after boot up. (I'm not sure how much of a big deal that is.)

            I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase. If true, this would be a huge deal. Have I misunderstood?

            • He likely meant that upon reboot you can use the fingerprint thing right away, whereas on the iPhone upon reboot you need to put in your PIN before the fingerprint thing will work. Although I like the tone of your message.
            • by vux984 ( 928602 )

              I take this to mean that if you can reboot the thing, which you can always do by letting the battery run flat and then charging it, you can access the device without the passphrase

              After a reboot I can log in either by fingerprint or by passphrase. With the iPhone my understanding is that the passphrase must be used the first time before it will allow a fingerprint.

              Again, I am not sure exactly what the real security advantage of that is though.

      • Keyboard password with an altered letter... é ò ñ... one of those or something similar.
      • I use a longer passcode on my phone than 4 characters, but not even close to 40. If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.

        • by vux984 ( 928602 )

          I use a longer passcode on my phone than 4 characters, but not even close to 40.

          On a phone keypad I'd rather enter a phrase than a complicated shorter password due to the klutziness of smartphone keyboards and the tedium of switching cases, and accessing punctuation symbols.

          If you need to use bad/broken logic to justify the use of something, it probably does not deserve justification.

          10-12 characters, including numbers and punctuation marks would still be beyond annoying to have to enter every time I acce

          • by s.petry ( 762400 )

            My point was, and is, that there are options between 4 and 40 characters so you are not stuck with one or the other as you implied. In fairness, you may not have intentionally made this implication, but nevertheless it was made.

            I agree a 4 number PIN is a horrible idea if you are worried at all about security. A 9 character PIN is going to be much harder to break into and still easy enough to manage. My screen is auto-locking at 5 minutes and I have the option of pressing a very fast access button to imm

    • by Anonymous Coward

      This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      I'm curious to know how many non-techy people actually set PINs. When TouchID was announced, it was claimed by Apple that most folks don't / didn't.

      Also, it is mandatory to enter the PIN if your iPhone has been restarted (since the PIN is tied into the crypto key), if it's been more than 48 hours since it's been unlocked, or when entering the Touch ID & Passcode settings area.

      I don't think anyone is claiming TouchID is good enough to protect nuclear launch codes, but it's better than nothing, which is w

    • You could just get a user's fingerprints from the screen of the device.

    • This will likely make life even easier for law enforcement as they can easily get the owner's fingerprints to unlock the device as opposed to a password which requires cooperation from the suspect (or a back door or password cracker).

      I quite suspect that taking a fingerprint by force will make any evidence found impermissible. And it is very easy to prove that you took a fingerprint by force: All the accused has to do is say that you did in court, hand over their phone, and if the police don't have the passcode (which they wouldn't) the accused's story must be true.

  • by Anonymous Coward

    About 10 years ago I read a story about a Jr. High school in Australia (ages 13-15) that had set up fingerprint readers at all the computers. Attendance was taken by students logging into a classroom's computers. This was all fine until one day the teacher needed a number of students to do a task. The attendance showed everyone there, but in reality more than half were truant. One student was covering up something, and the nosy teacher pulled off the paper to find..... candy gummy bears. "I was hungry"

    • by rsborg ( 111459 )

      About 10 years ago...

      Clearly technology in fingerprint scanners could never have improved since then.

      • by narcc ( 412956 )

        Well, it doesn't appear to have improved...

        • by praxis ( 19962 )

          Well, it doesn't appear to have improved...

          Why does it not appear that way? It's much more difficult to fool a fingerprint scanner today than it was ten years ago. Just because they're not perfect does not mean they're not better.

    • I can't find any actual instances of it happening, but this appears to mention the rumor you're talking about: http://whatis.techtarget.com/d... [techtarget.com]

    • by s.petry ( 762400 )
      Jello works just as well. Working at the Department of Defense we annually had to reject the latest greatest "biometric wonder" fingerprint ID systems because we could easily spoof people's identity lifting prints with Jello, then log in with the same Jello. Obviously a truly malicious person could eat the tasty evidence and ensure nobody knew what happened.
  • Yes (Score:2, Interesting)

    by Anonymous Coward

    and it is much easier to take a peek at my screen one of the 20 times a day I type in my 4 digit code than to fake the fingerprint.

  • And a different hand than you usually hold it with. Should be good enough if the phone is just randomly lost.

    I wonder if you have to use the end of a finger or could use the "print" on the middle or proximal phalanx?

  • by sootman ( 158191 ) on Tuesday September 23, 2014 @06:24PM (#47979121) Homepage Journal

    "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    Thank you, submitter and Slashdot, for not going for sensationalism and leaving this out of the summary.

    • by Anonymous Coward

      Yes, exactly. That's why it's important to have a society where laws cover these situations. My house happens to have a glass door on the patio that could be "hacked" with a simple medium-sized rock. And I bet most people have easily accessible windows. But there's a reason why we don't worry about people easily breaking our windows and taking our stuff.

  • by Anonymous Coward

    Would you use passwords if they appeared on everything you touched and could never be changed?

    • and could never be changed

      You actually have ten different ones that can be rotated. Replicating a good enough fingerprint for TouchID is not easy. The cracker would not know if the fingerprint reproduction was faulty or the wrong finger was used. Since TouchID is disabled after a few tries it is not a bad choice for a device with the security need of a cell phone. It is a balance between convenience and security. As the submitter said, only a few people can do it and the chance of failure is high. Not everything needs top level secu

  • "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."

    There is a third reason that such locks are practical, and it is something that cannot be satisfied by any kind of biometric authentication.

    Failure of the security system provided by locks, however infrequent, can still be mitigated enough to carry on with no less effectiveness to meet security threats in the future as you had before the

  • If you have the device in hand, you've pretty much won.

    I'm worried more about the "secure enclave."
    It has been a year and it's still not broken. I hope it stays that way.

  • Unless I'm missing something, three failed attempts and you have to enter the passcode. Reboot and you have to enter the passcode. 48 hours of not being used and you have to enter the passcode.

    I just got a 5S and the TouchID is okay, but even when using the correct finger it doesn't always work and I have to enter my passcode (which is quite long). It wouldn't be hard to guess which finger I used but even then... everything would have to go perfectly to get into the phone using that method.

  • by koan ( 80826 )

    What moron is storing anything to worry about there?

    Oh yeah, Apple's "wallet", good luck with that.
