How Did Chaos Computer Club Reportedly Hack Apple's TouchID?

[RedundantInk]

According to the Chaos Computer Club's Gerd Eist, the hardest part about defeating Apple's new TouchID reader was getting an iPhone 5S.

How Did Chaos Computer Club Reportedly Hack Apple's TouchID? : Read more

 

[warezme]

a higher resolution fake, well that sums it up, don't it.

 

[MKBL]

It sounds like a 19th century thief making a copy of an original key to a lock, rather than "hacking" in IT sense. Key to this "hacking" is to get the original key, the finger print of the owner of the phone. I'm not downplaying the work of the group, but the title can be misleading.

 

[mikat]

Soooo this requires the fingerprint of the correct user??? It's no more hackable than other fingerprint biometric system out there? Oh noes.

 

[MKBL]

It sounds like a 19th century thief making a copy of an original key to a lock, rather than "hacking" in IT sense. Key to this "hacking" is to get the original key, the finger print of the owner of the phone. I'm not downplaying the work of the group, but the title can be misleading.

 

[Guest]

i don't think our physical finger print need that high resolution, i think event 300-400 dpi is enough already

 

[ap3x]

this is interesting. So what was represented in terms of how the sensor works is incorrect then. They should be really careful with how this is positioned then. If this is part of a 2 factor authentication strategy then it is fine (something you have, something you know) but by itself it will not cut mustard for payments. It is however fine to authenticate to the phone with it.

Criminal's that are snatching phones are not all that sophisticated. Looking forward to hearing more about this.

 

[jonathanrhunter]

A lot of fingers are going to go missing...

 

[house70]

Can lift fingerprints from a whole bunch of objects (cigarette packs, glasses, etc), no need for the actual finger, LOL. Then hijack the phone and profit. With the right tools it could be done even before the victim starts missing the device.
Awesome.

 

[ingtar33]

i liked how the mythbusters were able to fool about every fingerprint scanner on the market with a simple photocopy of someone's fingerprint (they didn't even have to do all those elaborate steps to make a "living" copy like the CCC did). Till they can make biometrics locks a bit more dependable it seems like this is a tech that's not quite ready for primetime.

 

[brettms71]

@house70, yes you can lift fingerprints of most items like you say. You can EVEN lift fingerprints off iPhones. Great that when you take someones iPhone now, the person has supplied everything you need to break into it, saving you time. Thanks Apple. They just make everything easier.

 

[ap3x]

ok, is this a good thing? no, it is unfortunate but is the approach practical.....I think there is no one here that can say that it is practical. In fact, unless someone can actually hack the sensor using a lifted print one can argue that their is no problem at all.

Try and think like a actually criminal for a sec. This solution will defeat 95% of the ones that actually steal phones. The more sophisticated 5% will still fall into two groups. One that actually knows how to lift a print (which they may still very well be defeated by this thing) and the other group that might cut someones finger off or something (which they are probably not after the phone with but the contents on it).

Lets wait to see if someone finds a more practical way. If they manage to lift a print and then bypass it then I will join you guys in your typical Apple bashing because they would actually deserve it at that point.

 

[darkavenger123]

Soon, there'll be robbers will be chopping fingers and hands off iPhone owners when they rob their phone....

I am sticking to my Android. Rather lose a phone than to lose a hand/finger!

 

[Fearthebeard456]

Bogus hack. Who leaves a 2400dpi print on their phone? And the hack TOOK A PHOTO OF FINGER, they did not lift it from a random iPhone? This is like copying my house key and claiming I was able to rob myself? Lets say I lost my phone, where is the thief going to get a 2400 dpi pic of my finger? Come back and ask me for it? How they know which finger? If anything, this hack further proves its more secure than a simple four number.

 

[Fearthebeard456]

Dark avenger,

Easier to hold a gun to ur head for your four numbers than chopping fingers?

 

[Fearthebeard456]

Even if the attack proves to be real, this isn't a casual, fast trick. The attacker would have to be lucky enough to get a perfect print of the correct finger to unlock the iPhone, which means they'd have to find that specific print, or be forced to try several fake prints. Anyone this intent on hacking your iPhone would need prolonged access to it, and would almost certainly have been able to pull off a similar defeat of a simple passcode lock or direct electronic hack to get at your phone's contents.

 

[fixxxer113]

It sounds like a 19th century thief making a copy of an original key to a lock, rather than "hacking" in IT sense. Key to this "hacking" is to get the original key, the finger print of the owner of the phone. I'm not downplaying the work of the group, but the title can be misleading.

The point is, if you steal a phone without knowing the password, you would have to actually hack it (meaning a lot of knowledge on the phones security), spy on the person to find out their password or actually know him that well that you would guess it. That was a lot of trouble for some random person's phone and you would do it only if there was something else involved apart from just re-selling the phone (like acquiring certain data). Now, with the fingerprint scanner you have, as we 've read, a purely technical method to acquire the "password" that does not require any knowledge of mobile security and algorithms, not to mention a phone that will probably be covered in the user's fingerprints...

People need to understand a few things about security:

1) No one measure alone is enough. Usually, if you have a building with biometric security measures, there will be different ones, or combined with other measures (i.e. fingerprint scanners, along with facial recognition and a smart card).

2) Fingerprints on consumer devices are not used for extra security. It's simply an easy way to generate a random pattern on which the password will be based. Something that the user can't forget. It's a matter of convenience, not security.

3) Last but not least, EVERYTHING is hackable. There is a constant race between hackers and security systems and there's no sign it will ever end. The only thing that really defines how safe you are, is how much of a target you are. If there is enough interest for your data/information, be sure that people will spend time and money to get to it.

 

[ap3x]

Can lift fingerprints from a whole bunch of objects (cigarette packs, glasses, etc), no need for the actual finger, LOL. Then hijack the phone and profit. With the right tools it could be done even before the victim starts missing the device.
Awesome.

It sounds like a 19th century thief making a copy of an original key to a lock, rather than "hacking" in IT sense. Key to this "hacking" is to get the original key, the finger print of the owner of the phone. I'm not downplaying the work of the group, but the title can be misleading.

The point is, if you steal a phone without knowing the password, you would have to actually hack it (meaning a lot of knowledge on the phones security), spy on the person to find out their password or actually know him that well that you would guess it. That was a lot of trouble for some random person's phone and you would do it only if there was something else involved apart from just re-selling the phone (like acquiring certain data). Now, with the fingerprint scanner you have, as we 've read, a purely technical method to acquire the "password" that does not require any knowledge of mobile security and algorithms, not to mention a phone that will probably be covered in the user's fingerprints...

People need to understand a few things about security:

1) No one measure alone is enough. Usually, if you have a building with biometric security measures, there will be different ones, or combined with other measures (i.e. fingerprint scanners, along with facial recognition and a smart card).

2) Fingerprints on consumer devices are not used for extra security. It's simply an easy way to generate a random pattern on which the password will be based. Something that the user can't forget. It's a matter of convenience, not security.

3) Last but not least, EVERYTHING is hackable. There is a constant race between hackers and security systems and there's no sign it will ever end. The only thing that really defines how safe you are, is how much of a target you are. If there is enough interest for your data/information, be sure that people will spend time and money to get to it.

This is well said and 100% correct.

 

[hang-the-9]

Not sure how much of a hack this is, I mean the used the actual fingerprint to unlock it. It's no different than using a password you copied from the sticker that was left on the bottom of the laptop, you're not hacking the password, you're just finding it.

 

[chewy1963]

@fixxxer13 - The point here is that Apple is touting it as more secure than a password which it obviously isn't...

 

[house70]

Not sure how much of a hack this is, I mean the used the actual fingerprint to unlock it. It's no different than using a password you copied from the sticker that was left on the bottom of the laptop, you're not hacking the password, you're just finding it.

Real world hacking works this way. Remember, NSA had backdoors implemented by software developers into their products, which would be similar to having a spare key to a vault. Also, the vast majority of system-wide hacks (as in, an institution gets hacked and a lot of private data gets out) happens due to a mole that decided they want an early retirement and sell the access codes to the highest bidder. It is what it is, nobody has the time to go through the paces.

 

[none12345]

its not hacking it.

But its also not very secure. Its less secure then a password, because chances are the finger print is already right on the screen for the thief to use. Sure it takes a few steps to 'read' the fingerprint, and the 'write' it back to the sensor. But they dont even have to guess the password, the print is right there for them.

The biggest problem with something like this is what happens if someone really does find an easy way to hack it? You cant change your fingerprint like you can change a password. Once someone has the mathematical equivalent of your print; your security is compromised for all time. Apple better pray that no one finds a way to sneak in an app that leaks your finger print data.