How Did Chaos Computer Club Reportedly Hack Apple's TouchID?
According to the Chaos Computer Club's Gerd Eist, the hardest part about defeating Apple's new TouchID reader was getting an iPhone 5S.
Less than two weeks after Apple touted its new Touch ID fingerprint reader as a "convenient and highly secure way to access your phone," the biometrics team of the European hacking group, the Chaos Computer Club (CCC), has reportedly been able to successfully circumvent the sensor using the "Starbug" approach that was documented by the CCC back in October 2004. So how did they do it?
According to the group's release, this approach involves a number of remarkably simple steps that only require materials that can be found in any household:
- A fingerprint of the enrolled user was photographed with a 2400 dpi resolution.
- The resulting image was cleaned up, inverted and laser printed at 1200 dpi onto a transparent sheet with a thick toner setting.
- Pink latex milk or white wood glue was smeared into the pattern created by the toner onto the transparent sheet.
- After curing, the thin latex sheet was lifted from the transparent sheet, breathed on to make it a bit moist, and placed onto the sensor to unlock the phone.
The group further noted that this process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market and that the press had been dominated by "bogus speculation about the marvels of the new technology" while in reality, defeating Apple's higher resolution sensor simply required a higher resolution fake.
The Chaos Computer Club has promised that further details about the hack will be made available at the source link; you can view their demonstration video below.
Criminals that are snatching phones are not all that sophisticated. Looking forward to hearing more about this.
Awesome.
Try and think like an actual criminal for a sec. This solution will defeat 95% of the ones that actually steal phones. The more sophisticated 5% will still fall into two groups. One that actually knows how to lift a print (which they may still very well be defeated by this thing) and the other group that might cut someone's finger off or something (which they are probably not after the phone with but the contents on it).
Let's wait to see if someone finds a more practical way. If they manage to lift a print and then bypass it then I will join you guys in your typical Apple bashing because they would actually deserve it at that point.
I am sticking to my Android. Rather lose a phone than to lose a hand/finger!
Easier to hold a gun to your head for your four numbers than chopping fingers?
The point is, if you steal a phone without knowing the password, you would have to actually hack it (meaning a lot of knowledge on the phone's security), spy on the person to find out their password or actually know him that well that you would guess it. That was a lot of trouble for some random person's phone and you would do it only if there was something else involved apart from just re-selling the phone (like acquiring certain data). Now, with the fingerprint scanner you have, as we've read, a purely technical method to acquire the "password" that does not require any knowledge of mobile security and algorithms, not to mention a phone that will probably be covered in the user's fingerprints...
People need to understand a few things about security:
1) No one measure alone is enough. Usually, if you have a building with biometric security measures, there will be different ones, or combined with other measures (i.e. fingerprint scanners, along with facial recognition and a smart card).
2) Fingerprints on consumer devices are not used for extra security. It's simply an easy way to generate a random pattern on which the password will be based. Something that the user can't forget. It's a matter of convenience, not security.
3) Last but not least, EVERYTHING is hackable. There is a constant race between hackers and security systems and there's no sign it will ever end. The only thing that really defines how safe you are, is how much of a target you are. If there is enough interest for your data/information, be sure that people will spend time and money to get to it.
This is well said and 100% correct.