backtop


Print 114 comment(s) - last by Piiman.. on Oct 5 at 12:50 PM


  (Source: Apple)
Chaos Computer Club unlocks iPhones with high resolution-image based tactic, points out legal dangers

For iPhone owners that use the fingerprint sensor as a password, be aware that it's pretty much useless from a security perspective.  It turns out that as with past inexpensive fingerprint readers, the system could easily be tricked by showing it a photograph of the target's fingerprint.

A site sponsored a crowd-funded competition to see who could be the first to crack the security feature found on the new Apple, Inc. (AAPLiPhone 5S.  The prize -- which included a pledge of $10,000 USD from a Chicago-based venture capital fund -- attracted a lot of attention.

I. CCC Makes Short Work of Apple's Supposedly Secure Sensor

It appears that the first group to successfully circumvent the sensor's security was the veteran Chaos Computer Club (CCC), a German hacker ring that has accomplished many challenging hacks and exploits over the years.

The trick -- as a CCC member who goes by the handle "Starbug" states -- is to use at least 2,400 dots per inch (dpi) for the photograph of the target's fingerprint, and 1,200 dpi for the printed copy.  Comments "Starbug", "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.  As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

The hack is demonstrated in a video posted by the CCC to YouTube:


The only "trick" outside the resolution is that you need to print onto a transparent sheet and after printing; you need to lift the fingerprint onto a polymer using "pink latex milk or white woodglue".  The latex layer is then cured and lifted, and breathed upon to "make it a tiny bit moist and then placed onto the sensor to unlock the phone."

Don't make it too moist, though as the fingerprint sensor can only be used with "dry" fingers.

iPhone 5S sensor
The iPhone 5S's sensor can easily be tricked with a "fake finger". [Image Source: Apple]
 
It's important to note that the only part of the process that involves the target user -- getting their fingerprint -- can be done quickly and surreptitiously.  The remaining steps can be taken at their own pace at a secure location of the unlocker's choosing.

II. Another Danger -- Police Seizing Your Data

CCC spokesperson Frank Rieger chides Apple and others for proliferating the myth of security regarding fingerprint-based biometrics.  He states:

We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token.  The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

The group raises another interesting point regarding smartphone unlocking and legality.  The group writes:

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

Police arrest
If you get arrested, and have an iPhone with fingerprint unlock enabled, police can easily get ahold of your private data. [Image Source: BUSINESS, GOVERNMENT AND SOCIETY FIVE]

In other words, the supposed "crowning" feature on Apple's new smartphone may be worse than worthless -- it may be luring users into a false sense of security and compromising their data.

The site istouchidhackedyet.com says the CCC was the first group or individual to report a successful hack on the sensor.  The site is in the process of confirming the CCC's hack.  Once confirmed they'll receive the horde of goodies, including sweet, sweet cash.

Sources: CCC [press release], Is Touch ID Hacked Yet [YES!], YouTube [CCC]



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: LMAO
By chripuck on 9/23/2013 3:05:15 PM , Rating: 2
Apple has already stated that their target audience were people who didn't use a password, people like myself. First off I'm not stupid: I don't have anything critical on the phone in the first place. Secondly, this just provides an infinite improvement in security compared to my previous method so it's a win/win for me.


RE: LMAO
By borismkv on 9/23/2013 3:45:17 PM , Rating: 2
"Infinite Improvement" I do not think that means what you think it means.


RE: LMAO
By ritualm on 9/23/2013 6:56:20 PM , Rating: 2
"infinite improvement" is when I can physically destroy the phone (at a minimum, its internal components) even if I no longer have physical access to it.

Touch ID is a regression.

Fepic ale.


RE: LMAO
By futrtrubl on 9/23/2013 7:42:15 PM , Rating: 2
You and borismkv failed to read the full sentence then.
quote:
infinite improvement in security compared to my previous method

If your previous security is 0 then even 0.1 is an infinite improvement. Having said that it isn't just aimed at people with no security like he said since they made huge claims as to it's security.


RE: LMAO
By ritualm on 9/23/2013 10:18:51 PM , Rating: 1
quote:
If your previous security is 0 then even 0.1 is an infinite improvement.

If somebody has taken your phone away, 0.1 doesn't help you, because everything in your phone is already compromised.

I don't think you really know what "infinite improvement" means. As far as security is concerned, using a fingerprint to unlock a phone does not an "infinite improvement" make.
quote:
it isn't just aimed at people with no security

I have no security on my iPhone 4S other than slide-to-unlock. All a fingerprint sensor does is give me an additional vector of failure that I don't need. A concealed carry gives me one hell of a lot more security than that.


RE: LMAO
By web2dot0 on 9/24/2013 1:03:32 AM , Rating: 2
What are you talking about?


RE: LMAO
By Fritzr on 9/24/2013 6:16:54 AM , Rating: 2
If this is targeted at users who "slide to unlock", then how is a proven to be unreliable biometric lock an "improvement"???

Yes, I have used a fingerprint scanner lock in the past ... several years ago I had a laptop that used this Apple innovation. I am curious though about the design team's hardware though, since some form of time travel was required for them to be able to copy this invention.

The scanner was a nice idea ... just make sure that you never deviate from the conditions that are required for accuracy. Fail to follow directions and it will successfully keep you from using your device. You can of course follow the Chaos club's directions and make your own fingerprint unlocker for those days the phone doesn't want to know you


RE: LMAO
By w8gaming on 9/26/2013 2:31:47 AM , Rating: 2
Description such as "infinite improvement" makes us all non-Apple supporters realize it is useless to argue with Apple fans. Yes, it is like religions. Let them continue to spend their money on Apple products while the rest of the world spend it more wisely.


"This is about the Internet.  Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off." -- RIM co-CEO Michael Lazaridis














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki