backtop


Print 114 comment(s) - last by Piiman.. on Oct 5 at 12:50 PM


  (Source: Apple)
Chaos Computer Club unlocks iPhones with high resolution-image based tactic, points out legal dangers

For iPhone owners that use the fingerprint sensor as a password, be aware that it's pretty much useless from a security perspective.  It turns out that as with past inexpensive fingerprint readers, the system could easily be tricked by showing it a photograph of the target's fingerprint.

A site sponsored a crowd-funded competition to see who could be the first to crack the security feature found on the new Apple, Inc. (AAPLiPhone 5S.  The prize -- which included a pledge of $10,000 USD from a Chicago-based venture capital fund -- attracted a lot of attention.

I. CCC Makes Short Work of Apple's Supposedly Secure Sensor

It appears that the first group to successfully circumvent the sensor's security was the veteran Chaos Computer Club (CCC), a German hacker ring that has accomplished many challenging hacks and exploits over the years.

The trick -- as a CCC member who goes by the handle "Starbug" states -- is to use at least 2,400 dots per inch (dpi) for the photograph of the target's fingerprint, and 1,200 dpi for the printed copy.  Comments "Starbug", "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.  As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

The hack is demonstrated in a video posted by the CCC to YouTube:


The only "trick" outside the resolution is that you need to print onto a transparent sheet and after printing; you need to lift the fingerprint onto a polymer using "pink latex milk or white woodglue".  The latex layer is then cured and lifted, and breathed upon to "make it a tiny bit moist and then placed onto the sensor to unlock the phone."

Don't make it too moist, though as the fingerprint sensor can only be used with "dry" fingers.

iPhone 5S sensor
The iPhone 5S's sensor can easily be tricked with a "fake finger". [Image Source: Apple]
 
It's important to note that the only part of the process that involves the target user -- getting their fingerprint -- can be done quickly and surreptitiously.  The remaining steps can be taken at their own pace at a secure location of the unlocker's choosing.

II. Another Danger -- Police Seizing Your Data

CCC spokesperson Frank Rieger chides Apple and others for proliferating the myth of security regarding fingerprint-based biometrics.  He states:

We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token.  The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

The group raises another interesting point regarding smartphone unlocking and legality.  The group writes:

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

Police arrest
If you get arrested, and have an iPhone with fingerprint unlock enabled, police can easily get ahold of your private data. [Image Source: BUSINESS, GOVERNMENT AND SOCIETY FIVE]

In other words, the supposed "crowning" feature on Apple's new smartphone may be worse than worthless -- it may be luring users into a false sense of security and compromising their data.

The site istouchidhackedyet.com says the CCC was the first group or individual to report a successful hack on the sensor.  The site is in the process of confirming the CCC's hack.  Once confirmed they'll receive the horde of goodies, including sweet, sweet cash.

Sources: CCC [press release], Is Touch ID Hacked Yet [YES!], YouTube [CCC]



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: yup
By Monkey's Uncle on 9/23/2013 3:11:24 PM , Rating: 5
I'm sorry, but Apple has been bragging about this sensor being a foolproof and uncrackable.

Guess the fact that it being cracked within 3 days of it going on sale once again shows Apple's absolute arrogance in that it just can't fathom the possibility that there are people out in the wild that are a lot smarter than they are.

Oopsie!


RE: yup
By Tony Swash on 9/23/13, Rating: -1
RE: yup
By 440sixpack on 9/23/2013 4:38:33 PM , Rating: 1
I had a similar thought, this approach works if you know who the target is. If someone just loses a phone on the subway and whoever finds it wants to crack it, how do you approach if you don't know who the target fingerprint is?

That seems to be the value - not so much that it is secure against a directed attack, but more so as an inconvenience against casual snooping or protection against loss.


RE: yup
By ritualm on 9/23/2013 5:52:45 PM , Rating: 2
quote:
So to break into and/or reuse a stolen or lost iPhone protected with Touch ID and the new iOS 7 Activation Lock a miscreant must do the following...

Update the Apple remote such that it only has a single red button on its topside, and its internals replaced by a cellular radio. Link the remote directly to the phone.

Install a high-voltage capacitor in the phone's circuitry. Make its connection persistent even when the phone is completely turned off.

If the phone is compromised (stolen, lost, etc.), the user finds the remote and presses the red button. The capacitor goes to work, frying every electronic component inside.

Touch ID? Oh please. A triggered self-destruct feature works a lot better than that.


RE: yup
By Monkey's Uncle on 9/24/2013 11:45:31 AM , Rating: 1
Um, the whole fingerprint is right there on the touch sensor, including the correct finger it was taken from.

But let's face facts. The owner will be an iPhone user. Not the technically sharpest tools in the shed. It is most unlikely these will know what a remote wipe is much less how to do it. After all, technically savvy folks is not Apple's target demographic.


RE: yup
By web2dot0 on 9/24/2013 12:59:00 AM , Rating: 2
If you are the CEO of Apple, are you going introduce the product and say that it's "better than nothing"? What would you do to sell the product Mr. Know-it-all if you were Tim Cook?

The expectation going into this should be ... it is better than what it's replacing? Is it better than entering 4-PIN passcode? Better than no password?

I say yes.

Talk rationally and maybe people will listen to your arguments.


RE: yup
By Monkey's Uncle on 9/24/2013 11:58:29 AM , Rating: 2
Please explain how a gimmick that was cracked in a couple days could be more secure than a secure 4-digit passcode?

Ever try keying in 10,000 passcodes? Try it sometime and let us know how long that takes you. You can't automate it as they have to be entered through the touch screen. No matter how fast you can type them, it will take you more than 3 days to crack it.


RE: yup
By Fritzr on 9/24/2013 6:05:19 AM , Rating: 2
No smarts needed ... the fake fingerprint was invented about an hour after the first fingerprint scanner was designed. The great innovation by the hackers was finding the minimum resolution the lock will accept :D

It is a nice way to tell the phone you are ready to use it, but as security it was broken decades ago and will not allow access by authorized fingerprint reliably because of all the things that can temporarily change your finger's appearance.


"Game reviewers fought each other to write the most glowing coverage possible for the powerhouse Sony, MS systems. Reviewers flipped coins to see who would review the Nintendo Wii. The losers got stuck with the job." -- Andy Marken














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki