backtop


Print 114 comment(s) - last by Piiman.. on Oct 5 at 12:50 PM


  (Source: Apple)
Chaos Computer Club unlocks iPhones with high resolution-image based tactic, points out legal dangers

For iPhone owners that use the fingerprint sensor as a password, be aware that it's pretty much useless from a security perspective.  It turns out that as with past inexpensive fingerprint readers, the system could easily be tricked by showing it a photograph of the target's fingerprint.

A site sponsored a crowd-funded competition to see who could be the first to crack the security feature found on the new Apple, Inc. (AAPLiPhone 5S.  The prize -- which included a pledge of $10,000 USD from a Chicago-based venture capital fund -- attracted a lot of attention.

I. CCC Makes Short Work of Apple's Supposedly Secure Sensor

It appears that the first group to successfully circumvent the sensor's security was the veteran Chaos Computer Club (CCC), a German hacker ring that has accomplished many challenging hacks and exploits over the years.

The trick -- as a CCC member who goes by the handle "Starbug" states -- is to use at least 2,400 dots per inch (dpi) for the photograph of the target's fingerprint, and 1,200 dpi for the printed copy.  Comments "Starbug", "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.  As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

The hack is demonstrated in a video posted by the CCC to YouTube:


The only "trick" outside the resolution is that you need to print onto a transparent sheet and after printing; you need to lift the fingerprint onto a polymer using "pink latex milk or white woodglue".  The latex layer is then cured and lifted, and breathed upon to "make it a tiny bit moist and then placed onto the sensor to unlock the phone."

Don't make it too moist, though as the fingerprint sensor can only be used with "dry" fingers.

iPhone 5S sensor
The iPhone 5S's sensor can easily be tricked with a "fake finger". [Image Source: Apple]
 
It's important to note that the only part of the process that involves the target user -- getting their fingerprint -- can be done quickly and surreptitiously.  The remaining steps can be taken at their own pace at a secure location of the unlocker's choosing.

II. Another Danger -- Police Seizing Your Data

CCC spokesperson Frank Rieger chides Apple and others for proliferating the myth of security regarding fingerprint-based biometrics.  He states:

We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token.  The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

The group raises another interesting point regarding smartphone unlocking and legality.  The group writes:

Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

Police arrest
If you get arrested, and have an iPhone with fingerprint unlock enabled, police can easily get ahold of your private data. [Image Source: BUSINESS, GOVERNMENT AND SOCIETY FIVE]

In other words, the supposed "crowning" feature on Apple's new smartphone may be worse than worthless -- it may be luring users into a false sense of security and compromising their data.

The site istouchidhackedyet.com says the CCC was the first group or individual to report a successful hack on the sensor.  The site is in the process of confirming the CCC's hack.  Once confirmed they'll receive the horde of goodies, including sweet, sweet cash.

Sources: CCC [press release], Is Touch ID Hacked Yet [YES!], YouTube [CCC]



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: yup
By Keeir on 9/23/2013 3:15:55 PM , Rating: 5
quote:
Yes there is, a long un-guessable encrypted password. Sure, you *could* break it maybe, but it would take years. iTouch is defeated in a manner of hours.


Read the steps.

#1. A clean fingerprint must be lifted
#2. A 2,400 dpi photo must be taken
#3. A 1,200 dpi mold must be made
#4. A model must be made, cured, and correctly

Apple finger print is to

#1. replace their 4 digit string with 10 numbers lock screen etc. There are only 10,000 combinations

#2. replace entering the AppleID password

I think its a decent solution to #1 and #2 quite frankly. I am not going to want to route my main bank account to it...

If you do have super senstive stuff on your phone, by gosh layer the security! Or erase the phone as soon as it goes missing. (Creating the mold will take a few hours)

I would agree its not "innovative". But will it make the user experience better? Maybe. If instead of constantly entering my 4 digit passcode, it just press home and the phone unlocks... there is value there. It will depend on the long term smoothness.


RE: yup
By Monkey's Uncle on 9/24/2013 11:50:52 AM , Rating: 2
Reclaimer's point being that instead if putting a security feature that is little more than a marketing gimmick, Apple would have been far better off to implement a REAL passphrase system rather than a stupidly simple 4-digit passcode, though I dare you to sit down and key in all 10-to-the-fourth-power combinations of those codes -- It would take MONTHS since it is kinda tough to automate that ;)


RE: yup
By spaced_ on 9/24/2013 12:04:50 PM , Rating: 2
Assuming you can enter a 4 digit key code in about 6 seconds it would take a human less than 24 hours to get into.


RE: yup
By tallcool1 on 9/24/2013 1:56:58 PM , Rating: 2
quote:
Assuming you can enter a 4 digit key code in about 6 seconds it would take a human less than 24 hours to get into.
Well except on the iPhone it locks you out for increasing amounts of time after failed attemps from what I read, see below:

"You have 10 chances to unlock the iphone with the security lock. You have 5 chances before you start getting locked out, on the 6th chance you get locked out for a minute,on the 7th you get locked out for 5mins, on the 8th time you get locked out for 15 minutes. On the 9th try you get locked out for 60 minutes. On the 10th try you can choose what happens here in your settings you can either have the iphone wipe all the data on your iphone or you must connect the iphone to your computer to unlock the phone."

So unless you get lucky on your first few attempts then I would say your not getting into it...

Again, this is what I read with a simple google search, someone can correct this if it is wrong.


RE: yup
By Monkey's Uncle on 9/24/2013 4:51:14 PM , Rating: 2
Try it. Go ahead. I dare you.


RE: yup
By osalcido on 9/26/2013 2:04:02 PM , Rating: 1
So they had 4 digit pass code for how many years... and that was fine...

but now they try and add a fingerprint unlocker to automate it a bit and the world bitches about security


“Then they pop up and say ‘Hello, surprise! Give us your money or we will shut you down!' Screw them. Seriously, screw them. You can quote me on that.” -- Newegg Chief Legal Officer Lee Cheng referencing patent trolls














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki