
Chaos Computer Club breaks Apple TouchID - biafra
http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
======
abalone
Just to keep things in perspective, the goal of Touch ID is not to be
unhackable. The goal is to get more consumers to move from _zero_ security to
pretty good security.

A very large number of people don't put any kind of passcode of any kind on
their phone, simply because it's inconvenient. Touch ID is designed for them.
It's not designed to secure nuclear footballs.

Touch ID is going to _massively_ reduce the number of totally unsecured
iPhones that require zero effort to access. That's the goal.

I think some people see "fingerprint scanner" and think "military-grade
security" because that's where we've seen scanners before in movies and such.
But this is really very much a solution for the consumer market, where
_convenience_ and _usability_ are critical features of a security system.
Sometimes infosec folks forget that. If you make it too hard to use
(passcodes), people just bypass it. So you can blame the user, or you can try
to design something easier to use. If in the end you've improved the overall
security landscape, you've succeeded. I think that's what Apple is doing here.

~~~
DasIch
Touch ID is not "pretty good security" it's not even "good security" it's
simply very bad security.

Touch ID is better than nothing and that people use Touch ID instead of
nothing is better than the current state but not by much and this definitely
isn't a huge achievement. Which is really the biggest issue with Touch ID,
it's advertised as such and people believe it.

~~~
epo
Having a lock in your front door is not perfect but it is much better than not
having one at all.

The way that Apple haters use stunts like this to suspend normal logic and
reasoning in order to express their juvenile spite is staggering.

No one, ever, claimed TouchID was impregnable, but it _is_ very good security
and is better than what the vast majority of people do at present.

Anyone prepared to devote the time and resources that CCC did to breaking your
phone has other simpler means at their disposal. I personally believe that no
one else will replicate this achievement because it is simply a publicity
stunt to get clicks and feed the hordes of anti-Apple zealots.

~~~
hahainternet
> Anyone prepared to devote the time and resources that CCC did to breaking
> your phone has other simpler means at their disposal

Really? Lift someone's print, leave it with superglue, scan and print it and
then dump glue on the scan.

That seems to be the sum total of what needs to be done. You need only sticky
tape to lift the print and the rest can be done in an hour.

It sounds quite action movie, but in reality it's pretty damn simple and if I
wanted to get access to your phone I could easily prepare it in advance and
carry a tiny latex strip in my wallet for just the right occasion without your
knowledge at any point.

~~~
deveac
_It sounds quite action movie, but in reality it's pretty damn simple_

Also in reality it will foil over 99% of potential unauthorized activation
attempts as most people aren't going to craft fingerprints to get into
someone's device.

If reality is the bar you're using, TouchID still wins.

------
MarcScott
If we've learned anything over the past few months, it is that security is an
illusion when it comes to Google, Apple and Facebook.

The fingerprint scanner is not intended to protect your personal data from
being accessed by nefarious cyber-spooks or crackers. The $5 dollar wrench
technique is fairly effective in bypassing such security anyway.

The fingerprint scanner is there so that when your phone is nicked by a
mugger, they can't reset to factory defaults and sell it on eBay. If some
knife wielding thug that robs me of my phone has the intellectual capability
of lifting my fingerprints off the case and then using them to bypass the
security, he still has to know my AppleID password before he can remove the
'Find my Phone' feature.

Give Apple a break. This is just another layer of security. It's _not_ the
panacea to all our security woes, and they have never claimed it was.

~~~
chmars
Giving Apple a break? Just another layer of security? That's not how Apple
describes it:

[http://support.apple.com/kb/HT5949?viewlocale=en_US](http://support.apple.com/kb/HT5949?viewlocale=en_US)

And selling a stolen iPhone on eBay does not need a password or a fingerprint,
a jailbreak is enough …

~~~
nobodyshere
Jailbreak is enough... When it exists. And for now it doesn't.

~~~
arbitrage
taking past trends into consideration, it looks like you're betting on the
wrong horse, here. it will exist.

~~~
tptacek
What are the actual trends on jailbreaks for iOS on current hardware?

------
WestCoastJustin
The _"How to fake fingerprints"_ link [1] is one of the scariest things I
have seen, given how simple it is, and how much we rely on fingerprints for
linking people to crimes.

BTW, for anyone who does not know about the Chaos Computer Club (CCC) [2], they
run a massive conference in the EU. You can look at some of their talks @
[http://media.ccc.de/](http://media.ccc.de/)

[1]
[http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?langu...](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en)

[2]
[http://en.wikipedia.org/wiki/Chaos_Computer_Club](http://en.wikipedia.org/wiki/Chaos_Computer_Club)

~~~
yellowbkpk
Frontline had an excellent piece on the (lack of) reliability behind most of
crime forensics. Fingerprints in particular are mentioned as being very
unreliable and unscientific. The only scientifically rigorous piece of "CSI"
is DNA matching.

[http://www.pbs.org/wgbh/pages/frontline/real-csi/](http://www.pbs.org/wgbh/pages/frontline/real-csi/)

~~~
auctiontheory
Even DNA can provide false negatives in the case of human chimeras.

~~~
Amadou
Or just someone skilled enough to place fake DNA in his body such that the
person taking the sample is fooled into taking it from the fake DNA.

Yes, this really happened - at least once that we know of:
[https://en.wikipedia.org/wiki/John_Schneeberger](https://en.wikipedia.org/wiki/John_Schneeberger)

~~~
coldtea
Or someone just being careful with his DNA at the crime he commits, that then
places someone else's DNA that he wants to frame?

~~~
pavel_lishin
That would work in the sort of Hollywood movie where the government has
everyone's DNA on file.

Then again, I guess we've seen that you literally cannot be too paranoid.

~~~
coldtea
> _That would work in the sort of Hollywood movie where the government has
> everyone's DNA on file._

You don't have to have "everyone's DNA on file". It's actually pretty trivial
even for your neighbor or whoever to get your DNA.

As for the police falsifying evidence, there's a wikipedia-long history of
cases, in Europe, Latin America, Asia, etc. Especially in politically charged
times, like the sixties and seventies. Heck, something like half of Italy's
government in the 70's has been proved in later Italian courts to be involved
in such things.

~~~
pavel_lishin
> You don't have to have "everyone's DNA on file". It's actually pretty
> trivial even for your neighbor or whoever to get your DNA.

Sorry, I wasn't clear. I can dump a gallon of your blood and semen onto a dead
guy in an alley, but how would the government trace that blood and semen back
to you?

~~~
CaveTech
They don't have to necessarily trace it back to me, as long as they can't
trace it back to _you_.

------
neilk
I think they're missing the point. The passcode on an iPhone defends against
other people in your environment - family members, coworkers, roommates -
getting your information opportunistically. It doesn't defend against hackers,
the government, or even slightly savvy thieves.

Also, if a fingerprint sensor is significantly easier to use, and in practice
will deter a class of privacy violations, it could increase overall security.
This is a question you can only answer by looking how people behave, not
solely with an analysis of the technology.

The fingerprint sensor worries me more that it records biometric information
at all. It's one thing to leave fingerprints all around your environment, but
there is now the potential to steal your biometrics over the internet. The
device supposedly hashes the data derived from your fingerprint, presumably
with a hardware-based secret, but I worry someone will find a way around that.
(EDIT: maybe this is physically impossible; can someone provide details?)

Also, the issues that CCC discusses about how fingerprint unlocking can be
coerced are important. Many law enforcement organizations now have devices
that can scan smartphone data, which is bad enough, but at least the use of
those devices is controlled. A fingerprint sensor now allows a cop to
handcuff someone, jam his or her finger onto the phone, and then to (for
instance) delete an incriminating video.

Likewise anyone else willing to use force. Might become the next schoolyard
amusement for bullies, if your kid has a smartphone.

~~~
controv3
> I think they're missing the point. The passcode on an iPhone defends against
> other people in your environment - family members, coworkers, roommates -
> getting your information opportunistically. It doesn't defend against
> hackers, the government, or even slightly savvy thieves.

The Google Chrome Security team begs to differ [1]. According to them giving
someone the illusion of security is bad.

[1]
[https://news.ycombinator.com/item?id=6165708](https://news.ycombinator.com/item?id=6165708)

~~~
CamperBob2
Giving someone the illusion of security is bad because it displaces their
_understanding_ of security.

An understanding of security will reveal that security is not a binary state
of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like
the iPhone fingerprint reader to keep honest people honest and discourage
ordinary muggers and thieves. I don't need military-grade access control for
my personal iPhone, I don't want the inconvenience that would necessarily
accompany it, _and I damned sure don't want to pay for it._

And the Google Chrome guy is correct in all respects: it's not reasonable to
expect an application to provide security that's redundant with security
provided by user accounts on the OS it runs on. It would be better to teach
users to create separate accounts on their system, if they want to hide their
local passwords from other members of their family.

~~~
epo
You are completely detached from normal practical realities, as such your
beliefs on security can be safely disregarded.

------
arrrg
Expected. Still much, much better security than no code at all. I will use it
(with full knowledge of its downsides and tradeoffs) and it would behoove the
CCC to not portray security as a binary state. (Just as much as it would
behoove Apple to be truthful in their marketing.)

Don't use it if thieves would consider going through all the effort of faking
out the scanner. That's what I take from this no doubt valuable and important
work from the CCC.

(I assume that iPhone tracking and activation lock cannot be disabled with the
fingerprint, so stolen phones will still be easily remotely wiped and bricked,
with fingerprint or without. Thieves will have to be crafty and quick if they
want to pull this off.)

~~~
makomk
Not that expected. I know a lot of people were BSing about how much more
secure Apple's fingerprint sensor was and how the usual techniques for faking
a finger wouldn't work on it, including some security researchers.

~~~
thrownaway2424
Yes. I anxiously await Gruber's lengthy post-mortem about the fingerprint
reader being just as bad as all previous fingerprint readers, equal in number,
length and enthusiasm to his previous posts about how wonderful and advanced
it is.

~~~
Anechoic
I know folks love to hate on Gruber, but looking at df.net I don't see where
he has compared the security of TouchID to other fingerprint readers - rather
he's compared the convenience and performance of TouchID to other fingerprint
implementations, and I don't know that anything in the OP would, or should,
change his assessment of that.

(not an iPhone or Android user, at least not yet).

~~~
yapcguy
Gruber is an ignorant fanboy.

There are too many examples to pick from, but here's a recent one.

In his iPhone 5S review he rambles on about how Apple is an innovator and
picks out the A7 processor, TouchID and a new burst-mode camera feature:

"But the real innovation — there’s that word — is software, right there on the
device itself, that makes it easy to select only the shots from those bursts
that you really want to keep, and to throw away the rest."

Yet Samsung did the same thing for the S3 back in 2012.

[http://www.youtube.com/watch?v=OxXEAyuoyQk](http://www.youtube.com/watch?v=OxXEAyuoyQk)

~~~
melange
So rather than addressing the point, you attack him on something completely
different. Presumably because there are actually no examples where he's been
wrong about TouchID.

~~~
yapcguy
No, I couldn't be bothered because the man writes guff.

[http://daringfireball.net/2013/09/the_iphone_5s_and_5c](http://daringfireball.net/2013/09/the_iphone_5s_and_5c)

> "You know how iOS touch latency and scrolling performance have always been
> far ahead of its competition? The way you could just tell that internally,
> Apple had uncompromising standards for how responsive these things needed to
> be? That’s what Touch ID is like — it’s to all previous fingerprint scanners
> I’ve seen what the original iPhone was to previous touchscreen computers."

Make that fawning guff. Convenient that he forgets the uncompromising
standards of Apple Maps.

> "Touch ID’s extraordinary performance and accuracy fit right into that
> story."

No benchmarks or comparisons to justify this hype compared to other
fingerprint scanners. How do we know it's not the same as a cheap $1 RF
scanner from China?

> "a complete experience hosted entirely on the device. Your fingerprint data
> is not just “not stored in iCloud yet”, it is not stored in iCloud by
> design, and according to my sources, never will be."

Rubbish. He knows nothing about Apple's roadmap. He always cites his inside
"sources" yet he has NEVER broken any story where he had the lead on a scoop.
Not on any products or corporate announcements.

I don't care what an armchair blogger thinks about TouchID. I do however care
what the Chaos Computer Club thinks because they actually know what they are
talking about.

~~~
gurkendoktor
> Convenient that he forgets the uncompromising standards of Apple Maps.

In the _next paragraph_, he writes that Apple sucks at online services, and
that TouchID is great precisely because it's a completely offline feature. You
haven't even read the article. I wish HN would blacklist any mention of
Gruber's name.

------
gjmulhol
I have accidentally seen basically all of my friends' passcodes as they type
it in at bars etc. I could get into their phones easily. TouchID is more
secure than that simply because someone needs to take a 2400 dpi image of the
person's finger to do it.

Locks (when physical access to a device is available) are to keep honest
people honest. Most security experts that I know agree that if an intruder has
physical access to a device, it can be considered compromised because it is
just a matter of time.

~~~
lawnchair_larry
> Most security experts that I know agree that if an intruder has physical
> access to a device, it can be considered compromised because it is just a
> matter of time.

Anyone who says this is not a security expert. That hasn't been true since
full disk encryption became available. A properly encrypted device is a brick
if stolen, which is the only reason to have full disk encryption in the first
place.

~~~
gjmulhol
Most people outside of this community are not using disk encryption.

With that said and the caveat that I am not an encryption expert myself: given
an infinite amount of computing power and an infinite amount of time, can full
disk encryption not be broken? If so, then it is just a question of computing
power and time, not of whether it is possible to get to the data.

~~~
unimpressive
> given an infinite amount of computing power and an infinite amount of time,
> can full disk encryption not be broken?

Sure. But the difference between "infinite" and "a couple billion years" from
a human perspective is minute.

------
sehrope
Considering that people generally don't wear gloves when they use their phones
this is like having a picture of your key on your door. Combine that with what
we know you can do with pictures of keys[1] and yes it's obviously not a very
good idea.

[1]:
[https://news.ycombinator.com/item?id=6167246](https://news.ycombinator.com/item?id=6167246)

~~~
bobbles
no no no no no.

This is not being done by lifting an existing print from the existing device.
They're taking a photo of the authorised FINGER and using that to create their
fake finger...

I don't see how this could be considered a significant issue unless you are
going to steal someone's phone AND somehow get a still 2400 dpi photo of the
surface of their finger

~~~
ethanhunt_
You are incorrect. Second sentence of the article: "A fingerprint of the phone
user, photographed from a glass surface, was enough to create a fake finger
that could unlock an iPhone 5s secured with TouchID."

~~~
czhiddy
Which glass surface? The oleophobic glass on the iPhone itself?

If the print was copied directly from one of the phone surfaces, you'd think
that the CCC would want to include that little tidbit.

~~~
slantyyz
>> Which glass surface? The oleophobic glass on the iPhone itself?

That brings up another interesting point -- I wonder how many people are going
to put screen protectors on their 5S's that are not oleophobic.

------
hrktb
In the comments there is so much focus on the convenience aspect of TouchID. I
agree, but the main point I think is that we have a situation where:

- fingerprint authentication will be seen as more casual and mainstream than
it was before [1]

- people will still leave fingerprints everywhere, including around and on
the fingerprint sensors

- once a high resolution image of a fingerprint is done, it can be re-used
for literally a lifetime (imagine keeping track of someone for years and using
his/her fingerprints anytime it's needed)

- if enough applications rely on fingerprint authentication, exchanging
fingerprint databases might become lucrative enough

From this point of view, seeing TouchID as just a cute way of adding some
security to a phone is too candid I think. It will have an immediate positive
effect for casual phone locking, but would bring much worse effects down the
line.

Optimistically no one would rely on fingerprints alone to authenticate users for
anything important. But the definition of what's important is blurry, and
there are so many situations now where weak passwords are used, but it would be
so tempting to switch to fingerprints (door unlock for instance...).

[1] laptops have had finger unlock features for years now, but it never really made
it to the wild masses I think. Fujitsu phones had a fingerprint reader too,
but again, I don't remember other makers picking up the feature.

------
kirillzubovsky
This is a really silly statement - "This demonstrates – again – that
fingerprint biometrics is unsuitable as access control method and should be
avoided."

Sure, maybe you can bypass this mechanism, but as an everyday password, this
is still a substantially easier tool than typing in a 4-digit password.

In fact, at least you cannot easily spoof my fingerprint at a public location,
while you could certainly easily figure out my password by just standing over
me when I type it. I wonder how many mall cameras, street cameras and all
sorts of public surveillance cameras have all our passwords?

~~~
MBCook
> this is still a substantially easier tool than typing in a 4-digit password.

I know tons of people, including myself, who don't use _any_ passcode on their
phone because the 4 digit stuff is a hassle.

CCC is arguing this isn't pick-proof anti-tampering deadbolt, when right now a
huge number of users _don't even have a door_. It's still a MASSIVE
improvement.

------
professorTuring
Of course they have broken it, I had no doubt it would be broken like any
other fingerprint security system.

The issue here is that it's ok, it doesn't really matter. It is all about the
amount of security you need. Does a normal user need unbreakable security? No.
The security provided with this method is more than ok, it is kinda secure and
it's faster (imho) than writing your passcode. After all your "enemies" here
are nosy friends or similar...

If you need "unbreakable" security then you shouldn't use iPhone or Android,
or you should use a specific secure storage application (cyphered content,
hard to guess pass or whatever). If you need "unbreakable" security you better
consider hiring a security consultant.

So, the question here is, are the security systems in mobile devices more than
fine for most normal users? I guess so...

------
pcl
Here's an idea that would improve security in conjunction with the new sensor:

Create a random pattern of ridges and, using the technique outlined in the OP,
build a latex key. Attach that to your keychain (in some sort of case to
improve durability, maybe). Then, enjoy 2-factor auth, between the phone's
pass code and the synthetic fingerprint.

~~~
dwaltrip
Wow cool idea, someone needs to test that

------
chmars
What is the resolution of the fingerprint image stored in biometric passport,
i.e., the kind of passport you need to enter the US?

Biometric passports store an actual fingerprint image and not just a hash like
the iPhone 5S. So if the resolution was high enough, everyone with access to a
biometric passport – for example by scanning people carrying such passports
around at an airport – could forge fingerprints …

~~~
andrewpi
Biometric passports don't necessarily include fingerprint data. For example,
current US passports are considered biometric but do not include fingerprint
data since fingerprinting is not required to obtain a US passport.

~~~
chmars
That's interesting, thank you – especially because I had to get a biometric
passport with fingerprints in order to enter the US …

------
sarreph
An interesting comment on the YouTube video: Not cleaning your iPhone is
likely to leave fingerprint evidence/marks directly on the device's housing
that could be faked.

------
joejohnson
"[I]t is far too easy to make fake fingers out of lifted prints"

Really? It seemed like this was a lot harder than just shoulder-surfing
someone entering their passcode. Touch ID may be hackable, but this is still
way harder for the average person to hack than a simple passcode.

AND it's way easier to swipe your finger than type in a code! Touch ID can't
be worse for security; it appears it's at least a bit better.

------
reillyse
Talk about missing the point.

I dislike entering a passcode every time I pick up my phone. Yet if someone
steals my phone or I leave it somewhere I don't want someone to be able to
access my photographs or my data.

Fingerprint sensor sounds like a pretty good solution to me.

Do I want Fort Knox security on my phone? No.

Could someone still access all my data even if it was secured with a passcode,
certainly they could with physical access to the device and a couple of
debugging tools they could lay it wide open.

So put simply, fingerprint is more convenient than having to type in a
passcode. +1 for Apple

Good to know how easy it is to break though so no one gets carried away and
starts using it for things worth breaking into.

------
mephi5t0
They tried to make fingerprint readers more sophisticated and added
temperature registers to avoid fakes (or, in a more gruesome case, a cut-off
finger), but hackers managed to make so-called rubber fingers, or peel a dead
finger and fill it with warm salty water. Anything can be hacked.

But I think they are missing the point. If Apple wanted its phones to be a
secure gimmick at the Pentagon - that was silly. But for the average user - nobody is
going to steal your prints. It's just usability. For the average Joe it is so
much easier to tap with a finger than type a PIN all the time. But if you get
specifically targeted nothing will save you.

~~~
bparsons
The exact same arguments could be made for having crappy passwords, which, I
might remind you, are defeated hundreds of thousands of times a day, at a
massive cost to its victims.

~~~
melange
I don't see hundreds of thousands of fingerprints being lifted from people to
fabricate 2400 dpi fake fingers 'every day'.

------
Cushman
Actually, this raises an interesting thought. Couldn't a security-conscious
user take advantage of this to turn "something you are" into "something you
have"? Since you can train the sensor with anything, is there a market for
semi-permanent, cryptographically-random... Thumb rings, or something?

~~~
BrianLey
This is a great idea. Go for it. -Brian :-)

------
Marazan
Wasn't Gruber getting awfully excited about how amazing and revolutionary
Apple's finger print sensor was?

Will he be claim chowdering?

~~~
jpttsn
What did he claim?

~~~
lyso
Well he did approvingly quote some nonsense that the reader would only work on
a 'live finger' (presumably it is supposed to be able to detect the presence
of a soul?).

[http://daringfireball.net/linked/2013/09/12/5s-fingerprint-s...](http://daringfireball.net/linked/2013/09/12/5s-fingerprint-scanner)

~~~
dmishe
Well, to be fair, in this case it was a live finger.

------
DigitalSea
I don't think the goal of Touch ID is better security nor is it an attempt by
Apple to prevent the loss of iPhones from theft. The goal of Touch ID at the
end of the day is to make it easier for people to make purchases, entering
passwords to make an iTunes/App store purchase is a hindrance to Apple's
bottom line. Currently because of the steps involved, people have the ability
to rethink their purchases during the time it takes to enter and confirm they
want to make a purchase. Touch ID takes away a few seconds of time to make a
purchase, touch your finger on the reader and BAM! instant purchase.

The steps in which the Chaos Computer Club took to break into an iPhone, no
criminal would even think of undertaking. In the criminal world the longer it
takes to steal something, the higher the chance you'll be caught. It's no
different to an engine immobiliser that prevents a car from being stolen. If a
criminal were to take their time, they could pop the bonnet and start the car,
but most criminals will just take your stereo and car contents and leave the
car if they can't get it started within a couple of minutes...

Although, having said that. Apple's marketing speak does make Touch ID sound
much more secure than it actually is. This might come back to bite them in the
behind one day if the wrong person has their iPhone and data stolen and
decides to act upon Apple's somewhat deceivingly clever marketing speak in a
court room with dollars to spare.

And besides making it easier for people to spend money without having time to
think, a fingerprint scanner to the not-so-technology inclined sounds
futuristic and cutting-edge, which in turn will sell millions upon millions of
iPhone units. While many who frequent HN can see past the marketing spin and
realise a fingerprint scanner isn't all that exciting or new, the lowest
common denominator who buys an iPhone sees things differently.

------
dmishe
I thought, based on anandtech review, that this scanner is not optical but
electrical, hence "sub epidermal scanning", so why does a printed finger work?

~~~
Someone
It looks like either of the following:

- the capacitance of the ridges and crests of one's fingerprint dominates any
differences in subcutaneous capacitance (possibly because they are closer to
the scanner, or because there simply is too little variance in capacitance
between flesh and hair veins)

- subcutaneous structures resemble fingerprints too much (seems quite
possible, as there must be a reason that it is hard to permanently change
one's fingerprints by using sand paper)

Aside: a Google found this procedure:
[http://www.zoklet.net/bbs/archive/index.php/t-202956.html](http://www.zoklet.net/bbs/archive/index.php/t-202956.html)
I don't have the faintest idea whether that is real, but regardless, I don't
recommend it.

~~~
makomk
The subcutaneous structures are, from what I've read, basically the same as
the surface ridges and crests.

~~~
Someone
Looking at the chaos computer club video, that becomes plausible/likely (the
iPhone UI shows a picture of the fingerprint as a guideline for the quality of
the phone's knowledge of the fingerprint, and afaik the sensor does not have a
camera, so that is not just an aid for the user.)

Yes, it could also be Johnny Appleseed's fingerprint, used as an image users
are familiar with, but
[http://en.wikipedia.org/wiki/Friction_ridge](http://en.wikipedia.org/wiki/Friction_ridge)
seems to confirm it, too ("The pattern of ridges they produce in hands and
feet"; I'm not sure whether "they" refers to the epidermal cells or to the blood
vessels (less likely), but that doesn't matter).

------
blinkingled
To be fair Apple hasn't said anything about liveness checks or any other
safeguards against faked/duplicated fingerprints. All they talked about was
how the fingerprint storage itself is secure, hardware level and local. The
hack that gets the fingerprints off of the chip by exploiting some
implementation related vulnerability would be a big deal.

TouchID is just another fingerprint reader - albeit one that's easier to use.

------
coldcode
Apparently a lot of people are much smarter than the people who built the
technology. Kinda like everyone is better at cryptography than actual
cryptographers. Nothing anyone says here is going to surprise the folks who
designed it.

------
drakaal
Kind of a "well duh" post. All of the image scan finger print readers are easy
to game.

Even the ones that use capacitance can be beaten with a rubber glove and a
copy of the fingerprint, printed on the latex. (The best is actually a vinyl
condom that doesn't come pre-lubed; the ink sticks better and the vinyl is
less of an insulator.)

~~~
danpalmer
The problem is that Apple made a big deal in the announcement about how it was
so much more secure than previous implementations, how it used sub-dermal
imaging and stuff like that. It appeared from what they were saying, that this
would be considerably harder to fake.

~~~
melange
It is considerably harder to fake.

~~~
danieldk
Considerably harder? From the article:

_"In reality, Apple's sensor has just a higher resolution compared to the
sensors so far. So we only needed to ramp up the resolution of our fake",_

~~~
gfodor
Difficulty of lifting a good print is probably proportional to the resolution
needed. Ie, you need a higher quality print to get a higher resolution image
to contain additional information.

~~~
XorNot
I'm actually pretty skeptical this is the case. Fingerprint data is noisy - it
has to tolerate a high degree of error. I suspect the problem is actually that
you need to smooth it out appropriately to make the sensor not get tripped up
by non-biological noise.

I'd be really curious to see what you could do with a high-resolution
smartphone camera and a little image processing.

~~~
drakaal
I am guessing I can beat it with a good pen. As you say it has to be tolerant.
If you have a little grunge on your finger, or a cut, or get a tan or there is
grunge on the sensor it still has to work.

Also, there are a lot fewer fingerprints than the world has been led to
believe. Especially since we each have 10 to try, since the phone only checks
1.

------
speeder
Great quote from the CCC team:

"Biometrics is fundamentally a technology designed for oppression and control,
not for securing everyday device access."

It explains why Brazil is trying to put biometric scanners on the electronic
voting machines.

------
joshstrange
First off I want to say I agree with most of the people here that Touch ID was
not meant to be unbreakable but rather an easy to use system that vastly
improved users' security over 4 digit PINs or no PIN.

That said, hypothetically, let's say I get arrested and the police take my
phone. My phone has my fingerprints all over it. What is to stop them,
legally, from using my prints on the phone to unlock my device?

I say this not to spark an argument but as a real question, I bought an iPhone
5S and I really am interested to know if any law would protect my phone if it
was taken in such a situation?

------
induscreep
This isn't new, some other guy broke TouchId by making a fake finger from
gelatin and soy sauce.

[http://blog.fortinet.com/iPhone-5s--Basic-Fingerprint-Replic...](http://blog.fortinet.com/iPhone-5s--Basic-Fingerprint-Replication-Methods-Stymied-by-TouchID-Sensor/)

~~~
danieldk
It seems that that guy directly made a 'copy' of his own fingerprint in a
mold. I agree that it is breaking TouchId, but the CCC did a more realistic
crack: making a fake fingerprint without the person's finger.

~~~
interpol_p
He was not able to use the moulded version of his finger to access Touch ID.
Instead he had to "enrol" his fake finger as a new finger, and from that point
was able to unlock the phone.

------
nodesocket
Honestly, TouchID is better than what we have today; a 4 digit useless
passcode. If somebody has to take a photo of my fingerprint off a glass
surface to gain access to my phone, so be it.

~~~
nly
4 digit pin? I use a 12+ character alphanumeric password on Android.

~~~
_djo_
iOS lets you choose between a 4 digit pin or an alphanumeric password of
whatever length you want. The 4 digit pin is meant to be more convenient, but
even then most smartphone owners don't use it.

The point of TouchID was to have a more secure default for most than a 4 digit
pin or, more commonly, no pin or password at all. Few people would be happy
with having to enter a 12+ character alphanumeric password each time they
wanted to use their phone, you're an outlier there.

------
JofArnold
Presumably solvable by using a digit that isn't normally in contact with your
phone - eg the pinky of your non-dominant hand?

~~~
lostlogin
Wonder if using your nose would work... A toe surely would but accessing that
piece of hardware is an ugly hack in too many ways.

~~~
Tepix
It sounds silly but it's a brilliant idea!

------
fmax30
Nice, the Mythbusters did this in their fingerprint scanner episode, although
they didn't have the iPhone 5S, but I am sure the same principle/technique
would work.

~~~
MBCook
As I remember, after using a similar technique they started working backwards
and found a simple photocopy (no gelatin or other simulated finger) would do
it. Apple has at least beat that horrifically low bar.

That was a great episode. Beating the thermal sensor was great too.

------
thatha7777
A further argument against biometrics, for those in the United States, is that
your "right to silence" (under the 5th amendment) doesn't protect you against
the government compelling you to use your fingerprint to unlock something
(however it does protect you against revealing a PIN code)...

------
yohann305
These findings would have been more surprising if the fingerprints were taken
from the phone itself!

~~~
msds
Actually, touchscreens are more or less the ideal surface to get the
fingerprints from - a smooth glass object frequently touched. I just took my
phone out of my pocket and found three very clear prints... Just look at 00:37
in the video they posted (1) - lots of clear prints. If the video was higher
resolution, you might even be able to use frames of their video as a print
source.

1.
[http://www.youtube.com/watch?v=HM8b8d8kSNQ&t=37](http://www.youtube.com/watch?v=HM8b8d8kSNQ&t=37)

------
shawkinaw
Let's think about the real point of Touch ID technology. Is it to secure your
phone against high-tech criminals with a lot of time and resources? No; it's
to give you enough time to realize your phone is gone and remote wipe it via
iCloud.

------
bdcravens
We see him register his index finger. Then he places his supposedly artificial
index finger on his middle finger, and the phone unlocks.

Since it uses RF and goes beyond the outer layer of skin, how do we know that
the middle finger wasn't already registered?

~~~
computer
Because it's the CCC, and they're very reputable.

------
danpalmer
I'd be interested on peoples' opinions, is this more or less secure than a
4-digit passcode?

From a real security perspective, users should have alphanumeric password, as
far as I know, businesses often enforce this.

Obviously a 4-digit code is easy to brute-force on a computer, but it requires
far more technical knowledge to do so - booting custom firmware, using some
script to brute force, etc, and if the attacker doesn't have the skills, they
are limited to 10 tries, maybe more after waiting a few minutes or an hour.

It seems to me that, excluding users leaving smudges on their screen and
seeing the passcode that way, a fingerprint is even easier to break than a
4-digit passcode.

~~~
Cushman
I think you're missing the biggest security hole with passcodes: whenever
someone on the subway unlocks their phone, I need to consciously look away or
I'll risk inadvertently committing their code to memory. It makes me seriously
uncomfortable.

I'll hazard a guess that abuse by acquaintances, intimate or casual, is the
most common risk to smartphone users, and that the fingerprint is an
_incredible_ improvement over the status quo.

~~~
danpalmer
This is true, but this is more down to people not covering their phone. I tend
to shield my phone to the point where it would be obvious to me if someone
were trying to see my passcode.

I think TouchID provides good security against 'casual attacks' - those by
people who see you use your phone a lot, people who aren't going to put much
effort into an 'attack', just try and post things on your Facebook account
while you're out of the room.

However, in the case of 'real' security, where a person is being targeted for
their data, or anything like that, I think it would provide less security.

~~~
Cushman
I find the idea that the typical 4-digit password provides any more security
against an attacker dedicated enough to make a copy of your finger pretty hard
to credit. You're placing a lot of weight on your "covering" ability. (There
have been times I've had to try hard not to infer someone's passcode purely
from their hand movements.)

------
cowsandmilk
> The method follows the steps outlined in this how-to with materials that can
> be found in almost every household

I own almost none of the materials they list. They have a very different idea
of what materials can be found in almost every household.

~~~
IvyMike
By my reading the minimum is: 1) Laser printer 2) transparency sheet 3) white
glue.

You might not own a laser printer, but surely you have a library or Kinko's
nearby, which makes the distinction academic.

------
jccc
[Regarding the point that this is only supposed to be convenient for users,
not to be unhackable...]

Today: "Fingerprint scanning on my phone ... that's super convenient."

Tomorrow: "Fingerprint scan required by government ... oh well, I already use
that on my phone."

FTA:

 _"We hope that this finally puts to rest the illusions people have about
fingerprint biometrics. It is plain stupid to use something that you can't
change and that you leave everywhere every day as a security token", said
Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled
by the biometrics industry with false security claims. Biometrics is
fundamentally a technology designed for oppression and control, not for
securing everyday device access." Fingerprint biometrics in passports has been
introduced in many countries despite the fact that by this global roll-out no
security gain can be shown._

 _iPhone users should avoid protecting sensitive data with their precious
biometric fingerprint not only because it can be easily faked, as demonstrated
by the CCC team. Also, you can easily be forced to unlock your phone against
your will when being arrested. Forcing you to give up your (hopefully long)
passcode is much harder under most jurisdictions than just casually swiping
your phone over your handcuffed hands._

------
confluence
This is fairly unsurprising to anyone with even a modicum of understanding as
to how these sensors actually work and the decade long history of researchers
breaking them with Photoshop, gummy bears, latex and spit. What concerns me
more is the claims they make about the "secure enclave". Maybe I'm just
paranoid, but historically if data does exist, then it will be abused. The
TouchID sensor, coupled with its strong bullshit security claims by Apple, in
addition to the claims made about how data is never sent by Apple because of
the "secure enclave", makes me think that this would be a very convenient way
to create a global voluntary fingerprint database tied to every aspect of
everyone's identity without freaking anyone out. If a government were to
release something like this, they'd be sued into the ground and screamed
against for breaking core privacy covenants. But when Apple does it, it's just
brilliant and revolutionary.

Reasonable technically informed paranoia is what made the NSA releases fairly
unsurprising to me as well. My rule with security is that if it can be done,
then it will be abused. It's basically a Murphy's law for humanity.

Trust nothing. Trust no one. Doubt everything.

------
abritishguy
Some people seem to be forgetting what this is being used for.

This is an OPTIONAL replacement for the pass code.

However you feel about its level of security it is definitely more secure than
a passcode which is the other option.

If someone wanted to target you for whatever reason then how long would they
have to follow you with a high zoom camera before they would see you type the
passcode in? The passcode/touch ID is to stop opportunistic unlocks not a
determined attacker.

------
countrybama24
If you're really concerned about this, just register part of the finger that
isn't the tip, and get in the habit of smudging the home button afterwards. I
usually only touch the phone with my finger tips or palm, and you could
register, for example, a part of the finger under the knuckle that almost
never touches the device except to authenticate the print.

Of course if CCC knows which finger was registered, AND has a perfect print
left on the device AND they know which print corresponds to the finger
registered on the device, of course they can crack it. But if they have to
guess which print on the device cracks it, I'm willing to bet they trigger the
5 failed attempts which then requires a passcode (and 10 failed attempts
wiping the phone, although this is optional).

This means there are more than 10 options (which finger AND what part of each
finger) you could use as a print. The oft cited scenario of police being able
to compel you to input your print assumes they know what part of your hand
unlocks the phone. They can't make me divulge the part of my hand that's
registered just like they can't make me divulge my password.

~~~
countrybama24
So if some of the world's most elite biometric hacking experts need 48 hours,
knowledge of the registered finger AND an almost perfect print left on the
phone, I think it actually proves how secure the system actually is. If this
was that easy they would have cracked it Friday, but it clearly took them
several attempts despite being (some of, if not) the best in the world at
forging fingerprints.

Yes you can't change your fingerprint, but you can change which is registered
on the device (or with the bank, or whatever) and I'm guessing financial
transactions outside of iTunes might require a passcode also. It's just
another layer of optional security. Clearly it shouldn't be relied on as a
foolproof, 100% secure authentication system, but it certainly shrinks the pool
of people who can gain access to my phone from "anyone who sees me unlock it
several times a day" to "fingerprint forgery experts and highly sophisticated
and motivated criminals."

------
EpaL
Important to remember Touch ID only gives you 5 tries before _requiring_ the
device passcode.

I wonder how many attempts the CCC guys had before they were successful?

------
stesch
Just in time. Who knows how long these research projects stay legal in
Germany.

~~~
thrownaway2424
More context, for those of us not up-to-date on German politics?

~~~
stesch
Outcome of the elections. Merkel won. The CDU (Christian Democratic Union)
isn't very Internet and hacker friendly.

~~~
frank_boyd
For the record:

Merkel personally assured Obama that she would refuse Snowden, in case he
applied for asylum in Germany.

Makes it pretty clear what the world can (not) expect from Germany.

------
s_q_b
iOS security is trivial to break if you have physical access to the device.
TouchID (and passcodes) should be considered little more than a convenience,
not a serious security measure.

~~~
lawnchair_larry
Really, how do you trivially break a passcode on an iOS device? There is a way
that I know about, and it is very much non-trivial.

~~~
s_q_b
Just use brute force or dictionary attack over the wire. Given that most users
use 4-digit pass codes, this can be done usually in minutes, almost always in
less than an hour.

Or, if your target is paranoid and uses a very long passcode, target the
charger rather than the device itself. iOS assumes any physical device to
which it is connected when unlocked is secure. Replace the usb brick with a
small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case.
Then wait until your target plugs in his iDevice and unlocks it. You can then
dump the drive, or side load malicious code.

~~~
czhiddy
> Just use brute force or dictionary attack over the wire. Given that most
> users use 4-digit pass codes, this can be done usually in minutes, almost
> always in less than an hour.

It's clear you've never actually attempted this. The timeout between passcode
entries increases with the number of consecutive failures. Get 10 wrong in a
row, and the device is wiped (if the user has chosen that option).

> Or, if your target is paranoid and uses a very long passcode, target the
> charger rather than the device itself. iOS assumes any physical device to
> which it is connected when unlocked is secure. Replace the usb brick with a
> small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case.
> Then wait until your target plugs in his iDevice and unlocks it. You can
> then dump the drive, or side load malicious code.

This no longer works on iOS 7. The user has to manually choose to trust the
computer they're attached to prior to any communication going across the wire.

~~~
s_q_b
I'll ignore the needless snark.

> The timeout between passcode entries increases with the number of
> consecutive failures. Get 10 wrong in a row, and the device is wiped (if the
> user has chosen that option).

Only if you're typing in pass codes to the lock screen, which isn't how it's
done. An attacker would instead image the flash, grab the Dkey from effaceable
storage, and decrypt the filesystem. Indeed this is exactly how professional
iOS forensic analysis kits work. This will get you access to SMS, photos, and
anything else that doesn't fall under Data Protection.

Data Protection, a second level of encryption that uses your passcode to
generate keys, is only used on the keychain block and emails by default. To
crack Data Protection, use brute force on the copied data, not on the iDevice
itself.

>This no longer works on iOS 7. The user has to manually choose to trust the
computer they're attached to prior to any communication going across the wire.

Cool, I didn't know that.

EDIT:

Here's a good overview: [http://mobappsectriathlon.blogspot.com/2012/09/how-do-you-pr...](http://mobappsectriathlon.blogspot.com/2012/09/how-do-you-protect-your-users-sensitive.html)

~~~
lawnchair_larry
 _"Only if you're typing in pass codes to the lock screen, which isn't how it's
done. An attacker would instead image the flash, grab the Dkey from effaceable
storage, and decrypt the filesystem. Indeed this is exactly how professional
iOS forensic analysis kits work. This will get you access to SMS, photos, and
anything else that doesn't fall under Data Protection."_

Yep, as I suspected, you haven't done this ;) Please don't discuss how
"simple" it is if you're getting your info from third parties. You can't image
the flash. None of this works how you think it does, because the forensics
toolkits left out a crucial detail in their marketing.

The dirty secret? You need a 0day bootrom exploit. The professional kits use
the limera1n exploit, which was patched years ago.

~~~
s_q_b
I didn't say "simple." I said "trivial" :)

Nope, I've never done this live. For this I'm reliant upon what I've read.
Feel free to tell me what's wrong. Stating how it works, or pointing the way
to an accurate source, is infinitely more helpful than saying "you're wrong",
even if it might feel satisfying.

Here's my understanding of how the initial loading works. BootROM uses a
series of RSA validity checks on the chain of software components to load the
RAMdisk (which is used for update in DFU mode.) To load your own RAMdisk, you
need an exploit in bootROM (which are the same exploits used for jailbreaking,
and thus of high value for the community to discover.)

~~~
lawnchair_larry
I just told you. You need a bootrom exploit. That's the non-trivial part.
Nobody has one, and they haven't since 2010. I mean, the NSA might, but the
forensics companies don't, and there aren't any public ones. Hence, it's far
from trivial.

Even with the multi-thousand dollar forensics kits, you cannot even begin a
brute force PIN attack on any bootrom for any iphone or ipad still on sale.
The last devices it worked on were iphone 4 (not 4S) and ipad 2.

~~~
s_q_b
You clearly know much more about iOS hacking than I do. It's well outside my
area of expertise, and I'm grateful for the corrections. I learned a lot
getting up to speed on how this actually works over the past couple days.

Pretending to have knowledge when you don't understand the fundamentals of the
problem is both a good way to make yourself look foolish, and is certainly the
cardinal sin in engineering. For that, I apologize.

For context, the reason I've been insistent is that there is a particular
company that claims to be able to pull data from iPhone 5 and below in spite
of the encryption. Whether this is true or not, I don't know, but I've heard
it from a person I trust in mobile security.

If you keep up with the jailbreak hacking community (which I'm just now
getting into), the Grugq (a fairly reputable source) posted on MuscleNerd's
twitter that he's heard a private company has a new 0-day bootrom exploit,
which would fit with the information I've heard.

Regardless, I should have just shut the f*ck up and let you teach me some
science, instead of letting my competitive instincts lead me down a rabbit
hole. I'll work on that.

------
adamconroy
It is amusing to see thousands of unpaid apple PR workers spring into action,
making sure no critical comment exists without a defence. Perhaps they feel
their credibility is on the line, given how often they have sermonised on the
genius/quality/beauty of their electronic device manufacturer of choice.

------
ForFreedom
According to the adverts by Apple they specifically select certain points on
the finger print and analyze them, then permit access. If such a technology is
broken then I would assume their encryption on the A7 chip where the
fingerprint is stored also can be broken.

If lots of people do not use passwords on their phones for the sake of comfort
then it is not anyone's fault that their phones are logged into or information
stolen. Information is stolen because the user is lazy to secure the device.

When Apple says one can use finger print to do transactions then I have to
assume that the transaction cannot be done by anyone other than me and by any
other means through the phone.

------
malandrew
I want to see this exact attack repeated based entirely on the fingerprints
left on the device itself. It's an all glass surface and we leave fingerprints
everywhere, including on the device itself. If you are literally leaving the
key all over the screen itself, this is pretty damning. I wouldn't be
surprised if an entire photograph of all the partials all over the screen
could be used to reconstruct one full fingerprint of the desired digit.

Now that this type of security is on the iPhone, it is likely to become
widespread, which will only further increase the value of improving attacks on
this particular security measure.

------
tambourine_man
_First, the fingerprint of the enroled user is photographed with 2400 dpi
resolution. The resulting image is then cleaned up, inverted and laser printed
with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink
latex milk or white woodglue is smeared into the pattern created by the toner
onto the transparent sheet. After it cures, the thin latex sheet is lifted
from the sheet, breathed on to make it a tiny bit moist and then placed onto
the sensor to unlock the phone._

Yeah, easy as pie.

Finger chopping should be added to this xkcd:

Security:

[http://xkcd.com/538/](http://xkcd.com/538/)

------
Marazan
The amount of kool-aid drinking about TouchID in this thread:
[https://news.ycombinator.com/item?id=6403089](https://news.ycombinator.com/item?id=6403089)
is pretty staggering.

------
runn1ng
Looking at the video is very unsettling. I think the person needs some
medication or something.

[http://www.youtube.com/watch?v=HM8b8d8kSNQ](http://www.youtube.com/watch?v=HM8b8d8kSNQ)

~~~
frank_boyd
"CCC" actually stands for "Coffee, coffee & coffee".

------
moocowduckquack
Potential side effect of TouchID: Due to the mass marketing of this feature it
becomes cool for people to learn how to copy fingerprints, causing a massive
headache for forensics teams everywhere.

~~~
wiml
All the l33t kids will quit their current jobs and go to work busing tables,
where they can surreptitiously lift prints from every glass or coffee-mug they
carry.

------
Cbasedlifeform
Wouldn't it be ironic if the new iPhone 5S camera had a high enough resolution
to take the photo of another user's fingerprint off the screen of his or her
phone? ;)

------
anizan
Don't panic! This loophole is easy to fix if AAPL gives free mittens (cuter than
gloves) to its users with clear instructions to take them off only when
unlocking the phone.

~~~
_pmf_
Yes; the hackers are just holding it the wrong way! It's really secure if it's
held the right way.

------
matdrewin
Much more convenient than a passcode with a little less security. I'd still
use it unless I was a CIA agent.

~~~
abritishguy
How is it less security though? You don't have to follow someone for very long
with a high zoom camera before you can get their passcode and that is a lot
easier than duplicating their fingerprint. And yeh it is much much more
convenient.

~~~
matdrewin
The Touch ID is less secure because you can force a person to put their
fingerprint to unlock their own phone. Forcing the passcode out of someone can
prove more difficult and the phone will wipe itself after 10 tries (if you
have that feature enabled).

I could steal your phone and manage to unlock in the process by taking your
hand and unlocking the phone before walking away, somewhat more difficult to
do with a passcode.

~~~
interpol_p
You'd still have to force the correct finger, and Touch ID requires a passcode
after five incorrect tries.

------
joakleaf
So the big question is, how hard is it to get at 2400 DPI finger print?

They don't show if they can scan the finger print off the phone. I would
imagine that it could be quite tricky to get that level of resolution.

I would like to see a complete hack purely based on a finger print on the
phone.

~~~
contingencies
_How hard is it to get at 2400 DPI finger print?_

Left arrow key? Coffee cup? Left button of a mouse? Car door handle?

~~~
joakleaf
Well... yeah, but there is quite a lot of smearing.

Will the quality of the finger print you can extract that way using whatever
means you have be of high enough quality?

It is not obvious to me that you'll be able to get something that is 2400 DPI
quality.

~~~
contingencies
Look at your finger. Actual ridges are not that dense.

 _A sampling frequency of 20 points per mm is high enough to visualise a
fingerprint in sufficient detail for identification purposes_
[https://en.wikipedia.org/wiki/Fingerprint#Research](https://en.wikipedia.org/wiki/Fingerprint#Research)

Random #s: 20dpmm = 5,080dpi? Sounds like 2400dpi sensing is certainly
insufficient for research-grade identification... and therefore maybe easy to
fool? :)

~~~
brianpgordon
DPI refers to the number of samples in a straight line one inch long, not to
the number of samples in a 1 inch square.

~~~
contingencies
Aha! Thanks, that makes more sense. So 1 inch = 25.4mm. 20 dots per mm is
sufficient. So 20x25.4 = 508dpi. That's more believable as a rough minimum.

------
dbg31415
The comment was made, "It's not for people who care about security, it's about
people with no security."

But poor security just replaces no security with a fake sense of security. I'd
argue that false security is worse than no security.

------
spyder
Can the fingerprint reader work with other parts of your hand? For example, if
you can use the back of your finger or part of your palm then it could be a
little more secure because you don't leave the prints of these everywhere.

------
Fourplealis
Guys from IsTouchIDHackedYet.com crowdfunded a reward for hacking TouchID. I
guess CCC won a bounty worth over $10k.
[http://istouchidhackedyet.com/](http://istouchidhackedyet.com/)

------
seanmcdirmid
I've seen plenty of people "hack" the 4 digit password simply by observing the
user entering it. This kind of hacking seems to involve even more work than
that.

------
therandomguy
So much more secure than my house or car? Looks like it. Also probably buys me
enough time to realize that my phone is missing and do a remote wipe.

------
001sky
It is a Touch screen !

YOUR FINGER PRINTS ARE ON THE PHONE...

Don't lose it !! =D

------
frank_boyd
Demo: (only 1 min)

[http://www.youtube.com/watch?v=HM8b8d8kSNQ](http://www.youtube.com/watch?v=HM8b8d8kSNQ)

------
KamiCrit
At this rate, no method of security is secure.

~~~
adestefan
The most secure computer is the one locked in a room and unplugged.

There has _never_ been a method of security that is secure. The first thing
you learn when dealing with security is there are tradeoffs between
opportunity, time, money, and usability.

~~~
aroman
While I agree with the spirit of your post, there is in fact a method of
security that is definitively unbreakable (if used correctly/precluding side-
channelling): the one-time-pad.

But as you imply, the reason we don't use it is because the opportunity cost
and hassle of using it are too high for many uses.

~~~
adestefan
You proved my point by needing to exclude side-channel attacks. You also need
keying material, and a way to communicate that material, for a one-time pad
and that's vulnerable to a whole host of attacks.

------
ruttiger
This will end Poopin' tweets. [http://poopinrules.com](http://poopinrules.com)

------
anmalhot
even though it was almost expected to be bypassed easily, using fingerprints
can still be handy if one wants to establish claim on a device. I believe the
thinking was to provide a way to uniquely link the device to an entity -
security was just a byproduct (but marketing trumpeted it)

------
jchimney
It's an improvement. The typical pass has 4 characters so 10,000 possible
combinations. Doing about 1 per second would find the password in the worst
case scenario in about 3 hours, simply by trying all possible combinations.

I think trying to lift a usable fingerprint off a glass surface would be
significantly more difficult than that.

~~~
coldcode
No, each failure increases the time between tries until you brick the phone.

------
Navarr
Were people saying that this was secure? I thought it was just another fancy
unlocking method like Google's "use your face to unlock"

~~~
makomk
Yes, they were - for example
[http://tech.fortune.cnn.com/2013/09/19/iphone-5s-fingerprint...](http://tech.fortune.cnn.com/2013/09/19/iphone-5s-fingerprint-scanner/):

"As for the tech itself, Rogers explains fingerprint scanning as a whole is
more secure than the four-digit passcode. Copying someone's fingerprints
remains a cumbersome process, not to mention pricey -- as much as $200,000, by
some estimates."

Edit - and
[http://daringfireball.net/linked/2013/09/12/5s-fingerprint-s...](http://daringfireball.net/linked/2013/09/12/5s-fingerprint-scanner)
which someone linked elsewhere in this discussion:

" And like the sensor in the iPhone 5S, the sensors ... can detect the ridge
and valley pattern of your fingerprint not from the layer of dead skin on the
outside of your finger (which a fake finger can easily replicate), but from
the living layer of skin under the surface of your finger, using an RF signal.
This will protect you from thieves trying to chop off your finger when they
mug you for your phone (assuming they’re tech-literate thieves, of course), as
well as from people with fake fingers using the fingerprint they lifted from
your phone screen."

------
rashthedude
Cable salad is healthy.

------
JoachimS
(Huge discussion here - let's add to it. ;-)

There are several things here that people in the discussion seem to miss or
confuse. I've been working with biometrics and can at least try to clear
things up.

For authentication (and identification) of a user we have three types of
information: things you have (a hard token generator), things you know
(password) and things you are (shape of face, gait, voice, pattern in the
iris, arteries in the back of the eye, hand, DNA. And fingerprints). Measuring
"what you are" info and using it is called biometrics.

For good security we normally want to have a combination of at least two of
the types. OpenID using for example a Yubikey is a good example.

The good thing with biometrics is that the user always carries the info needed
with him/her. There are a few drawbacks though:

(1) The information is not very stable. It changes during the lifetime of the
user. Sometimes it can be pretty rapid.

(2) The information is not very unique. Some types of biometrics are better
than others. There are also differences in informational quality between
individuals and ethnic groups. Depending on the type of biometrics we get
anything from a few bits to a few tens of bits. This means that it is not
better than a good password that is 8 characters or more, but as good as or a
bit better than a normal PIN code.

(3) The information is not under the user's control and can't readily be
replaced. _This_ is one thing many here and elsewhere seem to have missed in
the CCC announcement. The point is that you as a user can't decide at any
given time that you don't trust your token anymore, invalidate it and get a
new token. That is why biometrics is foremost a tool _for others_ to identify
you (passports, forensics).

The reason fingerprint based biometrics is so popular (compared to other types
of biometrics) is that it is possible to build compact, cheap sensors that are
pretty easy to use and are simple to integrate into digital systems.

All types of biometrics are fuzzy. We normally talk about False Acceptance
Rate (FAR), that is how often we accept a biometric ID as valid when in fact
it is not. And correspondingly we have False Rejection Rate (FRR), where a
valid ID is rejected. Good biometric systems have FAR, FRR under 10%. But for
a busy airport there are still quite a few mistakes during a day.

The way a fingerprint based biometric system normally works is that you have a
sensor that creates an image (256 levels of gray scale or similar). The
image is then processed (differential filters etc.) followed by feature
extraction. The features are called minutiae:

[https://en.wikipedia.org/wiki/Minutiae](https://en.wikipedia.org/wiki/Minutiae)

Typically whorls, and places where lines end, merge or split. Normally we find
8, 10, 15 or a few more good minutiae in the image. Based on the location of
the minutiae we create a graph.

The graph is then stored (if registering a user - called enrollment) or
compared to stored graphs. And here comes the fuzziness. The graph will not be
similar so we simply can't do a SHA-1 digest and match. The graph will be
rotated, scaled, stretched, have fewer or more points. Basically fuzzy
congruence matching with threshold.

The feature extraction can be done directly in the sensor. But in the case of
TouchID I don't think so. Apple bought Authentec, and their area sensors (which
can capture a whole image directly; sweep sensors detect movement of a finger
over the sensor, estimate speed and stitch image slices together) simply
delivered a raw image. This means that the filtering, feature extraction and
matching is done inside the A7.

Apple has touted the security of the processing. Basically it is ARM
TrustZone, used in several other devices.

[http://www.arm.com/products/processors/technologies/trustzon...](http://www.arm.com/products/processors/technologies/trustzone.php)

TZ is good, but there have been attacks published. And there is nothing that
says that Apple has not added a read port from the untrusted enclave into the
memory of the trusted enclave. For efficient debug reasons, for example.

So. Biometrics is fuzzy and will give false acceptance (as the main problem;
rejection is less of a problem). There is quite probably an image available in
the A7 and we really don't know if it and/or the graph database is in fact
accessible.

When it comes to the CCC attack - we simply don't know if they tried lower
resolution before ending up with 2400 dpi. I wouldn't be surprised if it works
(at least sometimes - fuzziness again) with lower resolution. Also, attacks
always get better. I'm prepared to bet a good IPA that someone within 2 years
will show how he/she can unlock a 5S just by smartly pressing on the home
button while breathing on it to activate residue as a fingerprint. It has been
done with area sensors such as Authentec's before.

TouchID is good if it makes users without a PIN use it. But if it gets users
with PINs to stop using PINs, it is not as good. What would be great is if we
could combine TouchID with a PIN or password. All the time.

I hope all this explains a few things. And remember, once again, the main
problem with biometrics is that it can't be changed at will by the user. Good
for others, less so for the user.
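
The minutiae-graph matching described in the post above (extract minutiae,
build a point set, find a rotation/translation that makes two sets roughly
congruent, count matches under a tolerance, compare the score to a threshold,
and measure FAR/FRR over genuine and impostor comparisons) as an added,
deliberately simplified example. This is not code from the post, from Apple or
from Authentec; the `Minutia` class, `match_score`, `far_frr`, the tolerances
and every sample minutia set are constructed assumptions for illustration.

```python
"""Toy minutiae matcher: fuzzy congruence matching with a threshold.

Added example, not from the post. All names and sample data are assumptions.
"""
import math
from dataclasses import dataclass
from itertools import product

TWO_PI = 2 * math.pi


@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    theta: float  # ridge direction at the minutia, in radians
    kind: str     # "ending" or "bifurcation"


def transform(m: Minutia, dx: float, dy: float, rot: float) -> Minutia:
    """Rotate m about the origin by rot, then translate by (dx, dy)."""
    c, s = math.cos(rot), math.sin(rot)
    return Minutia(c * m.x - s * m.y + dx, s * m.x + c * m.y + dy,
                   (m.theta + rot) % TWO_PI, m.kind)


def angle_diff(a: float, b: float) -> float:
    """Smallest absolute difference between two angles in radians."""
    d = abs(a - b) % TWO_PI
    return min(d, TWO_PI - d)


def count_matches(ref, probe, dx, dy, rot, dist_tol=10.0, ang_tol=math.radians(15)):
    """Apply one alignment hypothesis to the probe and count minutiae that land
    within distance/angle tolerance of an unused reference minutia of the same kind."""
    used, n = set(), 0
    for p in probe:
        t = transform(p, dx, dy, rot)
        for i, r in enumerate(ref):
            if i in used or r.kind != t.kind:
                continue
            if (math.hypot(r.x - t.x, r.y - t.y) <= dist_tol
                    and angle_diff(r.theta, t.theta) <= ang_tol):
                used.add(i)
                n += 1
                break
    return n


def match_score(ref, probe) -> float:
    """Treat every (ref, probe) pair of the same kind as an alignment hypothesis
    (rotation from the ridge directions, translation from the positions), keep the
    hypothesis with the most matches, and normalise to [0, 1]. There is no exact
    equality anywhere, which is why a hash of the template cannot be used."""
    if not ref or not probe:
        return 0.0
    best = 0
    for r, p in product(ref, probe):
        if r.kind != p.kind:
            continue
        rot = r.theta - p.theta
        c, s = math.cos(rot), math.sin(rot)
        dx = r.x - (c * p.x - s * p.y)
        dy = r.y - (s * p.x + c * p.y)
        best = max(best, count_matches(ref, probe, dx, dy, rot))
    return 2 * best / (len(ref) + len(probe))


def far_frr(genuine_scores, impostor_scores, threshold):
    """FAR: impostor comparisons accepted; FRR: genuine comparisons rejected."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


# Constructed enrolled template: 10 minutiae in a 100x100 px area.
TEMPLATE = [
    Minutia(20, 15, 0.3, "ending"), Minutia(45, 22, 1.1, "bifurcation"),
    Minutia(70, 18, 2.0, "ending"), Minutia(30, 40, 0.8, "bifurcation"),
    Minutia(55, 45, 2.6, "ending"), Minutia(80, 50, 1.5, "bifurcation"),
    Minutia(25, 70, 3.0, "ending"), Minutia(50, 75, 0.4, "ending"),
    Minutia(75, 80, 2.2, "bifurcation"), Minutia(60, 95, 1.8, "ending"),
]

# Constructed per-minutia measurement noise (px, px, rad) for a second touch.
JITTER = [(1.0, -0.5, 0.02), (-1.2, 0.8, -0.03), (0.5, 1.1, 0.01), (-0.8, -1.0, 0.04),
          (1.3, 0.2, -0.02), (0.0, -1.4, 0.03), (-0.6, 0.9, -0.04), (1.1, 1.2, 0.0)]


def genuine_probe(template):
    """Same finger, placed rotated and shifted, two minutiae missed, two spurious."""
    probe = []
    for m, (jx, jy, jt) in zip(template[:8], JITTER):
        t = transform(m, dx=-18, dy=11, rot=-0.35)
        probe.append(Minutia(t.x + jx, t.y + jy, (t.theta + jt) % TWO_PI, t.kind))
    probe.append(Minutia(10, 90, 2.5, "bifurcation"))  # spurious, e.g. from a smudge
    probe.append(Minutia(90, 10, 0.9, "ending"))
    return probe


# Constructed different finger: unrelated point set.
IMPOSTOR = [
    Minutia(12, 88, 2.9, "bifurcation"), Minutia(33, 60, 0.2, "ending"),
    Minutia(48, 12, 1.7, "bifurcation"), Minutia(66, 66, 2.4, "ending"),
    Minutia(85, 30, 0.6, "ending"), Minutia(18, 35, 1.3, "bifurcation"),
    Minutia(40, 90, 2.8, "ending"), Minutia(72, 92, 0.9, "bifurcation"),
    Minutia(92, 78, 1.9, "ending"), Minutia(58, 38, 3.1, "ending"),
]

if __name__ == "__main__":
    g = match_score(TEMPLATE, genuine_probe(TEMPLATE))
    i = match_score(TEMPLATE, IMPOSTOR)
    print(f"genuine score {g:.2f}, impostor score {i:.2f}")
    print("FAR, FRR at threshold 0.5:", far_frr([g], [i], 0.5))
```

The genuine probe scores 0.8 (8 of 10 minutiae matched after the matcher
recovers the rotation and shift), while the impostor only ever gets the one
minutia that every alignment hypothesis pins by construction plus the odd
coincidence, so a threshold around 0.5 separates them. Lowering `dist_tol` and
`ang_tol` pushes FAR down and FRR up; that trade-off, not any exact comparison,
is what the FAR/FRR figures in the post describe.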

------
rickjames28
_" Biometrics is fundamentally a technology designed for oppression and
control, not for securing everyday device access."_

Yes

~~~
geoffmacdonald
lol @ "oppression and control". Go back to your conspiracy theory cave.
Apple didn't have this in mind, they simply set out to solve a problem.

------
goggles99
Not really anything new here. This was done a decade ago when biometrics were
shown to be a weak form of authentication/verification. Still, the iPhone
scanner is a deterrent and thus adds value.

------
cremnob
Overall security will be increased because of Touch ID because most people
don't use a passcode at all.

------
Siecje
He is still using his finger behind the tape....

~~~
zenbit
He is not using the same finger.

------
2muchcoffeeman
Despite all the claims of how insecure this is, I've just checked a bunch of
my stuff. I cannot find a single clear print. There are a few smudged prints
on my laptop and coffee cup. My phone is just smudges all over.

So what is a realistic way to clandestinely grab a print?

~~~
_ak
The CCC previously published a German minister's fingerprint. They acquired it
by lifting a water glass he had used at a public event.
[http://www.edri.org/edrigram/number6.7/fingerprint-schauble](http://www.edri.org/edrigram/number6.7/fingerprint-schauble)

~~~
2muchcoffeeman
This doesn't really translate to an everyday attack vector.

They had to have served the minister a drink that would not cause
precipitation to form on the surface of the glass and specifically target him.
Then you need to actually process the print.

A better measure would be how easy it is to lift a usable print from a crime
scene. But even this has problems. You need to target a person to know whose
prints you have.

If you just randomly pickpocket a phone, how do you get the print? How do you
identify which finger was used? You need to get lucky or get 10 good prints.

I agree with others. The real question here is, "Is this better than no
password?" I think the answer is, yes.

------
yeukhon
I am not impressed by this so-called hack at all. This is like people
expecting encryption to solve authenticity, integrity and confidentiality
all together by doing c = E(p,k). We want to see a real hack, as in actually
bypassing the system without any fingerprint, or a way to forge a fingerprint.

