
iPhone 6 TouchID hack - cjunky
https://blog.lookout.com/blog/2014/09/23/iphone-6-touchid-hack/
======
r00fus
The details are completely the same as the last time the author hacked TouchID
on the 5S [1]. From that article:

"Next you have to “lift” the print. This is the realm of CSI. You need to
develop the print using one of several techniques involving the fumes from
cyanoacrylate (“super glue”) and a suitable fingerprint powder before
carefully (and patiently) lifting the print using fingerprint tape. It is not
easy. Even with a well-defined print, it is easy to smudge the result, and you
only get one shot at this: lifting the print destroys the original."

The most interesting thing about the new article is learning that the iPhone 6
TouchID sensor is more accurate and scans a bigger part of your finger. That's
good to hear.

I can only agree with the author that TouchID is mostly "good enough"
security, but it'd be really great to have "enterprise-class" security by
simply allowing 2-factor auth including TouchID + passcode.

I may be a bit naive, but I don't see Apple being able to reconstruct your
physical fingerprint from the info they store in the Secure Enclave - I see it
more as a one-way function, and if it never leaves the device, then it seems
safe to be collected.

[1] [https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/](https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/)

~~~
higherpurpose
> then it seems safe to be collected

At least until the myriad of iPhone data extraction tools being sold to the
police find a way to extract that, too. This one is apparently already
compatible with iOS 8:

[http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner](http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner)

And from what I've noticed, Apple is pretty quiet about fixing the vulnerabilities
that these kinds of tools use (i.e. the kind of vulnerabilities that need your
phone to work - which is exactly the kind of power someone like the police
has).

~~~
sujal
Where do you see iOS 8 compatibility? It's not mentioned on the features page.

------
lukeman
> "Sadly there has been little in the way of measurable improvement in the
> sensor between these two devices."

Oh, gosh. That stinks.

> "_Another sign that the sensor may have improved is the fact that slightly
> “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone
> 6._ To fool the iPhone 6 you need to make sure your fingerprint clone is
> clear, correctly proportioned, correctly positioned, and thick enough to
> prevent your real fingerprint coming through to confuse it. _None of these
> are challenging details for a researcher in the lab, but are likely to make
> it a little bit harder for a criminal to just “lift your fingerprint” from
> the phone’s glossy surface and unlock the device._"

Wait, so that isn't a measurable improvement?

iOS 8 still requires your passcode after a reboot, so you can certainly force
a temporary timeout if you'd like.

I think some advanced timeout stuff could be useful, but I wish we could try
and have a bit more optimism that regular people are now excited about having
an encrypted phone. The rest of us carrying state secrets and nude selfies can
certainly still trade off that convenience for a potentially more secure phone.

~~~
micampe
There is a fixed timeout: iOS (both 7 and 8) will ask for the passcode if you
haven’t unlocked it for 48 hours.
[http://support.apple.com/kb/HT5949](http://support.apple.com/kb/HT5949)

------
deedubaya
I foresee more devices being 'hacked' via pin codes being simple and/or
written down than by someone lifting a finger print.

How secure is secure enough? The weak spot is, and always will be, the human
aspect.

~~~
dkrich
Completely agree and was going to make this same point. The PIN system is a
lot easier to "hack" considering that all numerical layouts are the same and
all PINs are four digits. Thus you only have to see the area in which they
are touching the screen to get something close to, if not exactly, the
correct PIN.

Same goes for the Android swipe pattern system except that if you turn off the
pattern display it is much more difficult to detect since length and pattern
can vary. However, on two separate occasions people have noted to me that they
"now know my pattern" despite my being fairly fast and subtle with how I
entered it.

All things considered, I think finger prints are much more secure for most
people.

~~~
lukeman
I haven't tried resetting mine, but allegedly with iOS 8 they're no longer
defaulting to the 4-digit simple PIN.

~~~
zippergz
It still defaulted to a simple PIN on my iOS 8 devices (including a new iPhone
6). But yes, it is of course possible to change the setting to allow a more
complex password.

------
ghshephard
I've often wondered why Apple won't allow you to enter a 4 digit PIN with your
touch ID. I would think that two-factor is better than just a thumbprint.

~~~
cjunky
I completely agree.

While two factor auth is probably overkill for just unlocking a device to many
people, I would like to at least have the option.

One of my concerns is that if your device is ever taken by an organization
that has the ability to demand your fingerprints, then they can quite easily
unlock your device, negating any encryption.

Also, while I think it's unlikely right now for criminals to make fake
fingerprints in order to steal financial transactions, it's a flaw, and ApplePay
is going to financially motivate those criminals to look into ways to refine
the process and make it easier to do.

~~~
pilif
Turn your phone off before crossing a border. Put the wrong finger on the
sensor five times in quick succession when you are asked to hand over your
phone and you don't get a chance to turn it off.

In both cases, the phone will require a passphrase for unlocking (if you
configure one as opposed to just a simple code, of course).

Having a really long passphrase and the ability to very quickly render the
fingerprint reader useless is a huge improvement in security over previous
TouchID-less phones.

Having to both type a code and use my fingerprint (in that case, in addition
to a very long passphrase, which would be difficult to explain to users how
that works) would be very annoying, at least for me.
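The three fallback rules mentioned across this thread (passcode required after a reboot, after 48 hours without an unlock, and after five failed fingerprint attempts) can be written down as a small state machine. The following is an added illustration, not Apple's code and not from any of the commenters; the thresholds come from the comments, and the exact semantics (for instance that a successful fingerprint unlock restarts the 48-hour clock, and that the counter resets on any successful unlock) are assumptions made for the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model (not Apple's implementation) of the lock-screen fallback
# rules described in the thread: the passcode is required after a reboot,
# after 48 hours without an unlock, and after five failed fingerprint
# attempts. Thresholds are those quoted in the comments; the rest is assumed.
BIOMETRIC_WINDOW = timedelta(hours=48)
MAX_FAILED_BIOMETRIC = 5

T0 = datetime(2014, 9, 23, 9, 0)  # constructed reference time for the scenarios


def after(hours: float) -> datetime:
    """Timestamp `hours` after T0 (helper for scenarios and tests)."""
    return T0 + timedelta(hours=hours)


@dataclass
class LockState:
    # None means no successful unlock since boot: passcode-only until then.
    last_unlock: Optional[datetime] = None
    failed_biometric: int = 0

    def reboot(self) -> None:
        """After a restart the device starts in the passcode-only state."""
        self.last_unlock = None
        self.failed_biometric = 0

    def passcode_required(self, now: datetime) -> bool:
        """True when the fingerprint sensor must not be accepted."""
        if self.last_unlock is None:
            return True
        if now - self.last_unlock > BIOMETRIC_WINDOW:
            return True
        return self.failed_biometric >= MAX_FAILED_BIOMETRIC

    def try_fingerprint(self, now: datetime, matched: bool) -> str:
        if self.passcode_required(now):
            return "passcode_required"
        if matched:
            self.failed_biometric = 0
            self.last_unlock = now  # assumption: any unlock restarts the clock
            return "unlocked"
        self.failed_biometric += 1
        if self.failed_biometric >= MAX_FAILED_BIOMETRIC:
            return "passcode_required"
        return "denied"

    def enter_passcode(self, now: datetime, correct: bool) -> str:
        if correct:
            self.failed_biometric = 0
            self.last_unlock = now
            return "unlocked"
        return "denied"


def scenario_wrong_finger() -> list:
    """Five mismatches in a row disable the sensor; even the owner's real
    finger is then refused until the passcode is entered."""
    s = LockState()
    s.enter_passcode(T0, correct=True)  # owner unlocked earlier in the day
    results = [s.try_fingerprint(after(1), matched=False) for _ in range(5)]
    results.append(s.try_fingerprint(after(1), matched=True))
    return results


def scenario_timeout() -> dict:
    """The 48-hour window and the reboot rule."""
    s = LockState()
    s.enter_passcode(T0, correct=True)
    out = {"at_47h": s.try_fingerprint(after(47), matched=True)}  # inside window
    out["at_96h"] = s.try_fingerprint(after(96), matched=True)    # 49h later: expired
    s.enter_passcode(after(96), correct=True)
    s.reboot()
    out["after_reboot"] = s.try_fingerprint(after(96.1), matched=True)
    return out
```

The point the model makes explicit is that the fingerprint only ever extends a session that a passcode entry started, so the strength of the passcode, not the sensor, is what bounds the attacker once any of the three fallbacks has fired.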

~~~
r00fus
Even simply disabling "simple passcode" and using an equivalently simple
alphanumeric passcode makes the task a lot more difficult for the brute-force
cracker.

In fact, if you look at one of the cracking tools that law enforcement is
known to use [1], iOS 8 looks to have made things more difficult:

"iOS 8

Currently under version 4.0 Advanced logical extraction will extract less data
compare to previous iOS versions."

[1] [http://releases.cellebrite.com/releases/ufed-release-notes-4-0.html](http://releases.cellebrite.com/releases/ufed-release-notes-4-0.html)

------
gergles
This is neat, but movie-plot threat territory. Far more dangerous to actual
security on iPhones is that airplane mode can be enabled from the lock-screen
"Control Center" by default.

This basically means if somebody wants to steal your iPhone, the first thing
they're gonna do is swipe up, turn on Airplane mode, and lock you out of using
Find my iPhone to find or lock it. They can wait until they get to a chop shop
or anything else, by which point they'll have their money, meaning that
they'll still be incentivized to steal iPhones.

You can disable this 'feature' (control center from the lockscreen) in
Settings, and I think we should spend way more time advertising that than
worrying about whether it is possible for someone working in a lab to use
latent prints to unlock your phone. In the time it's going to take them to do
that, hopefully you can get somewhere to lock the phone online - but if the
villain disables your ability to remotely brick the device, that's way more
worrisome to me.

~~~
calebm
They could also simply power off the iPhone or put it in a Faraday cage.

------
chandraonline
Good hack but not losing sleep over it. Relevant XKCD:
[http://www.xkcd.com/538/](http://www.xkcd.com/538/)

------
lazyloop
Fingerprints are your username, not your password. Apple should really know
better.

------
axx
He's kinda late to the party: CCC (Chaos Computer Club) members already hacked
TouchID last year [1] and broke it again this year (09.19.14) [2].

[1] [http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)

[2] [http://www.heise.de/newsticker/meldung/Fingerabdrucksensor-des-iPhone-6-ueberlistet-2399891.html](http://www.heise.de/newsticker/meldung/Fingerabdrucksensor-des-iPhone-6-ueberlistet-2399891.html) (German)

If you ask me, it's really a shame (security-wise), BUT having a kind-of-secure
TouchID is WAY better than having absolutely no security (I assume
that people that didn't use any passcode now use TouchID).

We (and Apple) need to educate people that it's not the perfect and
completely secure solution.

~~~
sp332
First two sentences of this article: _Last year, when the iPhone 5S was
released, I showed how you could hack its fancy new TouchID fingerprint
sensor. A year and one iPhone 6 later, I’ve done it again._ Obviously neither
of those links mention the iPhone 6, which is the whole point of this article.

~~~
cjunky
+1

