
Why I Hacked Apple’s TouchID and Still Think it is Awesome - signa11
https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/
======
guygurari
> If you use your thumb to unlock it, the way Apple designed it, then you are
> looking for the finger which is least likely to leave a decent print on the
> iPhone.

This is my main takeaway. I suspect the vast majority of iPhone users either
do not secure their phone at all, or use a 4-digit PIN, and therefore are not
protected against targeted attacks anyway. Touch ID can improve security for
these users.

My main reason for protecting my phone is to prevent a scenario where it gets
stolen, and the thief can access my data with reasonable effort. My secondary
reason is to protect against snoopy acquaintances. A 4-digit PIN marginally
achieves these goals: a typical thief is locked out, but a more sophisticated
one can easily brute-force my code using commercially available tools.

What if I use Touch ID instead? It is very likely that a thief will not know
who I am, and therefore will not be able to go around lifting my fingerprints.
They might, however, try to lift prints off my phone. The way to protect
against this is to only unlock the phone using my thumbs, because (per TFA)
there are typically no good thumb prints on the phone itself. If I do this,
then I will in fact be more protected than I would be using a 4-digit PIN.

A couple of caveats. After 5 rejected attempts the iPhone will fall back to
asking for a PIN. It is therefore advisable to set a strong (longer than 4
digits) PIN here. Second, this of course may change if the 'secure enclave'
that stores the fingerprint hashes gets hacked.

TL;DR: If you only use your thumbs to unlock your iPhone, Touch ID currently
provides better security against typical threats than a 4-digit PIN.

~~~
casca
Please know that the 4-digit pin is easily removed by someone with non-
specialist tools that are widely available. Touch ID is too new to assess
whether this is also the case for the new iPhone, but it's quite possible that
there is a sufficiently clear fingerprint on the screen of your device already
for reuse.

__UPDATE__ For more detail about how this is done, have a look at the current
releases of jailbreaking tools. The general method is to perform a temporary
jailbreak which allows the ability to SSH into the device and dump all the
data.

~~~
dan1234
> Please know that the 4-digit pin is easily removed by someone with non-
> specialist tools that are widely available.

Got a credible source for this?

~~~
hrrsn
I've used msftguy's SSH ramdisk tool plus the iphone-dataprotection tools on
Google Code. Takes about 20 minutes maximum to bruteforce the 4 digit PIN.

What the poster doesn't mention is that this only works on devices with iBoot
bootloader exploits, which is currently the A4/iPhone 4 and lower. The 4S, 5,
5S, 5C etc are all safe from this.

~~~
mitchty
Additionally, it's rather easy to switch your lock password to be regular text.

Good luck guessing the length and the passphrase I use to lock my phone now
when the keyboard comes up.

~~~
hrrsn
True, but you can still access files on the device even with a complex
passcode using the SSH ramdisk tool.

~~~
mitchty
Doesn't that require the phone to have been jailbroken?

------
chrislomax
I'll be honest, I never saw finger print scanning as the next security
measure, it was always about convenience to me. It's the same with PIN
numbers, all someone has to do is stand next to you to see your PIN number and
they are good to go.

True security comes from multiple layers of security, where the question
changes randomly but you still know what the end result will be, much like a
bank does when signing in.

When things become easier, it only remains easy to get in to it. The reason it
isn't so easy right now is because it hasn't had to be so widely available.
When TouchID becomes more popular, you will read more stories on how people
have found easier ways of cracking it.

It's all about convenience. If you want security then it's TouchID from 5
fingers + 8 digit pin + your first dog's girlfriend's name.

~~~
banimod
And the dog's not talking.

------
zeroDivisible
Putting all the TouchID sucks / TouchID is great questions aside, can somebody
help me understand how Apple (supposedly) is calculating a hash of a
fingerprint and storing that hash in the phone, not the real fingerprint?

As I understand correctly, the purpose of a hashing function is to create
totally different output even on a very minor change in the input data, which
wouldn't work that great with fingerprints... or are they just using a clever
hashing function which tries to somehow normalise the data before hashing
them?

~~~
modernerd
There is a lot of detail in Authentec's 'Spot-based finger biometric
processing method' patent application here if you're interested:
[http://www.patentgenius.com/patent/7787667.html](http://www.patentgenius.com/patent/7787667.html)

In short, they store a number of unique sub-regions of each 'enrollment' (a
reading resulting in pixel data). These sub-regions – called 'spots' – can
then be hashed and matched against future enrollments to provide a correlation
score.
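Added example, not part of the thread and not AuthenTec's or Apple's code: a toy Python model of the two points above. Hashing a raw reading with SHA-256 changes the digest completely under a one-pixel shift plus sensor noise (zeroDivisible's avalanche concern), whereas a template built from a few high-variance sub-regions ("spots") still matches a noisy re-read of the same finger via normalised cross-correlation searched over a small neighbourhood, and rejects a different finger. The constructed images, spot size, search radius, noise model and the 0.75 threshold are all assumptions; the template keeps raw spot pixels and skips the hashing of spots the patent describes.

```python
"""Toy model: avalanche of a cryptographic hash vs. tolerant spot matching.
All data is constructed; this is an illustration, not AuthenTec's method."""
import hashlib
import random

SIZE = 24        # constructed "sensor": SIZE x SIZE grayscale image
SPOT = 6         # side length of a square sub-region ("spot")
RADIUS = 2       # search +/- RADIUS pixels around a spot's enrolled position
N_SPOTS = 6      # spots kept in the template (highest variance)
THRESHOLD = 0.75 # assumed accept threshold on the mean correlation score


def make_reading(seed):
    """Constructed finger: deterministic pseudo-random texture per seed."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(SIZE)] for _ in range(SIZE)]


def reread(img, seed, amplitude=12):
    """Second touch of the same finger: one-pixel shift plus sensor noise."""
    rng = random.Random(seed)
    out = [[0] * SIZE for _ in range(SIZE)]
    for y in range(SIZE):
        for x in range(SIZE):
            src = img[y][min(x + 1, SIZE - 1)]
            out[y][x] = max(0, min(255, src + rng.randint(-amplitude, amplitude)))
    return out


def digest(img):
    """SHA-256 over the raw pixel bytes: any change flips ~half the bits."""
    return hashlib.sha256(bytes(v for row in img for v in row)).digest()


def differing_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def patch(img, y, x):
    return [img[y + j][x + i] for j in range(SPOT) for i in range(SPOT)]


def ncc(a, b):
    """Normalised cross-correlation (Pearson) of two equal-length patches."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    da = sum((p - ma) ** 2 for p in a) ** 0.5
    db = sum((q - mb) ** 2 for q in b) ** 0.5
    return 0.0 if da == 0 or db == 0 else num / (da * db)


def enroll(img):
    """Template = the N_SPOTS highest-variance spots plus their positions.
    Candidate windows stay RADIUS pixels from the edge so the later search
    never leaves the image."""
    cands = []
    for y in range(RADIUS, SIZE - SPOT - RADIUS + 1, SPOT):
        for x in range(RADIUS, SIZE - SPOT - RADIUS + 1, SPOT):
            p = patch(img, y, x)
            m = sum(p) / len(p)
            var = sum((v - m) ** 2 for v in p) / len(p)
            cands.append((var, y, x, p))
    cands.sort(reverse=True)
    return [(y, x, p) for _, y, x, p in cands[:N_SPOTS]]


def score(template, img):
    """Mean over spots of the best correlation found within +/- RADIUS."""
    best = []
    for y, x, p in template:
        best.append(max(ncc(p, patch(img, y + dy, x + dx))
                        for dy in range(-RADIUS, RADIUS + 1)
                        for dx in range(-RADIUS, RADIUS + 1)))
    return sum(best) / len(best)


def verify(template, img):
    return score(template, img) >= THRESHOLD


if __name__ == "__main__":
    finger = make_reading(1)
    again = reread(finger, 2)       # same finger, noisy re-read
    other = make_reading(3)         # a different finger
    print("hash bits differing (same finger):",
          differing_bits(digest(finger), digest(again)), "of 256")
    tmpl = enroll(finger)
    print("spot score, same finger :", round(score(tmpl, again), 3), verify(tmpl, again))
    print("spot score, other finger:", round(score(tmpl, other), 3), verify(tmpl, other))
```

The threshold is the whole trade-off: lowering it admits more impostor prints, raising it rejects more genuine touches, which is the same false-accept/false-reject balance a real sensor vendor tunes.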

------
jrochkind1
> _Next you have to “lift” the print. This is the realm of CSI. You need to
> develop the print using one of several techniques involving the fumes from
> cyanoacrylate..._

Hmm, other people seem to have demonstrated an 'attack' that uses ordinary
photography to capture the print, and a much simpler process to reproduce it
than the one described in OP too.

Here's an article about that:
[http://www.forbes.com/sites/andygreenberg/2013/09/22/german-hackers-say-theyve-broken-the-iphones-touchid-fingerprint-reader/](http://www.forbes.com/sites/andygreenberg/2013/09/22/german-hackers-say-theyve-broken-the-iphones-touchid-fingerprint-reader/)
(An article about those Germans was posted on HN a few days ago, which is how I
know about it; not sure if it was this same article.)

OP may be right that TouchID is an appropriate level of security for many
users/usecases. All security is tradeoffs, none is unattackable.

But OP seems to be over-estimating the amount of work it takes to reproduce
the fingerprint, according to the Germans.

Additionally, if phones locked only with TouchID become common, I would expect
criminal networks to develop and share standardized processes and devices to
do it, lowering the barrier further.

~~~
sesqu
The author did mention the laser printer technique, but decided to go for
etching instead. Maybe because they didn't have a laser printer. The greatest
difference to me was lifting the print with special tape, guarding against
distortions but risking smudging.

It was clearly a bunch of work, but measured in hours.

------
ateevchopra
The first rule they teach at "Hacking" class is "Nothing is 100% secure, and
never will be". So this should not be any surprise that iPhone touch id gets
hacked. So instead of thinking how to "100% secure" a product, we should focus
that how to make it x% more secure than before. And that's what awesome
engineers at Apple did. So we should be happy that instead of copying
someone else's devices, there are some engineers that are really into
improving what is already there.

~~~
danieldk
I think most people who are upset about this at the very least realize that a
4-digit PIN is not much, if any, better. People are probably annoyed by Apple's
marketing mumbo jumbo about scanning sub-epidermal skin layers, etc.,
while (as shown) it is not that much better than existing fingerprint
scanners.

~~~
hyperpape
Well, the guys who hacked it said you did need a higher resolution
picture/duplicate of the print, which may not be that big of a deal, but it is
an improvement.

------
gregorkas
I still think that they didn't "Hack" the TouchID as they claim. Faking a
finger print is one thing, but truly hacking it is completely another.

Imagine a scenario in which you find an iPhone (or "borrow" it) - how do you
unlock it without knowing the owner and having access to their fingerprints?
You don't, not with this "hack".

A cool demonstration of the fingerprint lifting technique though.

~~~
grey-area
Glass is a good surface for lifting fingerprints from, and the phone itself is
likely to have multiple fingerprints of the user on it, but even if not it's
not too hard to get fingerprints from someone without their knowledge.

~~~
madeofpalk
I believe the article mentions that the iPhone is a relatively poor surface to
obtain fingerprints from because there's an extremely high chance they would
already be smudged.

~~~
grey-area
Thanks, just gone to read it. I think they do show up sometimes though - look
at this video when they turn the screen off:

[http://www.youtube.com/watch?v=HM8b8d8kSNQ](http://www.youtube.com/watch?v=HM8b8d8kSNQ)

Several very clear fingerprints are visible on the glass.

------
exodust
Hope Apple doesn't try to own "fingerprint sensors in phones". Pretty sure the
tech is up for grabs?

I like my Galaxy S4, but I wouldn't mind easier phone unlocking. Even better
than fingerprinting, I wish I could draw an unlock pattern in the shape of
whatever I wanted, a higher resolution pattern with visible brushstroke.
Subtle unlock patterns would then be possible. You'd need a good algorithm to
allow some difference in the reproduced pattern, while remaining high
resolution enough to provide thousands more combinations than 4 digit pins.

Paint to unlock - that's what I need, if anyone wants to make that as an app
for Android, I'd buy it for a dollar!

~~~
gerad
Hasn't Android had pattern unlock forever?

[http://www.topdollarmobile.us/blog/android_unlock_pattern](http://www.topdollarmobile.us/blog/android_unlock_pattern)

------
Tichy
"If you use your thumb to unlock it, the way Apple designed it, then you are
looking for the finger which is least likely to leave a decent print on the
iPhone."

If the issue is smudgy prints, I wonder if some image processing could improve
results.

------
rbcgerard
Why do I need a password on my phone? 1. If it gets stolen or lost I can be
assured my data is safe. 2. From law enforcement (if I get pulled over for
speeding or arrested for "disorderly conduct" there is no reason they need
access to my work emails, photos, etc). 3. From snooping/mischievous kids,
wives, friends, girlfriends etc.

The fingerprint scanner only protects from #1, and is worse for 2 & 3 (the
police just put my finger on the phone, and my girlfriend just waits until I'm
asleep to put my phone on my finger... My overall security has gone down
considerably for a modest gain in convenience

~~~
thelambentonion
I feel like the probability of the 'average' user having his/her phone stolen
is much greater than that of being compelled to unlock his/her phone by police
or a significant other.

While I would prefer two-factor authentication with TouchID, I still feel like
this implementation protects the user from the lowest common denominator (i.e.
petty theft).

------
pcl
I use my thumb with my iPhone all the time. In fact, the main thing that kept
me from switching to an Android phone last summer was the discomfort I
experienced trying to reach the edges of the screen on the devices I tried
out.

------
edwintorok
The webfont for that site looks awful in Firefox 24, all the 'r' and 'g'
letters are cut in half:
[http://www.pasteall.org/pic/show.php?id=59766](http://www.pasteall.org/pic/show.php?id=59766)

If I zoom in or out it looks normal, so probably something wrong with hinting
in the font (or a bug in firefox?) FWIW it looks normal in Chromium.

~~~
ubernostrum
Here's what I see in Aurora (26) on Mac, no zooming or anything:

[http://i.imgur.com/wlfEBHC.png](http://i.imgur.com/wlfEBHC.png)

So even if there is a bug, it's apparently been fixed :)

~~~
edwintorok
Tried Firefox 25 beta and 26 aurora from the site on Linux, with same bad
rendering. Perhaps it renders things differently on the Mac, or uses different
versions of libraries there.

I have used 'Help->Submit feedback' to report it, is this the preferred way to
report website issues, or are bugzilla entries better?
[https://input.mozilla.org/en-US/dashboard/response/3983188](https://input.mozilla.org/en-US/dashboard/response/3983188)

------
drill_sarge
Fingerprint readers were always a joke and unreliable. Like on old IBM
Thinkpads. Nobody used them, people "hacked"/fooled them easily. I was
surprised that Apple brought them back, probably just for convenience
reasons.

~~~
CervezaPorFavor
I'd say this is probably the first time it's done right on a popular computing
device (to my knowledge). Previous fingerprint scanners always required the
finger swipe gesture, which was frustratingly difficult to get right.

Just like the pattern lock (or face unlock and its variations) on Android
phones, the idea is to encourage users to have at least some protection.

As an Android phone user, I hope to see this being adopted by the Android
manufacturers (and I hope the Apple camp would shut up about people copying
their idea).

------
glomph
I think it is kind of shocking how much brand dominance apple has.

Loads of companies used fingerprint readers and it was a conversation for a
few days at most. This has had an article on hn every day for at least a week.

~~~
saturdaysaint
This was exactly the rap Apple got when they released a touchscreen phone.
Then, when it was released, people grudgingly attributed its superior
responsiveness to the fact that it used a capacitive touch screen. 4 years
later, their major competitor is still introducing improvements (Project
Butter) to get their OS/devices in the ballpark of the responsiveness of years
old devices. And their touchscreen latency is still markedly superior as shown
in benchmarks.

I use fewer and fewer of their products, but to me it's shocking how much of
Apple's success is still attributed to brand and marketing - I don't know how
you could argue that anyone else is the gold standard for hardware/software
integration in consumer devices. If anything, their marketing _glosses over_
the exacting level of fit and finish that obviously go into these things.

------
martin-adams
Am I the only one thinking that touchscreens are fingerprint magnets? I mean,
you lose your phone, I wonder what the likelihood is that the print needed to
unlock is right there on the phone itself.

~~~
jasonlotito
A clear and precise fingerprint? The chances aren't good, I'd imagine. Indeed,
you'd be far more likely to figure out their passcode or "swipe pattern code."

------
knodi
The word "hacked" is missed used a lot here.

~~~
nutate
The word misused wasn't even used in your comment.

------
saltyknuckles
Why I [insert action and feels]

