A very large number of people don't put any kind of passcode on their phone, simply because it's inconvenient. Touch ID is designed for them. It's not designed to secure nuclear footballs.
Touch ID is going to massively reduce the number of totally unsecured iPhones that require zero effort to access. That's the goal.
I think some people see "fingerprint scanner" and think "military-grade security" because that's where we've seen scanners before in movies and such. But this is really very much a solution for the consumer market, where convenience and usability are critical features of a security system. Sometimes infosec folks forget that. If you make it too hard to use (passcodes), people just bypass it. So you can blame the user, or you can try to design something easier to use. If in the end you've improved the overall security landscape, you've succeeded. I think that's what Apple is doing here.
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password.
It is definitely intended to replace passwords. Pretty good security would be to require both the fingerprint and a PIN (for unlocking the phone, at that stage a fingerprint is fine for authenticating iTunes' digital purchases).
My debit card, for example, has "paywave" short range payment support. So anybody who has my card can go around making small purchases, no PIN, no signature needed. I'm fine with this because the convenience far outweighs the security concern.
With the iPhone an attacker who replicates your fingerprint can make purchases to your iTunes account using your phone. They can't purchase to a different account, they can't purchase to a different device. In that sense, requiring a valid fingerprint is more than secure enough — even if faked it's not going to do much damage.
Creating a fake print that can fool the scanner is so much harder than stealing someone's debit/credit card. It's also so much less damaging to the victim (making purchases on their iTunes account vs. making any arbitrary purchase).
I think the balance between security and convenience for this technology is more than reasonable.
No, it's not. Starbug used simple means starting from a photo of a fingerprint. The fact that fingerprints are blasted all over the place makes this very easy. You could probably even build a cheap machine that automates this process.
Creating a fake print: Step 1. Either find a perfect print, or a number of imperfect prints. Step 2. Photograph. Step 3. Enhance. Step 4. Print. Step 5. Use print on suitably encoded device (which probably means stealing their phone too).
Edit: Given the front of a phone is glass, there's probably going to be a print on the screen, though I wonder if any prints taken from a phone screen would be clean? I don't know.
You're missing the point. Right now lots of people have no password at all. Touch ID is a big improvement over having no password.
From the citation: "Passcodes and passwords aren’t completely eliminated by Touch ID, then, but they almost certainly will be later on."
The glass screen will have your fingerprint on it, somewhere. That can be CSI'd by anyone who finds it. Anyone serious enough to do that (and it's not much) can start escalating.
If someone wants what you have bad enough, there really isn't anything you can do to stop them.
TouchID is highly secure if the only way to break into it is to have an ultra high-def image of the exact finger the device is looking for. I guess 50 character-long passcodes aren't secure because you could just tell a thief the code?
We must have wildly different definitions of "highly". I'm pretty confident I could reproduce this result in one afternoon. Compare that to other things we might consider highly secure, like strong encryption or Fort Knox. What word do you use for security measures that take non-trivial resources to circumvent?
How do you approach that part of the problem?
But if I were trying to break into an iPhone, perhaps the fingerprints are on the phone. Or some other item I also got as part of the same theft. Or I found the phone in the owner's house when I robbed it and have my pick of surfaces. Or I have the owner's prints in a database because they were convicted of a crime (I admit I have no idea what resolution those are taken at). I don't think there's a shortage of possibilities. You leave prints on almost everything you touch.
To be extra clear, I'm not saying the finger print reader isn't good enough for most iPhone users; I'm not arguing the nth-grandparent's point about that. My point is that it's not highly secure, and Apple shouldn't be marketing it that way. Similarly, the lock on my front door is plenty good for my house, but no one would ever describe my house as highly secure.
You do have a very valid argument.
It needs a 2400 dpi output. This is not hard. 300 ppi source can easily generate a 2400 dpi output. DPI =/= PPI.
From what I've found online, chip-PIN does indeed reduce fraud, but when fraud does happen, it becomes extraordinarily difficult for the cardholder to get a refund from the bank.
I could see fingerprint scanning going the same way -- with vendors saying "what do you mean you aren't the one who made this purchase? The device was unlocked with your unique fingerprint!"
You're baselessly asserting your position, though.
If you write your PIN on your ATM card, they will not refund you. That is policy and they ask every time you lose your card. The bank views this as lack of due care. Likewise, if you leave copies of your fingerprints on your payment device, they could argue that you are likewise acting with unreasonable care.
Now that this has been (so easily?) spoofed, is it reasonable to believe it is secure? That is a valid concern. Unlike a pin, you cannot reset a fingerprint security mechanism. So when it is compromised, it is over. So, the result is messy in that it puts you in a problem using today's standard practices, but at the same time, the standard practice "defense" is not applicable, and lacks an obvious alternative.
This is not a strawman, it's a legitimate edge case.
3. I will hold in strict confidence my personal identification number (PIN). I will take reasonable precautions to keep my PIN separate from my ATM card and to prevent the unauthorized disclosure of my PIN.
So, you sign an affidavit verifying you did not contravene this agreement. They will screen for this as/if you file a claim for fraud.
I live in Europe, and twice in the last two years or so my card details have been compromised, and both times my bank has rung me to notify me of suspicious transactions before I'd even noticed. It depends on the bank (and the country most likely) with regard to getting a refund. I got refunds no problem, but I've heard of people having problems in the UK. The fraud happened online (not sure how, I'm reasonably tech savvy and careful with my card details).
I believe that this has now changed (although I've not had a new card recently and I don't remember seeing any new TOS).
Buying apps with your device is not terribly useful unless you have taken full possession of the device, in which case the owner can remote lock/wipe it with iCloud and dispute the charges with their CC company.
Having some shiny new method does not mean these people that do not currently use a pin/password will magically start using this.
Now, if Apple started forcing everyone to use one or the other (or both), that's another story.
It actually does mean exactly that in the aggregate. There are a huge number of people that don't use pass codes not because they don't care, but because they are inconvenient. This technology is for them, and it will have nothing to do with "magic" when they adopt this fundamental improvement (that happens to be also a heavily marketed main differentiation from the previous model).
As for the people that never used a pass code because they weren't aware/didn't care... probably less adoption, but just because the feature is so heavily marketed, many of them will also use it.
But yeah. Significant numbers of people who didn't secure their devices with pass codes will now do so. No magic required.
Edit: I realized that the link is for iOS 6 - though I wouldn't expect them to reduce business IT functionality, not sure if these options are still in iOS 7.
As I understand it every now and again Apple will prompt you to enter your passcode/password, such as when you restart your device or if you haven't unlocked it in two days. Hardly a signal that passwords are done.
> You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
I believe that's the opinion being referred to.
-- the phone
-- a 2400 dpi resolution image of the correct fingerprint
-- a 1200 dpi laser printer & transparent paper
-- pink latex milk or white woodglue
-- a non-trivial amount of time
I heard that too, airbags, satnav and entertainment systems are the target...
The code is in someone's head, or you have to deconvolute it from screen smudges. Your fingerprints are literally everywhere you go.
So you don't need to get "in someone's head". You just need a good view of them using it.
Granted, getting an iTunes Store password by just watching would be a lot harder. But compared to the 4-digit lock screen pw (or even the Android shape pw) TouchID seems a bit more secure, at least to me.
I bet you if CCC wanted to make a much stronger case, they would have taken that image from a fingerprint on a glass - but that didn't work. They photographed the finger and not a stray print for a reason.
"The third feature is all about security. Now we have so much personal information on our devices that we want to protect. <snipped> So we have to protect them. The most common way of course is to set up a passcode. Simple four digit passcode or more complex one if you want. This is something you do, dozens of times a day to unlock and get access to your phone. Unfortunately, some people find that's too cumbersome and they don't set it up. In fact in our research about half of smartphone customers do not set up a passcode on the device and they really, really should. That's the team has worked so hard in the brand new technology to make this easy and fun to do."
Touch ID is better than nothing, and that people use Touch ID instead of nothing is better than the current state, but not by much, and this definitely isn't a huge achievement. Which is really the biggest issue with Touch ID: it's advertised as such, and people believe it.
I also bet, in 99.9999% or more of those cases, the attacker doesn't even attempt to bypass the security by faking the user's fingerprint.
I'd also be willing to bet that these figures are substantially better than the current situation where people don't bother to lock their phone at all. People will use it because it's a gimmick, not because of its security properties, but it will still work.
Activation Lock + Touch ID = all the security that almost anyone needs on a phone and much higher security than any of us have been used to up to now.
But with the new Activation Lock, it supposedly doesn't matter if it is shut down: the minute someone tries to flash the phone, be it normally via iTunes or via DFU mode and iTunes, there should appear a message that the phone has been wiped and must be unlocked with the iCloud password of the account that did the wiping. So no chance to flash the phone back to factory settings.
You can't be serious. A completely unlocked phone that anybody can trivially access with a swipe.. vs. a scanner that you'd have to lift and reconstruct someone's fingerprint to bypass. That is definitely a significant improvement.
Sure is a significant improvement for some people at least. http://t.co/EK3sdeloUX
What operating system I prefer really has nothing to do with it, even if it is Linux.
Posted from my iPhone, android, third mac mini, 2nd mac air, or first thinkpad who the fuck knows (or cares? oh you obviously)
> Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint.
> The Secure Enclave is walled off from the rest of A7 and as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can't be used to match against other fingerprint databases.
It absolutely isn't. Even if just the hash were sent over the wire (or if it were possible for the authorities to extract it over the wire), it would be perfectly possible for the authorities to run the same hash algorithm on their candidate print and see if the hashes match. Such evidence would likely not be admissible in court but 1) it would be enough to give the authorities a tipoff, 2) for matters deemed important enough, secret trials seem to be all the rage these days.
I would be _very_ surprised if there were no backdoor in iPhones for the authorities. Even their "secure" area. The U.S. authorities simply do not take no for an answer when having a "talk" with a vendor producing a widespread "security" related product.
I'm not sure if you understand what FUD means. Your surprise or lack thereof does not count as evidence, and is irrelevant to whether something is FUD or not.
> MS Exec: "I'd be very surprised if Linux had a lower TCO than Windows Server."
Canonical example of FUD. EXACT same thing as you're saying, just in a different context.
You've got to be careful when you say things like that, because they're trivial to refute.
The whole point of a backdoor is to be obfuscated and hard to find. So it would be very likely that you would not find one even if one were present. Your example is simply Microsoft not bothering to do something that's perfectly researchable.
We don't have any _proof_ that Dual EC DRBG is defeatable to the NSA. By your logic we should still be using it happily until we have that proof and until then any caution is simply "FUD".
So if that's "FUD", then I've got news for you: the security world is very sensibly built upon FUD.
Which in this case doesn't matter because you're talking complete nonsense. Apple does not send your fingerprint over the wire.
TouchID represents a massive increase in security over draw pattern to unlock, and it's easier to use at the same time.
It probably also represents an increase in security over 4 digit PIN codes, though that's shakier.
If somebody swipes on their home screen, browses the web, etc., the trail would not be just the unlock pattern.
The exploit you're talking about may work if you get hold of the phone right after the user unlocks it since the trail only has the pattern.
It's much easier than you imagine. I've been using my phone as I normally do throughout the day, and I can see the unlock pattern clearly on the phone.
The way that Apple haters use stunts like this to suspend normal logic and reasoning in order to express their juvenile spite is staggering.
No one, ever, claimed TouchID was impregnable, but it is very good security and is better than what the vast majority of people do at present.
Anyone prepared to devote the time and resources that CCC did to breaking your phone has other simpler means at their disposal. I personally believe that no one else will replicate this achievement because it is simply a publicity stunt to get clicks and feed the hordes of anti-Apple zealots.
The threat is similar. Now there is an exploit... now the collective security researchers (and hacktivists) will work to make the hack easier by building a tool... THERE lies the real danger.
I still commend Apple for trying. The real issue will be if I can steal the "hash" of the fingerprint and reverse it to know who it is... so far TouchId has done well. The way that happens, Apple users will need to rethink using TouchID.
Really? Lift someone's print, leave it with superglue, scan and print it and then dump glue on the scan.
That seems to be the sum total of what needs to be done. You need only sticky tape to lift the print and the rest can be done in an hour.
It sounds quite action movie, but in reality it's pretty damn simple and if I wanted to get access to your phone I could easily prepare it in advance and carry a tiny latex strip in my wallet for just the right occasion without your knowledge at any point.
Also in reality it will foil over 99% of potential unauthorized activation attempts as most people aren't going to craft fingerprints to get into someone's device.
If reality is the bar you're using, TouchID still wins.
Also, it's not remotely "pretty damn simple":
"Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment..."
If having TouchID will increase the number of people who lock their phone, I'm up for it. But it's not this amazing super-secure technology that will revolutionize the world.
I've read there is already something like 35% adoption of iOS7 so we may see soon how effective Activation Lock is at deterring theft.
That makes it great security.
> fingerprint biometrics is unsuitable as access control method and should be avoided.
What happens when the next set of hackers figure out how to remotely access and extract the fingerprints (hashed, secured, whatever) stored on the iPhone itself?
The fingerprint information stored in the 'secure enclave' of the A7 is a combination of the data related to the fingerprint combined with unique information for that specific device. So even if the data could be extracted, using it for any purpose other than unlocking that specific phone would be impossible.
No, it wouldn't send that response at all. That's called a client-side security control, and I'm sure you can think of why that's out of the question in any system.
That said, I sincerely doubt this is the case. I imagine the phone acts as a proxy for the authentication, validating the fingerprint then sending some other form of authorization to Apple or using the fingerprint as input to a cryptographic algorithm.
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3093498/ states that even professional forensics required independent verification to eliminate false positives.
The hashes, whatever they are, will not be "binary" in their nature. Matching against a range of visual characteristics requires allowing some level of fuzziness. Even assuming that near-future improvements bring the false positive rate to half of that of the best forensic experts (to 0.05%), the law of large numbers guarantees that innocent people will be caught up in investigation dragnets. Just imagine the lives destroyed by these kinds of clerical errors.
The above is the same reason I'm against our national law enforcement getting access to the passport biometric databases. Even discounting the potential for abuse: once the police have a suspect with "matching" fingerprint available, they will have less incentive to find other ones.
Whatever the case, maybe we should step back and get some more perspective. How many of us don't put locks on our shared computers and phones because we don't want the inconvenience of ensuring everybody that should be allowed to use it can? My phone is a shared device and I removed any and all locks on it as I got very tired of "oh, let me unlock that for you." Basically, I want everybody that can reach it physically (when it isn't lost or stolen) to be able to access it and make calls, surf the web, use the map, search contacts, play games, etc. Is any phone locking mechanism going to work perfectly? Probably not. Being able to set up my phone to unlock for anybody in my family and friends circle by something like fingerprints is a pretty good start.
I feel like we just went through this very same drill with the Chrome team refusing to hide web site passwords behind a master password, something that all browsers, except Chrome, support. Given how stubborn the Chrome team has been in its handling of this situation, I think fighting that TouchId battle is going to be equally challenging.
Common sense is, sadly, not very common, not even among the security circles.
Agreed. Complaining about this hack would be like people saying locks are "hackable" if you steal someone's key and make a copy. There's always a way around any system, if a criminal is dedicated enough to get past it.
I like what you're saying, massively allow users to secure their phones without the pain of entering a password, but when it comes as a compromise, "little is better than none" is not the mentality people need for security. I'd rather see corporations rewarding and encouraging proper security strategies rather than creating some compromise for marketing.
If you're talking aggregate security, TouchID will still increase security (even with current PIN users moving to a FP Scan) as currently about 50% don't use any sort of pass code now.
If you're talking about the ability for current PIN users to maintain their level of security if they wish, they can still use a PIN.
Bottom line is that there will be fewer successful unauthorized login attempts in the wild.
One might argue that Touch ID is too strong to be used where there was no security before. In an arms race with thefts and hackers, leaping too far forwards might not be the best option in the long term.
Even if your phone was unlocked, they probably wouldn't bother more than a cursory glance. They have more phones to steal than to bother with what is on some random person's phone. When the data is important, the theft will be more targeted.
I haven't heard of it recently, but a few years ago there was a story on phone operator temporary staff that would offer clients to move their contact info from their old phone to the new one (it's a completely legit service) and keep a backup of the old info to sell it. The price for an entry was something like 2 cents, but data would be sold by batches for about 700~800 dollars.
I didn't find any quick resources in English, just for the numbers there was this piece by Trend Micro (to note, they are of course biased to make the number a little bigger).
(Of course, this post ends with Apple has succeeded. Sigh.)
...while lowering the security of a massive number of iPhones previously secured by PINs.
The fingerprint scanner is not intended to protect your personal data from being accessed by nefarious cyber-spooks or crackers. The $5 wrench technique is fairly effective in bypassing such security anyway.
The fingerprint scanner is there so that when your phone is nicked by a mugger, they can't reset to factory defaults and sell it on eBay. If some knife wielding thug that robs me of my phone has the intellectual capability of lifting my fingerprints off the case and then using them to bypass the security, he still has to know my AppleID password before he can remove the 'Find my Phone' feature.
Give Apple a break. This is just another layer of security. It's _not_ the panacea to all our security woes, and they have never claimed it was.
This attack is an interesting data point in the debate over using biometrics in access control systems. Apple was hyped to have introduced something new and exciting in this space, but it's quickly been shown to not be a significant advance in fingerprint sensor technology.
Touch ID, however, is still an adequately secure access control check to be useful to consumers.
Just to clarify, it wasn't just the increased resolution that was required here, but "latex milk", I assume to simulate a living finger, as well. It's not as simple as print-of-print = unlock.
No matter how cool the fingerprint tech is on iPhones, you wouldn't go as far as using it for your master access to your password manager app or bank account app.
For the purpose of replacing the lock screen pin, or as others have said, no pin at all, I think it's fine.
And selling a stolen iPhone on eBay does not need a password or a fingerprint, a jailbreak is enough …
You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
If cracking fingerprint authentication is as easy as this article suggests then there's no doubt that these types of shops will do this readily. Steal a phone -> bring it to a place that does it.
The AppleID password is another thing though.
Police caught the "muggers" slipping the phones into faraday bags so they couldn't be remotely wiped, which led them to the ringleaders. They were busted but I'm sure there's a new crew doing it.
I prefer Schneier's original rubber hose technique. Leaves fewer broken bones and bruises, but just as effective.
I don't know if others are experiencing this, but as of iOS 7, that feature turns itself off every time my phone is rebooted.
But they've never said it wasn't, either. It's important that everyone is in the clear about how secure TouchID is. I'm going to use it anyway, but the other decision is how much personal data I want to store on my phone.
* Note: TouchID is not the panacea to all our security woes, will not cure cancer, create world peace, does not kill kittens, [continues on listing everything it's not for 9 trillion pages]
BTW, for anyone who does not know about the Chaos Computer Club (CCC), they run a massive conference in the EU. You can look at some of their talks at http://media.ccc.de/
In addition to that, there are problems with bias and statistical independence. A given marker is unlikely to be present in exactly 50% of the population, and to the extent that it isn't it can reduce the probability by that amount that a test match is a true match. Meanwhile the suspect pool for a given crime is likely to encompass several (perhaps many) members of the same extended family, who for the obvious reason are significantly more likely than random members of the world population to have the tested markers match one another. Even within a city you will generally see concentrations of specific ethnicities who may have a higher statistical incidence of specific genetic markers than other populations, which can screw up the numbers by an amount that historically hasn't even been knowable because we don't have good numbers on the statistical incidence of specific markers within geographical populations.
The place where this is most pernicious is when they get a sample from a crime scene and run it against some "DNA database" to find a hit. Then everybody is talking about the probability that X suspect would match the DNA at the crime scene rather than the probability that someone in the database would match even if the actual perpetrator wasn't in the database.
Or the probability that, match or not, the DNA from the crime scene belongs to the criminal.
And not, say, someone the victim came in contact with earlier, someone that happened to be in the crime scene before the crime took place, or even some third guy the actual criminal took a DNA from in order to frame him.
I thought that was pretty much always the case. Which is why DNA evidence is never used alone - you don't take DNA traces found at a scene of crime, run it against a huge database, find a match, close the case and try and sentence the matching person.
Instead you either investigate whether that matching person had means and motive and no alibi, or (more often) you check the DNA only against people you already suspect for whatever reasons.
Both variants reduce the likelihood of false positives by quite a few orders of magnitude.
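The base-rate point made in the comments above, both for a fingerprint matcher with a 0.05% false positive rate and for a DNA sample run against a large database, is easy to make concrete. The following is an added example and is not from any commenter or from Apple or the CCC; the 0.05% figure is the one quoted above, while the database sizes, the prior that the true source is in the database, and the assumption of independent comparisons with a fixed per-comparison error rate are constructed for illustration.

```python
"""Base-rate arithmetic for a biometric or DNA database dragnet.

Added example (not from the thread). Model assumptions, all constructed:
- each comparison of the crime-scene sample against one database entry
  falsely matches with probability `fpr`, independently of the others;
- at most one true source exists, and is in the database with
  probability `prior_in_db`;
- the matcher recognises the true source with probability `sensitivity`.
"""


def p_at_least_one_false_match(fpr: float, db_size: int) -> float:
    """Probability that a dragnet over db_size innocent entries produces
    at least one false hit.  Grows towards 1 as the database grows."""
    return 1.0 - (1.0 - fpr) ** db_size


def expected_false_matches(fpr: float, db_size: int) -> float:
    """Expected number of innocent entries that match the sample."""
    return fpr * db_size


def posterior_source_given_match(fpr: float, db_size: int,
                                 prior_in_db: float,
                                 sensitivity: float = 1.0) -> float:
    """P(this entry is the true source | this entry matched).

    Bayes' rule applied to one specific entry: before matching, that entry
    is the source with probability prior_in_db / db_size; a match arises
    either from the true source (sensitivity) or from an innocent entry
    (fpr).  The 'prosecutor's fallacy' is reporting 1 - fpr instead of this.
    """
    prior = prior_in_db / db_size
    p_match = sensitivity * prior + fpr * (1.0 - prior)
    return sensitivity * prior / p_match


def prosecutors_fallacy_gap(fpr: float, db_size: int,
                            prior_in_db: float) -> tuple[float, float]:
    """Return (naive claim, real posterior): the '99.95% accurate' figure a
    lay audience hears versus the actual chance the hit is the source."""
    naive = 1.0 - fpr
    return naive, posterior_source_given_match(fpr, db_size, prior_in_db)


if __name__ == "__main__":
    FPR = 0.0005  # 0.05 % per-comparison false positive rate, as quoted above
    # Constructed scenarios: a city-sized database dragnet versus checking
    # the sample against a single suspect already identified by other means.
    for label, db_size, prior in (("dragnet, source surely in DB", 10_000, 1.0),
                                  ("dragnet, source may be absent", 10_000, 0.5),
                                  ("one suspect, other evidence", 1, 0.5)):
        naive, real = prosecutors_fallacy_gap(FPR, db_size, prior)
        print(f"{label:32s} N={db_size:6d}  "
              f"P(>=1 false hit)={p_at_least_one_false_match(FPR, db_size):.4f}  "
              f"E[false hits]={expected_false_matches(FPR, db_size):.2f}  "
              f"naive={naive:.4f}  real P(source|match)={real:.4f}")
```

With a 10,000-entry database and a 0.05% error rate, a false hit is almost certain (about 5 innocent matches are expected), and even when the true source is known to be in the database a single match identifies the source only about one time in six. Checking the same sample against one suspect selected on other evidence pushes that figure above 99.9%, which is the "few orders of magnitude" the comment above refers to.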
As one example, combine a fairly limited set of targets with gel chromatography, and varying quality/accuracy of analysis/analysts of same... And you have a lot less "uniqueness" than things like the common, public term "DNA fingerprint" imply.
Yes, it may be a useful tool in combination with proper understanding of its limitations. However, we have (in the U.S., for example) an adversarial judicial process, and prosecutors have been shown to often not place such understanding even in context, let alone as a primary concern. If the defence is lacking, including simply financially to engage its own "expert witnesses"... misbegotten interpretations can and do rule the day.
Yes, this really happened - at least once that we know of:
During his 1999 trial, Schneeberger revealed the method he used to foil the DNA tests. He implanted a 15 cm Penrose drain filled with another man's blood and anticoagulants in his arm. During tests, he tricked the laboratory technician into taking the blood sample from the place the tube was planted.
Then again, I guess we've seen that you literally cannot be too paranoid.
You don't have to have "everyone's DNA on file". It's actually pretty trivial even for your neighbor or whoever to get your DNA.
As for the police falsifying evidence, there's a wikipedia-long history of cases, in Europe, Latin America, Asia, etc. Especially in politically charged times, like the sixties and seventies. Heck, something like half of Italy's government in the 70's has been proved in later Italian courts to be involved in such things.
Sorry, I wasn't clear. I can dump a gallon of your blood and semen onto a dead guy in an alley, but how would the government trace that blood and semen back to you?
Well, as the culprit, you can always arrange some things or leave other stuff that also points to me.
Also, your main benefit is that the police will more easily believe that it wasn't you (since your DNA won't match).
> But scientists are finding that it’s quite common for an individual to have multiple genomes. Some people, for example, have groups of cells with mutations that are not found in the rest of the body. Some have genomes that came from other people.
> Women can also gain genomes from their children. After a baby is born, it may leave some fetal cells behind in its mother’s body, where they can travel to different organs and be absorbed into those tissues. “It’s pretty likely that any woman who has been pregnant is a chimera,” Dr. Randolph said
It's much less common than a consumer-grade scanner and some wood glue.
I think DNA evidence is even worse, given how simple it is for anyone (from an oppressive government to a criminal) to take DNA from someone they want to frame and place it on a crime scene. Heck, it's even easier than fingerprints, and it's also thought of as "irrefutable".
It's a bit old now but it's still as valid.
Also, if a fingerprint sensor is significantly easier to use, and in practice will deter a class of privacy violations, it could increase overall security. This is a question you can only answer by looking at how people behave, not solely with an analysis of the technology.
The fingerprint sensor worries me more that it records biometric information at all. It's one thing to leave fingerprints all around your environment, but there is now the potential to steal your biometrics over the internet. The device supposedly hashes the data derived from your fingerprint, presumably with a hardware-based secret, but I worry someone will find a way around that. (EDIT: maybe this is physically impossible; can someone provide details?)
Also, the issues that CCC discusses about how fingerprint unlocking can be coerced are important. Many law enforcement organizations now have devices that can scan smartphone data, which is bad enough, but at least the use of those devices is controlled. A fingerprint sensor now allows a cop to handcuff someone, jam his or her finger onto the phone, and then (for instance) delete an incriminating video.
Likewise anyone else willing to use force. Might become the next schoolyard amusement for bullies, if your kid has a smartphone.
The Google Chrome Security team begs to differ. According to them giving someone the illusion of security is bad.
An understanding of security will reveal that security is not a binary state of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like the iPhone fingerprint reader to keep honest people honest and discourage ordinary muggers and thieves. I don't need military-grade access control for my personal iPhone, I don't want the inconvenience that would necessarily accompany it, and I damned sure don't want to pay for it.
And the Google Chrome guy is correct in all respects: it's not reasonable to expect an application to provide security that's redundant with security provided by user accounts on the OS it runs on. It would be better to teach users to create separate accounts on their system, if they want to hide their local passwords from other members of their family.
It is perfectly reasonable to expect an application to provide more security than the user account provides because in the real world, we know that people don't always lock their computers. Not all applications are risky, but one that centralizes a users credentials is clearly so.
Pretending otherwise is simply not acknowledging the real world.
Name one security technology that is 100% foolproof. They don't exist. So the point isn't to rely on one thing, but to rely on many things that, used in concert, increase the risk, complexity and cost associated with subverting the entire system--not its individual components.
In the same way that you'd afford extra scrutiny to a government agent making claims about what encryption methods to use, you should afford the same scrutiny to companies making security claims who are documented collaborators with the TLAs.
An ad hominem isn't always a fallacy, especially when the credibility of the speaker is legitimately in question. Saying they're automatically wrong would be fallacious (not to mention silly), but questioning credibility based on actual, documented behavior is not.
The main argument is in the second paragraph.
Anyhow, thanks for noticing :)
Security is not binary.
Correct me if I'm wrong, but the biometric data never leaves the device.
You need the fingerprints themselves to fake out the hardware.
For example, the obvious approach is to store fingerprint features, which will be then matched by any print that has the same features in the same positions. If you do a good enough job of generating the new print you might even be able to fool police investigations, since they compare prints the same way.
All bets are off with physical access to the hardware, of course.
I am not a lawyer but it seems to me, 9 times out of 10, the cop would prefer a cleaner result - they confiscate your device, and oops, when you get it back, the video is gone.
...the people closest to you in your environment ( kids, parents, spouse, boss, co-workers) are the ones who can most easily obtain your fingerprints...
Don't use it if thieves would consider going through all the effort of faking out the scanner. That's what I take from this no doubt valuable and important work from the CCC.
(I assume that iPhone tracking and activation lock cannot be disabled with the fingerprint, so stolen phones will still be easily remotely wiped and bricked, with fingerprint or without. Thieves will have to be crafty and quick if they want to pull this off.)
(not an iPhone or Android user, at least not yet).
There are too many examples to pick from, but here's a recent one.
In his iPhone 5S review he rambles on about how Apple is an innovator and picks out the A7 processor, TouchID and a new burst-mode camera feature:
"But the real innovation — there’s that word — is software, right there on the device itself, that makes it easy to select only the shots from those bursts that you really want to keep, and to throw away the rest."
Yet Samsung did the same thing for the S3 back in 2012.
> "You know how iOS touch latency and scrolling performance have always been far ahead of its competition? The way you could just tell that internally, Apple had uncompromising standards for how responsive these things needed to be? That’s what Touch ID is like — it’s to all previous fingerprint scanners I’ve seen what the original iPhone was to previous touchscreen computers."
Make that fawning guff. Convenient that he forgets the uncompromising standards of Apple Maps.
> "Touch ID’s extraordinary performance and accuracy fit right into that story."
No benchmarks or comparisons to justify this hype compared to other fingerprint scanners. How do we know it's not the same as a cheap $1 RF scanner from China?
> " a complete experience hosted entirely on the device. Your fingerprint data is not just “not stored in iCloud yet”, it is not stored in iCloud by design, and according to my sources, never will be."
Rubbish. He knows nothing about Apple's roadmap. He always cites his inside "sources" yet he has NEVER broken any story where he had the lead on a scoop. Not on any products or corporate announcements.
I don't care what an armchair blogger thinks about TouchID. I do however care what the Chaos Computer Club thinks because they actually know what they are talking about.
In the next paragraph, he writes that Apple sucks at online services, and that TouchID is great precisely because it's a completely offline feature. You haven't even read the article. I wish HN would blacklist any mention of Gruber's name.
What matters is the rate at which copies of real prints are rejected, not the fact that one carefully made print can be made to work.
I also don't think Apple is dishonest in their marketing. Fingerprint scanning is absolutely better than a pass code and the marketing around it all gives the impression that using it ensures no one can unlock your phone without your fingerprint. Nothing dishonest in that. Plus the layperson really has no interest in learning the specifics anyway so I'm not sure it matters what they say about it so long as it sounds cool and futuristic.
How often can you change your fingerprint? I can change my pass code virtually an infinite number of times. How often do you inadvertently leave your pass code in random places just by touching things?
A good pass code is absolutely better than fingerprint scanning.
Security is all about trade-offs. This result was to be expected (in some form). What will worry me is if the "secure enclave" where the fingerprint data is stored is cracked (and I wouldn't be surprised if that happens too eventually).
Probably, apps will get access to capture raw prints themselves at some time. Someone will start to store real and unhashed fp's in their database. As happens frequently with databases containing CC numbers (and even CC PINs), that DB will eventually get copied and accessible on the net.
Buying one's fp data will become possible at some point.
Any company that designs their hardware so this is possible deserves the suit they'll get.
Locks (when physical access to a device is available) are to keep honest people honest. Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.
Note: Finger Print, not finger.
Here, have a drink out of this freshly washed glass... no, don't worry, I'll wash the glass for you later. :)
On the last second point regarding access to a device, I could take a week to make up the fake print during which it won't matter if I have it or not. Since your print isn't changing I just need 5 minutes with your device at any point in the future.
That's it. This is not rocket science or time consuming like brute forcing. You don't even have to shoulder-surf to catch their password.
Until they do that, this doesn't really indicate much about how weak TouchID is in the real world.
And your friends could change their password 365 times per year every year for the rest of their lives.
With fingerprints, they get 10 password changes.
But then again it might not be too convenient to carry said cat around all the time.
I'd say 9 password changes...
Anyone who says this is not a security expert. That hasn't been true since full disk encryption became available. A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place.
Cold boot attacks, copying the drive and hacking the bootloader to get the drive password the next time you log in are two trivial methods, both of which have been used already.
Once you lose physical access to your hardware, it's game over. You simply cannot trust your computer after that point if you care AT ALL about maximizing security.
With that said and the caveat that I am not an encryption expert myself: given an infinite amount of computing power and an infinite amount of time, can full disk encryption not be broken? If so, then it is just a question of computing power and time, not of whether it is possible to get to the data.
Sure. But the difference between "infinite" and "a couple billion years" from a human perspective is minute.
So basically we need some new form of computer (one that's not flipping individual physical bits), and not "just faster" ones, to crack certain encryptions by brute force.
This is not being done by lifting an existing print from the existing device. They're taking a photo of the authorised FINGER and using that to create their fake finger...
I don't see how this could be considered a significant issue unless you are going to steal someones phone AND somehow get a still 2400 dpi photo of the surface of their finger
If the print was copied directly from one of the phone surfaces, you'd think that the CCC would want to include that little tidbit.
That brings up another interesting point -- I wonder how many people are going to put screen protectors on their 5S's that are not oleophobic.
Does that mean you couldn't find my prints in other places? Sure. But I can probably find your keys in other places, too.
We know that SSL is generally not implemented properly, that the CAs are probably all hacked or subverted by the NSA, that the NSA may have developed backdoors to a number of the more popular encryption suites, but I don't hear anyone running around demanding Google or Facebook disable SSL.
If you are doing something that requires sufficient security that you don't want someone to access it via your fingerprint alone, add additional layers of security.
If you are doing something potentially incriminating ... don't do it on your freaking phone because it's probably been exploited in a dozen other ways by various authorities who can use it to find out most of what they need without being in physical possession of the phone anyway.
Most people aren't worried about the mafia or the CIA or the NSA. Most people don't even bother using a passcode, let alone a passphrase on their phones. If you can add something as easy to use as this, then it adds an additional layer of security against the casual abuse most people will find themselves subjected to (random people making calls from your phone, spouses spying on their email, etc.).
If you are worried about the CIA and the NSA, using a phone at all for anything is probably not in your best interest at this point.
CCC made it look easy but I bet it didn't work for them first try or even 5th try...
Yeah, but as every decent locksmith will attest, very-nearly-almost-all door locks can be easily opened with the right tools. Like picking a lock is a specialist skill, so is lifting a fingerprint and making a copy of it. No security is absolute; it's all trade-offs. Making it such that it's not worth your adversary's time to bother.
And that is what happens with a finger-print based secure system; you inadvertently place the imprint of the key on the phone's display as well as public places.
- fingerprint authentication will be seen as more casual and mainstream than it was before 
- people will still leave fingerprints everywhere, including around and on the fingerprint sensors
- once a high resolution image of a fingerprint is done, it can be re-used for literally a lifetime (imagine keeping track of someone for years and using his/her fingerprints anytime it's needed)
- if enough applications rely on fingerprint authentication, exchanging fingerprint databases might become lucrative enough
From this point of view, seeing TouchID as just a cute way adding some security to a phone is too candid I think. It will have an immediate positive effect for casual phone locking, but would bring much worse effects down the line.
Optimistically no one would rely on fingerprints alone to authenticate users for anything important. But the definition of what's important is blurry, and there are so many situations now where weak passwords are used, but it would be so tempting to switch to fingerprints (door unlock for instance...).
Laptops have had finger unlock features for years now, but it never really made it to the wild masses I think. Fujitsu phones had a fingerprint reader too, but again, I don't remember other makers picking up the feature.
Sure, maybe you can bypass this mechanism, but as an everyday password, this is still a substantially easier tool than typing in a 4-digit password.
In fact, at least you cannot easily spoof my fingerprint at a public location, while you could certainly easily figure out my password by just standing over me when I type it. I wonder how many mall cameras, street cameras and all sorts of public surveillance cameras have all our passwords?
I know tons of people, including myself, who don't use any passcode on their phone because the 4 digit stuff is a hassle.
CCC is arguing this isn't pick-proof anti-tampering deadbolt, when right now a huge number of users don't even have a door. It's still a MASSIVE improvement.
The issue here is that it's ok, it doesn't really matter. It is all about the amount of security you need. Does a normal user need unbreakable security? No. The security provided with this method is more than ok, it is kinda secure and it's faster (imho) than writing your passcode. After all your "enemies" here are nosy friends or similar...
If you need "unbreakable" security then you shouldn't use iPhone or Android, or you should use a specific secure storage application (ciphered content, hard to guess pass or whatever). If you need "unbreakable" security you better consider hiring a security consultant.
So, the question here is, are the security systems in mobile devices more than fine for most normal users? I guess so...
Create a random pattern of ridges and, using the technique outlined in the OP, build a latex key. Attach that to your keychain (in some sort of case to improve durability, maybe). Then, enjoy 2-factor auth, between the phone's pass code and the synthetic fingerprint.
Biometric passports store an actual fingerprint image and not just a hash like the iPhone 5S. So if the resolution was high enough, everyone with access to a biometric passport – for example by scanning people carrying such passports around at an airport – could forge fingerprints …
Really? It seemed like this was a lot harder then just shoulder-surfing someone entering their passcode. Touch ID may be hackable, but this is still way harder for the average person to hack than a simple passcode.
AND it's way easier to swipe your finger than type in a code! Touch ID can't be worse for security; it appears it's at least a bit better.
I dislike entering a passcode every time I pick up my phone. Yet if someone steals my phone or I leave it somewhere I don't want someone to be able to access my photographs or my data.
Fingerprint sensor sounds like a pretty good solution to me.
Do I want Fort Knox security on my phone? No.
Could someone still access all my data even if it was secured with a passcode? Certainly they could: with physical access to the device and a couple of debugging tools they could lay it wide open.
So put simply, fingerprint is more convenient than having to type in a passcode. +1 for Apple
Good to know how easy it is to break though so no one gets carried away and starts using it for things worth breaking into.
But I think they are missing the point. If Apple wanted its phones to be a secure gimmick at Pentagon - that was silly. But for average user - nobody is going to steal your prints. It's just a usability. For average Joe it is so much easier to tap with finger than type PIN all the time. But if you get specifically targeted nothing will save you.
Will he be claim chowdering?
Let's be fair. Apple said it was easy to use and improved security (compared to the previous iPhone). They didn't say it was designed to the standards needed to protect DOD secrets.
This seems like CCC is just trying to get attention to me; holding the device up to straw-man standards of security.
I'm sorry, but this is so much backpedaling. Do I really need to start pulling out comments from the last discussion where people were quoting Apple's press conference about how revolutionary and secure this was?
Apple made a huge deal about how secure it was and how much of an improvement and how very sophisticated it was. It turns out, it wasn't really.
Now people are saying "well, they never really said it was all that good, or meant to keep you secure", blah blah blah.
Let's start with the basic press release:
"and introducing Touch ID™, an innovative way to simply and securely unlock your phone with just the touch of a finger."
"“iPhone 5s sets a new standard for smartphones, packed into its beautiful and refined design are breakthrough features that really matter to people, like Touch ID, a simple and secure way to unlock your phone with just a touch of your finger.”"
"“There’s so much personal stuff on these devices; our email, our photos, our contacts. We have to protect them. The most common way is to set up a passcode. A simple 4-digit passcode, or a more complex one if you want. Unfortunately, some people find it’s too cumbersome and don't set it up. In our research as much as half of people don’t ever set it up.”"
"We’ve set up a new technology that makes this super easy to do. We call it: Touch ID."
"“Your fingerprint is one of the best passwords in the world.”"
This was said by Apple at the iPhone 5s press conference.
This says it is meant to replace the passcodes, and it was "one of the best passwords in the world", and supposed to be able to protect personal data.
Here's a cite: http://techcrunch.com/2013/09/10/live-blog-from-apples-iphon...
You can verify from other transcripts as well.
I avoided the slides they had explaining how very sophisticated the sensor technology was.
So what I'm getting at is that most of the comments in this thread smack of "Apple never really meant it to do X, or Apple didn't say it would be all that secure". They did, on both counts.
They said it would replace passwords, and they said it was quite secure.
The claims otherwise are ridiculous.
Just because it can be hacked does not mean it is a bad method to use.
Number 1 on the list from the Toronto Star was "How long before hackers crack the security function?" How 'misinformed' of them.
The steps which the Chaos Computer Club took to break into an iPhone, no criminal would even think of undertaking. In the criminal world the longer it takes to steal something, the higher the chance you'll be caught. It's no different to an engine immobiliser that prevents a car from being stolen. If a criminal were to take their time, they could pop the bonnet and start the car, but most criminals will just take your stereo and car contents and leave the car if they can't get it started within a couple of minutes...
Although, having said that. Apple's marketing speak does make Touch ID sound much more secure than it actually is. This might come back to bite them in the behind one day if the wrong person has their iPhone and data stolen and decides to act upon Apple's somewhat deceivingly clever marketing speak in a court room with dollars to spare.
And besides making it easier for people to spend money without having time to think, a fingerprint scanner to the not-so-technology inclined sounds futuristic and cutting-edge, which in turn will sell millions upon millions of iPhone units. While many who frequent HN can see past the marketing spin and realise a fingerprint scanner isn't all that exciting or new, the lowest common denominator who buys an iPhone sees things differently.
- the capacitance of the ridges and crests of one's fingerprint dominates any differences in subcutaneous capacitance (possibly because they are closer to the scanner, or because there simply is too little variance in capacitance between flesh and hair veins)
- subcutaneous structures resemble fingerprints too much (seems quite possible, as there must be a reason that it is hard to permanently change one's fingerprints by using sandpaper)
Aside: a Google found this procedure: http://www.zoklet.net/bbs/archive/index.php/t-202956.html I don't have the faintest idea whether that is real, but regardless, I don't recommend it.
Yes, it could also be Johnny Appleseed's fingerprint, used as an image users are familiar with, but http://en.wikipedia.org/wiki/Friction_ridge seems to confirm it, too ("The pattern of ridges they produce in hands and feet". I'm not sure whether "they" refers to the epidermal cells or to the blood vessels (less likely), but that doesn't matter).
TouchID is just another fingerprint reader - albeit one that's easier to use.
Even the ones that use capacitance can be beaten with a rubber glove and a copy of the fingerprint, printed on the latex. (The best is actually a vinyl condom that doesn't come pre-lubed; the ink sticks better and the vinyl is less of an insulator.)
"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake",
I'd be really curious to see what you could do with a high-resolution smartphone camera and a little image processing.
Also, there are a lot fewer fingerprints than the world has been led to believe. Especially since we each have 10 to try, since the phone only checks 1.
"Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
It explains why Brazil is trying to put biometric scanners on the electronic voting machines.
That said, hypothetically, let's say I get arrested and the police take my phone. My phone has my fingerprints all over it. What is to stop them, legally, from using my prints on the phone to unlock my device?
I say this not to spark an argument but as a real question, I bought an iPhone 5S and I really am interested to know if any law would protect my phone if it was taken in such a situation?
Additionally, all of this was done with molds of the target finger - not from lifted fingerprints. Completely different target.
The point of TouchID was to have a more secure default for most than a 4 digit pin or, more commonly, no pin or password at all. Few people would be happy with having to enter a 12+ character alphanumeric password each time they wanted to use their phone, you're an outlier there.
I presume longer codes are ok on iphones even today?
That was a great episode. Beating the thermal sensor was great too.
Since it uses RF and goes beyond the outer layer of skin, how do we know that the middle finger wasn't already registered?
From a real security perspective, users should have alphanumeric password, as far as I know, businesses often enforce this.
Obviously a 4-digit code is easy to brute-force on a computer, but it requires far more technical knowledge to do so - booting custom firmware, using some script to brute force, etc, and if the attacker doesn't have the skills, they are limited to 10 tries, maybe more after waiting a few minutes or an hour.
It seems to me that, excluding users leaving smudges on their screen and seeing the passcode that way, a fingerprint is even easier to break than a 4-digit passcode.
I'll hazard a guess that abuse by acquaintances, intimate or casual, is the most common risk to smartphone users, and that the fingerprint is an incredible improvement over the status quo.
I think TouchID provides good security against 'casual attacks' - those by people who see you use your phone a lot, people who aren't going to put much effort into an 'attack', just try and post things on your Facebook account while you're out of the room.
However, in the case of 'real' security, where a person is being targeted for their data, or anything like that, I think it would provide less security.
Oh I think it's cool to notice, for instance, that a physics major uses 3141.
I own almost none of the materials they list. They have a very different idea of what materials can be found in almost every household.
You might not own a laser printer but surely you have a library or kinkos nearby that makes the distinction academic.
Today: "Fingerprint scanning on my phone ... that's super convenient."
Tomorrow: "Fingerprint scan required by government ... oh well, I already use that on my phone."
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.
iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
Reasonable technically informed paranoia is what made the NSA releases fairly unsurprising to me as well. My rule with security is that if it can be done, then it will be abused. It's basically a Murphy's law for humanity.
Trust nothing. Trust no one. Doubt everything.
This is an OPTIONAL replacement for the pass code.
However you feel about its level of security it is definitely more secure than a passcode which is the other option.
If someone wanted to target you for whatever reason then how long would they have to follow you with a high zoom camera before they would see you type the passcode in? The passcode/touch ID is to stop opportunistic unlocks not a determined attacker.
Of course if CCC knows which finger was registered, AND has a perfect print left on the device AND they know which print corresponds to the finger registered on the device, of course they can crack it. But if they have to guess which print on the device cracks it, I'm willing to bet they trigger the 5 failed attempts which then requires a passcode (and 10 failed attempts wiping the phone, although this is optional).
This means there are more than 10 options (which finger AND what part of each finger) you could use as a print. The oft cited scenario of police being able to compel you to input your print assumes they know what part of your hand unlocks the phone. They can't make me divulge the part of my hand that's registered just like they can't make me divulge my password.
Yes you can't change your fingerprint, but you can change which is registered on the device (or with the bank, or whatever) and I'm guessing financial transactions outside of iTunes might require a passcode also. It's just another layer of optional security. Clearly it shouldn't be relied on as a foolproof, 100% secure authentication system but it certainly shrinks the pool of people who can gain access to my phone from "anyone who sees me unlock it several times a day" to "fingerprint forgery experts and highly sophisticated and motivated criminals."
I wonder how many attempts the CCC guys had before they were successful?
Merkel personally assured Obama that she would refuse Snowden, in case he applied for asylum in Germany.
Makes it pretty clear what the world can (not) expect from Germany.
Or, if your target is paranoid and uses a very long passcode, target the charger rather than the device itself. iOS assumes any physical device to which it is connected when unlocked is secure. Replace the usb brick with a small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case. Then wait until your target plugs in his iDevice and unlocks it. You can then dump the drive, or side load malicious code.
It's clear you've never actually attempted this. The timeout between passcode entries increases with the number of consecutive failures. Get 10 wrong in a row, and the device is wiped (if the user has chosen that option).
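The lockout behaviour discussed in the thread (biometric falls back to the passcode after a few misses, the delay between passcode attempts grows with consecutive failures, and an optional wipe after 10 bad passcodes) is easy to reason about once written down as a small state machine. The following is an added illustration, not code from the thread or from Apple; the delay schedule and the exact thresholds are assumed values chosen to show the shape of the policy, not Apple's real ones. The last function simulates how many online passcode guesses such a schedule permits inside a time window, which is the number that matters against a 10,000-combination 4-digit keyspace.

```python
"""Model of an escalating unlock-attempt policy (added example, assumed parameters)."""
from dataclasses import dataclass

BIOMETRIC_FALLBACK_AFTER = 5   # assumed: biometric is disabled after 5 misses
WIPE_AFTER = 10                # assumed: optional wipe after 10 bad passcodes
# Assumed escalating delay schedule in seconds, indexed by consecutive failures.
DELAY_SCHEDULE = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]


@dataclass
class UnlockPolicy:
    passcode: str
    enrolled_finger: str          # stands in for the enrolled template
    wipe_enabled: bool = True
    biometric_failures: int = 0
    passcode_failures: int = 0
    wiped: bool = False
    locked_until: float = 0.0     # earliest time the next passcode try is accepted

    def biometric_allowed(self) -> bool:
        return not self.wiped and self.biometric_failures < BIOMETRIC_FALLBACK_AFTER

    def try_finger(self, presented: str) -> str:
        """Biometric attempt: a miss counts, and too many misses force the passcode."""
        if self.wiped:
            return "wiped"
        if not self.biometric_allowed():
            return "passcode_required"
        if presented == self.enrolled_finger:
            self.biometric_failures = 0
            return "unlocked"
        self.biometric_failures += 1
        return "rejected" if self.biometric_allowed() else "passcode_required"

    def try_passcode(self, presented: str, now: float) -> str:
        """Passcode attempt at time `now`; failures escalate the lockout delay."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked_out"
        if presented == self.passcode:
            self.passcode_failures = 0
            self.biometric_failures = 0      # a good passcode re-enables biometrics
            return "unlocked"
        self.passcode_failures += 1
        if self.wipe_enabled and self.passcode_failures >= WIPE_AFTER:
            self.wiped = True
            return "wiped"
        step = min(self.passcode_failures, len(DELAY_SCHEDULE) - 1)
        self.locked_until = now + DELAY_SCHEDULE[step]
        return "rejected"


def online_guess_budget(window_seconds: float, wipe_enabled: bool) -> int:
    """How many passcode guesses the schedule allows through the lock screen
    within `window_seconds`, assuming the guesser always waits out each delay."""
    policy = UnlockPolicy("correct", "finger", wipe_enabled=wipe_enabled)
    now, guesses = 0.0, 0
    while now <= window_seconds:
        result = policy.try_passcode("wrong", now)
        guesses += 1
        if result == "wiped":
            break
        now = policy.locked_until
    return guesses


if __name__ == "__main__":
    print("guesses per day, wipe on :", online_guess_budget(86400, True))
    print("guesses per day, wipe off:", online_guess_budget(86400, False))
```

With the assumed schedule the lock screen admits only a few dozen guesses a day even with wipe disabled, which is why the comment that follows is right that an attacker who can get at the data at all would not be typing codes into the lock screen.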
> Or, if your target is paranoid and uses a very long passcode, target the charger rather than the device itself. iOS assumes any physical device to which it is connected when unlocked is secure. Replace the usb brick with a small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case. Then wait until your target plugs in his iDevice and unlocks it. You can then dump the drive, or side load malicious code.
This no longer works on iOS 7. The user has to manually choose to trust the computer they're attached to prior to any communication going across the wire.
> The timeout between passcode entries increases with the number of consecutive failures. Get 10 wrong in a row, and the device is wiped (if the user has chosen that option).
Only if you're typing in pass codes to the lock screen, which isn't how it's done. An attacker would instead image the flash, grab the Dkey from effaceable storage, and decrypt the filesystem. Indeed this is exactly how professional iOS forensic analysis kits work. This will get you access to SMS, photos, and anything else that doesn't fall under Data Protection.
Data Protection, a second level of encryption that uses your passcode to generate keys, is only used on the keychain block and emails by default. To crack Data Protection, use brute force on the copied data, not on the iDevice itself.
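The two-tier scheme the comment above describes (a device-bound key in effaceable storage that wraps per-file keys, plus passcode-entangled keys for the Data Protection classes) is worth seeing as a concrete key hierarchy, because it shows exactly which data a flash image yields with and without the passcode, and why erasing one small key is enough for a remote wipe. The model below is an added illustration with constructed keys, not Apple's implementation or any code from the thread: the key wrap is an HMAC-derived mask with an integrity tag standing in for a real key-wrap algorithm, the class key is PBKDF2 over the passcode salted with the device key, and the iteration count is an assumed work factor.

```python
"""Toy two-tier key hierarchy (added example; constructed keys, assumed parameters)."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000   # assumed work factor for the passcode-derived class key
KEY_LEN = 32


def derive_class_key(passcode: str, device_key: bytes) -> bytes:
    """Passcode-entangled class key: needs BOTH the passcode and the device key,
    so the derivation cannot even start without the device-bound material."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_key,
                               KDF_ITERATIONS, KEY_LEN)


def wrap_key(file_key: bytes, kek: bytes, file_id: str):
    """Mask the file key with an HMAC-derived pad bound to the file id and attach a
    tag so that unwrapping under the wrong key is detected (stand-in for AES key wrap)."""
    pad = hmac.new(kek, b"wrap:" + file_id.encode(), hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(file_key, pad))
    tag = hmac.new(kek, b"tag:" + file_id.encode() + file_key, hashlib.sha256).digest()[:16]
    return wrapped, tag


def unwrap_key(wrapped: bytes, tag: bytes, kek: bytes, file_id: str):
    """Return the file key, or None if `kek` is not the key it was wrapped under."""
    pad = hmac.new(kek, b"wrap:" + file_id.encode(), hashlib.sha256).digest()
    candidate = bytes(a ^ b for a, b in zip(wrapped, pad))
    expected = hmac.new(kek, b"tag:" + file_id.encode() + candidate, hashlib.sha256).digest()[:16]
    return candidate if hmac.compare_digest(expected, tag) else None


class Device:
    """Files are either device-key-only (readable from an image plus the device key)
    or passcode-protected (additionally need the user's passcode)."""

    def __init__(self, passcode: str):
        self.device_key = secrets.token_bytes(KEY_LEN)   # constructed; effaceable-storage key
        self._passcode = passcode
        self.files = {}   # file_id -> (protected, wrapped_key, tag)

    def store(self, file_id: str, protected: bool) -> bytes:
        file_key = secrets.token_bytes(KEY_LEN)
        kek = derive_class_key(self._passcode, self.device_key) if protected else self.device_key
        self.files[file_id] = (protected, *wrap_key(file_key, kek, file_id))
        return file_key

    def recover(self, file_id: str, passcode: str = None):
        """What a flash image plus the device key yields, with or without the passcode."""
        if self.device_key is None:
            return None                      # device key erased: nothing unwraps
        protected, wrapped, tag = self.files[file_id]
        if protected:
            if passcode is None:
                return None                  # Data Protection class needs the passcode
            kek = derive_class_key(passcode, self.device_key)
        else:
            kek = self.device_key
        return unwrap_key(wrapped, tag, kek, file_id)

    def remote_wipe(self):
        self.device_key = None   # erasing one key renders every wrapped file key useless


if __name__ == "__main__":
    d = Device("1234")
    photo = d.store("photo.jpg", protected=False)
    keychain = d.store("keychain", protected=True)
    print("photo without passcode :", d.recover("photo.jpg") == photo)
    print("keychain no passcode   :", d.recover("keychain") is None)
    print("keychain right passcode:", d.recover("keychain", "1234") == keychain)
```

The asymmetry the model exposes is the one the comment is making: for the default class only the device key stands between a flash image and the plaintext, whereas the passcode class forces a guess-per-derivation cost that scales with the iteration count and the passcode's keyspace, so the passcode's length is the only lever the user controls.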
>This no longer works on iOS 7. The user has to manually choose to trust the computer they're attached to prior to any communication going across the wire.
Cool, I didn't know that.
Here's a good overview: http://mobappsectriathlon.blogspot.com/2012/09/how-do-you-pr...
Yep, as I suspected, you haven't done this ;) Please don't discuss how "simple" it is if you're getting your info from third parties. You can't image the flash. None of this works how you think it does, because the forensics toolkits left out a crucial detail in their marketing.
The dirty secret? You need a 0day bootrom exploit. The professional kits use the limera1n exploit, which was patched years ago.
Nope, I've never done this live. For this I'm reliant upon what I've read. Feel free to tell me what's wrong. Stating how it works, or pointing the way to an accurate source, is infinitely more helpful than saying "you're wrong", even if it might feel satisfying.
Here's my understanding of how the initial loading works. BootROM uses a series of RSA validity checks on the chain of software components to load the RAMdisk (which is used for update in DFU mode.) To load your own RAMdisk, you need an exploit in bootROM (which are the same exploits used for jailbreaking, and thus of high value for the community to discover.)
Even with the multi-thousand dollar forensics kits, you cannot even begin a brute force PIN attack on any bootrom for any iPhone or iPad still on sale. The last devices it worked on were the iPhone 4 (not 4S) and iPad 2.
Pretending to have knowledge when you don't understand the fundamentals of the problem is both a good way to make yourself look foolish, and is certainly the cardinal sin in engineering. For that, I apologize.
For context, the reason I've been insistent is that there is a particular company that claims to be able to pull data from iPhone 5 and below in spite of the encryption. Whether this is true or not, I don't know, but I've heard it from a person I trust in mobile security.
If you keep up with the jailbreak hacking community (which I'm just now getting into), the Grugq (a fairly reputable source) posted on MuscleNerd's twitter that he's heard a private company has a new 0-day bootrom exploit, which would fit with the information I've heard.
Regardless, I should have just shut the f*ck up and let you teach me some science, instead of letting my competitive instincts lead me down a rabbit hole. I'll work on that.
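The signature chain described in the "Here's my understanding of how the initial loading works" comment above, as an added example written for this page (it is not Apple's code and does not reproduce the real iOS image format). Assumptions: a single vendor root public key that the ROM-resident loader trusts, RSA PKCS#1 v1.5 over SHA-256 as the signature scheme, and four placeholder stages named LLB, iBoot, kernel and ramdisk whose "images" are constructed byte strings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Stage is one boot component: an image plus an RSA signature over
// SHA-256(image) made with the vendor's private key. The matching public
// key is the one the ROM carries; it is the only root the loader trusts.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// GenerateVendorKey stands in for the vendor's offline signing key
// (and, when called by an attacker, for a key the ROM does not know).
func GenerateVendorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// SignStage is the vendor-side step: hash the image and sign the digest.
func SignStage(priv *rsa.PrivateKey, name string, image []byte) (Stage, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Stage{}, err
	}
	return Stage{Name: name, Image: append([]byte(nil), image...), Sig: sig}, nil
}

// verifyStage is what each loader does before handing control to the next image.
func verifyStage(root *rsa.PublicKey, s Stage) error {
	digest := sha256.Sum256(s.Image)
	if err := rsa.VerifyPKCS1v15(root, crypto.SHA256, digest[:], s.Sig); err != nil {
		return fmt.Errorf("stage %q rejected: %w", s.Name, err)
	}
	return nil
}

// VerifyChain walks the chain from the ROM-trusted root: every stage is
// verified against the root key before it is "run". On the first bad
// signature the boot halts; the returned slice lists the stages that were
// accepted before the halt, so a caller can see exactly where it stopped.
func VerifyChain(root *rsa.PublicKey, chain []Stage) ([]string, error) {
	booted := make([]string, 0, len(chain))
	for _, s := range chain {
		if err := verifyStage(root, s); err != nil {
			return booted, err
		}
		booted = append(booted, s.Name)
	}
	return booted, nil
}

// BuildChain signs a constructed four-stage chain with the given key.
// The images are placeholder bytes, not real firmware.
func BuildChain(priv *rsa.PrivateKey) ([]Stage, error) {
	names := []string{"LLB", "iBoot", "kernel", "ramdisk"}
	chain := make([]Stage, 0, len(names))
	for i, n := range names {
		img := []byte(fmt.Sprintf("constructed image for %s #%d", n, i))
		s, err := SignStage(priv, n, img)
		if err != nil {
			return nil, err
		}
		chain = append(chain, s)
	}
	return chain, nil
}

func main() {
	vendor, err := GenerateVendorKey(2048)
	if err != nil {
		panic(err)
	}
	chain, _ := BuildChain(vendor)
	root := &vendor.PublicKey // on a real device this lives in mask ROM

	booted, err := VerifyChain(root, chain)
	fmt.Println("clean chain:", booted, err)

	// An attacker swaps in a RAM disk signed with their own key. The ROM root
	// key has never heard of that key, so the chain halts before the ramdisk.
	attacker, _ := GenerateVendorKey(2048)
	evil, _ := SignStage(attacker, "ramdisk", []byte("attacker ramdisk"))
	chain[3] = evil
	booted, err = VerifyChain(root, chain)
	fmt.Println("forged ramdisk:", booted, err)
}
```

The thread's point falls out of the last lines: anyone can sign a RAM disk with a key of their choosing, but the verifier and its root key are in ROM, so unless the ROM verifier itself has a bug, the forged stage is never executed. Flipping a single byte of a legitimately signed image has the same effect, which is why the signature covers the whole image rather than a header.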
Your latter attack is an entirely different threat model, and can't be used on a stolen device.
I thought this was fixed in iOS7?
If lots of people do not use passwords on their phones for the sake of comfort then it is not anyone's fault that their phones are logged into or information stolen. Information is stolen because the user is too lazy to secure the device.
When Apple says one can use a fingerprint to do transactions then I have to assume that the transaction cannot be done by anyone other than me and by any other means through the phone.
Now that this type of security is on the iPhone, it is likely to become widespread, which will only further increase the value of improving attacks on this particular security measure.
Yeah, easy as pie.
Finger chopping should be added to this xkcd:
I could steal your phone and manage to unlock in the process by taking your hand and unlocking the phone before walking away, somewhat more difficult to do with a passcode.
They don't show if they can scan the fingerprint off the phone. I would imagine that it could be quite tricky to get that level of resolution.
I would like to see a complete hack purely based on a fingerprint on the phone.
Left arrow key? Coffee cup? Left button of a mouse? Car door handle?
Will the quality of the fingerprint you can extract that way, using whatever means you have, be of high enough quality?
It is not obvious to me that you'll be able to get something that is 2400 DPI quality.
A sampling frequency of 20 points per mm is high enough to visualise a fingerprint in sufficient detail for identification purposes https://en.wikipedia.org/wiki/Fingerprint#Research
Random #s: 20dpmm = 5,080dpi? Sounds like 2400dpi sensing is certainly insufficient for research-grade identification... and therefore maybe easy to fool? :)
But poor security just replaces no security with a fake sense of security. I'd argue that false security is worse than no security.
YOUR FINGERPRINTS ARE ON THE PHONE...
Don't lose it !! =D
There has never been a method of security that is secure. The first thing you learn when dealing with security is there are tradeoffs between opportunity, time, money, and usability.
But as you imply, the reason we don't use it is because the opportunity cost and hassle of using it are too high for many uses.
I think trying to lift a usable fingerprint off a glass surface would be significantly more difficult than that.
"As for the tech itself, Rogers explains fingerprint scanning as a whole is more secure than the four-digit passcode. Copying someone's fingerprints remains a cumbersome process, not to mention pricey -- as much as $200,000, by some estimates."
Edit - and http://daringfireball.net/linked/2013/09/12/5s-fingerprint-s... which someone linked elsewhere in this discussion:
" And like the sensor in the iPhone 5S, the sensors ... can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. This will protect you from thieves trying to chop off your finger when they mug you for your phone (assuming they’re tech-literate thieves, of course), as well as from people with fake fingers using the fingerprint they lifted from your phone screen."
There are several things here that people in the discussion seem to miss or confuse. I've been working with biometrics and can at least try to clear things up.
For authentication (and identification) of a user we have three types of information: Things you have (a hard token generator), things you know (password) and things you are (shape of face, gait, voice, pattern in the iris, arteries in the back of the eye, hand, DNA. And fingerprints). Measuring what you are info and using it is called biometrics.
For good security we normally want to have a combination of at least two of the types. OpenID using for example a Yubikey is a good example.
The good thing with biometrics is that the user always carries the info needed with him/her. There are a few drawbacks though:
(1) The information is not very stable. It changes during the lifetime of the user. Sometimes it can be pretty rapid.
(2) The information is not very unique. Some types of biometrics are better than others. There are also differences in informational quality between individuals and ethnic groups. Depending on the type of biometrics we get anything from a few bits to a few tens of bits. This means that it is not better than a good password that is 8 characters or more, but as good as or a bit better than a normal PIN code.
(3) The information is not under the user's control and can't readily be replaced. This is one thing many here and elsewhere seem to have missed in the CCC announcement. The point is that you as a user can't decide at any given time that you don't trust your token anymore, invalidate it and get a new token. That is why biometrics is foremost a tool _for others_ to identify you (passports, forensics).
The reason fingerprint based biometrics is so popular (compared to other types of biometrics) is that it is possible to build compact, cheap sensors that are pretty easy to use and are simple to integrate into digital systems.
All types of biometrics are fuzzy. We normally talk about False Acceptance Rate (FAR), that is how often do we accept a biometric ID as valid when in fact it is not. And correspondingly we have False Rejection Rate, where a valid ID is rejected. Good biometric systems have FAR, FRR under 10%. But for a busy airport there is still quite a few mistakes during a day.
The way a fingerprint based biometric system normally works is that you have a sensor that creates an image (256 levels of gray scale or similar). The image is then processed (differential filters etc.) followed by feature extraction. The features are called minutiae:
Typically whorls, where lines end, merge or split. Normally we find 8-10-15 or a few more good minutiae in the image. Based on the location of the minutiae we create a graph.
The graph is then stored (if registering a user - called enrollment) or compared to stored graphs. And here comes the fuzziness. The graph will not be similar so we simply can't do a SHA-1 digest and match. The graph will be rotated, scaled, stretched, have fewer or more points. Basically fuzzy congruence matching with threshold.
The feature extraction can be done directly in the sensor. But in the case of TouchID I don't think so. Apple bought Authentec and their area sensors (that can capture a whole image directly. Sweep sensors detect movement of a finger over the sensor, estimate speed and stitch image slices together) simply delivered a raw image. This means that the filtering, feature extraction and matching is done inside A7.
Apple has touted the security of the processing. Basically it is ARM TrustZone, used in several other devices.
TZ is good, but there has been attacks published. And there is nothing that says that Apple has not added a read port from the untrusted enclave into the memory of the trusted enclave. For efficient debug reasons for example.
So. Biometrics is fuzzy and will give false acceptance (as the main problem; rejection is less of a problem). There is quite probably an image available in the A7 and we really don't know if it and/or the graph database is in fact accessible.
When it comes to the CCC attack - we simply don't know if they tried lower resolution before ending up with 2400 dpi. I wouldn't be surprised if it works (at least sometimes - fuzziness again) with lower resolution. Also attack always gets better. I'm prepared to bet a good IPA that someone within 2 years will show how he/she can unlock a 5S just by smartly pressing on the home button while breathing to activate residue as fingerprint. It has been done with area sensors such as Authentecs before.
TouchID is good if it makes users without a PIN use it. But if it gets users with PINs to stop using PINs, it is not as good. What would be great is if we could combine TouchID with a PIN or password. All the time.
I hope all this explains a few things. And remember, once again, the main problem with biometrics is that it can't be changed at will by the user. Good for others, less so for the user.
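The minutiae-graph matching and the FAR/FRR tradeoff from the biometrics comment above, as an added example written for this page (it is not Apple's or Authentec's matcher). Assumptions: a minutia is a position in pixels plus a ridge direction in radians; alignment is found by trying each probe/template minutia pair as an anchor, which fixes a rotation and translation; a pair counts as matched within 8 px and 0.3 rad; the score is 2*matched/(|probe|+|template|) against a fixed threshold. The enrolled template, the re-presented finger (rotated, shifted, jittered, one minutia missed and one spurious one added), a poor-quality partial capture and the impostor finger are all constructed data, not real fingerprints.

```go
package main

import (
	"fmt"
	"math"
)

// Minutia is one feature point: position in pixels and ridge direction in radians.
type Minutia struct {
	X, Y, Angle float64
}

const (
	distTol  = 8.0 // pixels: how far a probe minutia may land from a template one
	angleTol = 0.3 // radians: how far the ridge directions may differ
)

// angleDiff returns |a-b| wrapped into [0, pi].
func angleDiff(a, b float64) float64 {
	d := math.Mod(a-b, 2*math.Pi)
	if d > math.Pi {
		d -= 2 * math.Pi
	}
	if d < -math.Pi {
		d += 2 * math.Pi
	}
	return math.Abs(d)
}

// rotate returns m rotated by theta about the origin.
func rotate(m Minutia, theta float64) Minutia {
	c, s := math.Cos(theta), math.Sin(theta)
	return Minutia{X: m.X*c - m.Y*s, Y: m.X*s + m.Y*c, Angle: m.Angle + theta}
}

// countMatches applies (theta, dx, dy) to the probe and counts one-to-one
// correspondences with the template inside the tolerances.
func countMatches(probe, template []Minutia, theta, dx, dy float64) int {
	used := make([]bool, len(template))
	n := 0
	for _, p := range probe {
		q := rotate(p, theta)
		q.X, q.Y = q.X+dx, q.Y+dy
		for j, t := range template {
			if !used[j] && math.Hypot(q.X-t.X, q.Y-t.Y) <= distTol && angleDiff(q.Angle, t.Angle) <= angleTol {
				used[j] = true
				n++
				break
			}
		}
	}
	return n
}

// Score is the fuzzy congruence match: every probe/template pair is tried as
// the alignment anchor (its angle difference gives the rotation, its position
// difference the translation) and the best normalised match count is returned.
func Score(probe, template []Minutia) float64 {
	if len(probe) == 0 || len(template) == 0 {
		return 0
	}
	best := 0
	for _, p := range probe {
		for _, t := range template {
			theta := t.Angle - p.Angle
			q := rotate(p, theta)
			if n := countMatches(probe, template, theta, t.X-q.X, t.Y-q.Y); n > best {
				best = n
			}
		}
	}
	return 2 * float64(best) / float64(len(probe)+len(template))
}

type Attempt struct{ Probe, Template []Minutia }

// Rates returns (FAR, FRR) at a decision threshold: FAR is the fraction of
// impostor attempts accepted, FRR the fraction of genuine attempts rejected.
func Rates(genuine, impostor []Attempt, threshold float64) (far, frr float64) {
	fa, fr := 0, 0
	for _, a := range genuine {
		if Score(a.Probe, a.Template) < threshold {
			fr++
		}
	}
	for _, a := range impostor {
		if Score(a.Probe, a.Template) >= threshold {
			fa++
		}
	}
	if len(impostor) > 0 {
		far = float64(fa) / float64(len(impostor))
	}
	if len(genuine) > 0 {
		frr = float64(fr) / float64(len(genuine))
	}
	return far, frr
}

// Template is the enrolled graph for one finger (constructed, not real data).
var Template = []Minutia{
	{20, 30, 0.0}, {50, 35, 0.5}, {80, 40, 1.0}, {30, 70, 1.5}, {60, 75, 2.0},
	{90, 80, 2.5}, {40, 110, 3.0}, {70, 115, -1.0}, {100, 120, -0.5}, {55, 140, -1.5},
}

// Impostor is a different constructed finger.
var Impostor = []Minutia{
	{25, 40, 3.0}, {60, 30, 2.9}, {90, 45, 3.1}, {35, 80, 3.0}, {65, 85, 2.95},
	{95, 90, 3.05}, {45, 120, 2.9}, {75, 125, 3.1}, {20, 140, 3.0}, {100, 140, 2.95},
}

// GenuineProbe is the enrolled finger presented again: rotated 0.15 rad,
// shifted by (7,-4), each minutia jittered, the last one missed by the sensor
// and one spurious minutia picked up from noise.
func GenuineProbe() []Minutia {
	jitter := [][3]float64{{0, 0, 0}, {1, -1, 0.02}, {-1, 0.5, -0.03}, {0.5, 1, 0.01},
		{-0.5, -1, 0.04}, {1, 1, -0.02}, {-1, -1, 0.03}, {0.5, -0.5, -0.04}, {1, 0, 0.02}}
	probe := make([]Minutia, 0, len(jitter)+1)
	for i, j := range jitter {
		m := rotate(Template[i], 0.15)
		probe = append(probe, Minutia{m.X + 7 + j[0], m.Y - 4 + j[1], m.Angle + j[2]})
	}
	return append(probe, Minutia{150, 20, 1.0})
}

// PartialProbe is a poor-quality presentation where only five minutiae were found.
func PartialProbe() []Minutia {
	probe := make([]Minutia, 0, 5)
	for _, t := range Template[:5] {
		m := rotate(t, 0.15)
		probe = append(probe, Minutia{m.X + 7, m.Y - 4, m.Angle})
	}
	return probe
}

func main() {
	fmt.Printf("genuine %.3f  partial %.3f  impostor %.3f\n",
		Score(GenuineProbe(), Template), Score(PartialProbe(), Template), Score(Impostor, Template))
	genuine := []Attempt{{GenuineProbe(), Template}, {PartialProbe(), Template}}
	impostor := []Attempt{{Impostor, Template}}
	for _, th := range []float64{0.6, 0.7} {
		far, frr := Rates(genuine, impostor, th)
		fmt.Printf("threshold %.1f: FAR %.2f FRR %.2f\n", th, far, frr)
	}
}
```

Two things the comment describes show up directly: the graph is never compared byte for byte (the rotated, shifted, jittered presentation still scores 0.9 because the matcher searches over alignments), and the threshold is a dial between the two error rates: raising it from 0.6 to 0.7 starts rejecting the poor partial capture of the genuine finger without changing how the impostor fares.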
So what is a realistic way to clandestinely grab a print?
They had to have served the minister a drink that would not cause precipitation to form on the surface of the glass and specifically target him. Then you need to actually process the print.
A better measure would be how easy it is to lift a usable print from a crime scene. But even this has problems. You need to target a person to know whose prints you have.
If you just randomly pickpocket a phone, how do you get the print? How do you identify which finger was used? You need to get lucky or get 10 good prints.
I agree with others. The real question here is, "Is this better than no password?" I think the answer is, yes.