Touch ID Already Defeated
The Chaos Computer Club has reportedly figured out how to defeat Touch ID, the fingerprint scanner in the iPhone 5s, with a fake finger. The method involves taking a 2400 dpi picture of an approved fingerprint, laser printing the image with a thick toner setting, and smearing latex on top to create a mold. Starbug, the hacker who performed the tests, said that the main difference between Apple’s sensor and others is that Apple’s has a higher resolution.
This is not to say that we should throw prudence out the window -- I certainly lock my house, my truck, my computer, my phone, etc. -- but locks only keep honest people out.
Imagine if "hackers" were constantly testing your security by showing how to break into your house, your car, etc. like they do with computers, phones, printers, microwave ovens, pacemakers, etcetera. I am sure I missed some.
A fair point, and one that I'm sympathetic to, but I think the difference is that we're being told by the companies building this technology that it's secure, so the demonstrations aim to show the validity (or lack thereof) of those claims. In the more egregious examples, it's a little like a door company claiming that their screen door will deter thieves because it has a simple lock, when it's obvious that anyone could slash the screen with any piece of metal.
I was thinking more along the lines of public sharing of how to break into specific homes, cars, etcetera. Imagine the paranoia.
Yes, it's an easily crossed line, depending on how specific and personal it gets, but this is at a product level. So it's like showing how to open a Kryptonite bike lock with a Bic pen, to give a real example. People who own, or are considering, Kryptonite locks would want to know about that. (This exploit is old, so I assume it no longer works on modern bike locks.)
C'mon, give me a break. They haven't 'defeated' the TouchID. Their 'hack' only works if they already have a copy of your fingerprint. That's like saying they can defeat password protection if they know your password.
Just plain silly.
No, it's not a serious vulnerability, but the point is that the Touch ID scanner can be fooled with a fake finger. Now that it's clear that a fake is sufficient, you can bet that people will start investigating other methods of creating the fake.
This demonstration is not nearly definitive enough to even prove that they did, in fact, defeat TouchID. But for sure, many are trying to do just that, and nothing is truly impenetrable... I commend Apple for trying to maintain the balance between security and usability.
Multiple people have confirmed the process: http://news.cnet.com/8301-1009_3-57604255-83/touch-id-hack-verified-as-legit/
Ok then. Backup plan. Wonder if a nose print would work? Hard to find anywhere to lift those from. ;)
My understanding is that nose prints, cat paw prints, nipple prints, and even…other parts will work.
I was going to mention "other parts" but thought better of it. Hope that doesn't catch on.
Department store windows! :-)
I was careful not to call it a "hack," since it's not. But since Touch ID can be fooled by a fake finger, something which should not happen, it has, in fact, been defeated.
However, it's not a vulnerability that I'm terribly worried about, since it takes prolonged access to a phone and a significant level of skill.
Most people don't even use a simple password on their phone. Touch ID solves this problem quite elegantly and almost transparently.
If your iPhone contains sensitive material, you may simply use the traditional password that is available as an additional measure, after you have passed the Touch ID test.
My understanding is you can't require both Touch ID and a passcode to unlock your iPhone 5s. Some apps let you set a separate passcode which could help protect information stored in those apps.