Blu-tack worked on my sons 5s
anecdotal and just saying :D
Apple’s shiny new iPhone 6 can be spoofed with the same fake fingerprints that tricked its older sibling, the iPhone 5S. That's according to mobile security firm Lookout, which said it discovered that it is possible to create a fake fingerprint that's capable of fooling the TouchID fingerprint sensor of the latest iPhones (6 …
Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual
A process that could be easily devolved to a 3D Printer - which are hardly like rocking horse shit.
If there's an incentive, things will be made simple. Look at the grunts who skim cards, using quite high tech.
> A process that could be easily devolved to a 3D Printer - which are hardly like rocking horse shit.
Most 3D printers I've seen can't capture the level of detail required for a finger print - not the mass-market squirty plastic kind anyway.
As above - on many sensors blutack or plasticine works just fine. Low tech and far easier ...
> If there's an incentive, things will be made simple. Look at the grunts who skim cards, using quite high tech.
True, but that's a create once and use many kind of operation. Getting one fingerprint of one guy unlocks one phone - it's not scalable to quite the same extent.
That said, if you really really want to get into one guys phone hacking is a lot of bother - just threaten to hit him with a wrench until he gives you the pin number, or cut off his finger. Attack the fleshy part - not the technology - it's normally simpler.
Look at the grunts who skim cards, using quite high tech.
Unlike a card, you can't just skim it, possibly without the owner noticing, and reproduce the strip cheaply. You need the actual device itself, even if you can fake the print. Which is going to slow you down a lot, quite apart from the skill needed in the first place.
Outside of sci-fi films showing retina scans etc, biometrics are well and truly broken. If a physical attribute is used for access then it must be in some manner or form observable, and if it's observable then anybody with the right equipment can observe it and potentially use it
Take, for example, the bunny boiler girlfriend, who, whilst you sleep, gets your phone and presses your thumb, or whatever digit she's observed that you use, against the sensor. She now has access to everything on that device, and possibly more besides. The equipment here is your digit.
A password on the other hand is held in your head which is, at least at the moment, non observable until you enter it. Entering it carries the risk of observation but it's transitory and you can mitigate the possibility of the entry being observed.
Passwords are still the best method of computer security, at least within the private sphere.
Biometrics are broken for high security. Biometrics are great for phones. Many people don't even use a passcode for the sake of convenience. Those who do mostly use 4 digit pins (or an android gesture that is equivalent to a 4 digit pin). There have been plenty of reports showing that such a pin can be brute forced if you have access to a standard PC with the proper software. If I use a fingerprint and a long passphrase as back-up authentication I truly believe I am much more secure than the next guy.
If you worry about your credit card, do you carry a wallet in your pocket, or do you bring along an electronically keyed lockbox to the store? If anything credit card "no factor authentication" is broken, and paying with single use codes protected by single factor authentication is infinitely more secure.
Agree completely, but brute forced! Takes far too long. Far easier is just looking over the shoulder of the user entering a four or six digit pin. Users unlock their phones in public all the time. Customers enter their phone and card PIN numbers in full visibility of security cameras all the time. And The Register run their usual shit stirring contextless articles about fingerprints being crackable - as though we don't know that - all the time. As though users the world over should be oooh scared. Big deal (hint this is why there is a limit on transaction amounts: to mitigate risk). People still give credit card numbers out over the phone without great worry. A fingerprint scanner only has to be more effective than a four digit pin to be convenient and useful and that they certainly are.
"Biometrics are great for phones. Many people don't even use a passcode for the sake of convenience. Those who do mostly use 4 digit pins (or an android gesture that is equivalent to a 4 digit pin). There have been plenty of reports showing that such a pin can be brute forced if you have access to a standard PC with the proper software. If I use a fingerprint and a long passphrase as back-up authentication I truly believe I am much more secure than the next guy."
Really? You're saying that Biometrics + long passphrase is better than a swipe. Duh. If you're trying to sell biometrics, and bundling it with long passphrase, you're not doing very good sales job.
I'd drop biometrics altogether and just go with the passphrase. Every android handset I've ever seen has this capability, and it's by far superior to biometrics.
Quote
Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual."
Now that the contents of the iDevice are encrypted and Apple can't break it, the spooks will be really keen that Apple does not 'fix' this problem.
Even the multi thousand dollar ones destined for secure access to rooms. Ditto for retinal scanners and the hand scanner thing used for border entry in the US. That's why for full security you need something beyond that - so set a password in addition to using Touch ID if you think this leaves you too exposed.
Touch ID is just a convenience feature. You HAVE to set a password before you can even start using Touch ID. So basically your suggestion is to just turn Touch ID off.
Fine, if you're a lunatic about security.
Jim Jefferies has a bit about gun control that goes something like, how much do you think of yourself that you think there are people out there who are trying to break into your house and murder your family?
The same could be said for phone security. Who do you think is going to go to the trouble of spoofing your fingerprint to get at your phone data?
I'm still on a 5, so I don't know for sure, but can't you have Touch ID and a password? If I was paranoid, I'd want both, because it raises the bar.
I've got my phone now set to 4 hour timeout for passcode, because while I'm slightly paranoid I'm also lazy and don't want to enter my passcode all the time. Since my phone is usually on my person when I'm with others, I don't see it as a big risk.
In an ideal world, I'd like to see Apple have an option "use Touch ID, and also require passcode if phone has been locked for <same settings as passcode settings now>", so I could have the same thing I do now except I'd have the added protection of Touch ID. But if my phone was lost, or I was arrested and it fell into police hands, after four hours even if someone found a latent fingerprint on my phone (I hear cops are good at that) they'd also need the password to unlock it.
>>I'm still on a 5, so I don't know for sure, but can't you have Touch ID and a password? If I was paranoid, I'd want both, because it raises the bar.
No. Touch ID is a convenience feature so you don't have to enter your password. It can't be used to augment your password. What if your finger is injured, or you need somebody else to access your phone? It has to be available via password.
Since Touch ID means that you only have to enter your password once in a blue moon, you can make your password long and secure ... THAT makes the phone more secure. I used to have a 4-digit PIN on my phone which I'm sure would have been easy to see over my shoulder. Now I have a 14 (?) character password with numbers and symbols and whatnot.
Now I have a 14 (?) character password with numbers and symbols and whatnot.
Not sure if this was present in earlier versions of ios, but the current iteration has an option for the phone to wipe after 10 incorrect password attempts. If you set that (and trust it to work), 14 characters is still vast overkill. Personally I loathe when it gets down to symbols on the iphone because I find the keys a real fiddle without autocorrect. I just stick to a ten number pin, which uses the numeric keypad as with four digits - a lot less of a faff if its bloody freezing!
>>If you set that (and trust it to work), 14 characters is still vast overkill. Personally I loathe when it gets down to symbols on the iphone because I find the keys a real fiddle without autocorrect.
I think you might have missed my point, i.e., that Touch ID makes it so you hardly ever have to enter your password. So you might as well make it pretty secure, since you won't be typing it in for weeks or maybe months at a time.
... I guess I'll go back to having a 4 digit PIN on my phone instead.
That's the intended takeaway from this article, right?
Set the password type to "advanced" but then use a digit only password. It still gives you the numeric keypad but anyone trying a 4 digit code won't get anywhere :). However, the highlighting of the individual digits of such a password is easy to shoulder surf, I wish I could switch that off.
Personally I'd be much happier with a timeout on the FP reader which would then ask for a password/PIN instead. That way, if I was using the phone a lot it would be easy to open, yet be restricted to me and longer absence would still lock it "proper". Hey Tim, are you listening?
>>Personally I'd be much happier with a timeout on the FP reader which would then ask for a password/PIN instead. That way, if I was using the phone a lot it would be easy to open, yet be restricted to me and longer absence would still lock it "proper". Hey Tim, are you listening?
There's already a timeout--48 hours--and I hope everybody remembers that after 5 attempts with the fingerprint scanner, the password is required, right?
I have my doubts that fingerprint spoofing would be effective in any real-world scenario. You'd have to find a patch of fingerprint on the phone big enough to satisfy the scanner, plus it would have to be of the correct finger (well, one of the ones that's programmed in), and then you'd have to apply it just-so to satisfy the scanner, and do this all without exhausting your 5 attempts.
Notice that the Chaos video showed that under absolutely ideal circumstances, their first two attempts to unlock the phone with the spoofed fingerprint STILL failed. Imagine if they didn't even know which fingerprint they should be using, or couldn't get a big enough sample of said finger??
If the scanner was completely busted, we'd be hearing reports of it being hacked ALL THE TIME. Samsung, The Register, etc. would love nothing more than to report THAT story. But it hasn't happened yet.
Fail on your part.
The fingerprint app in the Apple Store makes it clear that it doesn't save your fingerprint. So you can program it and then see the fingerprint go red or green afterwards if it matches, but as soon as you quit the app your fingerprint is gone.
OBVIOUSLY you aren't actually locking-in an iPhone in the Apple Store to your own fingerprint. Is that what you thought you were doing?
Using a fingerprint as security is doomed, as many have commented. Personally, I agree but for other reasons as well.
As I go about my daily life, I leave a bit of fingerprint here, there, everywhere. I don't do this for my PINs or passwords. It wouldn't take much for someone to scrape together a few samples of my fingerprint scraps, stitch them together (I half expect Photoshop to do this OOB) and then manufacture a quality facsimile of my print.
I've already seen with mine own eyes another fingerprint reader work with a photocopy of a fingerprint.
And once compromised, it's not as if you can reset your fingerprint.
>>As I go about my daily life, I leave a bit of fingerprint here, there, everywhere. I don't do this for my PINs or passwords. It wouldn't take much for someone to scrape together a few samples of my fingerprint scraps, stitch them together (I half expect Photoshop to do this OOB) and then manufacture a quality facsimile of my print.
Are you some kind of foreign dignitary? Do you have the codes to nuclear weapons? Who in gods name is going to follow you around, James Bond style, lifting sections of your fingerprints from cocktail glasses and piecing them together? (Never mind, James Bond would never do that either. He'd punch you and then use your own damn finger to unlock your phone while you were unconscious. Another security "vulnerability" I suppose?)
BTW -- using Touch ID on an iPhone isn't mandatory.
I've recently purchased a phone with TouchID and whilst it quite obviously isn't panacea from a security perspective, I think it's a fantastic feature. It works quickly and reliably. I've gone from a 4 digit pass code on a 5 minute time-out to my phone now requiring my fingerprint for every unlock, with a much longer pass code needed if my fingerprint isn't available for any reason. More security for less inconvenience. I'd go as far as saying it's my favourite feature on the phone.
I ordered the 5S the second it became available online so I could have this feature.
Even if it only takes you 1-2 seconds to type in a PIN number of whatever, why waste those seconds of your life every time you want to reply to a text message or take a picture or do some other mundane task?
Touch ID works so well for me that I often completely forget I even have it. Sometimes I will hand my phone to someone so they can browse through my music collection or whatever and get confused as to why they can't unlock it. Or there are times when I try to unlock the phone with the wrong finger and it takes me a second to remember why it's not working. Absolutely genius feature.
It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the devices finally locked, they would have to see the device reset.
Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password, say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.
As for an additional vulnerability unique to biometrics, we could refer to
http://mashable.com/2013/09/11/girl-fingerprint-scanner/
Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.
I do not quite understand why the clever Apple is doing such a silly thing as spreading the false sense of security under the name of security.
False. You assume that all passwords are equally secure.
If you use the fingerprint scanner, that means you will rarely have to enter your password and thus you can make your password something that's much more secure than if you had to enter it quickly every time you wanted to check your text messages.
So you're technically right that if you use Touch ID, your security is the sum of the vulnerabilities of the fingerprint scanner PLUS using a password ... but each of those is going to be MUCH more secure than just using a 4-digit PIN or similar ... so ultimately you still end up with better security.
Even Mythbusters has done a thing on fingerprint readers. Some cellophane tape to grab your prints off of a glass, transfer to some melted gummy bears in the shape of a finger, keep warm, and et voila! Fingerprint Biometrics have been vulnerable like that for years. Every so often see a new study on it as breaking news, but its just the media forgot fingerprints have already been cracked for 10-15 years at least.
Lots of self-styled security "experts" complaining about Apple's Touch ID system.
The problem is that your only experience with fingerprint scanners is when you see them used in in an episode of Alias to secure biological weapons, so you assume the only reason to have a fingerprint scanner is to provide an ultimate, definitive, unbreakable level of security.
And here you come on your white horse to point out that Apple's fingerprint scanner for consumer cell phones is actually NOT ideal for securing biological weapons. Well, yes, great, well spotted, I suppose.
Maybe you should be doing a bit of introspection and asking yourselves why your expectations for a fingerprint scanner are coming from works of fiction. Just sayin'.