Just to keep things in perspective, the goal of Touch ID is not to be unhackable. The goal is to get more consumers to move from zero security to pretty good security.
A very large number of people don't put any kind of passcode of any kind on their phone, simply because it's inconvenient. Touch ID is designed for them. It's not designed to secure nuclear footballs.
Touch ID is going to massively reduce the number of totally unsecured iPhones that require zero effort to access. That's the goal.
I think some people see "fingerprint scanner" and think "military-grade security" because that's where we've seen scanners before in movies and such. But this is really very much a solution for the consumer market, where convenience and usability are critical features of a security system. Sometimes infosec folks forget that. If you make it too hard to use (passcodes), people just bypass it. So you can blame the user, or you can try to design something easier to use. If in the end you've improved the overall security landscape, you've succeeded. I think that's what Apple is doing here.
Here's Apple's main marketing text on the subject:
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password.
It is definitely intended to replace passwords. Pretty good security would be to require both the fingerprint and a PIN (for unlocking the phone, at that stage a fingerprint is fine for authenticating iTunes' digital purchases).
I think it's more than adequate security for App Store purchases.
My debit card, for example, has "paywave" short range payment support. So anybody who has my card can go around making small purchases, no PIN, no signature needed. I'm fine with this because the convenience far outweighs the security concern.
With the iPhone an attacker who replicates your fingerprint can make purchases to your iTunes account using your phone. They can't purchase to a different account, they can't purchase to a different device. In that sense, requiring a valid fingerprint is more than secure enough — even if faked it's not going to do much damage.
Creating a fake print that can fool the scanner is so much harder than stealing someone's debit/credit card. It's also so much less damaging to the victim (making purchases on their iTunes account vs. making any arbitrary purchase).
I think the balance between security and convenience for this technology is more than reasonable.
> Creating a fake print that can fool the scanner is so much harder than stealing someone's debit/credit card.
No, it's not. Starbug used simple means starting from a photo of a fingerprint. The fact that fingerprints are blasted all over the place makes this very easy. You could probably even build a cheap machine that automates this process.
I'd argue stealing a credit card is a much simpler one step process: Step 1. steal card. Done. Pretty easy too, lots of people leave their wallet or purse unattended in all sorts of scenarios, typically with their phone sitting underneath it. The home kitchen or the desk at work are typically places.
Creating fake print: Step 1. Either find a perfect print, or a number of imperfect prints. Step 2. photograph. Step 3. enhance. Step 4. print. Step 5. Use print on suitably encoded device (which probably means steeling their phone too).
Edit: Given the front of a phone is glass, there's probably going to be a print on the screen, though I wonder if any prints take from a phone screen would be clean? I don't know.
Well, no password on their phone unlocks. But I thought Apple intended to replace your passwords in application services as well. Now, I didn't read the article at all (not a single damn word), so maybe the hack only applies to phone unlocks. If that is not the case however, then I think _you_ are missing the point. This would compromise all passwords replaced by finger print scans, right?
'every so often' seems a bit casual, for a payment [1,2]
[1] From the citation: "Passcodes and passwords aren’t completely eliminated by Touch ID, then, but they almost certainly will be later on."
[2] The glass screen will have your fingerprint on it, somewhere. That can be CSI'd by anyone who finds it. Anyone serious enough to do that (and its not much) can start escalating.
The primary use case here is keeping kids from buying apps or in-app purchases when their parents lend them the phone to play games. A casual solution is perfectly acceptable. If someone is going to go through the trouble of stealing my phone and cloning my fingerprint I'm guessing they would want more than purchasing music or apps under my iTunes account.
When most payments are under $5 it's probably ok. It's good enough for the credit/debit card payment industry, at least. (They relaxed the rules so you don't have to sign or enter a PIN for small purchases.)
Did you read the article? To crack the sensor, the would-be malevolent party needs a _2400 DPI photo of the fingerprint._
TouchID is highly secure if the only way to break into it is to have an ultra high-def image of the exact finger the device is looking for. I guess 50 character-long passcodes aren't secure because you could just tell a thief the code?
We must have wildly different definitions of "highly". I'm pretty confident I could reproduce this result in one afternoon. Compare that to other things we might consider highly secure, like strong encryption or Fort Knox. What word do you use for security measures that take non-trivial resources to circumvent?
It's not common for me to do that, but it's also not common for me to try breaking into iPhones.
But if I were trying to break into an iPhone, perhaps the finger prints are on the phone. Or some other item I also got as part of the same theft. Or I found the phone in the owner's house when I robbed it and have my pick of surfaces. Or I have the owner's prints in a database because they went were convicted of a crime(I admit I have no idea what resolution those are taken at). I don't think there's a shortage possibilities. You leave prints on almost everything you touch.
To be extra clear, I'm not saying the finger print reader isn't good enough for most iPhone users; I'm not arguing the nth-grandparent's point about that. My point is that it's not highly secure, and Apple shouldn't be marketing it that way. Similarly, the lock on my front door is plenty good for my house, but no one would ever describe my house as highly secure.
This is where things start to get tricky. I've read up on "chip and PIN" in Europe, where purchasers have to insert their cards into a reader and enter the numeric code that is stored on the card.
From what I've found online, chip-PIN does indeed reduce fraud, but when fraud does happen, it becomes extraordinarily difficult for the cardholder to get a refund from the bank.
I could see fingerprint scanning going the same way -- with vendors saying "what do you mean you aren't the one who made this purchase? The device was unlocked with your unique fingerprint!"
So you're going with a slippery slope argument? This thing could cause that thing that could cause that bad thing, so this thing is bad? I suppose that is something that could happen in the future. It's not a likely problem to complain about with this particular implementation.
You're baselessly asserting your position, though.
If you write your pin on your ATM card, they will not refund you. That is policy and they ask everytime you lose your card. The bank views this as lack of due care. Likewise, if you leave copies of your fingerprints on your payment device, they could argue that you are likewise acting with un-reasonable care.
Now that this has been (so easily?) spoofed, is it reasonable to believe it is secure? That is a valid concern. Unlike a pin, you cannot reset a fingerprint security mechanism. So when it is compromised, it is over. So, the result is messy in that it puts you in a problem using today's standard practices, but at the same time, the standard practice "defense" is not applicable, and lacks an obvious alternative.
This is not a strawman, its a legitimate edge case.
3. I will hold in strict confidence my personal identification number (PIN). I will take reasonable precautions to keep my PIN separate from my ATM card and to prevent the unauthorized disclosure of my PIN.
So, you sign an affadavit verifying you did not contravence this agreement. They will screen for this as/if you file a claim for fraud.
In particular, it turned out that there was a flaw in the Chip and PIN specification which made it possible to bypass the PIN requirement. There's some evidence this was exploited fairly widely in the wild before security researchers found the flaw, but since the banks erased the logs that recorded whether a PIN was actually used all the customers ended up liable for the fraudulent charges.
> From what I've found online, chip-PIN does indeed reduce fraud, but when fraud does happen, it becomes extraordinarily difficult for the cardholder to get a refund from the bank.
I live in Europe, and twice in the last two years or so my card details have been compromised, and both times my bank has rang me to notify me of suspicious transactions before I'd even noticed. It depends on the bank (and the country most likely) with regards to getting a refund. I got refunds no problem, but I've heard people having problems in the UK. The fraud happened online (not sure how, I'm reasonably tech savvy and careful with my card details).
When Chip and PIN came in, as part of the TOS that you accepted by using the card, it included a clause that the bank is not liable for any fraud on the card as Chip/PIN is unbreakable (the implication being you must have given away your PIN).
I believe that this has now changed (although I've not had a new card recently and I don't remember seeing any new TOS).
The big gaping problem of course being that most fraud does not involve chip+pin transactions, but online transactions that are no better protected than before.
The payment can (mostly) only benefit the device owner though, right?
Buying apps with your device is not terribly useful unless you have take full posession of the device, in which case the owner can remote lock/wipe it with iCloud and dispute the charges with their CC company.
>Having some shiny new method does not mean these people that do not currently use a pin/password will magically start using this.
It actually does mean exactly that in the aggregate. There are huge number of people that don't use pass codes not because they don't care, but because they are inconvenient. This technology is for them, and it will have nothing to do with "magic" when they adopt this fundamental improvement (that happens to be also a heavily marketed main differentiation from the previous model).
As for the people that never used a pass code because they weren't aware/didn't care... probably less adoption, but just because the feature is so heavily marketed, many of them will also use it.
But yeah. Significant numbers of people who didn't secure their devices with pass codes will now do so. No magic required.
I understand that iPhone (and iPad) allow IT to enforce setting of password (1). I think from the security perspective, IT is more worried about ability to remotely manage the device (like remote wipes in case of loss etc).
Edit: I realized that the link is for iOS 6 - though I wouldn't expect them to reduce business IT functionality, not sure if these options are still in iOS 7.
"you don’t have to enter your password" != "you don't need a password"
As I understand it every now and again Apple will prompt you to enter your passcode/password, such as when you restart your device or if you haven't unlocked it in two days. Hardly a signal that passwords are done.
My iPad asks me for my iTunes password pretty much every time I update the apps. I'm assuming this is orthogonal from my having set a PIN to unlock the thing.
>You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
What's the opinion? Apple said you can use this to replace your password. No one had an iTunes Store account without a password before, so this would 100% be replacing a password.
>> "Pretty good security would be to require both the fingerprint and a PIN (for unlocking the phone, at that stage a fingerprint is fine for authenticating iTunes' digital purchases)."
That's what I was thinking, too. The fingerprint scanner is a bit like a LoJack - it's still possible to steal a car with a "The Club" on it, but most thieves will probably just move on to another car (although I've heard that car thieves, like pick pockets, don't really steal cars anymore, just components and loose gear.)
I think it would be pretty easy to get many people's phone password -- just by being in the right place when they unlock it, and watching closely. Most people I know don't cover up their phone at all when they enter it, even in public.
So you don't need to get "in someone's head". You just need a good view of them using it.
Granted, getting an iTunes Store password by just watching would be a lot harder. But compared to the 4-digit lock screen pw (or even the Android shape pw) TouchID seems a bit more secure, at least to me.
Conversely you can just change a phone password. Hell you could rotate it daily if you wanted (surprised that's not a feature yet). But you can't change your fingerprints.
Do you think the finger prints you leave everywhere are a substitute for the 2400 dpi photograph?
I bet you if CCC wanted to make a much stronger case, they would have taken that image from a fingerprint on a glass - but that didn't work. They photographed the finger and not a stray print for a reason.
To corroborate your point, here is the transcript from the 5S launch:
"The third feature is all about security. Now we have so much personal information on our devices that we want to protect. <snipped> So we have to protect them. The most common wave of course is to set up a passcode. Simple four digit passcode or more complex one if you want. This is something you do, dozens of times a day to unlock and get access to your phone. Unfortunately, some people find that's too cumbersome and they don't set it up. In fact in our research about half of smartphone customers do not set up a passcode on the device and they really, really should. That's the team has worked so hard in the brand new technology to make this easy and fun to do."
Touch ID is not "pretty good security" it's not even "good security" it's simply very bad security.
Touch ID is better than nothing and that people use Touch ID instead of nothing is better than the current state but not by much and this definitely isn't a huge achievement. Which is really the biggest issue with Touch ID, it's advertised as such and people believe it.
I'd be willing to bet that over the next couple of years millions of people will try to log into somebodys iPhone that they shouldn't have access to, but in the process are prevented from doing so by the fingerprint based security.
I also bet, in 99.9999% or more of those cases, the attacker doesn't even attempt to bypass the security by faking the users fingerprint.
I'd also be willing to bet that these figures are substantially better than the current situation where people don't bother to lock their phone at all. People will use it because it's a gimmick, not because of it's security properties, but it will still work.
But you have to consider potential damage from the successful attack.
It doesn't matter if 99% of low damage attacks are unsuccessful but 1% high damage attacks will go through.
The solution is fine by itself but millions of people will use it and not understand the real level of protection.
The potential damage is zero. You (and everyone else in this thread) are forgetting that you can't steal an iPhone for more than 30 seconds anymore without Activation Lock locking you and everyone else out, forever, period, paragraph.
Activation Lock + Touch ID = all the security that almost anyone needs on a phone and much higher security than any of us have been used to up to now.
I think this is key here. Before, you could try and lock or wipe your phone when it was stolen. But in order for it to work the thief must have let it powered on. If he was smart and shut it off, took it home and booted into DFU mode to restore a the thing back to factory settings, you were out of luck.
But with the new Activation Lock, it supposedly doesn't matter if it is shut down, the minute someone tries to flash the phone. Be it normally via iTunes or via DFU mode and iTunes there should appear a message that the phone has been wiped and must be unlocked with the iCloud password of the account that did the wiping. So no chance to flash the phone back to factory settings.
Well right now I'd guess that the percent of high damage attacks that go through are significantly higher than 1%, so lowering that to "1%" isn't an improvement?
> Touch ID is better than nothing... but not by much
You can't be serious. A completely unlocked phone that anybody can trivially access with a swipe.. vs. a scanner that you'd have to lift and reconstruct someone's fingerprint to bypass. That is definitely a significant improvement.
Based on what they've said previously, I'm pretty sure the people who ran that competition expected TouchID to be a lot harder than this to bypass and were doing it as a publicity stunt to try and demonstrate that.
Where the fuck did that come from? It is neither baseless or FUD. That fingerprint will be sent over the wire at some point and the NSA will gladly pick it up. How you think otherwise is beyond me.
What operating system I prefer really has nothing to do with it, even if it is linux.
Posted from my iPhone, android, third mac mini, 2nd mac air, or first thinkpad who the fuck knows (or cares? oh you obviously)
> Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint.
> The Secure Enclave is walled off from the rest of A7 and as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can't be used to match against other fingerprint databases.
Then you might as well say Apple already secretly have finger scanner since iPhone first generation and already sent that data over the wire. Or may be there are also finger scanner on your keyboard right now!!! Also that video-cam on most notebook, it's now always on and secretly send the data to NSA!!!!
It's fud until you or someone else posts evidence that the fingerprint is sent over the wire, or that Apple intends to do the same (for example, code that sends the fingerprint that awaits activation by a third party). You're not going to be able to do that. It's shameful that you can't even recognize the fudishness of what you posted, especially if Linux actually is your operating system of choice and you have been through the fud wars of the late nineties and early two thousands (that was only a guess on my part).
"It's fud until you or someone else posts evidence that the fingerprint is sent over the wire"
It absolutely isn't. Even if just the hash were sent over the wire (or if it were possible for the authorities to extract it over the wire), it would be perfectly possible for the authorities to run the same hash algorithm on their candidate print and see if the hashes match. Such evidence would likely not be admissible in court but 1) it would be enough to give the authorities a tipoff, 2) for matters deemed important enough, secret trials seem to be all the rage these days.
I would be _very_ surprised if there were no backdoor in iPhones for the authorities. Even their "secure" area. The U.S. authorities simply do not take no for an answer when having a "talk" with a vendor producing a widespread "security" related product.
> I would be _very_ surprised if there were no backdoor
I'm not sure if you understand what FUD means. Your surprise or lack thereof does not count as evidence, and is irrelevant to whether something is FUD or not.
> MS Exec: "I'd be very surprised if Linux had a lower TCO than Windows Server."
Canonical example of FUD. EXACT same thing as you're saying, just in a different context.
You've got to be careful when you say things like that, because they're trivial to refute.
The whole point of a backdoor is to be obfuscated and hard to find. So it would be very likely that you would not find one even if one were present. Your example is simply a Microsoft not bothering to do something that's perfectly researchable.
We don't have any _proof_ that Dual EC DRBG is defeatable to the NSA. By your logic we should still be using it happily until we have that proof and until then any caution is simply "FUD".
So if that's "FUD", then I've got news for you: the security world is very sensibly built upon FUD.
I would be very surprised if the fingerprint is sent over the wire. Instead, I would expect the "secure enclave" to validate the fingerprint, and then emit a time-limited certificate of some sort to authenticate with servers. The fingerprint information - or derived information such as hashes - never needs to leave the phone.
While I don't have data to back it up, I believe most Android users use the draw pattern to unlock method. This feature is absolutely trivial to defeat - you can simply hold the phone up to the light, see the trails of oil left on the phone, and follow that trail. People have done this to my own phone with just a few tries.
TouchID represents a massive increase in security over draw pattern to unlock, and it's easier to use at the same time.
It probably also represents an increase in security over 4 digit PIN codes, though that's shakier.
True enough, there is other "noise" on the phone, in the form of point-like finger prints, and even other trails. But you're imagining a blank phone, where you have to try and discern one trail from another. Now turn the phone on, and the unlock background appears. Which trails intersect all of the dots of the unlock background?
It's much easier that you imagine. I've been using my phone as I normally do throughout the day, and I can see the unlock pattern clearly on the phone.
It also doesn't work nearly as well if you are OCD about wiping your screen often, not that that makes the pattern lock any better but it isn't quite that trivial to defeat
Having a lock in your front door is not perfect but it is much better than not having one at all.
The way that Apple haters use stunts like this to suspend normal logic and reasoning in order to express their juvenile spite is staggering.
No one, ever, claimed TouchID was impregnable, but it is very good security and is better than what the vast majority of people do at present.
Anyone prepared to devote the time and resources that CCC did to breaking your phone has other simpler means at their disposal. I personally believe that no one else will replicate this achievement because it is simply a publicity stunt to get clicks and feed the hordes of anti-Apple zealots.
The problem is not so much what CCC has done, but CCC has started. In the days/month ahead.. there is now a possibility of building a more practical attack.
Remember the firefox plugin which allowed users to steal FB user sessions in a cafe with Free WiFi (or any WiFi hotspot)? That wasn't a new attack.. just made an existing attack easier (and hence caught a LOT of attention).
The threat is similar. Now there is an exploit.. now the collective security researcher (and hacktivist) will work to make the hack easier by building a tool.. THERE lies the real danger.
I still commend Apple for trying. The real issue will be if I can steal the "Hash" of the fingerprint and reverse it to know who it is... so far TouchId has done well. The way that happens, Apple users will need to rethink using TouchID
> Anyone prepared to devote the time and resources that CCC did to breaking your phone has other simpler means at their disposal
Really? Lift someone's print, leave it with superglue, scan and print it and then dump glue on the scan.
That seems to be the sum total of what needs to be done. You need only sticky tape to lift the print and the rest can be done in an hour.
It sounds quite action movie, but in reality it's pretty damn simple and if I wanted to get access to your phone I could easily prepare it in advance and carry a tiny latex strip in my wallet for just the right occasion without your knowledge at any point.
It sounds quite action movie, but in reality it's pretty damn simple
Also in reality it will foil over 99% of potential unauthorized activation attempts as most people aren't going to craft fingerprints to get into someone's device.
If reality is the bar you're using, TouchID still wins.
"Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment..."
Is not about Apple haters is that the security code is actually more secure than TouchID.
If having TouchID will increase the amount of people that doesn't lock thir phone I'm up for it. But is not this amazing super-secure technology that will revolutionize the world.
Really? You think a four digit security code that users have to enter repeatedly is more secure than obtaining a 2400 dpi clean image of a specific fingerprint and a nontrivial lab procedure? It might require some patience but if you have an excuse for being around the target, it doesn't require great skill to see the digits as they are entered. In either case the adversary has to deal with Activation Lock which has been introduced with iOS7.
I've read there is already something like 35% adoption of iOS7 so we may see soon how effective Activation Lock is at deterring theft.
Touch ID is competing against pins chosen from a universe of 10,000. This isn't great security, but it's appropriate security for unlocking a device you already must have physical access to.
Actually doesn't that highlight one of the biggest flaws with this, in that your finger prints will already be all over the device? Lift the device, get the authorisation token for free. At least with a password you also need to either crack it or discover it from some other means.
So far, nobody has demonstrated an attack that is able to break the fingerprint reader by reading fingerprints off of the device (or another surface). The attack demonstrated by CCC requires them to take a high resolution photograph of your finger. It is likely substantially harder to just lift a good enough quality fingerprint to defeat the system.
I was going to argue with your statements but than I turned the screen in my phone off and realized that the front part of the screen is covered with my thumb prints, and they are ripe for photographing.
I took a security class where, amongst other things, we learned how to pick locks. After we learned how to do so with provided equipment, the instructor said "So since these locks are insecure, should I have them in my home? Yes, because if a motivated intruder wanted to come into my home, I still have windows."
Except, there is a larger point that CCC is making:
> fingerprint biometrics is unsuitable as access control method and should be avoided.
What happens when the next set of hackers figure out how to remotely access and extract the fingerprints (hashed, secured, whatever) stored on the iPhone itself?
I don't really think it is relevant. The iTunes authorisation for example wouldn't be sent the fingerprint information, it would be sent the response 'yes the person passed the test'.
The fingerprint information stored in the 'secure enclave' of the A7 is a combination of the data related to the fingerprint combined with unique information for that specific device. So even if the data could be extracted, using it for any purpose other than unlocking that specific phone would be impossible.
>I don't really think it is relevant. The iTunes authorisation for example wouldn't be sent the fingerprint information, it would be sent the response 'yes the person passed the test'.
No, it wouldn't send that response at all. That's called a client-side security control, and I'm sure you can think of why that's out of the question in any system.
I don't want to jump in on the "how secure is my phone discussion", I just wanted to point out that with all the revelations and concerns regarding privacy, a single company having fingerprints for some significant portion of North America is nothing to be taken lightly.
That said, I sincerely doubt this is the case. I imagine the phone acts as a proxy for the authentication, validating the fingerprint then sending some other form of authorization to Apple or using the fingerprint as input to a cryptographic algorothm.
We don't really know exactly what it stores, but they claim it's a hash of the fingerprint. That is not the same as the actual fingerprint at all, and it should be unusable outside the iPhone 5S ecosystem. I would imagine this hash, is also what they send to the servers to authenticate, but time will tell.
If they send a hash to servers, that still has privacy implications. Apple could build a searchable database of those hashes, and the government could issue subpoenas to search that database for particular fingerprints. Maybe that's not such a bad thing, because it could help to solve crimes, but it's worth thinking about.
The hashes, whatever they are, will not be "binary" in their nature. Matching against a range of visual characteristics requires to allow some level of fuzziness. Even assuming that near future improvements bring the false positive rate to half of that of the best forensic experts (to 0.05%), the law of large numbers guarantees that innocent people will be caught up in investigation dragnets. Just imagine the lives destroyed by these kinds of clerical errors.
The above is the same reason I'm against our national law enforcement getting access to the passport biometric databases. Even discounting the potential for abuse: once the police have a suspect with "matching" fingerprint available, they will have less incentive to find other ones.
It's a shame really, because all evidence is fuzzy on some level. DNA could be planted, videos can be a of a lookalike, or being at a particular location at a particular time could be a coincidence. I don't know exactly how law enforcement works, but they really should be looking for connections and try to explain why a suspect is not the right guy, instead of the other way around. Maybe that is just wishful thinking.
I remember reading (but can't find the source, I think it was Anand) that they store a hash of the fingerprint data and a unique identifier of the phone.
Usually when I see smart people talking about security, they think about what attack vector/situation you are trying to protect against. In this case, the situation you are trying to protect against is not keeping your phone locked when you are in custody or at gun point. The situation is someone unlocking your phone if someone swipes it from your pocket, you lose your phone, or simply leave it on your desk for a few moments as you go to the bathroom at the office. So, yes, a biometric scanner, even one that is easily beaten by an attacker, is good for this purpose.
Whatever the case, maybe we should step back and get some more perspective. How many of us don't put locks on our shared computers and phones because we don't want the inconvenience of ensuring everybody that should be allowed to use it can? My phone is a shared device and I removed any and all locks on it as I got very tired of "oh, let me unlock that for you." Basically, I want everybody that can reach it physically (when it isn't lost or stolen) to be able to access it and make calls, surf the web, use the map, search contacts, play games, etc. Is any phone locking mechanism going to work perfectly, probably not. Being able to set up my phone to unlock for anybody in my family and friends circle by something like fingerprints is a pretty good start.
> Touch ID is going to massively reduce the number of totally unsecured iPhones that require zero effort to access.
I feel like we just went through this very same drill with the Chrome team refusing to hide web site passwords behind a master password, something that all browsers, except Chrome, support. Given how stubborn the Chrome team has been in its handling of this situation, I think fighting that TouchId battle is going to be equally challenging.
Common sense is, sadly, not very common, not even among the security circles.
What worries me the most is that biometrics can be used to authorize payments, and for anyone that has crafty teenage (or younger) kinds this might sounds a bit risky. Getting access to your parents fingerprint is easy while getting access to their password is much harder.
>Just to keep things in perspective, the goal of Touch ID is not to be unhackable. The goal is to get more consumers to move from zero security to pretty good security.
Agreed. Complaining about this hack would be like people saying locks are "hackable" if you steal someones key and make a copy. There's always a way around any system, if a criminal is dedicated enough to get past it.
Piss poor excuse - think of all the users using a password now downgrading their security, but Apple advertising it as "high security".
I like what you're saying, massively allow users to secure their phones without the pain of entering a password, but when it comes at a compromise of "little is better than none" is not the mentality people need for security. I'd rather see corporations rewarding and encouraging proper security strategies rather than creating some compromise for marketing.
>Piss poor excuse - think of all the users using a password now downgrading their security, but Apple advertising it as "high security".
If you're talking aggregate security, TouchID will still increase security (even with current PIN users moving to a FP Scan) as currently about 50% don't use any sort of pass code now.
If you're talking about the ability for current PIN users to maintain their level of security if they wish, -they can still use a PIN.
Bottom line is that there will be fewer successful unauthorized login attempts in the wild.
> The goal is to get more consumers to move from zero security to pretty good security.
One might argue that Touch ID is too strong to be used where there was no security before. In an arms race with thefts and hackers, leaping too far forwards might not be the best option in the long term.
I don't know, reproducing a fingerprint is relatively easy to understand (just scan and print), while cracking a password can be more exotic to 'traditional' thieves. When today they'd just wipe the phone, tomorrow they make take the extra step of pulling out the SIM card and unlock with the fingerprint, and sell the data as well.
Your random thief is more worried about cell phone tracking than any data you have on your phone. They will wipe it as soon as possible today, and probably for the next few years; they don't give a crap about your cat photos.
Even if your phone was unlocked, they probably wouldn't bother more than a cursory glance. They have more phones to steal than to bother with is on some random person's phone. When the data is important, the theft will be more targeted.
I see where this assumption comes from, but scraping the personal info off a phone is a thing, and "random thieves" might be the minority when it comes to stealing and reselling phones (at least in europe or asia they are rarely random. It don't know for the US).
I haven't heard of it recently, but a few years ago there was a story on phone operator temporary staff that would offer clients to move their contact info from their old phone to the new one (it's a completely legit service) and keep a backup of the old info to sell it. The price for an entry was something like 2 cents, but data would be sold by batches for about 700~800 dollars.
I didn't find any quick resources in english, just for the numbers there was this piece by trendmicro (to note, they are of course biased to make the number a littre bigger)
http://blog.trendmicro.co.jp/archives/4828
I live in Beijing, the first thing the thief will do here is take the sim out and wipe the phone. They will also hawk the phone as soon as possible to maximize turnover, so it's usually possible to buy your stolons phone back within the hour.
Right. Yesterday, people clamored for a browser API to allow for that stuff to login, now that it is broken it has magically morphed into a mere 'convenience feature', a sidenote, a little fix.
(Of course, this post ends with Apple has succeeded. Sigh.)
That comment perfectly sums up what I have been trying to argue with friends the last day or two! Thank you! Presuming you don't mind I will send this over to them!
If we've learned anything over the past few months, it is that security is an illusion when it comes to Google, Apple and Facebook.
The fingerprint scanner is not intended to protect your personal data from being accessed by nefarious cyber-spooks or crackers. The $5 dollar wrench technique is fairly effective in bypassing such security anyway.
The fingerprint scanner is there so that when your phone is nicked by a mugger, they can't reset to factory defaults and sell it on eBay. If some knife wielding thug that robs me of my phone has the intellectual capability of lifting my fingerprints off the case and then using them to bypass the security, he still has to know my AppleID password before he can remove the 'Find my Phone' feature.
Give Apple a break. This is just another layer of security. It's _not_ the panacea to all our security woes, and they have never claimed it was.
Apple claims that "The technology within Touch ID is some of the most advanced hardware and software we've put in any device." [1]. This attack showed that increasing sensor resolution only requires increasing the resolution on the fake print to match.
This attack is an interesting data point in the debate over using biometrics in access control systems. Apple was hyped to have introduced something new and exciting in this space, but it's quickly been shown to not be a significant advance in fingerprint sensor technology.
Touch ID, however, is still an adequately secure access control check to be useful to consumers.
> This attack showed that increasing sensor resolution only requires increasing the resolution on the fake print to match.
Just to clarify, it wasn't just the increased resolution that was required here, but "latex milk", I assume to simulate a living finger, as well. It's not as simple as print-of-print = unlock.
It's "latex milk" today, tomorrow it might be just "regular milk" that's needed! The point is that the fingerprint security was bypassed so soon after release, and posted on the internet. Sure, it takes a lot of effort with the first generation of this hack.
No matter how cool the fingerprint tech is on iPhones, you wouldn't go as far as using it for your master access to your password manager app or bank account app.
For the purpose of replacing the lock screen pin, or as others have said, no pin at all, I think it's fine.
Past trends do indicate that. However, the very recent past indicates that Apple is getting progressively better at foiling jailbreaks. It's taking greenpois0n and those folks longer and longer to crack each successive version of iOS. Took a long time for there to be an untethered jailbreak of iOS 6 and the latest rev of iOS 6 wasn't cracked til about two weeks ago. There was no jailbreak of any kind on the iPhone 5 for several months after its release, which is a long time considering that the time between device generations is one year.
Only an idiot would buy a jailbroken phone without a clean ESN on it. Those who do, know what they are getting. And you're forgetting Activation Lock, which a jailbreak will not defeat.
You linked to a support document explaining how the technology works. You may have had a point if this was listed on their product page describing the feature, but instead you have them touting the convenience of using your finger to unlock your phone and make purchases:
You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
Regardless of whether or not fingerprint scanners are good security wise, it's a bit silly to think that phone robbing thugs are completely dim. The way it works in my first world modern country is that there are shops everywhere that unlock or reset phones as part of their services, and it isn't thugs running them. It's people with an affinity for 'tech' who just happen to deal with a shadier area.
If cracking fingerprint authentication is as easy as this article suggests then there's no doubt that these types of shops will do this readily. Steal a phone -> bring it to a place that does it.
No, this is not the same as sim unlock. Circumventing touch id technology by making fake fingerprints is exactly the same case as being called to unlock a locked doors. The specialist knows when he is liable to crime and cannot make a legal bussines out of illegal access.
Honestly I think you're underestimating the gall of certain businesses. These aren't big multinational chains, they're like booths that pop up and down every year, in the less salubrious parts of town. They might not do it as openly, but there will be places thieves can go to circumvent touch ID if it's hackable...the knife wielding thug wont have to sit in his bedroom fiddling with acetate paper.
Except where I live there is organized phone snatching. A crew of phone hackers hire drug addicts to yoink phones off transit riders and then pay them 10% of the value. They then go to work on the phone changing the IMEI and I would imagine easily bypassing this fingerprint auth. They make use of the data for fraud purposes and then wipe and sell the phone on the street, a block away from where I live outside a run down sketchy bar.
Police caught the "muggers" slipping the phones into faraday bags so they couldn't be remotely wiped which led them to the ringleaders. They were busted but I'm sure there's a new crew doing it
I don't think it's possible to change the IMEI on an iPhone at all, and "easily bypassing" touchID involves collecting the user's fingerprint, which I guess is not included in the drug addicts' service offerings.
You can swap the logic board. They sell these for $80 or just trade with somebody who has a backlisted IMEI in UK/Australia for your US blacklisted phone. There's a bunch of crime forums that offer this service
Plus, you can't get a decent sized adjustable wrench for less than $15 nowadays. Even the cheap Chinese ones that loosen the parallel alignment on the jaws after a few weeks cost more.
Agreed. But they always blow it out of proportion. As if the existing fingerprint systems are extremely insecure and theirs is not. The truth is they are all the same- insecure.
Theirs is better than the standard old fingerprint scanners and far better than using 'nothing' which is what they are replacing. They have blown nothing out of proportion.
if it causes people to behave recklessly because they have the false impression of security, when they would otherwise have taken better custodianship of their device and their data, then yes ... it can be worse than nothing.
> It's _not_ the panacea to all our security woes, and they have never claimed it was.
But they've never said it wasn't, either. It's important that everyone is in the clear about how secure TouchID is. I'm going to use it anyway, but the other decision is how much personal data I want to store on my phone.
* Note: TouchID is not the panacea to all our security woes. will not cure cancer, create world peace, does not kill kittens, [continues on listing everything it's not for 9 trillion pages]
The "How to fake fingerprints" link [1], is one of the scariest things I have seen, given how simple it is, and how much we reply on fingerprints for linking people to crimes.
BTW, for anyone who does not know about Chaos Computer Club (CCC) [2], they run a massive conference in EU. You can look at some of their talks @ http://media.ccc.de/
Frontline had an excellent piece on the (lack of) reliability behind most of crime forensics. Fingerprints in particular are mentioned as being very unreliable and unscientific. The only scientifically rigorous piece of "CSI" is DNA matching.
In addition to the chimeric qualities cited in the NYT article (I skimmed), IIRC some DNA sampling has in the past used and may still use a fairly limited profile of markers. The statistically likelihood of matches between distinct parties is in some cases well under the population of the world. Never read into it in detail, but I was left with the impression that "unique identifier" can be an over-statement/qualification also from this perspective.
>The statistically likelihood of matches between distinct parties is in some cases well under the population of the world.
In addition to that, there are problems with bias and statistical independence. A given marker is unlikely to be present in exactly 50% of the population, and to the extent that it isn't it can reduce the probability by that amount that a test match is a true match. Meanwhile the suspect pool for a given crime is likely to encompass several (perhaps many) members of the same extended family, who for the obvious reason are significantly more likely than random members of the world population to have the tested markers match one another. Even within a city you will generally see concentrations of specific ethnicities who may have a higher statistical incidence of specific genetic markers than other populations, which can screw up the numbers by an amount that historically hasn't even knowable because we don't have good numbers on the statistical incidence of specific markers within geographical populations.
The place where this is most pernicious is when they get a sample from a crime scene and run it against some "DNA database" to find a hit. Then everybody is talking about the probability that X suspect would match the DNA at the crime scene rather than the probability that someone in the database would match even if the actual perpetrator wasn't in the database.
>The place where this is most pernicious is when they get a sample from a crime scene and run it against some "DNA database" to find a hit. Then everybody is talking about the probability that X suspect would match the DNA at the crime scene rather than the probability that someone in the database would match even if the actual perpetrator wasn't in the database.
Or the probability that, match or not, the DNA from the crime scene belongs to the criminal.
And not, say, someone the victim came in contact with earlier, someone that happened to be in the crime scene before the crime took place, or even some third guy the actual criminal took a DNA from in order to frame him.
> The statistically likelihood of matches between distinct parties is in some cases well under the population of the world.
I thought that was pretty much always the case. Which is why DNA evidence is never used alone - you don't take DNA traces found at a scene of crime, run it against a huge database, find a match, close the case and try and sentence the matching person.
Instead you either investigate whether that matching person had means and motive and no alibi, or (more often) you check the DNA only against people you already suspect for whatever reasons.
Both variants reduce the likelihood of false positives by quite a few orders of magnitude.
I don't really know, but this does sound familiar and is part of what I was speaking to. What type and generation of technology was used? How much was the solicitor of the test willing to pay for it (influencing the choice made within the current range of available technologies/capabilities), as well as how many sequence/data points were targeted.
As one example, combine a fairly limited set of targets with gel chromatography, and varying quality/accuracy of analysis/analysts of same... And you have a lot less "uniqueness" than things like the common, public term "DNA fingerprint" imply.
Yes, it may be a useful tool in combination with proper understanding of its limitations. However, we have (in the U.S., for example) and adversarial judicial process and prosecutors have been shown to often not place such understanding even in context let alone as a primary concern. If the defence is lacking, including simply financially to engage its own "expert witnesses"... misbegotten interpretations can and do rule the day.
During his 1999 trial, Schneeberger revealed the method he used to foil the DNA tests. He implanted a 15 cm Penrose drain filled with another man's blood and anticoagulants in his arm. During tests, he tricked the laboratory technician into taking the blood sample from the place the tube was planted.
>That would work in the sort of Hollywood movie where the government has everyone's DNA on file.
You don't have to have "everyone's DNA on file". It's actually pretty trivial even for your neighbor or whoever to get your DNA.
As for the police falsifying evidence, there's a wikipedia-long history of cases, in Europe, Latin America, Asia, etc. Especially in politically charged times, like the sixties and seventies. Heck, something like half of Italy's government in the 70's have been proved in later Italian courts to be involved in such things.
> You don't have to have "everyone's DNA on file". It's actually pretty trivial even for your neighbor or whoever to get your DNA.
Sorry, I wasn't clear. I can dump a gallon of your blood and semen onto a dead guy in an alley, but how would the government trace that blood and semen back to you?
In Schneeberger's case, it seems that he was simply infusing a part of his body with another man's blood and then making sure that the lab tech drawing the blood sample drew it from the same place. Once they tested his hair and saliva, they had a positive match.
> But scientists are finding that it’s quite common for an individual to have multiple genomes. Some people, for example, have groups of cells with mutations that are not found in the rest of the body. Some have genomes that came from other people.
> Women can also gain genomes from their children. After a baby is born, it may leave some fetal cells behind in its mother’s body, where they can travel to different organs and be absorbed into those tissues. “It’s pretty likely that any woman who has been pregnant is a chimera,” Dr. Randolph said
And false positives in case of stem cell transplantation (a treatment of leukemia). There was a case where they got a false positive because of that. They discovered that it was a false positive because the alleged culprit had an alibi: He was in prison.
>The "How to fake fingerprints" link [1], is one of the scariest things I have seen, given how simple it is, and how much we reply on fingerprints for linking people to crimes.
I think DNA evidence is even worse. Given how simple it's for anyone (from an oppresive government to a criminal to take DNA from someone they want to frame and place in on a crime scene. Heck, it's even easier than fingerprints, and it's also thought of as "irefutable".
I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.
Also, if a fingerprint sensor is significantly easier to use, and in practice will deter a class of privacy violations, it could increase overall security. This is a question you can only answer by looking how people behave, not solely with an analysis of the technology.
The fingerprint sensor worries me more that it records biometric information at all. It's one thing to leave fingerprints all around your environment, but there is now the potential to steal your biometrics over the internet. The device supposedly hashes the data derived from your fingerprint, presumably with a hardware-based secret, but I worry someone will find a way around that. (EDIT: maybe this is physically impossible; can someone provide details?)
Also, the issues that CCC discusses about how fingerprint unlocking can be coerced are important. Many law enforcement organizations now have devices that can scan smartphone data, which is bad enough, but at least the use of those devices are controlled. A fingerprint sensor now allows a cop to handcuff someone, jam his or her finger onto the phone, and then to (for instance) delete an incriminating video.
Likewise anyone else willing to use force. Might become the next schoolyard amusement for bullies, if your kid has a smartphone.
> I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.
The Google Chrome Security team begs to differ [1]. According to them giving someone the illusion of security is bad.
Giving someone the illusion of security is bad because it displaces their understanding of security.
An understanding of security will reveal that security is not a binary state of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like the iPhone fingerprint reader to keep honest people honest and discourage ordinary muggers and thieves. I don't need military-grade access control for my personal iPhone, I don't want the inconvenience that would necessarily accompany it, and I damned sure don't want to pay for it.
And the Google Chrome guy is correct in all respects: it's not reasonable to expect an application to provide security that's redundant with security provided by user accounts on the OS it runs on. It would be better to teach users to create separate accounts on their system, if they want to hide their local passwords from other members of their family.
Teaching users to create separate accounts might be better, but so would any number of impractical suggestions.
It is perfectly reasonable to expect an application to provide more security than the user account provides because in the real world, we know that people don't always lock their computers. Not all applications are risky, but one that centralizes a users credentials is clearly so.
Pretending otherwise is simply not acknowledging the real world.
Which is ironic coming from a company known to be sharing information directly with the NSA.
Name one security technology that is 100% foolproof. They don't exist. So the point isn't to rely on one thing, but to rely on many things that, used in concert, increase the risk, complexity and cost associated with subverting the entire system--not its individual components.
In the same way that you'd afford extra scrutiny to a government agent making claims about what encryption methods to use, you should afford the same scrutiny to companies making security claims who are documented collaborators with the TLAs.
An ad hominem isn't always a fallacy, especially when the credibility of the speaker is legitimately in question. Saying they're automatically wrong would be fallacious (not to mention silly), but questioning credibility based on actual, documented behavior is not.
Citing the Google Chrome Security team regarding security is the exact opposite of the appeal to authority fallacy. It's an appropriate expert for the context.
Well, they have to store fuzzy hashes rather than cryptographically secure ones since they're going to get a different section of the finger and slightly different features within that finger each time. There's a good chance that whatever form of fuzzy hashing they're using is reversible in the sense that, given a hash, you can create a fingerprint that isn't necessarily exactly the same as the original but will match that hash.
For example, the obvious approach is to store fingerprint features, which will be then matched by any print that has the same features in the same positions. If you do a good enough job of generating the new print you might even be able to fool police investigations, since they compare prints the same way.
Looks like fingerprints have 30-40ish bits of entropy depending on how forgiving the device is, so unless they're doing some key stretching it should be practical to produce an image of a similar fingerprint by brute-forcing the hash with every biologically likely fingerprint.
Not true at all. There are quite a large number of cases out there that would be hard to lift fingerprints from. If the owner has this sort of case, and if the owner has cleaned the screen recently or just had the phone pocketed, thus wiping the screen off rather well...I think there are a large number of phones from which you would get no prints.
That picture shows a carefully polished phone into which someone has meticulously placed 5 careful fingerprints - as if they were being taken at a police station, nothing like the fingerprints you get in normal use.
I think it's a hot topic in security circles right now that a worm or virus could infect these mobile devices and "phone home" with the data, resulting in a media nightmare.
Not the same result at all. You now have lost your phone and the cop has to argue that you smashed it yourself out of spite. There may be more witnesses or evidence after smashing a phone. Presumably there are even phone company records showing when and where a device went dead.
I am not a lawyer but it seems to me, 9 times out 10, the cop would prefer a cleaner result - they confiscate your device, and oops, when you get it back, the video is gone.
...the people closest to you in your environment ( kids, parents, spouse, boss, co-workers) are the ones who can most easily obtain your fingerprints...
And are probably least easily able to capture a high resolution image and reproduce a 2400 dpi heavy-ink image that is then used to create mould of your print.
Expected. Still much, much better security than no code at all. I will use it (with full knowledge of its downsides and tradeoffs) and it would behoove the CCC to not portray security as a binary state. (Just as much as it would behoove Apple to be truthful in their marketing.)
Don't use it if thieves would consider going through all the effort of faking out the scanner. That's what I take from this no doubt valuable and important work from the CCC.
(I assume that iPhone tracking and activation lock cannot be disabled with the fingerprint, so stolen phones will still be easily remotely wiped and bricked, with fingerprint or without. Thieves will have to be crafty and quick if the want to pull this off.)
Not that expected. I know a lot of people were BSing about how much more secure Apple's fingerprint sensor was and how the usual techniques for faking a finger wouldn't work on it, including some security researchers.
Yes. I anxiously await Gruber's lengthy post-mortem about the fingerprint reader being just as bad as all previous fingerprint readers, equal in number, length and enthusiasm to his previous posts about how wonderful and advanced it is.
I know folks love to have on Gruber, but looking at df.net I don't see where he has compared the security of TouchID to other fingerprint readers - rather he's compared the convenience and performance of TouchID to other fingerprint implementations, and I don't know that anything in the OP would, or should, change his assessment of that.
(not an iPhone or Android user, at least not yet).
There are too many examples to pick from, but here's a recent one.
In his iPhone 5S review he rambles on about how Apple is an innovator and picks out the A7 procesor, TouchID and a new burst-mode camera feature:
"But the real innovation — there’s that word — is software, right there on the device itself, that makes it easy to select only the shots from those bursts that you really want to keep, and to throw away the rest."
Yet Samsung did the same thing for the S3 back in 2012.
So rather than addressing the point, you attack him on something completely different. Presumably because there are actually no examples where he's been wrong about TouchID.
> "You know how iOS touch latency and scrolling performance have always been far ahead of its competition? The way you could just tell that internally, Apple had uncompromising standards for how responsive these things needed to be? That’s what Touch ID is like — it’s to all previous fingerprint scanners I’ve seen what the original iPhone was to previous touchscreen computers."
Make that fawning guff. Convenient that he forgets the uncompromising standards of Apple Maps.
> "Touch ID’s extraordinary performance and accuracy fit right into that story."
No benchmarks or comparisons to justify this hype compared to other fingerprint scanners. How do we know it's not the same as a cheap $1 RF scanner from China?
> " a complete experience hosted entirely on the device. Your fingerprint data is not just “not stored in iCloud yet”, it is not stored in iCloud by design, and according to my sources, never will be."
Rubbish. He knows nothing about Apple's roadmap. He always cites his inside "sources" yet he has NEVER broken any story where he had the lead on a scoop. Not on any products or corporate announcements.
I don't care what an armchair blogger thinks about TouchID. I do however care what the Chaos Computer Club thinks because they actually know what they are talking about.
> Convenient that he forgets the uncompromising standards of Apple Maps.
In the next paragraph, he writes that Apple sucks at online services, and that TouchID is great precisely because it's a completely offline feature. You haven't even read the article. I wish HN would blacklist any mention of Gruber's name.
You haven't actually made any points at all. You've just called him names and added some dismissive words after a few quotes from him. You don't have to convince anyone that you dislike Gruber. That much is obvious.
I was disappointed to see that this hack shows the sensor isn't relying on the "microscopic capacitive surface" being claimed by Apple. So it's really just another CCD camera under the button?
Those techniques still haven't been shown to work in practice because CCC was only ago to unlock the device using a carefully made high quality print, not one lifted in an ecologically valid situation.
What matters is the rate at which copies of real prints are rejected, not the fact that one carefully made print can be made to work.
Yes, we often say security and think it means total protection. It doesn't. Its rare to see any security feature that cannot be bypassed or broken by some means. This is why we implement security in layers. If it were a binary state then a single layer would be sufficient. The idea is to make it so difficult to break through every layer of security that it becomes impractical but there will always be someone who does it.
I also don't think Apple is dishonest in their marketing. Fingerprint scanning is absolutely better than a pass code and the marketing around it all gives the impression that using it ensures no one can unlock your phone without your fingerprint. Nothing dishonest in that. Plus the layperson really has no interest in learning the specifics anyway so I'm not sure it matters what they say about it so long as it sounds cool and futuristic.
> Fingerprint scanning is absolutely better than a pass code
How often can you change your fingerprint? I can change my pass code virtually an infinite number of times. How often do you inadvertently leave your pass code in random places just by touching things?
A good pass code is absolutely better than fingerprint scanning.
That's hyperbolic. How often can someone see your passcode over your shoulder? Or have it picked up by a security camera? Fingerprint scanning absolutely has advantages over pass codes.
Security is all about trade-offs. This result was to be expected (in some form). What will be worry me is if the "secure enclave" where the fingerprint data is stored is cracked (and I wouldn't be surprised if that happens too eventually).
Your point is moot. As soon as your fp is digitally available online.
E.g.,the CCC has captured and published former german minister of the interior, Wolfgang Schäuble's fingerprint in 2008 [1]. This finger of him is not secure any more and readily available via a google image search.
Agreed: that's why I said it would be especially worrying if this "secure enclave" Apple talks about is cracked and if it's then possible to reconstruct fingerprints from the data inside. But unless that happens, the iPhone itself doesn't make my fingerprints any easier to leak; someone can already get them from everything I touch!
Even worse:
Other manufacturers will jump ship and this sort of device becomes omnipresent on smartphones.
Probably, apps will get access to capture raw prints themselves at some time. Someone will start to store real and unhashed fp's in their database. As happening frequently with databases containing CC numbers (and even CC pins), that DB will eventually get copied and accessible on the net.
Buying one's fp data will become possible at some point.
I have accidentally seen basically all of my friends' passcodes as they type it in at bars etc. I could get into their phones easily. TouchID is more secure than that simply because someone needs to take a 2400dpi image of the person's finger to do it.
Locks (when physical access to a device is available) are to keep honest people honest. Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.
Here, have a drink out of this freshly washed glass... no, don't worry, I'll wash the glass for you later. :)
On the last second point regarding access to a device, I could take a week to make up the fake print during which it won't matter if I have it or not. Since your print isn't changing I just need 5 minutes with your device at any point in the future.
Then create a detailed model using said high resolution fingerprint. If someone cares enough about your phone to do that, they can probably break into it by other means anyway (jail break, brute force passcode, etc)
You leave finger prints on the phone. Just snap a photo with a decent camera - it's probably enough detail. Print it. Stick some latex or glue on it (literally available everywhere).
That's it. This is not rocket science or time consuming like brute forcing. You don't even have to shoulder-surf to catch their password.
Importantly, this has been demonstrated. The CCC has been doing it for years and published a howto with material costs in the low one-digit Euro range.
Actually it hasn't been demonstrated at all. They dusted a carefully made high quality fingerprint to defeat TouchID, not an opportunistic one taken from something an unwitting victim left behind.
Until they do that, this doesn't really indicate much about how weak TouchID is in the real world.
> Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.
Anyone who says this is not a security expert. That hasn't been true since full disk encryption became available. A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place.
I take it you're not a security researcher either, because "A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place" is insufficient, too.
Cold boot attacks, copying the drive and hacking the bootloader to get the drive password the next time you log in are two trivial methods, both of which have been used already.
Once you lose physical access to your hardware, it's game over. You simply cannot trust your computer after that point if you care AT ALL about maximizing security.
I like how you refer to things that you have never tried as "trivial". And the defense against those is easy. Don't reuse it after it was stolen then returned. That's a different threat.
No, the physical access statement still holds true, even with FDE. First, if the machine is powered on, they can just extract the keys from RAM. Second, if you continue to use the device after it has been tampered with, you also lose (aka evil maid attack).
Most people outside of this community are not using disk encryption.
With that said and the caveat that I am not an encryption expert myself: given an infinite amount of computing power and an infinite amount of time, can full disk encryption not be broken? If so, then it is just a question of computing power and time, not of whether it is possible to get to the data.
Combinatorical problems tend to grow in the amount of effort to try out all possible elements quite quickly, and quickly growing things in turns often hit physical limits. The following post on Security.Stackexchange explains it quite nicely; excerpt: the sun doesn't emit enough energy over its lifetime to power an extremely efficient computer able to try all combinations.
So basically we need some new form of computer (one that's not flipping individual physical bits), and not "just faster" ones, to crack certain encryptions by brute force.
Yeah, just a matter of time. Bring a flashlight though, because the sun is projected to burn out far sooner than the largest supercomputer will be able to brute force a 256 bit key.
A comment on another article the other day (can't remember which or I'd link) noted that no-one will magically know your passcode when you sleep or nap, but it might not be too hard for them to gently put your thumb on your phone. One would do well to remember that involuntarily "surrendering" login information doesn't necessarily require hoses or wrenches...
Considering that people generally don't wear gloves when they use their phones this is like having a picture of your key on your door. Combine that with what we know you can do with pictures of keys[1] and yes it's obviously not a very good idea.
This is not being done by lifting an existing print from the existing device. They're taking a photo of the authorised FINGER and using that to create their fake finger...
I don't see how this could be considered a significant issue unless you are going to steal someones phone AND somehow get a still 2400 dpi photo of the surface of their finger
You are incorrect. Second sentence of the article: "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID."
A meticulously placed fingerprint was made on a clean and polished glass surface as if it was being taken by the police. Nothing like a normal fingerprint left by accident.
It is a phone, you can bypass the passcode with a computer anyway - the passcode/touch is designed to prevent opportunistic unlocks not a determined attacker and it is much better than a passcode at doing that.
My front door does not have a picture of my key on it. My phone has tons of fingerprints though. It's a touch screen phone. One of those words is "touch" which clearly implies your finger coming in contact with it. Even if you wanted to use gloves you need special ones for it to work properly with the capacitive screen. Unless you are continuously wiping it (the screen, not the data) it will have you prints on it.
If you slightly smear your finger every time you remove it from the sensor you shouldn't have this problem. Additionally, if you are keeping your phone in your pocket, as I do, pull it out and take a look (like I just did) and you'll be hard pressed to see much of anything resembling a useful print. I use my phone pretty much all day long and it is devoid of useful prints.
Does that mean you couldn't find my prints in other places? Sure. But I can probably find your keys in other places, too.
We know that SSL is generally not implemented properly, that the CAs are probably all hacked or subverted by the NSA, that the NSA may have developed backdoors to a number of the more popular encryption suites, but I don't hear anyone running around demanding Google or Facebook disable SSL.
If you are doing something that requires sufficient security that you don't want someone to access it via your fingerprint alone, add additional layers of security.
If you are doing something potentially incriminating ... don't do it on your freaking phone because it's probably been exploited in a dozen other ways by various authorities who can use it to find out most of what they need without being in physical possession of the phone anyway.
Most people aren't worried about the mafia or the CIA or the NSA. Most people don't even bother using a passcode, let alone a passphrase on their phones. If you can add something as easy to use as this, then it adds an additional layer of security against the casual abuse most people will find themselves subjected to (random people making calls from your phone, spouses spying on their email, etc.).
If you are worried about the CIA and the NSA, using a phone at all for anything is probably not in your best interest at this point.
Assuming someone did steal your phone and look for prints, they would need to know which print to lift and that it's enrolled with Touch ID. After they, they only get 5 goes to be successful before the phone insists on your passcode.
CCC made it look easy but I bet it didn't work for them first try or even 5th try...
> My front door does not have a picture of my key on it.
Yeah, but as every decent locksmith will attest, very-nearly-almost-all door locks can be easily opened with the right tools. Like picking a lock is a specialist skill, so is lifting a fingerprint and making a copy of it. No security is absolute; it's all trade-offs. Making it such that it's not worth your adversary's time to bother.
Yes, but as the same decent locksmith would attest, it would be foolish to have a picture of a key beside the lock, or anywhere in a public place.
And that is what happens with a finger-print based secure system; you inadvertently place the imprint of the key on the phone's display as well as public places.
But the point is that you don't need a picture of the key beside the lock for a locksmith to break into your house! And, indeed, if there was one it would probably be faster and easier for him to use a lock pick rather than taking the time to cut a new key.
In the comments there is so much focus on the convenient aspect of TouchID. I agree, but the main point I think is that we have a situation where:
- fingerprint authentication will be seen as more casual and mainstream than it was before [1]
- people will still leave fingerprints everywhere, including around and on the fingerprint sensors
- once a high resolution image of a fingerprint is done, it can be re-used for literaly a lifetime (imagine keeping track of someone for years and use his/her fingerprints anytime it's needed)
- if enough applications rely on fingeprint authentication, exchanging fingerprint databases might become lucrative enough
From this point of view, seeing TouchID as just a cute way adding some security to a phone is too candid I think. It will have an immediate positive effect for casual phone locking, but would bring much worse effects down the line.
Optimisticly no one would rely on fingerprints alone to authenticate users for anything important. But the definition of what's important is blurry, and there is so many situations now where weak passwords are used, but it would be so tempting to switch to fingerprints (door unlock for instance...).
[1] laptops had finger unlock features for years now, but it never really made it to the wild masses I think. Fujitsu phones had a fingerprint reader too, but again, I don't remember other makers picking up the feature.
This is a really silly statement -
"This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided."
Sure, maybe you can bypass this mechanism, but as an everyday password, this is still a substantially easier tool than typing in a 4-digit password.
In fact, at least you cannot easily spoof my fingerprint at a public location, while you could certainly easily figure out my password by just standing over me when I type it. I wonder how many mall cameras, street cameras and all sorts of public surveillance cameras have all our passwords?
> this is still a substantially easier tool than typing in a 4-digit password.
I know tons of people, including myself, who don't use any passcode on their phone because the 4 digit stuff is a hassle.
CCC is arguing this isn't pick-proof anti-tampering deadbolt, when right now a huge number of users don't even have a door. It's still a MASSIVE improvement.
Of course they have broken it, I had no doubt it would be broken like any other fingerprint security system.
The issue here is that it's ok, it doesn't really matter. It is all about the amount of security you need. Does a normal user need unbreakable security? No. The security provided with this method is more than ok, it is kinda secure and it's faster (imho) than writing your passcode. After all your "enemies" here are nosy friends or similar...
If you need "unbreakable" security then you shouldn't use iphone or android, or you should use an specific secure storage application (cyphered content, hard to guess pass or whatever). If you need "unbreakable" security you better consider hiring a security consultant.
So, the question here is, are the security systems in mobile devices more than fine for most normal users? I guess so...
Here's an idea that would improve security in conjunction with the new sensor:
Create a random pattern of ridges and, using the technique outlined in the OP, build a latex key. Attach that to your keychain (in some sort of case to improve durability, maybe). Then, enjoy 2-factor auth, between the phone's pass code and the synthetic fingerprint.
What is the resolution of the fingerprint image stored in biometric passport, i.e., the kind of passport you need to enter the US?
Biometric passports store an actual fingerprint image and not just a hash like the iPhone 5S. So if the resolution was high enough, everyone with access to a biometric passport – for example by scanning people carrying such passports around at an airport – could forge fingerprints …
Biometric passports don't necessarily include fingerprint data. For example, current US passports are considered biometric but do not include fingerprint data since fingerprinting is not required to obtain a US passport.
An interesting comment on the YouTube video: Not cleaning your iPhone is likely to leave fingerprint evidence/marks directly on the device's housing that could be faked.
"[I]t is far too easy to make fake fingers out of lifted prints"
Really? It seemed like this was a lot harder then just shoulder-surfing someone entering their passcode. Touch ID may be hackable, but this is still way harder for the average person to hack than a simple passcode.
AND it's way easier to swipe your finger than type in a code! Touch ID can't be worse for security; it appears it's at least a bit better.
I dislike entering a passcode every time I pick up my phone. Yet if someone steals my phone or I leave it somewhere I don't want someone to be able to access my photographs or my data.
Fingerprint sensor sounds like a pretty good solution to me.
Do I want Fort Knox security on my phone? No.
Could someone still access all my data even if it was secured with a passcode, certainly they could with physical access to the device and a couple of debugging tools they could lay it wide open.
So put simply, fingerprint is more convenient than having to type in a passcode. +1 for Apple
Good to know how easy it is to break though so no one gets carried away and starts using it for things worth breaking into.
They tried to make a fingerprint readers more sophisticated and added a temperature registers to avoid fakes or (more in more gruesome case - a cut off finger), but hackers managed to make so called rubber fingers or peel dead finger and fill with a warm salty water. Anything can be hacked.
But I think they are missing the point. If Apple wanted its phones to be a secure gimmick at Pentagon - that was silly. But for average user - nobody is going to steal your prints. It's just a usability. For average Joe it is so much easier to tap with finger than type PIN all the time. But if you get specifically targeted nothing will save you.
The exact same arguments could be made for having crappy passwords, which, I might remind you, are defeated hundreds of thousands of times a day, at a massive cost to its victims.
Actually, this raises an interesting thought. Couldn't a security-conscious user take advantage of this to turn "something you are" into "something you have"? Since you can train the sensor with anything, is there a market for semi-permanent, cryptographically-random... Thumb rings, or something?
From what I've read, Apple's sensor is still more accurate than competing sensors. It works much faster, and is better at recognizing your finger in various positions. It's also faster/easier than a 4 digit passcode.
Let's be fair. Apple said it was easy to use and improved security (compared to the previous iPhone). They didn't say it was designed to the standards needed to protect DOD secrets.
This seems like CCC is just trying to get attention to me; holding the device up to straw-man standards of security.
"They didn't say it was designed to the standards needed to protect DOD secrets."
I'm sorry, but this is so much backpedaling. Do i really need to start pulling out comments from the last discussion where people were quoting Apple's press conference about how revolutionary and secure this was?
Apple made a huge deal about how secure it was an how much of an improvement and how very sophisticated it was. It turns out, it wasn't really.
Now people are saying "well, they never really said it was all that good, or meant to keep you secure", blah blah blah.
Let's start with the basic press release:
"and introducing Touch ID™, an innovative way to simply and securely unlock your phone with just the touch of a finger."
" “iPhone 5s sets a new standard for smartphones, packed into its beautiful and refined design are breakthrough features that really matter to people, like Touch ID, a simple and secure way to unlock your phone with just a touch of your finger.""
"“There’s so much personal stuff on these devices; our email, our photos, our contacts. We have to protect them. The most common way is to set up a passcode. A simple 4-digit passcode, or a more complex one if you want. Unfortunately, some people find it’s too cumbersome and dont set it up. In our research as much as half of people don’t ever set it up.”"
"We’ve set up a new technology that makes this super easy to do. We call it: Touch ID."
"“Your fingerprint is one of the best passwords in the world.”"
This was said by Apple at the iphone 5s press conference.
This says it is meant to replace the passcodes, and it was "one of the best passwords in the world", and supposed to be able to protect personal data.
You can verify from other transcripts as well.
I avoided the slides they had explaining how very sophisticated the sensor technology was.
So what i'm getting at is that most of the comments in this thread smack of "Apple never really meant it to do X, or Apple didn't say it would be all that secure". They did, on both counts.
They said it would replace passwords, and they said it was quite secure.
I think it is a very innovative step by Apple. It's going to convert a lot of people who never lock their devices into people who use quite a secure and easy-to-use method to lock their devices.
Just because it can be hacked does not mean it is a bad method to use.
Well he did approvingly quote some nonsense that the reader would only work on a 'live finger' (presumably it is supposed to be able to detect the presence of a soul?).
I don't think the goal of Touch ID is better security nor is it an attempt by Apple to prevent the loss of iPhones from theft. The goal of Touch ID at the end of the day is to make it easier for people to make purchases, entering passwords to make an iTunes/App store purchase is a hindrance to Apple's bottom line. Currently because of the steps involved, people have the ability to rethink their purchases during the time it takes to enter and confirm they want to make a purchase. Touch ID takes away a few seconds of time to make a purchase, touch your finger on the reader and BAM! instant purchase.
The steps in which the Chaos Computer Club took to break into an iPhone, no criminal would even think of undertaking. In the criminal world the longer it takes to steal something, the higher the chance you'll be caught. It's no different to an engine immobiliser that prevents a car from being stolen. If a criminal were to take their time, they could pop the bonnet and start the car, but most criminals will just take your stereo and car contents and leave the car if they can't get it started within a couple of minutes...
Although, having said that. Apple's marketing speak does make Touch ID sound much more secure than it actually is. This might come back to bite them in the behind one day if the wrong person has their iPhone and data stolen and decides to act upon Apple's somewhat deceivingly clever marketing speak in a court room with dollars to spare.
And besides making it easier for people to spend money without having time to think, a fingerprint scanner to the not-so-technology inclined sounds futuristic and cutting-edge, which in turn will sell millions upon millions of iPhone units. While many who frequent HN can see past the marketing spin and realise a fingerprint scanner isn't all that exciting or new, the lowest common denominator who buys an iPhone sees things differently.
I thought, based on anandtech review, that this scanner is not optical but electrical, hence "sub epidermal scanning", so why does a printed finger work?
- the capacitance of the ridges and crests of one's fingerprint dominates any differences in subcutaneous capacitance (possibly because they are closer to the scanner, or because there simply is too little variance in capacitance between flesh and hair veins)
- subcutaneous structures resembles fingerprints too much (seems quite possible, as there must be a reason that it is hard to permanently change one's fingerprints by using sand paper)
Looking at the chaos computer club video, that becomes plausible/likely (the iPhone UI shows a picture of the fingerprint as a guideline for the quality of the phone's knowledge of the fingerprint, and afaik the sensor does not have a camera, so that is not just an aid for the user.)
Yes, it could also be Johnny Appleseed's fingerprint, used as an image users are familiar with, but http://en.wikipedia.org/wiki/Friction_ridge seems to confirm it, too ("The pattern of ridges they produce in hands and feet". I'm not sure whether they refers to the epidermal cells or to the blood vessels (less likely), but that doesn't matter)
To be fair Apple hasn't said anything about liveness checks or any other safeguards against faked/duplicated fingerprints. All they talked about was how the fingerprint storage itself is secure, hardware level and local. The hack that gets the fingerprints off of the chip by exploiting some implementation related vulnerability would be a big deal.
TouchID is just another fingerprint reader - albeit one that's easier to use.
Apparently a lot of people are much smarter than the people who built the technology. Kinda like everyone is better at cryptography than actual cryptographers. Nothing anyone says here is going to surprise the folks who designed it.
Kind of a "well duh" post. All of the image scan finger print readers are easy to game.
Even the ones that use capacitance can be beaten with a rubber glove and a copy of the finger print, printed on the latex. (the best is actually an Vinyl condom that doesn't come pre-lubed, the ink sticks better and the vinyl is less of an insulator)
The problem is that Apple made a big deal in the announcement about how it was so much more secure than previous implementations, how it used sub-dermal imaging and stuff like that. It appeared from what they were saying, that this would be considerably harder to fake.
Difficulty of lifting a good print is probably proportional to the resolution needed. Ie, you need a higher quality print to get a higher resolution image to contain additional information.
I'm actually pretty skeptical this is the case. Fingerprint data is noisy - it has to tolerate a high degree of error. I suspect the problem is actually that you need to smooth it out appropriately to make the sensor not get tripped up by non-biological noise.
I'd be really curious to see what you could do with a high-resolution smartphone camera and a little image processing.
I am guessing I can beat it with a good pen. As you say it has to be tolerant. If you have a little grunge on your finger, or a cut, or get a tan or there is grunge on the sensor it still has to work.
Also, there are a lot fewer fingerprints than the world has been lead to believe. Especially since we each have 10 to try, since the phone only checks 1.
It doesn't look it. From the description in the article it appears to be a very similar process to what has been used before, just with a higher resolution printer, but not one that is outside the realm of photo printers.
First off I want to say I agree with most of the people here that Touch ID was not meant to be in breakable but rather an easy to use system that vastly improved users security over 4 digit PINs or no PIN.
That said, hypothetically, let's say I get arrested and the police take my phone. My phone has my fingerprints all over it. What is to stop them, legally, from using my prints on the phone to unlock my device?
I say this not to spark an argument but as a real question, I bought an iPhone 5S and I really am interested to know if any law would protect my phone if it was taken in such a situation?
Not seeing anywhere in that article where he had success replicating a print. He did get the iPhone 5S to enroll a fake print and unlock with the same fake print. He was unable, however, to replicate an enrolled fingerprint from a real finger and successfully unlock.
Additionally, all of this was done with molds of the target finger - not from lifted fingerprints. Completely different target.
It seems that that guy directly made a 'copy' of his own fingerprint in a mold. I agree that it is breaking TouchId, but the CCC did a more realistic crack: making a fake fingerprint without the person's finger.
He was not able to use the moulded version of his finger to access Touch ID. Instead he had to "enrol" his fake finger as a new finger, and from that point was able to unlock the phone.
Honestly, TouchID is better than what we have today; a 4 digit useless passcode. If somebody has to take a photo of my fingerprint off a glass surface to gain access to my phone, so be it.
It's not as useless as all that. Assuming Apple has properly used their key derivation function, and the phone locks you out after ~10 failed attempts, and there's no way to access a locked phone's data, then a four digit passcode is actually quite secure.
Wouldn't it? E.g., what if you did the derivation from the PIN in combination with a securely stored random salt (that could, as an added bonus, change every time you changed your key code)? That was, incidentally, what I meant by "properly used their KDF".
iOS lets you choose between a 4 digit pin or an alphanumeric password of whatever length you want. The 4 digit pin is meant to be more convenient, but even then most smartphone owners don't use it.
The point of TouchID was to have a more secure default for most than a 4 digit pin or, more commonly, no pin or password at all. Few people would be happy with having to enter a 12+ character alphanumeric password each time they wanted to use their phone, you're an outlier there.
Sure, a few people use long passwords on their phones (usually when forced to do so by corporate security policies. However, most don't, because it's impractical. Many don't even use a pin lock.
Nice , The mythbusters did this in their fingerprinter scanner episode ,
although they didn't have the iPhone5s but I am sure the same principle/technique would work.
As I remember, after using a similar technique they started working backwards and found a simple photocopy (no gelatin or other simulated finger) would do it. Apple has at least beat that horrifically low bar.
That was a great episode. Beating the thermal sensor was great too.
A further argument against biometrics, for those in the United States, is that your "right to silence" (under the 5th amendment) doesn't protect you against the government compelling you to use your fingerprint to unlock something (however it does protect you against revealing a PIN code)...
Actually, touchscreens are more or less the ideal surface to get the fingerprints from - a smooth glass object frequently touched. I just took my phone out of my pocket and found three very clear prints... Just look at 00:37 in the video they posted (1) - lots of clear prints. If the video was higher resolution, you might even be able to use frames of their video as a print source.
Let's think about the real point of Touch ID technology. Is it to secure your phone against high-tech criminals with a lot of time and resources? No; it's to give you enough time to realize your phone is gone and remote wipe it via iCloud.
I'd be interested on peoples' opinions, is this more or less secure than a 4-digit passcode?
From a real security perspective, users should have alphanumeric password, as far as I know, businesses often enforce this.
Obviously a 4-digit code is easy to brute-force on a computer, but it requires far more technical knowledge to do so - booting custom firmware, using some script to brute force, etc, and if the attacker doesn't have the skills, they are limited to 10 tries, maybe more after waiting a few minutes or an hour.
It seems to me that, excluding users leaving smudges on their screen and seeing the passcode that way, a fingerprint is even easier to break than a 4-digit passcode.
I think you're missing the biggest security hole with passcodes: whenever someone on the subway unlocks their phone, I need to consciously look away or I'll risk inadvertently committing their code to memory. It makes me seriously uncomfortable.
I'll hazard a guess that abuse by acquaintances, intimate or casual, is the most common risk to smartphone users, and that the fingerprint is an incredible improvement over the status quo.
This is true, but this is more down to people not covering their phone. I tend to shield my phone to the point where it would be obvious to me if someone were trying to see my passcode.
I think TouchID provides good security against 'casual attacks' - those by people who see you use your phone a lot, people who aren't going to put much effort into an 'attack', just try and post things on your Facebook account while you're out of the room.
However, in the case of 'real' security, where a person is being targeted for their data, or anything like that, I think it would provide less security.
I find the idea that the typical 4-digit password provides any more security against an attacker dedicated enough to make a copy of your finger pretty hard to credit. You're placing a lot of weight on your "covering" ability. (There have been times I've had to try hard not to infer someone's passcode purely from their hand movements.)
[Regarding the point that this is only supposed to be convenient for users, not to be unhackable...]
Today: "Fingerprint scanning on my phone ... that's super convenient."
Tomorrow: "Fingerprint scan required by government ... oh well, I already use that on my phone."
FTA:
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.
iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
This is fairly unsurprising to anyone with even a modicum of understanding as to how these sensors actually work and the decade long history of researchers breaking them with Photoshop, gummy bears, latex and spit. What concerns me more is the claims they make about the "secure enclave". Maybe I'm just paranoid, but historically if data does exist, then it will be abused. The TouchID sensor, coupled with its strong bullshit security claims by Apple, in addition to the claims made about how data is never sent by Apple because of the "secure enclave", makes me think that this would be a very convenient way to create a global voluntary fingerprint database tied to every aspect of everyone's identity without freaking anyone out. If a government were to release something like this, they'd be sued into the ground and screamed against for breaking core privacy covenants. But when Apple does it's just brilliant and revolutionary.
Reasonable technically informed paranoia is what made the NSA releases fairly unsurprising to me as well. My rule with security is that if it can be done, then it will be abused. It's basically a Murphy's law for humanity.
Some people seem to be forgetting what this is being used for.
This is an OPTIONAL replacement for the pass code.
However you feel about its level of security it is definitely more secure than a passcode which is the other option.
If someone wanted to target you for whatever reason then how long would they have to follow you with a high zoom camera before they would see you type the passcode in? The passcode/touch ID is to stop opportunistic unlocks not a determined attacker.
If you're really concerned about this, just register part of the finger that isn't the tip, and get in the habit of smudging the home button afterwards. I usually only touch the phone with my finger tips or palm, and you could register, for example, a part of the finger under the knuckle that almost never touches the device except to authenticate the print.
Of course if CCC knows which finger was registered, AND has a perfect print left on the device AND they know which print corresponds to the finger registered on the device, of course they can crack it. But if they have to guess which print on the device cracks it, I'm willing to bet they trigger the 5 failed attempts which then requires a passcode (and 10 failed attempts wiping the phone, although this is optional).
This means there are more than 10 options (which finger AND what part of each finger) you could use as a print. The oft cited scenario of police being able to compel you to input your print assumes they know what part of your hand unlocks the phone. They can't make me divulge the part of my hand thats registered just like they can't make me divulge my password.
So if some of the worlds most elite biometric hacking experts need 48 hours, knowledge of the registered finger AND an almost perfect print left on the phone, I think it actually proves how secure the system actually is. If this was that easy they would have cracked it Friday, but it clearly took them several attempts despite being (some of, if not) the best in the world at forging fingerprints.
Yes you can't change your fingerprint, but you can change which is registered on the device (or with the bank, or whatever) and I'm guessing financial transactions outside of iTunes might require a passcode also. It's just another layer of optional security. Clearly it shouldn't be relied on as a foolproof, 100% secure authentication system but it certainly shrinks to pool of people who can gain access to my phone from "anyone who sees me unlock it several times a day" to "fingerprint forgery experts and highly sophisticated and motivated criminals."
iOS security is trivial to break if you have physical access to the device. TouchID (and passcodes) should be considered little more than a convenience, not a serious security measure.
Just use brute force or dictionary attack over the wire. Given that most users use 4-digit pass codes, this can be done usually in minutes, almost always in less than an hour.
Or, if your target is paranoid and uses a very long passcode, target the charger rather than the device itself. iOS assumes any physical device to which it is connected when unlocked is secure. Replace the usb brick with a small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case. Then wait until your target plugs in his iDevice and unlocks it. You can then dump the drive, or side load malicious code.
> Just use brute force or dictionary attack over the wire. Given that most users use 4-digit pass codes, this can be done usually in minutes, almost always in less than an hour.
It's clear you've never actually attempted this. The timeout between passcode entries increases with the number of consecutive failures. Get 10 wrong in a row, and the device is wiped (if the user has chosen that option).
> Or, if your target is paranoid and uses a very long passcode, target the charger rather than the device itself. iOS assumes any physical device to which it is connected when unlocked is secure. Replace the usb brick with a small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case. Then wait until your target plugs in his iDevice and unlocks it. You can then dump the drive, or side load malicious code.
This no longer works on iOS 7. The user has to manually choose to trust the computer they're attached to prior to any communication going across the wire.
> The timeout between passcode entries increases with the number of consecutive failures. Get 10 wrong in a row, and the device is wiped (if the user has chosen that option).
Only if you're typing in pass codes to the lock screen, which isn't how its done. An attacker would instead image the flash, grab the Dkey from effaceable storage, and decrypt the filesystem. Indeed this is exactly how professional iOS forensic analysis kits work. This will get you access to SMS, photos, and anything else that doesn't fall under Data Protection.
Data Protection, a second level of encryption that uses your passcode to generate keys, is only used on the keychain block and emails by default. To crack Data Protection, use brute force on the copied data, not on the iDevice itself.
>This no longer works on iOS 7. The user has to manually choose to trust the computer they're attached to prior to any communication going across the wire.
"Only if you're typing in pass codes to the lock screen, which isn't how its done. An attacker would instead image the flash, grab the Dkey from effaceable storage, and decrypt the filesystem. Indeed this is exactly how professional iOS forensic analysis kits work. This will get you access to SMS, photos, and anything else that doesn't fall under Data Protection."
Yep, as I suspected, you haven't done this ;) Please don't discuss how "simple" it is if you're getting your info from third parties. You can't image the flash. None of this works how you think it does, because the forensics toolkits left out a crucial detail in their marketing.
The dirty secret? You need a 0day bootrom exploit. The professional kits use the limera1n exploit, which was patched years ago.
Nope, I've never done this live. For this I'm reliant upon what I've read. Feel free to tell me what's wrong. Stating how it works, or pointing the way to an accurate source, is infinitely more helpful than saying "you're wrong", even if it might feel satisfying.
Here's my understanding of how the initial loading works. BootROM uses a series of RSA validity checks on the chain of software components to load the RAMdisk (which is used for update in DFU mode.) To load your own RAMdisk, you need an exploit in bootROM (which are the same exploits used for jailbreaking, and thus of high value for the community to discover.)
I just told you. You need a bootrom exploit. That's the non-trivial part. Nobody has one, and they haven't since 2010. I mean, the NSA might, but the forensics companies don't, and there aren't any public ones. Hence, it's far from trivial.
Even with the multi-thousand dollar forensics kits, you cannot even begin a brute force PIN attack on any bootrom for any iphone or ipad still on sale. The last devices it worked on was iphone 4 (not 4S) and ipad 2.
You clearly know much more about iOS hacking than I do. It's well outside my area of expertise, and I'm grateful for the corrections. I learned a lot getting up to speed on how this actually works over the past couple days.
Pretending to have knowledge when you don't understand the fundamentals of the problem is both a good way to make yourself look foolish, and is certainly the cardinal sin in engineering. For that, I apologize.
For context, the reason I've been insistent is that there is a particular company that claims to be able to pull data from iPhone 5 and below in spite of the encryption. Whether this is true or not, I don't know, but I've heard it from a person I trust in mobile security.
If you keep up with the jailbreak hacking community (which I'm just now getting into), the Grugq (a fairly reputable source) posted on MuscleNerd's twitter that he's heard a private company has a new 0-day bootrom exploit, which would fit with the information I've heard.
Regardless, I should have just shut the f*ck up and let you teach me some science, instead of letting my competitive instincts lead me down a rabbit hole. I'll work on that.
Which "wire" allows you to brute force the passcode? Have you tried this, or are you repeating claims of others? Because I have a feeling that doesn't work like you think it does.
Your latter attack is an entirely different threat model, and can't be used on a stolen device.
On iOS 7 you have to explicitly trust a computer from the device before data is allowed over USB; before that it is in a charge only mode. To trust a computer you must unlock the device.
It is amusing to see thousands of unpaid apple PR workers spring into action, making sure no critical comment exists without a defence. Perhaps they feel their credibility is on the line, given how often they have sermonised on the genius/quality/beauty of their electronic device manufacturer of choice.
According to the adverts by Apple they specifically select certain points on the finger print and analayze then permit access. If such a technology is broken then I would assume their encryption on the A7 chip where the fingerprint is stored also can be broken.
If lots of people do not use passwords on their phones for the sake of comfort then it is not anyones fault that their phones are logged into or information stolen. Information is stolen because the user is lazy to secure the device.
When Apple says one can use finger print to do transactions then I have to assume that the transaction cannot be done by anyone other than me and by any other means through the phone.
I want to see this exact attack repeated based entirely on the fingerprints left on the device itself. It's an all glass surface and we leave fingerprints everywhere, including on the device itself. It you are literally leaving the key all over the screen itself, this is pretty damning. I wouldn't be surprised if an entire photograph of all the partials all over the screen could be used to reconstruct one full fingerprint of the desired digit.
Now that this type of security is on the iPhone, it is likely to become widespread, which will only further increase the value of improving attacks on this particular security measure.
First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
Potential side effect of TouchID: Due to the mass marketing of this feature it becomes cool for people to learn how to copy fingerprints, causing a massive headache for forensics teams everywhere.
All the l33t kids will quit their current jobs and go to work busing tables, where they can surreptitiously lift prints from every glass or coffee-mug they carry.
Wouldn't it be ironic if the new iPhone 5S camera had a high enough resolution to take the photo of another user's fingerprint off the screen of his or her phone? ;)
Dont panic! this loophole is easy to fix if AAPL gives free mittens(cuter than gloves) to its users with clear instructions to take them off only when unlocking the phone.
How is it less security though? You don't have to follow someone for very long with a high zoom camera before you can get their passcode and that is a lot easier than duplicating their fingerprint. And yeh it is much much more convenient.
The Touch ID is less secure because you can force a person to put their fingerprint to unlock their own phone. Forcing the passcode out of someone can prove more difficult and the phone will wipe itself after 10 tries (if you have that feature enabled).
I could steal your phone and manage to unlock in the process by taking your hand and unlocking the phone before walking away, somewhat more difficult to do with a passcode.
Random #s: 20dpmm = 5,080dpi? Sounds like 2400dpi sensing is certainly insufficient for research-grade identification... and therefore maybe easy to fool? :)
Can the fingerprint reader work with other parts of your hand ? For example if you can use the back of your finger or part of your palm then it could be a little more secure because you don't leave the prints of these everywhere.
I've seen plenty of people "hack" the 4 digit password simply by observing the user entering it. This kind of hacking seems to involve even more work than that.
The most secure computer is the one locked in a room and unplugged.
There has never been a method of security that is secure. The first thing you learn when dealing with security is there are tradeoffs between opportunity, time, money. and usability.
While I agree with the spirit of your post, there is in fact a method of security that is definitively unbreakable (if used correctly/precluding side-channelling): the one-time-pad.
But as you imply, the reason we don't use it is because the opportunity cost and hassle of using it are too high for many uses.
You proved my point by needing to exclude side-channel attacks. You also need keying material, and a way to communicate that material, for a one-time pad and that's vulnerable to a whole host of attacks.
even though it was almost expected to be bypassed easily, using fingerprints can still be handy if one wants to establish claim on a device. I believe the thinking was to provide a way to uniquely link the device to an entity - security was just a byproduct (but marketing trumpeted it)
Its an improvement. The typical pass has 4 characters so 10,000 possible combinations. Doing about 1 per second would find the password in the worst case scenario in about 3 hours; simply by trying all possible combinations.
I think trying to lift a usable fingerprint off a glass surface would be significantly more difficult than that.
"As for the tech itself, Rogers explains fingerprint scanning as a whole is more secure than the four-digit passcode. Copying someone's fingerprints remains a cumbersome process, not to mention pricey -- as much as $200,000, by some estimates."
" And like the sensor in the iPhone 5S, the sensors ... can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. This will protect you from thieves trying to chop off your finger when they mug you for your phone (assuming they’re tech-literate thieves, of course), as well as from people with fake fingers using the fingerprint they lifted from your phone screen."
There are several things here that people in discussion seems to miss och confuse. I've been working with biometrics and can at least try to clear things up.
For authentication (and identification) of a user we have three types of information: Things you have (a hard token generator), things you know (password) and things you are (shape of face, gait, voice, pattern in the iris, arteries in the back of the eye, hand, DNA. And fingerprints). Measuring what you are info and using it is called biometrics.
For good security we normally want to have a combination of at least two of the types. OpenID using for example a Yubikey is a good example.
The good thing with biometrics is that the user always carry the info needed with him/her. There are a few drawbacks though:
(1) The information is not very stable. It changes during the lifetime of the user. Sometimes it can be pretty rapid.
(2) The information is not very unique. Some types of biometrics is better than others. There is also differences in informational quality between individuals and ethnic groups. Depending on type of biometrics we get anything from a few bits to a few ten of bits. This means that it is not better than a good password that is 8 characters or more, but as good as or a bit better than a normal PIN code.
(3) The information is not under the users control and can't readily be replace. This is one thing many here and elsewhere seem to have missed in the CCC announcement. The point is that you as a user can't decide at any given time that you don't trust you token anymore, invalidate it and get a new token. That is why biometrics is foremost a tool _for others_ to identify you (passports, forensics).
The reason fingerprint based biometrics is so popular (compared to other types of biometrics) is that it is possible to build compact, cheap sensors that are pretty easy to use and are simple to integrate into digital systems.
All types of biometrics are fuzzy. We normally talk about False Acceptance Rate (FAR), that is how often do we accept a biometric ID as valid when in fact it is not. And correspondingly we have False Rejection Rate, where a valid ID is rejected. Good biometric systems have FAR, FRR under 10%. But for a busy airport there is still quite a few mistakes during a day.
The way a fingerprint based biometric system normally works is that you have a sensor that creates an image (256 levels of gray scale or similarly). The image is then processed (differential filters etc) followed by feature extraction. The features are called minuae:
Typically sworls, where lines end, merges splits. Normally we find 8-10-15 or a few more good minutae in the image. Based on the location of the minutae we create a graph.
The graph is then stored (if registering a user - called enrollment) or compared to stored graphs. And here comes the fuzziness. The graph will not be similar so we simply can't do a SHA-1 digest and match. The graph will be rotated, scaled, stretched, have fewer or more points. Basically fuzzy congruence matching with threshold.
The feature extraction can be done directly in the sensor. But in the case of TouchID I don't think so. Apple bought Authentec and their area sensors (that can capture a whole image directly. Sweep sensors detect movement of a finger over the sensor, estimate speed and stitch image slices together) simply delivered a raw image. This means that the filtering, feature extraction and matching is done inside A7.
Apple has touted the security of the processing. Basically it is ARM Trust Zone used in several other devices.
TZ is good, but there has been attacks published. And there is nothing that says that Apple has not added a read port from the untrusted enclave into the memory of the trusted enclave. For efficient debug reasons for example.
So. Biometrics is fuzzy and will give false acceptance (as the main problem. rejextion is less of a problem). There is quite probably an image available in the A7 and we really don't know if it and/or the graph database is in fact accessible.
When it comes to the CCC attack - we simply don't know if they tried lower resolution before ending up with 2400 dpi. I wouldn't be surprised if it works (at least sometimes - fuzziness again) with lower resolution. Also attack always gets better. I'm prepared to bet a good IPA that someone within 2 years will show how he/she can unlock a 5S just by smartly pressing on the home button while breathing to activate residue as fingerprint. It has been done with area sensors such as Authentecs before.
TouchID is good if it makes users without PIN to use it. But if it gets users with PINs stop using PINs, it is not as good. What would be great if we could combine TouchID with PIN or password. All the time.
I hope all this explains a few things. And remember, once again, the main problem with biometrics is that it can't be changed at will by the user. Good for others, less so for the user.
Not really anything new here. This was done a decade ago when bio-metrics were shown to be a weak form of authentication/verification. Still, the iPhone scanner is a deterrent and thus adds value.
Despite all the claims of how insecure this is, I've just checked a bunch of my stuff. I cannot find a single clear print. There are a few smudged prints on my laptop and coffee cup. My phone is just smudges all over.
So what is a realistic way to clandestinely grab a print?
This doesn't really translate to an everyday attack vector.
They had to have served the minister a drink that would not cause precipitation to form on the surface of the glass and specifically target him. Then you need to actually process the print.
A better measure would be how easy it is to lift a usable print from a crime scene. But even this has problems. You need to target a person to know whose prints you have.
If you just randomly pick pocket a phone. How do you get the print? How do you identify which finger was used? You need to get lucky or get 10 good prints.
I agree with others. The real question here is, "Is this better than no password?" I think the answer is, yes.
I am not impressed by this so-called hack at all. This is like people expecting encryption to solve both authenticity, integrity and confidentiality altogether by doing c = E(p,k). We want to see real hack as in actually bypass the system without any fingerprint, or a way to forge a fingerprint.
A very large number of people don't put any kind of passcode of any kind on their phone, simply because it's inconvenient. Touch ID is designed for them. It's not designed to secure nuclear footballs.
Touch ID is going to massively reduce the number of totally unsecured iPhones that require zero effort to access. That's the goal.
I think some people see "fingerprint scanner" and think "military-grade security" because that's where we've seen scanners before in movies and such. But this is really very much a solution for the consumer market, where convenience and usability are critical features of a security system. Sometimes infosec folks forget that. If you make it too hard to use (passcodes), people just bypass it. So you can blame the user, or you can try to design something easier to use. If in the end you've improved the overall security landscape, you've succeeded. I think that's what Apple is doing here.