Chaos Computer Club breaks Apple TouchID

Unsurprisingly, that didn't take long.

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. [...]

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

Previously, previously, previously.

Tags: , , , ,

35 Responses:

  1. Lloyd says:

    Hey, it's like opening a lock by making a duplicate of the key to it, and using that!

    • jwz says:

      Yes, it's exactly the same! And when that happens all you have to do is change your fingers. Oh wait, I think this analogy has broken down.

  2. nooj says:

    Not only is the key to unlocking the device (your fingerprint) left everywhere, it's left on the face of the device itself!

    Who tapes their key to the front door?

    • Lloyd says:

      It's under the mat, actually. For security.

    • phuzz says:

      How many people keep a spare key hidden within a few meters of the outside of their door? Quite a few I suspect.
      Of course, you can always change your locks/keys if they're compromised.

  3. Although I have no hope that this rush to biometrics will result in anyone implementing them well, I thought fingerprints were particularly stupid for phones. Take a look at someone's phone: what's all over the shiny surfaces?

  4. I'm slightly suspicious of CCC's claim at this point -- the video doesn't prove much, as the phone could have been previously trained on the second finger. I guess their magic is in converting a photograph into a texture, so subdermal details are captured? If so, that's not the same as lifting a fingerprint from a surface -- you don't generally go around leaving high res photos of your fingertips everywhere.

    • halcy says:

      There's no magic. It's the same technique that has been used to defeat fingerprint scanners at airports, and at supermarket checkouts, and everywhere else - you make a fingerprint visible (easy, cyanoacrylat [from superglue] or coloured powder will do). You take a photo. You play with it in photoshop (ramp up the contrast, make it black-white). You laser-print it. You lift that with woodglue. You put that over your finger. Done. Here is a tutorial so that you can reproduce it yourself. The CCC also has literally no reason to lie about this, and all the reasons not to, and historically has not, ever, lied in press releases about security holes.

      No matter how much biometrics manufacturers like to claim that their readers capture "subdermal detail", "blood vessels" or do "pulse detection" or the likes, it's just not true. None of these claims have ever been substantiated. It's snake oil. And all that is not even going into the part where somebody can just use your actual finger while you are asleep, or after you've been arrested.

      Mind you, while the scanner is terribly insecure, it's more secure than nothing - it's just much, much less secure than even a 4 digit passcode, and nobody should go around marketing it as being "highly secure".

      • It's not clear to me whether the linked article is talking about starting from a picture if a fingertip or of a fingerprint left on a surface.

      • nooj says:

        readers supposedly capture "subdermal detail", "blood vessels" or do "pulse detection". None of these claims have ever been substantiated.

        Let's clarify that it doesn't matter if they're true. As jwz said, there is no way to re-key. This is true of every biometric. It's unconscionable to foist this onto the general public.

        • Jal says:

          I can't speak to the general public, but that is life at data centers.

          • Dan Lyke says:

            So I can neither confirm nor deny that at at least one data center where I've got biometrics for access, the emergency credentials stash also contains a fake Halloween rubber hand. Because sometimes one might need to say "I know you're not keyed for the server room, but here's how you find this hidden box which contains a hand and an unmarked RFID card..."

            • grェ says:

              Having been to numerous data centers; and even military equivalents; there may be a ton of biometrics. But they're not good security metrics, particularly if we're talking about physical security - nothing beats a human who can check to see if a person is authorized (maybe even with gasp a phone call to someone who would be able to confirm such things!). The fact that iOS6 was approved for military use, and then this creeps up in the next version, just sounds like the military-industrial feature creep.

              Soon, perhaps Apple too, will have a FIPS-140 compliant iOS! I'm pretty sure Windows 2000 was approved by the time 2003 and more were out (oh, but not with any patches in between the point of evaluation).

              Most things like this are to bolster the military industrial complex, which, doesn't tend to actually do things that do much for security, but does a lot for keeping people employed with vastly over-touted and often excessively expensive 'solutions'. Not that keeping people employed is a bad thing; you wouldn't want some impoverished hacker out there with an axe to grind or anything.

    • phuzz says:

      If you were going to invent an object that would be the most reliable way to collect someone's fingerprints, you'd probably make it out of glass, and make it something that the person touches many times during the day.
      Yes, your iPhone is the perfect place to harvest your fingerprints from.

      • Tim Dierks says:

        Take a look at your phone. Fingerprints are easy to see. I'm guessing you won't see any clear, high-quality prints; the way you tend to handle your phone (sliding your finger across the glass) doesn't lend itself to clear prints. I have a phone with a glassy front and back and I don't have anything that even resembles a clear print on mine; just smears, and in one spot, a partial print (about 1/4 of a finger).

        It's possible that a thief could recover a usable print from a phone, but I think they'd have to get lucky to do so.

        • phuzz says:

          Actually, looking at my phone I can see some pretty good prints, but I think you're right, I was being a bit overly optimistic.
          Mind you, does the new iphone have a glass back still? That might give you some better prints.

        • nooj says:

          You assume a partial print won't unlock the device.

  5. Alrescha says:

    I think context is important. Apple, in their presentation, pointed out that approximately half of iOS users don't bother with any passcode at all. A one digit passcode would be an improvement. To go from nothing to fingerprint technology is off the scale.


    • Colonel says:

      This. Exactly. If you have extremely sensitive info valuable enough that you are likely to be targeted by people who would go through the trouble to fake your fingerprint or knock you unconscious, then obviously you need a good pass code. But for the regular person who doesn't need high security and otherwise wouldn't even bother, biometrics is perfect.

      • jwz says:

        "Regular people have nothing to hide."


        • Alrescha says:

          Circumventing security is nothing but a cost/benefit analysis. "Regular people's" data simply isn't worth the effort.

          • Jal says:

            The point being, you do not do that shit in a civilized places Or we pull out the crowbars. Metaphorically speakiing.

        • hattifattener says:

          It's not about whether "regular people" have anything to hide, it's about whether they otherwise would bother to hide anything. The fingerprint scanner is shitty security, but it's more secure than "slide to unlock". If some people use TouchThingy who would otherwise have not used a passcode at all, then it's a benefit. If some people use TouchThingy who would otherwise have used, say, a 4-digit PIN, then it's probably a net loss (depending on threat model I suppose).

          Or, another way to put it, I know that anyone who wants to could unlock my door in a moment using a bump key, or just break a window; but that doesn't keep me from locking my door when I leave home.

    • Marcello says:

      a weak protection is not an improvement over no protection at all: without a passcode you're conscious that your data is exposed and you act accordingly, with a weak protection you might think your data is secure and act differently (e.g. storing more sensitive data you wouldn't have stored otherwise).

      • Alrescha says:

        By that logic, all incremental improvements in security are without value.

        • jwz says:

          And from a sufficient level of abstraction, true is false.

          The illusion of security is worse than no security. If you don't see that, you're being willfully obtuse.

          • Alrescha says:

            Saying it is an illusion does not make it one. Security is not binary. To a sufficiently funded and motivated attacker, circumventing whatever protocols you might put in place is a walk in the park. If you believe otherwise good luck to you. One puts up barriers to balance the probability of attack. Bruce Schneier uses an air-gap. He did not always do so. His risks are greater now. Fingerprint technology in the hands of the guy on the street with a phone is an reasonable match of barrier to risk.

      • Owen W. says:

        This is similar to the argument the Chrome developers give for why their password manager doesn't have a password. The idea is, if someone has physical access to your computer, they can get at the passwords in the password manager. The password protection for the manager is the screen unlock. But I guess in this comparison, we're talking about the screen unlock.

  6. Mark. says:

    Faking fingerprints to frame innocents (in that case using photographic techniques to make stamps that left bogus ones) goes back to Dr. Thorndyke mystery novels. That's what, near a century old?

  7. another joe says:

    Something you know, something you have, AND something you are. Not or.

  • Previously