Fingerprint security bypassed by Chaos Computer Club

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

Basically, you can "print" the collected fingerprint onto latex, make it
a bit humid and then press it against touchID and it will work. (My
guess is that the thief's own figer provide the capacitance to trigger
the mechanism which then sees the latex shape)

 

That didn't prove that they really can fool the fingerprint
sensor that way. For all we know they could have used
the fake finger for the initial fingerprint, not a real finger.

 

I think the video shows the store of valid fingerprints being cleared
and a single authorized one being established before the attack.

 

No, it would be completely trivial to fake that up so that we
didn’t actually see what was being used to supply the valid
fingerprints that is used for the later verification of the fake finger.

 

The article has two links.

1. The video showing him 'training' the phone with his finger and then
using the fake to gain access.

2. Second link shows the process of making a fake print. The only
difference now is that because of the higher resolution of the new
fingerprint scanner on the phone, a higher resolution fake needs to be made.

--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

Well, I guess you're just too smart for me.

 

No surprise there. They've been doing that in Hollyweird movies for
many many years and is a known "fault" of such scanners. Of course that
method still requires obtaining a copy of the authorised fingerprint.

 

Opps! I meant to add that you can easily get an authorised fingerprint
from the back of the iPhone case. ;-)

 

They haven't shown that you can get a good enough one to fool the
sensor that way, or that that very shaky user didn't just have the
fingerprint
of the finger used with the bit of plastic stored in the phone already.

 

The next step is for someone else to show similar results with a similar
technique. The lifting technique they used would work quite well with a
print from the back or screen of a phone.
http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en


--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

Problem is that it is very difficult to prove with a video
that the finger used with the bit of plastic on it has not
had its fingerprint entered as an authorised fingerprint
with a bit of plastic on it.

The lifting technique they used would work quite well with a

 

A properly done video will be convincing (just as the one above left
questions as you raised). And the more people who try the technique
(earnestly - it's not especially trivial and requires bits of material
not commonly around the house ...)



--
"Political correctness is a doctrine, fostered by a delusional,
illogical minority, and rapidly promoted by mainstream media,
which holds forth the proposition that it is entirely possible
to pick up a piece of shit by the clean end."
-Unknown

 

I'm not convinced that it is possible to prove that those
who made the video had not trained it with finger with
the piece of plastic on it.

(just as the one above left

Yes, that would be proof that it works if it does.

 

I haven't looked into how accurate it is, but there was an episode of a
UK detective show played here last Thursday where they lifted the
fingerprint from the inside of a latex glove using some supplies from
the local hardware and pet store (a fish tank, heating blub, some
superglue). The explanation was that the superglue turns into a gas
within the enclosed heat chamber (fish tank) and that gas only sticks
to the oils / fats (from memory) of the fingerprint on the glove, then
when the glue dries it's "easy" to lift a copy of the fingerprint.

 

Moral of the story, then, is: if you have an iPhone 5S, don't use latex
gloves.

Martin

 

It's a standard crime-lab technique.
<http://www.ccs.neu.edu/home/feneric/cyanoacrylate.html>

 

I saw the 1980s documentary on this. It was invented by a Detroit cop
called Axel Foley, who ended up doing unauthorized undercover work in
Hollywood but solved a major crime ring. (This is the one who put a
banana in the exhaust of the car used by cops tasked to follow him

He demonstrated to 2 friendly Hollywood cops (who are not used to real
crimes) how to lift prints with crazy glue.

 

Looking at the lengths they went to to make it work, I wonder if any iPhone
has anything valuable enough on it to justify the effort. It would be easier
to break into a bank.

 

If they are good enough for the FBI, I'm sure they are good enough to be
useful for fooling the sensor.

That's one of the problems with fingerprint ID: You leave examples of your
"secret" fingerprint everywhere, and you can't change your fingerprints.

 

It can do, most obviously when the net banking is done on that
iphone and if the user is stupid enough to keep the net banking
password on that phone and just uses the fingerprint security to
avoid having to enter a passcode manually multiple times a day,
and the bank's security involves sending an SMS to the phone
etc, it can allow you to loot the bank accounts the user has.

No, and much easier to get caught doing that too.