Fingerprint security bypassed by Chaos Computer Club

Discussion in 'iPhone' started by JF Mezei, Sep 22, 2013.

  1. JF Mezei

    JF Mezei Guest

    http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

    Basically, you can "print" the collected fingerprint onto latex, make it
    a bit humid and then press it against touchID and it will work. (My
    guess is that the thief's own figer provide the capacitance to trigger
    the mechanism which then sees the latex shape)
     
    JF Mezei, Sep 22, 2013
    #1
    1. Advertisements

  2. JF Mezei

    Rod Speed Guest

    That didn't prove that they really can fool the fingerprint
    sensor that way. For all we know they could have used
    the fake finger for the initial fingerprint, not a real finger.
     
    Rod Speed, Sep 22, 2013
    #2
    1. Advertisements

  3. JF Mezei

    Tom Stiller Guest

    I think the video shows the store of valid fingerprints being cleared
    and a single authorized one being established before the attack.
     
    Tom Stiller, Sep 22, 2013
    #3
  4. JF Mezei

    Rod Speed Guest

    No, it would be completely trivial to fake that up so that we
    didn’t actually see what was being used to supply the valid
    fingerprints that is used for the later verification of the fake finger.
     
    Rod Speed, Sep 22, 2013
    #4
  5. JF Mezei

    Alan Browne Guest


    The article has two links.

    1. The video showing him 'training' the phone with his finger and then
    using the fake to gain access.

    2. Second link shows the process of making a fake print. The only
    difference now is that because of the higher resolution of the new
    fingerprint scanner on the phone, a higher resolution fake needs to be made.

    --
    "Political correctness is a doctrine, fostered by a delusional,
    illogical minority, and rapidly promoted by mainstream media,
    which holds forth the proposition that it is entirely possible
    to pick up a piece of shit by the clean end."
    -Unknown
     
    Alan Browne, Sep 22, 2013
    #5
  6. JF Mezei

    Tom Stiller Guest

    Well, I guess you're just too smart for me.
     
    Tom Stiller, Sep 22, 2013
    #6
  7. JF Mezei

    Your Name Guest

    No surprise there. They've been doing that in Hollyweird movies for
    many many years and is a known "fault" of such scanners. Of course that
    method still requires obtaining a copy of the authorised fingerprint.
     
    Your Name, Sep 22, 2013
    #7
  8. JF Mezei

    Your Name Guest

    Opps! I meant to add that you can easily get an authorised fingerprint
    from the back of the iPhone case. ;-)
     
    Your Name, Sep 22, 2013
    #8
  9. JF Mezei

    joshua Guest

    They haven't shown that you can get a good enough one to fool the
    sensor that way, or that that very shaky user didn't just have the
    fingerprint
    of the finger used with the bit of plastic stored in the phone already.
     
    joshua, Sep 22, 2013
    #9
  10. JF Mezei

    Alan Browne Guest


    The next step is for someone else to show similar results with a similar
    technique. The lifting technique they used would work quite well with a
    print from the back or screen of a phone.
    http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en


    --
    "Political correctness is a doctrine, fostered by a delusional,
    illogical minority, and rapidly promoted by mainstream media,
    which holds forth the proposition that it is entirely possible
    to pick up a piece of shit by the clean end."
    -Unknown
     
    Alan Browne, Sep 22, 2013
    #10
  11. JF Mezei

    joshua Guest

    Problem is that it is very difficult to prove with a video
    that the finger used with the bit of plastic on it has not
    had its fingerprint entered as an authorised fingerprint
    with a bit of plastic on it.

    The lifting technique they used would work quite well with a
     
    joshua, Sep 22, 2013
    #11
  12. JF Mezei

    Alan Browne Guest

    A properly done video will be convincing (just as the one above left
    questions as you raised). And the more people who try the technique
    (earnestly - it's not especially trivial and requires bits of material
    not commonly around the house ...)



    --
    "Political correctness is a doctrine, fostered by a delusional,
    illogical minority, and rapidly promoted by mainstream media,
    which holds forth the proposition that it is entirely possible
    to pick up a piece of shit by the clean end."
    -Unknown
     
    Alan Browne, Sep 22, 2013
    #12
  13. JF Mezei

    joshua Guest

    I'm not convinced that it is possible to prove that those
    who made the video had not trained it with finger with
    the piece of plastic on it.

    (just as the one above left
    Yes, that would be proof that it works if it does.
     
    joshua, Sep 23, 2013
    #13
  14. JF Mezei

    Your Name Guest

    I haven't looked into how accurate it is, but there was an episode of a
    UK detective show played here last Thursday where they lifted the
    fingerprint from the inside of a latex glove using some supplies from
    the local hardware and pet store (a fish tank, heating blub, some
    superglue). The explanation was that the superglue turns into a gas
    within the enclosed heat chamber (fish tank) and that gas only sticks
    to the oils / fats (from memory) of the fingerprint on the glove, then
    when the glue dries it's "easy" to lift a copy of the fingerprint.
     
    Your Name, Sep 23, 2013
    #14
  15. Moral of the story, then, is: if you have an iPhone 5S, don't use latex
    gloves.

    Martin
     
    Martin Frost me at invalid stanford daht edu, Sep 23, 2013
    #15
  16. It's a standard crime-lab technique.
    <http://www.ccs.neu.edu/home/feneric/cyanoacrylate.html>
     
    Michelle Steiner, Sep 23, 2013
    #16
  17. JF Mezei

    JF Mezei Guest

    I saw the 1980s documentary on this. It was invented by a Detroit cop
    called Axel Foley, who ended up doing unauthorized undercover work in
    Hollywood but solved a major crime ring. (This is the one who put a
    banana in the exhaust of the car used by cops tasked to follow him :)

    He demonstrated to 2 friendly Hollywood cops (who are not used to real
    crimes) how to lift prints with crazy glue.
     
    JF Mezei, Sep 23, 2013
    #17
  18. JF Mezei

    Mxsmanic Guest

    Looking at the lengths they went to to make it work, I wonder if any iPhone
    has anything valuable enough on it to justify the effort. It would be easier
    to break into a bank.
     
    Mxsmanic, Sep 23, 2013
    #18
  19. JF Mezei

    Mxsmanic Guest

    If they are good enough for the FBI, I'm sure they are good enough to be
    useful for fooling the sensor.

    That's one of the problems with fingerprint ID: You leave examples of your
    "secret" fingerprint everywhere, and you can't change your fingerprints.
     
    Mxsmanic, Sep 23, 2013
    #19
  20. JF Mezei

    Rod Speed Guest

    It can do, most obviously when the net banking is done on that
    iphone and if the user is stupid enough to keep the net banking
    password on that phone and just uses the fingerprint security to
    avoid having to enter a passcode manually multiple times a day,
    and the bank's security involves sending an SMS to the phone
    etc, it can allow you to loot the bank accounts the user has.
    No, and much easier to get caught doing that too.
     
    Rod Speed, Sep 23, 2013
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.