457 comments

[ 6.1 ms ] story [ 281 ms ] thread
Kind of a "well duh" post. All of the image scan finger print readers are easy to game.

Even the ones that use capacitance can be beaten with a rubber glove and a copy of the finger print, printed on the latex. (the best is actually an Vinyl condom that doesn't come pre-lubed, the ink sticks better and the vinyl is less of an insulator)

The problem is that Apple made a big deal in the announcement about how it was so much more secure than previous implementations, how it used sub-dermal imaging and stuff like that. It appeared from what they were saying, that this would be considerably harder to fake.
It is considerably harder to fake.
It doesn't look it. From the description in the article it appears to be a very similar process to what has been used before, just with a higher resolution printer, but not one that is outside the realm of photo printers.
Getting a precise enough print is the hard part. Note that they started with a perfect, carefully staged print, so they haven't really cracked it.
Considerably harder? From the article:

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake",

Difficulty of lifting a good print is probably proportional to the resolution needed. Ie, you need a higher quality print to get a higher resolution image to contain additional information.
I'm actually pretty skeptical this is the case. Fingerprint data is noisy - it has to tolerate a high degree of error. I suspect the problem is actually that you need to smooth it out appropriately to make the sensor not get tripped up by non-biological noise.

I'd be really curious to see what you could do with a high-resolution smartphone camera and a little image processing.

I am guessing I can beat it with a good pen. As you say it has to be tolerant. If you have a little grunge on your finger, or a cut, or get a tan or there is grunge on the sensor it still has to work.

Also, there are a lot fewer fingerprints than the world has been lead to believe. Especially since we each have 10 to try, since the phone only checks 1.

The "How to fake fingerprints" link [1], is one of the scariest things I have seen, given how simple it is, and how much we reply on fingerprints for linking people to crimes.

BTW, for anyone who does not know about Chaos Computer Club (CCC) [2], they run a massive conference in EU. You can look at some of their talks @ http://media.ccc.de/

[1] http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?langu...

[2] http://en.wikipedia.org/wiki/Chaos_Computer_Club

Frontline had an excellent piece on the (lack of) reliability behind most of crime forensics. Fingerprints in particular are mentioned as being very unreliable and unscientific. The only scientifically rigorous piece of "CSI" is DNA matching.

http://www.pbs.org/wgbh/pages/frontline/real-csi/

And now even DNA is being called into question.

http://mobile.nytimes.com/2013/09/17/science/dna-double-take...

In addition to the chimeric qualities cited in the NYT article (I skimmed), IIRC some DNA sampling has in the past used and may still use a fairly limited profile of markers. The statistically likelihood of matches between distinct parties is in some cases well under the population of the world. Never read into it in detail, but I was left with the impression that "unique identifier" can be an over-statement/qualification also from this perspective.
>The statistically likelihood of matches between distinct parties is in some cases well under the population of the world.

In addition to that, there are problems with bias and statistical independence. A given marker is unlikely to be present in exactly 50% of the population, and to the extent that it isn't it can reduce the probability by that amount that a test match is a true match. Meanwhile the suspect pool for a given crime is likely to encompass several (perhaps many) members of the same extended family, who for the obvious reason are significantly more likely than random members of the world population to have the tested markers match one another. Even within a city you will generally see concentrations of specific ethnicities who may have a higher statistical incidence of specific genetic markers than other populations, which can screw up the numbers by an amount that historically hasn't even knowable because we don't have good numbers on the statistical incidence of specific markers within geographical populations.

The place where this is most pernicious is when they get a sample from a crime scene and run it against some "DNA database" to find a hit. Then everybody is talking about the probability that X suspect would match the DNA at the crime scene rather than the probability that someone in the database would match even if the actual perpetrator wasn't in the database.

>The place where this is most pernicious is when they get a sample from a crime scene and run it against some "DNA database" to find a hit. Then everybody is talking about the probability that X suspect would match the DNA at the crime scene rather than the probability that someone in the database would match even if the actual perpetrator wasn't in the database.

Or the probability that, match or not, the DNA from the crime scene belongs to the criminal.

And not, say, someone the victim came in contact with earlier, someone that happened to be in the crime scene before the crime took place, or even some third guy the actual criminal took a DNA from in order to frame him.

> The statistically likelihood of matches between distinct parties is in some cases well under the population of the world.

I thought that was pretty much always the case. Which is why DNA evidence is never used alone - you don't take DNA traces found at a scene of crime, run it against a huge database, find a match, close the case and try and sentence the matching person.

Instead you either investigate whether that matching person had means and motive and no alibi, or (more often) you check the DNA only against people you already suspect for whatever reasons.

Both variants reduce the likelihood of false positives by quite a few orders of magnitude.

I thought they used restriction digests with gel electrophoresis, I'm pretty sure full genomic sequencing would be too expensive.
I don't really know, but this does sound familiar and is part of what I was speaking to. What type and generation of technology was used? How much was the solicitor of the test willing to pay for it (influencing the choice made within the current range of available technologies/capabilities), as well as how many sequence/data points were targeted.

As one example, combine a fairly limited set of targets with gel chromatography, and varying quality/accuracy of analysis/analysts of same... And you have a lot less "uniqueness" than things like the common, public term "DNA fingerprint" imply.

Yes, it may be a useful tool in combination with proper understanding of its limitations. However, we have (in the U.S., for example) and adversarial judicial process and prosecutors have been shown to often not place such understanding even in context let alone as a primary concern. If the defence is lacking, including simply financially to engage its own "expert witnesses"... misbegotten interpretations can and do rule the day.

Even DNA can provide false negatives in the case of human chimeras.
Or just someone skilled enough to place fake dna in his body such that the person taking the sample is fooled into taking it from the fake dna.

Yes, this really happened - at least once that we know of: https://en.wikipedia.org/wiki/John_Schneeberger

In Schneeberger's case, it seems that he was simply infusing a part of his body with another man's blood and then making sure that the lab tech drawing the blood sample drew it from the same place. Once they tested his hair and saliva, they had a positive match.
Wow!

During his 1999 trial, Schneeberger revealed the method he used to foil the DNA tests. He implanted a 15 cm Penrose drain filled with another man's blood and anticoagulants in his arm. During tests, he tricked the laboratory technician into taking the blood sample from the place the tube was planted.

Or someone just being careful with his DNA at the crime he commits, that then places someone else's DNA that he wants to frame?
That would work in the sort of Hollywood movie where the government has everyone's DNA on file.

Then again, I guess we've seen that you literally cannot be too paranoid.

>That would work in the sort of Hollywood movie where the government has everyone's DNA on file.

You don't have to have "everyone's DNA on file". It's actually pretty trivial even for your neighbor or whoever to get your DNA.

As for the police falsifying evidence, there's a wikipedia-long history of cases, in Europe, Latin America, Asia, etc. Especially in politically charged times, like the sixties and seventies. Heck, something like half of Italy's government in the 70's have been proved in later Italian courts to be involved in such things.

> You don't have to have "everyone's DNA on file". It's actually pretty trivial even for your neighbor or whoever to get your DNA.

Sorry, I wasn't clear. I can dump a gallon of your blood and semen onto a dead guy in an alley, but how would the government trace that blood and semen back to you?

They don't have to necessarily trace it back to me, as long as they can't trace it back to you.
A, sure.

Well, as the culprit, you can always arrange some things or leave other stuff that also points to me.

Also, your main benefit is that the police will more easily believe that it wasn't you (since your DNA won't match).

How in the world did he get off with only 4 years in prison after "repeatedly" raping multiple people?
And false positives in case of stem cell transplantation (a treatment of leukemia). There was a case where they got a false positive because of that. They discovered that it was a false positive because the alleged culprit had an alibi: He was in prison.
Chimeras are also apparently way more prevalent than we had previously realized.

http://www.nytimes.com/2013/09/17/science/dna-double-take.ht...

> But scientists are finding that it’s quite common for an individual to have multiple genomes. Some people, for example, have groups of cells with mutations that are not found in the rest of the body. Some have genomes that came from other people.

> Women can also gain genomes from their children. After a baby is born, it may leave some fetal cells behind in its mother’s body, where they can travel to different organs and be absorbed into those tissues. “It’s pretty likely that any woman who has been pregnant is a chimera,” Dr. Randolph said

Maybe we should lick the iPhone to provide accurate DNA biometric lol
Isn't it rather easy to obtain somebody's DNA, and also clone it? Seems even easier than obtaining somebody's fingerprints.
It's easy to obtain. You'd need lab gear to make more - the gear is pretty common in wet labs: a PCR machine, desk centrifuge and suitable supplies.

It's much less common than a consumer-grade scanner and some wood glue.

Except laboratory error reduces the claimed reliability of DNA massively (to one in a few thousand levels, iirc - not one in a million).
>The "How to fake fingerprints" link [1], is one of the scariest things I have seen, given how simple it is, and how much we reply on fingerprints for linking people to crimes.

I think DNA evidence is even worse. Given how simple it's for anyone (from an oppresive government to a criminal to take DNA from someone they want to frame and place in on a crime scene. Heck, it's even easier than fingerprints, and it's also thought of as "irefutable".

iOS security is trivial to break if you have physical access to the device. TouchID (and passcodes) should be considered little more than a convenience, not a serious security measure.
Really, how do you trivially break a passcode on an iOS device? There is a way that I know about, and it is very much non-trivial.
Just use brute force or dictionary attack over the wire. Given that most users use 4-digit pass codes, this can be done usually in minutes, almost always in less than an hour.

Or, if your target is paranoid and uses a very long passcode, target the charger rather than the device itself. iOS assumes any physical device to which it is connected when unlocked is secure. Replace the usb brick with a small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case. Then wait until your target plugs in his iDevice and unlocks it. You can then dump the drive, or side load malicious code.

> Just use brute force or dictionary attack over the wire. Given that most users use 4-digit pass codes, this can be done usually in minutes, almost always in less than an hour.

It's clear you've never actually attempted this. The timeout between passcode entries increases with the number of consecutive failures. Get 10 wrong in a row, and the device is wiped (if the user has chosen that option).

> Or, if your target is paranoid and uses a very long passcode, target the charger rather than the device itself. iOS assumes any physical device to which it is connected when unlocked is secure. Replace the usb brick with a small computer (e.g. Raspberry Pi) in a convincing looking Apple-esque case. Then wait until your target plugs in his iDevice and unlocks it. You can then dump the drive, or side load malicious code.

This no longer works on iOS 7. The user has to manually choose to trust the computer they're attached to prior to any communication going across the wire.

I'll ignore the needless snark.

> The timeout between passcode entries increases with the number of consecutive failures. Get 10 wrong in a row, and the device is wiped (if the user has chosen that option).

Only if you're typing in pass codes to the lock screen, which isn't how its done. An attacker would instead image the flash, grab the Dkey from effaceable storage, and decrypt the filesystem. Indeed this is exactly how professional iOS forensic analysis kits work. This will get you access to SMS, photos, and anything else that doesn't fall under Data Protection.

Data Protection, a second level of encryption that uses your passcode to generate keys, is only used on the keychain block and emails by default. To crack Data Protection, use brute force on the copied data, not on the iDevice itself.

>This no longer works on iOS 7. The user has to manually choose to trust the computer they're attached to prior to any communication going across the wire.

Cool, I didn't know that.

EDIT:

Here's a good overview: http://mobappsectriathlon.blogspot.com/2012/09/how-do-you-pr...

"Only if you're typing in pass codes to the lock screen, which isn't how its done. An attacker would instead image the flash, grab the Dkey from effaceable storage, and decrypt the filesystem. Indeed this is exactly how professional iOS forensic analysis kits work. This will get you access to SMS, photos, and anything else that doesn't fall under Data Protection."

Yep, as I suspected, you haven't done this ;) Please don't discuss how "simple" it is if you're getting your info from third parties. You can't image the flash. None of this works how you think it does, because the forensics toolkits left out a crucial detail in their marketing.

The dirty secret? You need a 0day bootrom exploit. The professional kits use the limera1n exploit, which was patched years ago.

I didn't say "simple." I said "trivial" :)

Nope, I've never done this live. For this I'm reliant upon what I've read. Feel free to tell me what's wrong. Stating how it works, or pointing the way to an accurate source, is infinitely more helpful than saying "you're wrong", even if it might feel satisfying.

Here's my understanding of how the initial loading works. BootROM uses a series of RSA validity checks on the chain of software components to load the RAMdisk (which is used for update in DFU mode.) To load your own RAMdisk, you need an exploit in bootROM (which are the same exploits used for jailbreaking, and thus of high value for the community to discover.)

I just told you. You need a bootrom exploit. That's the non-trivial part. Nobody has one, and they haven't since 2010. I mean, the NSA might, but the forensics companies don't, and there aren't any public ones. Hence, it's far from trivial.

Even with the multi-thousand dollar forensics kits, you cannot even begin a brute force PIN attack on any bootrom for any iphone or ipad still on sale. The last devices it worked on was iphone 4 (not 4S) and ipad 2.

You clearly know much more about iOS hacking than I do. It's well outside my area of expertise, and I'm grateful for the corrections. I learned a lot getting up to speed on how this actually works over the past couple days.

Pretending to have knowledge when you don't understand the fundamentals of the problem is both a good way to make yourself look foolish, and is certainly the cardinal sin in engineering. For that, I apologize.

For context, the reason I've been insistent is that there is a particular company that claims to be able to pull data from iPhone 5 and below in spite of the encryption. Whether this is true or not, I don't know, but I've heard it from a person I trust in mobile security.

If you keep up with the jailbreak hacking community (which I'm just now getting into), the Grugq (a fairly reputable source) posted on MuscleNerd's twitter that he's heard a private company has a new 0-day bootrom exploit, which would fit with the information I've heard.

Regardless, I should have just shut the f*ck up and let you teach me some science, instead of letting my competitive instincts lead me down a rabbit hole. I'll work on that.

On iOS 7 you have to explicitly trust a computer from the device before data is allowed over USB; before that it is in a charge only mode. To trust a computer you must unlock the device.
Which "wire" allows you to brute force the passcode? Have you tried this, or are you repeating claims of others? Because I have a feeling that doesn't work like you think it does.

Your latter attack is an entirely different threat model, and can't be used on a stolen device.

> iOS assumes any physical device to which it is connected when unlocked is secure

I thought this was fixed in iOS7?

"Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

Yes

lol, @ "oppression and control" . go back to your conspiracy theory cave. Apple didn't have this in mind, they simply set out to solve a problem.
These findings would have been more surprising if the fingerprints were taken from the phone itself!
Actually, touchscreens are more or less the ideal surface to get the fingerprints from - a smooth glass object frequently touched. I just took my phone out of my pocket and found three very clear prints... Just look at 00:37 in the video they posted (1) - lots of clear prints. If the video was higher resolution, you might even be able to use frames of their video as a print source.

1. http://www.youtube.com/watch?v=HM8b8d8kSNQ&t=37

Expected. Still much, much better security than no code at all. I will use it (with full knowledge of its downsides and tradeoffs) and it would behoove the CCC to not portray security as a binary state. (Just as much as it would behoove Apple to be truthful in their marketing.)

Don't use it if thieves would consider going through all the effort of faking out the scanner. That's what I take from this no doubt valuable and important work from the CCC.

(I assume that iPhone tracking and activation lock cannot be disabled with the fingerprint, so stolen phones will still be easily remotely wiped and bricked, with fingerprint or without. Thieves will have to be crafty and quick if the want to pull this off.)

Yes, we often say security and think it means total protection. It doesn't. Its rare to see any security feature that cannot be bypassed or broken by some means. This is why we implement security in layers. If it were a binary state then a single layer would be sufficient. The idea is to make it so difficult to break through every layer of security that it becomes impractical but there will always be someone who does it.

I also don't think Apple is dishonest in their marketing. Fingerprint scanning is absolutely better than a pass code and the marketing around it all gives the impression that using it ensures no one can unlock your phone without your fingerprint. Nothing dishonest in that. Plus the layperson really has no interest in learning the specifics anyway so I'm not sure it matters what they say about it so long as it sounds cool and futuristic.

> Fingerprint scanning is absolutely better than a pass code

How often can you change your fingerprint? I can change my pass code virtually an infinite number of times. How often do you inadvertently leave your pass code in random places just by touching things?

A good pass code is absolutely better than fingerprint scanning.

That's hyperbolic. How often can someone see your passcode over your shoulder? Or have it picked up by a security camera? Fingerprint scanning absolutely has advantages over pass codes.

Security is all about trade-offs. This result was to be expected (in some form). What will be worry me is if the "secure enclave" where the fingerprint data is stored is cracked (and I wouldn't be surprised if that happens too eventually).

Your point is moot. As soon as your fp is digitally available online. E.g.,the CCC has captured and published former german minister of the interior, Wolfgang Schäuble's fingerprint in 2008 [1]. This finger of him is not secure any more and readily available via a google image search.

[1] http://www.h-online.com/newsticker/news/item/CCC-publishes-f...

Agreed: that's why I said it would be especially worrying if this "secure enclave" Apple talks about is cracked and if it's then possible to reconstruct fingerprints from the data inside. But unless that happens, the iPhone itself doesn't make my fingerprints any easier to leak; someone can already get them from everything I touch!
Even worse: Other manufacturers will jump ship and this sort of device becomes omnipresent on smartphones.

Probably, apps will get access to capture raw prints themselves at some time. Someone will start to store real and unhashed fp's in their database. As happening frequently with databases containing CC numbers (and even CC pins), that DB will eventually get copied and accessible on the net.

Buying one's fp data will become possible at some point.

> Probably, apps will get access to capture raw prints themselves at some time.

Any company that designs their hardware so this is possible deserves the suit they'll get.

Not that expected. I know a lot of people were BSing about how much more secure Apple's fingerprint sensor was and how the usual techniques for faking a finger wouldn't work on it, including some security researchers.
Yes. I anxiously await Gruber's lengthy post-mortem about the fingerprint reader being just as bad as all previous fingerprint readers, equal in number, length and enthusiasm to his previous posts about how wonderful and advanced it is.
I know folks love to have on Gruber, but looking at df.net I don't see where he has compared the security of TouchID to other fingerprint readers - rather he's compared the convenience and performance of TouchID to other fingerprint implementations, and I don't know that anything in the OP would, or should, change his assessment of that.

(not an iPhone or Android user, at least not yet).

Gruber is an ignorant fanboy.

There are too many examples to pick from, but here's a recent one.

In his iPhone 5S review he rambles on about how Apple is an innovator and picks out the A7 procesor, TouchID and a new burst-mode camera feature:

"But the real innovation — there’s that word — is software, right there on the device itself, that makes it easy to select only the shots from those bursts that you really want to keep, and to throw away the rest."

Yet Samsung did the same thing for the S3 back in 2012.

http://www.youtube.com/watch?v=OxXEAyuoyQk

So rather than addressing the point, you attack him on something completely different. Presumably because there are actually no examples where he's been wrong about TouchID.
No, I couldn't be bothered because the man writes guff.

http://daringfireball.net/2013/09/the_iphone_5s_and_5c

> "You know how iOS touch latency and scrolling performance have always been far ahead of its competition? The way you could just tell that internally, Apple had uncompromising standards for how responsive these things needed to be? That’s what Touch ID is like — it’s to all previous fingerprint scanners I’ve seen what the original iPhone was to previous touchscreen computers."

Make that fawning guff. Convenient that he forgets the uncompromising standards of Apple Maps.

> "Touch ID’s extraordinary performance and accuracy fit right into that story."

No benchmarks or comparisons to justify this hype compared to other fingerprint scanners. How do we know it's not the same as a cheap $1 RF scanner from China?

> " a complete experience hosted entirely on the device. Your fingerprint data is not just “not stored in iCloud yet”, it is not stored in iCloud by design, and according to my sources, never will be."

Rubbish. He knows nothing about Apple's roadmap. He always cites his inside "sources" yet he has NEVER broken any story where he had the lead on a scoop. Not on any products or corporate announcements.

I don't care what an armchair blogger thinks about TouchID. I do however care what the Chaos Computer Club thinks because they actually know what they are talking about.

You haven't actually made any points at all. You've just called him names and added some dismissive words after a few quotes from him. You don't have to convince anyone that you dislike Gruber. That much is obvious.
> Convenient that he forgets the uncompromising standards of Apple Maps.

In the next paragraph, he writes that Apple sucks at online services, and that TouchID is great precisely because it's a completely offline feature. You haven't even read the article. I wish HN would blacklist any mention of Gruber's name.

Well, they were wrong. Quite obviously. I'm just saying that I was very much expecting an attack like that to work.
I was disappointed to see that this hack shows the sensor isn't relying on the "microscopic capacitive surface" being claimed by Apple. So it's really just another CCD camera under the button?
Those techniques still haven't been shown to work in practice because CCC was only ago to unlock the device using a carefully made high quality print, not one lifted in an ecologically valid situation.

What matters is the rate at which copies of real prints are rejected, not the fact that one carefully made print can be made to work.

Nice , The mythbusters did this in their fingerprinter scanner episode , although they didn't have the iPhone5s but I am sure the same principle/technique would work.
As I remember, after using a similar technique they started working backwards and found a simple photocopy (no gelatin or other simulated finger) would do it. Apple has at least beat that horrifically low bar.

That was a great episode. Beating the thermal sensor was great too.

Wasn't Gruber getting awfully excited about how amazing and revolutionary Apple's finger print sensor was?

Will he be claim chowdering?

What did he claim?
Along with the other bollocks that has been linked he even chucked this one up just before the weekend, http://daringfireball.net/linked/2013/09/20/touch-id-star trashing the linked news article.

Number 1 on the list from the Toronto Star was "How long before hackers crack the security function?" How 'misinformed' of them.

From what I've read, Apple's sensor is still more accurate than competing sensors. It works much faster, and is better at recognizing your finger in various positions. It's also faster/easier than a 4 digit passcode.

Let's be fair. Apple said it was easy to use and improved security (compared to the previous iPhone). They didn't say it was designed to the standards needed to protect DOD secrets.

This seems like CCC is just trying to get attention to me; holding the device up to straw-man standards of security.

"They didn't say it was designed to the standards needed to protect DOD secrets."

I'm sorry, but this is so much backpedaling. Do i really need to start pulling out comments from the last discussion where people were quoting Apple's press conference about how revolutionary and secure this was?

People will here what they want (you included), i'm not entirely sure what you're getting at though.
Hear what they want?

Apple made a huge deal about how secure it was an how much of an improvement and how very sophisticated it was. It turns out, it wasn't really.

Now people are saying "well, they never really said it was all that good, or meant to keep you secure", blah blah blah.

Let's start with the basic press release:

"and introducing Touch ID™, an innovative way to simply and securely unlock your phone with just the touch of a finger."

" “iPhone 5s sets a new standard for smartphones, packed into its beautiful and refined design are breakthrough features that really matter to people, like Touch ID, a simple and secure way to unlock your phone with just a touch of your finger.""

From http://www.apple.com/pr/library/2013/09/10Apple-Announces-iP...

"“There’s so much personal stuff on these devices; our email, our photos, our contacts. We have to protect them. The most common way is to set up a passcode. A simple 4-digit passcode, or a more complex one if you want. Unfortunately, some people find it’s too cumbersome and dont set it up. In our research as much as half of people don’t ever set it up.”"

"We’ve set up a new technology that makes this super easy to do. We call it: Touch ID."

"“Your fingerprint is one of the best passwords in the world.”"

This was said by Apple at the iphone 5s press conference.

This says it is meant to replace the passcodes, and it was "one of the best passwords in the world", and supposed to be able to protect personal data.

Here's a cite: http://techcrunch.com/2013/09/10/live-blog-from-apples-iphon...

You can verify from other transcripts as well. I avoided the slides they had explaining how very sophisticated the sensor technology was.

So what i'm getting at is that most of the comments in this thread smack of "Apple never really meant it to do X, or Apple didn't say it would be all that secure". They did, on both counts. They said it would replace passwords, and they said it was quite secure.

The claims otherwise are ridiculous.

I think it is a very innovative step by Apple. It's going to convert a lot of people who never lock their devices into people who use quite a secure and easy-to-use method to lock their devices.

Just because it can be hacked does not mean it is a bad method to use.

An interesting comment on the YouTube video: Not cleaning your iPhone is likely to leave fingerprint evidence/marks directly on the device's housing that could be faked.
I'd be interested on peoples' opinions, is this more or less secure than a 4-digit passcode?

From a real security perspective, users should have alphanumeric password, as far as I know, businesses often enforce this.

Obviously a 4-digit code is easy to brute-force on a computer, but it requires far more technical knowledge to do so - booting custom firmware, using some script to brute force, etc, and if the attacker doesn't have the skills, they are limited to 10 tries, maybe more after waiting a few minutes or an hour.

It seems to me that, excluding users leaving smudges on their screen and seeing the passcode that way, a fingerprint is even easier to break than a 4-digit passcode.

I think you're missing the biggest security hole with passcodes: whenever someone on the subway unlocks their phone, I need to consciously look away or I'll risk inadvertently committing their code to memory. It makes me seriously uncomfortable.

I'll hazard a guess that abuse by acquaintances, intimate or casual, is the most common risk to smartphone users, and that the fingerprint is an incredible improvement over the status quo.

This is true, but this is more down to people not covering their phone. I tend to shield my phone to the point where it would be obvious to me if someone were trying to see my passcode.

I think TouchID provides good security against 'casual attacks' - those by people who see you use your phone a lot, people who aren't going to put much effort into an 'attack', just try and post things on your Facebook account while you're out of the room.

However, in the case of 'real' security, where a person is being targeted for their data, or anything like that, I think it would provide less security.

I find the idea that the typical 4-digit password provides any more security against an attacker dedicated enough to make a copy of your finger pretty hard to credit. You're placing a lot of weight on your "covering" ability. (There have been times I've had to try hard not to infer someone's passcode purely from their hand movements.)
It makes me seriously uncomfortable.

Oh I think it's cool to notice, for instance, that a physics major uses 3141.

I agree it'd be cool if it didn't amount to an enormous breach of computer etiquette :)
(comment deleted)
I have accidentally seen basically all of my friends' passcodes as they type it in at bars etc. I could get into their phones easily. TouchID is more secure than that simply because someone needs to take a 2400dpi image of the person's finger to do it.

Locks (when physical access to a device is available) are to keep honest people honest. Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.

...2400dpi image of the person's finger...

Note: Finger Print, not finger.

Here, have a drink out of this freshly washed glass... no, don't worry, I'll wash the glass for you later. :)

On the last second point regarding access to a device, I could take a week to make up the fake print during which it won't matter if I have it or not. Since your print isn't changing I just need 5 minutes with your device at any point in the future.

Then create a detailed model using said high resolution fingerprint. If someone cares enough about your phone to do that, they can probably break into it by other means anyway (jail break, brute force passcode, etc)
You leave finger prints on the phone. Just snap a photo with a decent camera - it's probably enough detail. Print it. Stick some latex or glue on it (literally available everywhere).

That's it. This is not rocket science or time consuming like brute forcing. You don't even have to shoulder-surf to catch their password.

Importantly, this has been demonstrated. The CCC has been doing it for years and published a howto with material costs in the low one-digit Euro range.

http://translate.google.com/translate?sl=de&tl=en&js=n&prev=...

Actually it hasn't been demonstrated at all. They dusted a carefully made high quality fingerprint to defeat TouchID, not an opportunistic one taken from something an unwitting victim left behind.

Until they do that, this doesn't really indicate much about how weak TouchID is in the real world.

I strongly encourage you to try this and let me know how it turns out.

I'll wait.

> Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.

Anyone who says this is not a security expert. That hasn't been true since full disk encryption became available. A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place.

Most people outside of this community are not using disk encryption.

With that said and the caveat that I am not an encryption expert myself: given an infinite amount of computing power and an infinite amount of time, can full disk encryption not be broken? If so, then it is just a question of computing power and time, not of whether it is possible to get to the data.

>given an infinite amount of computing power and an infinite amount of time, can full disk encryption not be broken?

Sure. But the difference between "infinite" and "a couple billion years" from a human perspective is minute.

Yeah, just a matter of time. Bring a flashlight though, because the sun is projected to burn out far sooner than the largest supercomputer will be able to brute force a 256 bit key.
Combinatorical problems tend to grow in the amount of effort to try out all possible elements quite quickly, and quickly growing things in turns often hit physical limits. The following post on Security.Stackexchange explains it quite nicely; excerpt: the sun doesn't emit enough energy over its lifetime to power an extremely efficient computer able to try all combinations.

http://security.stackexchange.com/a/25878/25947

So basically we need some new form of computer (one that's not flipping individual physical bits), and not "just faster" ones, to crack certain encryptions by brute force.

No, the physical access statement still holds true, even with FDE. First, if the machine is powered on, they can just extract the keys from RAM. Second, if you continue to use the device after it has been tampered with, you also lose (aka evil maid attack).
I take it you're not a security researcher either, because "A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place" is insufficient, too.

Cold boot attacks, copying the drive and hacking the bootloader to get the drive password the next time you log in are two trivial methods, both of which have been used already.

Once you lose physical access to your hardware, it's game over. You simply cannot trust your computer after that point if you care AT ALL about maximizing security.

I like how you refer to things that you have never tried as "trivial". And the defense against those is easy. Don't reuse it after it was stolen then returned. That's a different threat.
I have accidentally seen basically all of my friends' passcodes as they type it in at bars etc. I could get into their phones easily.

And your friends could change their password 365 times per year every year for the rest of their lives.

With fingerprints, they get 10 password changes.

20 if they use their toes.
22 if they also use their nipples.
Then they'll draw even more attention unlocking it at a bar, though.
Does that actually work? I'm having... trouble... googling it.
More if they use their cat's paws.

But then again it might not be too convenient to carry said cat around all the time.

How do you change password with one finger left?

I'd say 9 password changes...

A comment on another article the other day (can't remember which or I'd link) noted that no-one will magically know your passcode when you sleep or nap, but it might not be too hard for them to gently put your thumb on your phone. One would do well to remember that involuntarily "surrendering" login information doesn't necessarily require hoses or wrenches...
If we've learned anything over the past few months, it is that security is an illusion when it comes to Google, Apple and Facebook.

The fingerprint scanner is not intended to protect your personal data from being accessed by nefarious cyber-spooks or crackers. The $5 dollar wrench technique is fairly effective in bypassing such security anyway.

The fingerprint scanner is there so that when your phone is nicked by a mugger, they can't reset to factory defaults and sell it on eBay. If some knife wielding thug that robs me of my phone has the intellectual capability of lifting my fingerprints off the case and then using them to bypass the security, he still has to know my AppleID password before he can remove the 'Find my Phone' feature.

Give Apple a break. This is just another layer of security. It's _not_ the panacea to all our security woes, and they have never claimed it was.

Giving Apple a break? Just another layer of security? That's not how Apple describes it:

http://support.apple.com/kb/HT5949?viewlocale=en_US

And selling a stolen iPhone on eBay does not need a password or a fingerprint, a jailbreak is enough …

Jailbreak is enough... When it exists. And for now it doesn't.
taking past trends into consideration, it looks like you're betting on the wrong horse, here. it will exist.
What are the actual trends on jailbreaks for iOS on current hardware?
Past trends do indicate that. However, the very recent past indicates that Apple is getting progressively better at foiling jailbreaks. It's taking greenpois0n and those folks longer and longer to crack each successive version of iOS. Took a long time for there to be an untethered jailbreak of iOS 6 and the latest rev of iOS 6 wasn't cracked til about two weeks ago. There was no jailbreak of any kind on the iPhone 5 for several months after its release, which is a long time considering that the time between device generations is one year.
Judging by latest Apple TV jailbreak status, it still might never appear.
You linked to a support document explaining how the technology works. You may have had a point if this was listed on their product page describing the feature, but instead you have them touting the convenience of using your finger to unlock your phone and make purchases:

You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.

Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.

Only an idiot would buy a jailbroken phone without a clean ESN on it. Those who do, know what they are getting. And you're forgetting Activation Lock, which a jailbreak will not defeat.
That's not true. Most non-idiots that I know have no idea what an ESN even is.
> The $5 dollar wrench technique

I prefer Schneier's original rubber hose technique. Leaves fewer broken bones and bruises, but just as effective.

Plus, you can't get a decent sized adjustable wrench for less than $15 nowadays. Even the cheap Chinese ones that loosen the parallel alignment on the jaws after a few weeks cost more.
"Thermorectal cryptanalysis" it is called in Russian, and involves a soldering iron.
Agreed. But they always blow it out of proportion. As if the existing fingerprint systems are extremely insecure and theirs is not. The truth is they are all the same- insecure.
Theirs is better than the standard old fingerprint scanners and far better than using 'nothing' which is what they are replacing. They have blown nothing out of proportion.
if it causes people to behave recklessly because they have the false impression of security, when they would otherwise have taken better custodianship of their device and their data, then yes ... it can be worse than nothing.
That shouldn't be an issue considering most people don't have a passcode set.
Another option would be to just require a PIN (or both a PIN and fingerprint).
Yeah, that's going to move consumer devices. "Now harder to use!"
What would you call more reckless than having no passcode at all?
Regardless of whether or not fingerprint scanners are good security wise, it's a bit silly to think that phone robbing thugs are completely dim. The way it works in my first world modern country is that there are shops everywhere that unlock or reset phones as part of their services, and it isn't thugs running them. It's people with an affinity for 'tech' who just happen to deal with a shadier area.

If cracking fingerprint authentication is as easy as this article suggests then there's no doubt that these types of shops will do this readily. Steal a phone -> bring it to a place that does it.

The AppleID password is another thing though.

No, this is not the same as sim unlock. Circumventing touch id technology by making fake fingerprints is exactly the same case as being called to unlock a locked doors. The specialist knows when he is liable to crime and cannot make a legal bussines out of illegal access.
Honestly I think you're underestimating the gall of certain businesses. These aren't big multinational chains, they're like booths that pop up and down every year, in the less salubrious parts of town. They might not do it as openly, but there will be places thieves can go to circumvent touch ID if it's hackable...the knife wielding thug wont have to sit in his bedroom fiddling with acetate paper.
> he still has to know my AppleID password before he can remove the 'Find my Phone' feature.

I don't know if others are experiencing this, but as of iOS 7, that feature turns itself off every time my phone is rebooted.

Apple claims that "The technology within Touch ID is some of the most advanced hardware and software we've put in any device." [1]. This attack showed that increasing sensor resolution only requires increasing the resolution on the fake print to match.

This attack is an interesting data point in the debate over using biometrics in access control systems. Apple was hyped to have introduced something new and exciting in this space, but it's quickly been shown to not be a significant advance in fingerprint sensor technology.

Touch ID, however, is still an adequately secure access control check to be useful to consumers.

[1]http://support.apple.com/kb/HT5949?viewlocale=en_US

Well, since they've never put a fingerprint authentication system in their hardware, I think that their claim still holds...
> This attack showed that increasing sensor resolution only requires increasing the resolution on the fake print to match.

Just to clarify, it wasn't just the increased resolution that was required here, but "latex milk", I assume to simulate a living finger, as well. It's not as simple as print-of-print = unlock.

It's "latex milk" today, tomorrow it might be just "regular milk" that's needed! The point is that the fingerprint security was bypassed so soon after release, and posted on the internet. Sure, it takes a lot of effort with the first generation of this hack.

No matter how cool the fingerprint tech is on iPhones, you wouldn't go as far as using it for your master access to your password manager app or bank account app.

For the purpose of replacing the lock screen pin, or as others have said, no pin at all, I think it's fine.

Latex milk, white glue, grocery-store gelatin— they all work. You just need something thin and flexible that'll take an impression.
Except where I live there is organized phone snatching. A crew of phone hackers hire drug addicts to yoink phones off transit riders and then pay them 10% of the value. They then go to work on the phone changing the IMEI and I would imagine easily bypassing this fingerprint auth. They make use of the data for fraud purposes and then wipe and sell the phone on the street, a block away from where I live outside a run down sketchy bar.

Police caught the "muggers" slipping the phones into faraday bags so they couldn't be remotely wiped which led them to the ringleaders. They were busted but I'm sure there's a new crew doing it

I don't think it's possible to change the IMEI on an iPhone at all, and "easily bypassing" touchID involves collecting the user's fingerprint, which I guess is not included in the drug addicts' service offerings.
You can swap the logic board. They sell these for $80 or just trade with somebody who has a backlisted IMEI in UK/Australia for your US blacklisted phone. There's a bunch of crime forums that offer this service
> It's _not_ the panacea to all our security woes, and they have never claimed it was.

But they've never said it wasn't, either. It's important that everyone is in the clear about how secure TouchID is. I'm going to use it anyway, but the other decision is how much personal data I want to store on my phone.

TouchID*

* Note: TouchID is not the panacea to all our security woes. will not cure cancer, create world peace, does not kill kittens, [continues on listing everything it's not for 9 trillion pages]

Of course they have broken it, I had no doubt it would be broken like any other fingerprint security system.

The issue here is that it's ok, it doesn't really matter. It is all about the amount of security you need. Does a normal user need unbreakable security? No. The security provided with this method is more than ok, it is kinda secure and it's faster (imho) than writing your passcode. After all your "enemies" here are nosy friends or similar...

If you need "unbreakable" security then you shouldn't use iphone or android, or you should use an specific secure storage application (cyphered content, hard to guess pass or whatever). If you need "unbreakable" security you better consider hiring a security consultant.

So, the question here is, are the security systems in mobile devices more than fine for most normal users? I guess so...

Actually, its not okay. The reason is: fingerprints are not a valid protection against government intrusion.

A password is the only thing that really protects you from this. And now Apple are moving consumers over to a less-secure, more government-friendly intrusion ..

What is the resolution of the fingerprint image stored in biometric passport, i.e., the kind of passport you need to enter the US?

Biometric passports store an actual fingerprint image and not just a hash like the iPhone 5S. So if the resolution was high enough, everyone with access to a biometric passport – for example by scanning people carrying such passports around at an airport – could forge fingerprints …

Biometric passports don't necessarily include fingerprint data. For example, current US passports are considered biometric but do not include fingerprint data since fingerprinting is not required to obtain a US passport.
That's interesting, thank you – especially because I had to get a biometric passport with fingerprints in order to enter the US …
I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.

Also, if a fingerprint sensor is significantly easier to use, and in practice will deter a class of privacy violations, it could increase overall security. This is a question you can only answer by looking how people behave, not solely with an analysis of the technology.

The fingerprint sensor worries me more that it records biometric information at all. It's one thing to leave fingerprints all around your environment, but there is now the potential to steal your biometrics over the internet. The device supposedly hashes the data derived from your fingerprint, presumably with a hardware-based secret, but I worry someone will find a way around that. (EDIT: maybe this is physically impossible; can someone provide details?)

Also, the issues that CCC discusses about how fingerprint unlocking can be coerced are important. Many law enforcement organizations now have devices that can scan smartphone data, which is bad enough, but at least the use of those devices are controlled. A fingerprint sensor now allows a cop to handcuff someone, jam his or her finger onto the phone, and then to (for instance) delete an incriminating video.

Likewise anyone else willing to use force. Might become the next schoolyard amusement for bullies, if your kid has a smartphone.

> I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.

The Google Chrome Security team begs to differ [1]. According to them giving someone the illusion of security is bad.

[1] https://news.ycombinator.com/item?id=6165708

Which is an incredibly absurd position, in any context.

Security is not binary.

If it were, it would always be 0.
Which is ironic coming from a company known to be sharing information directly with the NSA.

Name one security technology that is 100% foolproof. They don't exist. So the point isn't to rely on one thing, but to rely on many things that, used in concert, increase the risk, complexity and cost associated with subverting the entire system--not its individual components.

I don't think I've seen anyone parry an appeal to authority with an ad hominem lately. Good one.
Umm... I think the point was to subvert the appeal to authority by pointing out that Google has been compromised.

The main argument is in the second paragraph.

Anyhow, thanks for noticing :)

In this case it's valid.

In the same way that you'd afford extra scrutiny to a government agent making claims about what encryption methods to use, you should afford the same scrutiny to companies making security claims who are documented collaborators with the TLAs.

An ad hominem isn't always a fallacy, especially when the credibility of the speaker is legitimately in question. Saying they're automatically wrong would be fallacious (not to mention silly), but questioning credibility based on actual, documented behavior is not.

Citing the Google Chrome Security team regarding security is the exact opposite of the appeal to authority fallacy. It's an appropriate expert for the context.
No. It's appeal to authority.
It is an appeal to authority, but a non fallacious one. As the authority being quoted has the relevant position.
(comment deleted)
Giving someone the illusion of security is bad because it displaces their understanding of security.

An understanding of security will reveal that security is not a binary state of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like the iPhone fingerprint reader to keep honest people honest and discourage ordinary muggers and thieves. I don't need military-grade access control for my personal iPhone, I don't want the inconvenience that would necessarily accompany it, and I damned sure don't want to pay for it.

And the Google Chrome guy is correct in all respects: it's not reasonable to expect an application to provide security that's redundant with security provided by user accounts on the OS it runs on. It would be better to teach users to create separate accounts on their system, if they want to hide their local passwords from other members of their family.

Teaching users to create separate accounts might be better, but so would any number of impractical suggestions.

It is perfectly reasonable to expect an application to provide more security than the user account provides because in the real world, we know that people don't always lock their computers. Not all applications are risky, but one that centralizes a users credentials is clearly so.

Pretending otherwise is simply not acknowledging the real world.

You are completely detached from normal practical realities, as such your beliefs on security can be safely disregarded.
The first round of sleephack data exposures will put the failure to that point.
> It's one thing to leave fingerprints all around your environment, but there is now the potential to steal your biometrics over the internet.

Correct me if I'm wrong, but the biometric data never leaves the device.

It's also not stored on the device. Hashes, not fingerprints, are stored.

You need the fingerprints themselves to fake out the hardware.

Rare is the phone without the owner's fingerprints stored all over it.
Sure, but his post was about stealing data "over the Internet". That's not possible.

All bets are off with physical access to the hardware, of course.

Nobody has been able to use those low quality fingerprints to defeat TouchID.
Not true at all. There are quite a large number of cases out there that would be hard to lift fingerprints from. If the owner has this sort of case, and if the owner has cleaned the screen recently or just had the phone pocketed, thus wiping the screen off rather well...I think there are a large number of phones from which you would get no prints.
Well, they have to store fuzzy hashes rather than cryptographically secure ones since they're going to get a different section of the finger and slightly different features within that finger each time. There's a good chance that whatever form of fuzzy hashing they're using is reversible in the sense that, given a hash, you can create a fingerprint that isn't necessarily exactly the same as the original but will match that hash.

For example, the obvious approach is to store fingerprint features, which will be then matched by any print that has the same features in the same positions. If you do a good enough job of generating the new print you might even be able to fool police investigations, since they compare prints the same way.

Looks like fingerprints have 30-40ish bits of entropy depending on how forgiving the device is, so unless they're doing some key stretching it should be practical to produce an image of a similar fingerprint by brute-forcing the hash with every biologically likely fingerprint.

http://lukenotricks.blogspot.com/2009/04/on-entropy-of-finge...

I think it's a hot topic in security circles right now that a worm or virus could infect these mobile devices and "phone home" with the data, resulting in a media nightmare.
You are overcomplicatimg things. The hypothetical cop could just smash your phone to pieces. Same result, less effort.
Not the same result at all. You now have lost your phone and the cop has to argue that you smashed it yourself out of spite. There may be more witnesses or evidence after smashing a phone. Presumably there are even phone company records showing when and where a device went dead.

I am not a lawyer but it seems to me, 9 times out 10, the cop would prefer a cleaner result - they confiscate your device, and oops, when you get it back, the video is gone.

Why wouldn't they just confiscate it, and "oops, it fell in a bucket of water"?
If cops wanted clean results, they wouldn't do anything that looks bad on your smartphone camera to begin with.
that's actually kind of ironic...

...the people closest to you in your environment ( kids, parents, spouse, boss, co-workers) are the ones who can most easily obtain your fingerprints...

And are probably least easily able to capture a high resolution image and reproduce a 2400 dpi heavy-ink image that is then used to create mould of your print.
Here's an idea that would improve security in conjunction with the new sensor:

Create a random pattern of ridges and, using the technique outlined in the OP, build a latex key. Attach that to your keychain (in some sort of case to improve durability, maybe). Then, enjoy 2-factor auth, between the phone's pass code and the synthetic fingerprint.

Wow cool idea, someone needs to test that
Presumably solvable by using a digit that isn't normally in contact with your phone - eg the pinky of your non-dominant hand?
Wonder if using your nose would work... A toe surely would but accessing that piece of hardware is an ugly hack in too many ways.
It sounds silly but it's a brilliant idea!
This isn't new, some other guy broke TouchId by making a fake finger from gelatin and soy sauce.

http://blog.fortinet.com/iPhone-5s--Basic-Fingerprint-Replic...

It seems that that guy directly made a 'copy' of his own fingerprint in a mold. I agree that it is breaking TouchId, but the CCC did a more realistic crack: making a fake fingerprint without the person's finger.
He was not able to use the moulded version of his finger to access Touch ID. Instead he had to "enrol" his fake finger as a new finger, and from that point was able to unlock the phone.
Not seeing anywhere in that article where he had success replicating a print. He did get the iPhone 5S to enroll a fake print and unlock with the same fake print. He was unable, however, to replicate an enrolled fingerprint from a real finger and successfully unlock.

Additionally, all of this was done with molds of the target finger - not from lifted fingerprints. Completely different target.

> The method follows the steps outlined in this how-to with materials that can be found in almost every household

I own almost none of the materials they list. They have a very different idea of what materials can be found in almost every household.

By my reading the minimum is: 1) Laser printer 2) transparency sheet 3) white glue.

You might not own a laser printer but surely you have a library or kinkos nearby that makes the distinction academic.

Honestly, TouchID is better than what we have today; a 4 digit useless passcode. If somebody has to take a photo of my fingerprint off a glass surface to gain access to my phone, so be it.
It's not as useless as all that. Assuming Apple has properly used their key derivation function, and the phone locks you out after ~10 failed attempts, and there's no way to access a locked phone's data, then a four digit passcode is actually quite secure.
A KDF wouldn't help with a 4 digit PIN
Wouldn't it? E.g., what if you did the derivation from the PIN in combination with a securely stored random salt (that could, as an added bonus, change every time you changed your key code)? That was, incidentally, what I meant by "properly used their KDF".
4 digit pin? I use a 12+ character alphanumeric password on Android.
To unlock your phone? Each time you need to use / check it?
I have a 5 year old iphone and 6 digit password. So one can be 100 times safer than grandparent without much effort.

I presume longer codes are ok on iphones even today?

iOS lets you choose between a 4 digit pin or an alphanumeric password of whatever length you want. The 4 digit pin is meant to be more convenient, but even then most smartphone owners don't use it.

The point of TouchID was to have a more secure default for most than a 4 digit pin or, more commonly, no pin or password at all. Few people would be happy with having to enter a 12+ character alphanumeric password each time they wanted to use their phone, you're an outlier there.

Sure, a few people use long passwords on their phones (usually when forced to do so by corporate security policies. However, most don't, because it's impractical. Many don't even use a pin lock.
Considering that people generally don't wear gloves when they use their phones this is like having a picture of your key on your door. Combine that with what we know you can do with pictures of keys[1] and yes it's obviously not a very good idea.

[1]: https://news.ycombinator.com/item?id=6167246

So, if this can be accomplished with keys, have you removed all the locks from your house? Do you rotate your locks every 3-6 months?
My front door does not have a picture of my key on it. My phone has tons of fingerprints though. It's a touch screen phone. One of those words is "touch" which clearly implies your finger coming in contact with it. Even if you wanted to use gloves you need special ones for it to work properly with the capacitive screen. Unless you are continuously wiping it (the screen, not the data) it will have you prints on it.
If you slightly smear your finger every time you remove it from the sensor you shouldn't have this problem. Additionally, if you are keeping your phone in your pocket, as I do, pull it out and take a look (like I just did) and you'll be hard pressed to see much of anything resembling a useful print. I use my phone pretty much all day long and it is devoid of useful prints.

Does that mean you couldn't find my prints in other places? Sure. But I can probably find your keys in other places, too.

We know that SSL is generally not implemented properly, that the CAs are probably all hacked or subverted by the NSA, that the NSA may have developed backdoors to a number of the more popular encryption suites, but I don't hear anyone running around demanding Google or Facebook disable SSL.

If you are doing something that requires sufficient security that you don't want someone to access it via your fingerprint alone, add additional layers of security.

If you are doing something potentially incriminating ... don't do it on your freaking phone because it's probably been exploited in a dozen other ways by various authorities who can use it to find out most of what they need without being in physical possession of the phone anyway.

Most people aren't worried about the mafia or the CIA or the NSA. Most people don't even bother using a passcode, let alone a passphrase on their phones. If you can add something as easy to use as this, then it adds an additional layer of security against the casual abuse most people will find themselves subjected to (random people making calls from your phone, spouses spying on their email, etc.).

If you are worried about the CIA and the NSA, using a phone at all for anything is probably not in your best interest at this point.

Assuming someone did steal your phone and look for prints, they would need to know which print to lift and that it's enrolled with Touch ID. After they, they only get 5 goes to be successful before the phone insists on your passcode.

CCC made it look easy but I bet it didn't work for them first try or even 5th try...

> My front door does not have a picture of my key on it.

Yeah, but as every decent locksmith will attest, very-nearly-almost-all door locks can be easily opened with the right tools. Like picking a lock is a specialist skill, so is lifting a fingerprint and making a copy of it. No security is absolute; it's all trade-offs. Making it such that it's not worth your adversary's time to bother.

Yes, but as the same decent locksmith would attest, it would be foolish to have a picture of a key beside the lock, or anywhere in a public place.

And that is what happens with a finger-print based secure system; you inadvertently place the imprint of the key on the phone's display as well as public places.

But the point is that you don't need a picture of the key beside the lock for a locksmith to break into your house! And, indeed, if there was one it would probably be faster and easier for him to use a lock pick rather than taking the time to cut a new key.
It is a phone, you can bypass the passcode with a computer anyway - the passcode/touch is designed to prevent opportunistic unlocks not a determined attacker and it is much better than a passcode at doing that.
no no no no no.

This is not being done by lifting an existing print from the existing device. They're taking a photo of the authorised FINGER and using that to create their fake finger...

I don't see how this could be considered a significant issue unless you are going to steal someones phone AND somehow get a still 2400 dpi photo of the surface of their finger

You are incorrect. Second sentence of the article: "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID."
Which glass surface? The oleophobic glass on the iPhone itself?

If the print was copied directly from one of the phone surfaces, you'd think that the CCC would want to include that little tidbit.

>> Which glass surface? The oleophobic glass on the iPhone itself?

That brings up another interesting point -- I wonder how many people are going to put screen protectors on their 5S's that are not oleophobic.

A meticulously placed fingerprint was made on a clean and polished glass surface as if it was being taken by the police. Nothing like a normal fingerprint left by accident.
This is a really silly statement - "This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided."

Sure, maybe you can bypass this mechanism, but as an everyday password, this is still a substantially easier tool than typing in a 4-digit password.

In fact, at least you cannot easily spoof my fingerprint at a public location, while you could certainly easily figure out my password by just standing over me when I type it. I wonder how many mall cameras, street cameras and all sorts of public surveillance cameras have all our passwords?

> this is still a substantially easier tool than typing in a 4-digit password.

I know tons of people, including myself, who don't use any passcode on their phone because the 4 digit stuff is a hassle.

CCC is arguing this isn't pick-proof anti-tampering deadbolt, when right now a huge number of users don't even have a door. It's still a MASSIVE improvement.

To be fair Apple hasn't said anything about liveness checks or any other safeguards against faked/duplicated fingerprints. All they talked about was how the fingerprint storage itself is secure, hardware level and local. The hack that gets the fingerprints off of the chip by exploiting some implementation related vulnerability would be a big deal.

TouchID is just another fingerprint reader - albeit one that's easier to use.

At this rate, no method of security is secure.
The most secure computer is the one locked in a room and unplugged.

There has never been a method of security that is secure. The first thing you learn when dealing with security is there are tradeoffs between opportunity, time, money. and usability.

While I agree with the spirit of your post, there is in fact a method of security that is definitively unbreakable (if used correctly/precluding side-channelling): the one-time-pad.

But as you imply, the reason we don't use it is because the opportunity cost and hassle of using it are too high for many uses.

You proved my point by needing to exclude side-channel attacks. You also need keying material, and a way to communicate that material, for a one-time pad and that's vulnerable to a whole host of attacks.
They tried to make a fingerprint readers more sophisticated and added a temperature registers to avoid fakes or (more in more gruesome case - a cut off finger), but hackers managed to make so called rubber fingers or peel dead finger and fill with a warm salty water. Anything can be hacked.

But I think they are missing the point. If Apple wanted its phones to be a secure gimmick at Pentagon - that was silly. But for average user - nobody is going to steal your prints. It's just a usability. For average Joe it is so much easier to tap with finger than type PIN all the time. But if you get specifically targeted nothing will save you.

The exact same arguments could be made for having crappy passwords, which, I might remind you, are defeated hundreds of thousands of times a day, at a massive cost to its victims.
I don't see hundreds of thousands of fingerprints being lifted from people to fabricate 2400 dpi fake fingers 'every day'.