Results 1 to 5 of 5

Thread: 5S & 6 Finger Print Readers - One Year Later - How Secure?

  1. #1
    Join Date
    Sep 2005
    Posts
    157
    Device(s)
    iPhone 3G
    Feedback Score
    0

    5S & 6 Finger Print Readers - One Year Later - How Secure?

    Its now been a year since the 5S hit the street with a finger print sensor and a group in Germany quickly demonstrated how to hack it. Now, a year later, has there been any indication, at all, that iPhones using finger print sensors have been maliciously hacked?

    Not all data on an iPhone is secured in password required applications. Contacts and Notes are two examples that might contain data harmful if in the wrong hands. Now that Apple has announced Apple Pay I am especially interested in understanding how secure it is in real world practice (i.e. number of real problems encountered over the past year).

  2. #2
    Join Date
    Mar 2005
    Posts
    306
    Device(s)
    iPhone 4 (Black)
    Carrier(s)
    AT&T
    Feedback Score
    0
    The banks trust it enough to pay Apple part of their cut because they believe it will result in far less fraud and risk for them. So...

  3. #3
    Join Date
    Sep 2005
    Location
    Monmouth Jct
    Posts
    4,591
    Carrier(s)
    T-Mobile (current)
    Feedback Score
    0
    Quote Originally Posted by RhoXS View Post
    Its now been a year since the 5S hit the street with a finger print sensor and a group in Germany quickly demonstrated how to hack it.
    Let's put this in perspective: "hacking" the fingerprint sensor requires a few things:

    1. Physical access to the phone
    2. "Photosenstive PCB material"
    3. A clean fingerprint which can be photographed at 2400 dpi
    4. A camera or scanner that can image at 2400 dpi
    5. A 1200 dpi laser printer and transparent laser printing sheets
    6. Graphite spray and white wood glue
    7. Time to do all the steps required to photograph, touch up, print, and mold the fake fingerprint, before the user knows what's going on and disables their phone.

    Here's the how-to:
    http://www.ccc.de/en/updates/2013/cc...-apple-touchid

    Is it possible? Yes. Is it practical? I think most thieves would probably find it easier to try to phish their targets instead of physically obtaining their devices and fingerprints.

    Now, a year later, has there been any indication, at all, that iPhones using finger print sensors have been maliciously hacked?

    Not all data on an iPhone is secured in password required applications. Contacts and Notes are two examples that might contain data harmful if in the wrong hands. Now that Apple has announced Apple Pay I am especially interested in understanding how secure it is in real world practice (i.e. number of real problems encountered over the past year).
    So far, there have been no reports that I've heard of, of any real-world attempt to hack a person's iPhone via TouchID, using the above attack or any other method. Again, it's definitely possible to do this. But it requires a LOT of work, and the chances of being discovered while the work is underway would likely be very high. The payoff would have to be enormous to go through the effort, and there would have to be no other easier way to try to get the same information, before someone would seriously try to attempt this in a real world scenario.

    Put another way: There are far easier ways to steal credit card info than to hack the fingerprint scanner of a person's iPhone. So for the foreseeable future, thieves will continue to focus on these other methods, and probably won't be doing a whole lot of TouchID hacking.


    There are of course, other possibilities: Maybe someday a hacker will find a bug, and figure out how to easily disable or bypass TouchID so that no matter what fingerprint you give it, it lets you in. That would be a more effective and serious hack. But so far, there's no sign of that happening.

    Left: iPhone 6+ on T-Mobile. Right: Comcast home internet connection.

  4. #4
    Join Date
    Sep 2005
    Posts
    157
    Device(s)
    iPhone 3G
    Feedback Score
    0
    Thanks for that good response to my question.

    As an example, the scenario that concerns me is losing the phone in say an airport, not realizing its missing until sealed in the airplane, and being relatively helpless to disable the phone for a number of hours. The cost for the equipment needed to lift and duplicate a finger print from the body of the phone seems relatively trivial compared to the gains from having someones full identity including multiple passwords etc.

    Nevertheless, I agree, I think it is safe enough to use but I also think there will be a renewed effort by the bad guys to bypass the finger print access once phones commonly start using something like Apple Pay.

  5. #5
    Join Date
    Nov 2003
    Location
    Earth
    Posts
    2,496
    Device(s)
    iPhone 7 Plus
    Carrier(s)
    Fido
    Feedback Score
    0
    Unless you're a CIA agent, nobody's going to be stupid enough to waste their time to try to use your fingerprints on the device to gain access. First of all it is extremely difficult to do, and even for those people who are able to do it, they need a pristine fingerprint, which usually isn't present in the detail needed. Furthermore, in order to access some of the security features of phone, you still need the four digit passcode. Also, if they fail with the fingerprint access a few times, then they have to type in that four digit passcode too. Remember, the demos of this working on YouTube were set up to be as easy as possible. Basically, someone with all the equipment handy makes a perfect fingerprint on his phone and then proceeds to lift that perfect print, knowing it's that specific print which is necessary to unlock the phone (and not one of the other 15 prints on the phone).

    Also, if anything, I'd consider a passcode for phone unlocking in a public place to be less secure too. I was on the subway the other day and it was so easy to see the passcodes of all the people around me as they accessed their phones. In fact, that pattern unlock method was even easier to see, because it leaves a "trail" on the screen for a second, telling a bystander which buttons were pressed. All someone would have to do is stand by you as you entered your passcode, and then steal the phone at the next subway stop.

    More importantly though, I consider TouchID now a integral and necessary part of my phone. If it doesn't have TouchID, I am not interested in buying it. It is just so so convenient. Unbelievably so. If you haven't experienced it for an extended period, you don't know what you're missing. I was testing out my wife's iPhone 5 for a while, and the number one feature I missed was TouchID. Similarly, I won't buy another iPad until it gets TouchID (and 2 GB RAM). In contrast, those swipe methods for fingerprint access I've tried before are universally irritating to use.
    Last edited by Eug; 09-16-2014 at 06:19 AM.

Similar Threads

  1. Your iphone, one year later
    By dimmy2883 in forum Apple
    Replies: 18
    Last Post: 07-08-2008, 05:26 PM
  2. Replies: 2
    Last Post: 06-29-2008, 07:46 AM
  3. FS: Targus PA460U DEFCON Authenticator Finger Print Reader
    By jumran in forum Other Buy/Sell/Trade
    Replies: 5
    Last Post: 09-30-2006, 11:30 PM
  4. Replies: 7
    Last Post: 12-06-2003, 02:30 AM
  5. Rogers GSM, one year later...
    By alpha tag in forum Rogers/Fido/Chat-r
    Replies: 34
    Last Post: 11-17-2002, 09:29 PM

Bookmarks