The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

Here’s more.

UPDATE: Not just fingerprints work.



  1. Dallas says:

    A bit outraged because I was looking forward to this as a means of quickly logging in and to buy stuff off the iTunes store.

  2. Captain Obvious says:

    Rosenbacher got hacked for $10,000. Most of the press got suckered. And Uncle Dave too?

  3. Tim says:

    He didn’t even have to frame and lift the fingerprint with cyanoacrylate?? — Screw you, NCIS. Anyways, there is a total fingerprintless bypass for cops, anyways —

    http://youtube.com/watch?v=qpJNdfKEIag

  4. bobbo, the pragmatic existential evangelical anti-theist says:

    Well………………………it is definitional…. but is this “really” a hack or a by pass? You still need the original fingerprint. Seems to me a “hack” is something you do to avoid the fingerprint entirely, like entering a code like “666-Apocalypse>>>Beast” and you are in.

    Hey–whatever. All security systems are for that false sense of comfort.

    Enjoy.

    • Tim says:

      The concept you are really bobboing around is ‘exploit’. And yes, there are about three of them that do not require digits to be sequestered. But, I dither.

    • bobbo, the pragmatic existential evangelical anti-theist says:

      Exploit/hack/circumvent/avoid/disable/bypass—I don’t know these fine distinction. I leave the field, vanquished.

      • Tim says:

        Don’t let the firewall fragment your ass on the way out.

        • bobbo, the pragmatic existential evangelical anti-theist says:

          Ha, ha. Clever!

          No common ground??????

          Defined: less than 90% overlap?

          My tangent is longer than your tangent!

          …….where do we dither?

  5. Rodzilla says:

    I’m just going to use my wang print to unlock mine. That’s totally secure because who would want a picture of my prick.

    • Captain Obvious says:

      Wait for it…

      • bobbo, the pragmatic existential evangelical anti-theist says:

        Haaaa, haaaaa. I was going to post that “Rod” was correct>>>no one wants a picture of his wang. But your post makes me wonder if any prick would do.

        Well done.

    • Tim says:

      Eww. I never knew you were circumsized — very chique; I think that will probably catch on.

  6. deowll says:

    Well that’s a kick in the … fish.

  7. Captain Obvious says:

    Now it looks like Rosenbacher has pulled his $10,000. He has looking for press attention, and the press was looking for link bait. A decent attempt at hacking has turned into a farce. I’m not sure which is funnier: the press or the people who eat it like sheep.

    Apple fanbois are easy to troll, but people who hate Apple are even easier.

  8. jimmy says:

    or, OR

    it could be a hoax video to get a bunch of press and YouTube clicks. We see him training the index finger, but we never see that that is the only fingerprint in the phone.

    He could have easily trained his middle finger to unlock the phone before shooting the “proof” of this “hack”.

    I’d like to see more proof before we go all crazy. A longer, start-to-finish video showing NO fingerprints trained, to training one finger, to lifting that print from an everyday object and making the latex mold, to using it on the phone with a different hand.

    For fans of JCD and the No Agenda show, there’s a lot of people jumping on this bandwagon with no proof. If you’re going to be skeptical of a fingerprint reader, you should be even more skeptical of a guy who says he hacked it in a day.

    • Captain Obvious says:

      The force is strong with jimmy.

      Bartender, a refreshing beverage for him.

  9. bobbo, we think words, and flower with movie references says:

    As intimated above–its a false security that gives comfort.

    LOCKS, as dear old dad used to say: “Are to keep honest people out.” There ain’t no stopping a qualified thief, or the gubment.

    Don’t be caught stupid thinking otherwise.

    Yea, verily!

    • Tim says:

      They just keep honest men honest — And out of the car for the extra seconds it takes for zombies to grab you.

      They can be fun, too. My first ‘download’ was a 215 pg. manual on lockpicking {I was new to ‘gopher’} and my first use of a dremmel was cutting out a pick and rake from a car antenna rod. My ‘torque wrench’ was a flattened out coat hanger wire coiled into a neat little jig with feedback stiff springiness one grows comfortable with. I bought a couple locks, one a Master and one a Popular Mechanics brass one, and had quite the little passtime with those two, learning that most Masters of the day are trivial {should the need ever arise}. I bought a larger 7-pin Popular Mechanics with the mushroom drivers, made tools just for it, spent several weeks in frustration never getting the hang of that one, then hit the bottle.

  10. dusanmal says:

    Hack or not hack, true or false – biometrics should never, ever be used in regular life for mundane purposes. High end, well thought out, well implemented biometrics belong in nuclear/medical hazard labs or essential military installations. If we had a reasonable government with aim to protect the individual and its freedoms general use of biometrics should have already be banned except for exclusive places I mention and the like.

    • Captain Obvious says:

      I use biometrics regularly to cross borders. Hardly weapons grade stuff – just avoiding the bureaucracy.

  11. dooby-doo says:

    Club-level theatrics impresses club-level players.

  12. Mike says:

    Did you notice that they used the same finger after setting it up? What about a finger on a different person? Does that work?

    • Tim says:

      Of course, it works. But the really valuable thing with the video is to instruct people how to make backups of their own fingerprints.

      You should make backups of your own fingerprints and wear them around your neck like a medical necklace for when you accidentally stick your hand in the fry-daddy and need to call the doctor, or when the crackhead accidentally cut off the wrong person’s {yours} finger to access the I-phone he found laying on the urinal, that kind of thing.

  13. NewformatSux says:

    So what? The purpose is not to make the Iphones more secure, but to have the government collect the fingerprints of everyone who uses an Iphone.

  14. Captain Obvious says:

    CCC has gone from “maybe” yesterday to saying they’ve succeeded. Good writeup here. I hope they get tons of beer from the donations and celebrate.

    • Tim says:

      Thx, Catpain Ovbious. I almost feel I saw that link under a video somewhere yesterday but that is probably because not only is the government ELFing me but I’m usually pickled beyond all cognative mnemosyne gourd-cleavers, anyways.

      • Captain Obvious says:

        Basically, if you can photograph somebody’s finger at 2400 dpi then create an inverted 3D mold at better than 1200 dpi, then you can beat the scanner.

        I feel an escalation coming on between the hackers and Apple – which is good for consumers.

        I also read that the NYPD was handing out pamphlets asking people to upgrade to iOS 7 because of the anti-theft improvements. Again, good for consumers.

  15. Party on, Garth says:

    So you’re at a party, get poop-faced, and fall asleep.

    Your friends scan your phone with YOUR fingerprint.

    You wake up, go home, and find your credit card is maxed out.

    • Tim says:

      Silly derps. I unlock my phone with YOUR pilfered finger print — If they started giggling mine around in frustration then I’d just wake up momentarily and pee on them.

  16. Glenn E. says:

    A “voice print” lock would have been more secure. Even though your voice could be recorded and played back to the smart phone. If the phone asked for a random combination of words to be spoken, that it already had samples of how its owner sounds. Then a tape of the owners voice, would rarely work. Because the words wouldn’t be something said, in everyday conversation, or in the same order, every time.

  17. Glenn E. says:

    So basically they created this new version of the iPhone, just to get people use to the idea, of giving up their finger prints for rather frivolous reasons. Even if the iphone can’t transmit the prints, outside its case. The idea of getting people to surrender their prints, the same way they surrender their SSN, for every little thing. Is insidious. And this may be the first sign of Apple turning evil, after Steve Jobs’ death.

  18. JimD says:

    Obviously, the print scanner is NOT FOR THE SECURITY OF THE OWNER, but for Apple/NSA/CIA/FBI to CONTROL THE USER !!! Sheep !!!


0

Bad Behavior has blocked 5621 access attempts in the last 7 days.