Sunday, September 22, 2013

MUST READ: Chaos Computer Club Cracks Apple TouchID

CONCLUSION: Forget about fingerprint identification as a secure password.

The Chaos Computer Club reports:
The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.
The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

(ht Joris De Donder of


  1. Bob-

    While I think the fingerprint ID system is flawed, the comments at the thread you link show how the fingerprint ID makes it harder to steal a phone since it is also coupled with a 4 digit PIN if someone steals it.

    The issue is whether the FEDS can access the phone fingerprint and increase (incrementally) the Stasi powers.


  2. That's irrelevant and just plain silly! Everything can be cracked these days - including your 4 digit PIN. How many people are capable of doing what these Chaos Computer Club guys did? Could you do it, Bob? Are you that tech savvy when it comes to Photoshop and what not? I'm guessing no!

    Sure, there are many people who could do it. But similarly there are many people who could crack that small 4 digit PIN. In fact, I'm guessing the PIN code is easier to crack than the finger print. The media is not talking about it because PIN codes are nothing new. But the moment fingerprint is introduced, people are embarrassing themselves by saying stupid things. Take Fitz for example. Are you not a US citizen? Don't they already own your fingerprint? After all, these bio-metric passports have fingerprints in them (did you really think the government deleted these after your passport was printed? Haha!). Or if not, then have you visited the States in the past 10+ years? You do know they take everyone's fingerprint at the border? I'm not a US citizen, but I have voluntarily given my fingerprint to the US government at least 5-7 times.

    Further, even if you are not a US citizen and you've never been to the States, it's still very likely that the US government can easily obtain your fingerprints. Again, if you have a bio-metric passport from your own country, then your government has your prints in their database. And unless you live in North Korea, Iran or Russia, the government is most likely to share your prints with the US counterparts (should they ask for them). New Zealand, for example, recently told that they have an agreement with the US government (which includes changing fingerprint databases).

    So please think before you speak. I'm sick and tired of people doing the opposite. Gosh...

    1. What do you do when your password (in general, so that includes a pin code) has been compromised? What do you do when you suspect someone knows your password? And I'm not just talking about smartphones here. You change your password! Any decent security policy and system will even force users to change their passwords on a regular basis and will prevent them from reusing passwords they've used in the past. When you use fingerprints instead of passwords as access tokens you do not have that option. You can't change the patterns on your own fingers!

      But you can use a different finger, you say? Correct, but you only have 10 fingers. If 1 of your fingerprints has been revoked, that leaves 9 other options. At least with a 4 digit pin code, there would be 9999 options left. Trying (at most) 9 fake fingerprint stamps will take a lot less time than trying to guess a 4 digit pin code. Yes, the pin code can be guessed, but it will take a lot longer. Especially when the system forces a time delay on the user whenever it encounters a certain number of failed login attempts within a certain time frame. But ultimately that's not the issue here. Everything can be cracked, but as Frank Rieger said: you can't change your fingerprints. Once someone gets a hold of a copy, they're useless to you as an access token and again as Frank Rieger pointed out: you are leaving them everywhere. You wouldn't consider leaving post-it notes with your passwords on your desktop would you? Then why would you consider using something that you leave all over your desktop as an access token?

    2. You should take your own advice.

      I try to stay away from any sort of ad hominem arguments, but if you think that the steps outlined above are difficult to learn, you have a very low capacity for learning. I bet Bob could indeed follow the steps and fool a finger print scanner.

      I agree the 4-digit pin is also largely worthless. What does that have to do with a fingerprint ALSO being worthless? There have been plenty of articles written on how lousy short pins are for security.

      The reason this is a relevant article is because Apple was touting how their new fingerprint reader was going to be so much more secure. It isn't. Not only is it insecure in theory, it's now shown to be insecure with a concrete example.

      Should they just stay silent and let everyone believe it works?

      Finally, your fatalistic attitude is not really helpful to anyone.


      It took the guy 30 hours to hack Touch ID. Take a look at the video. Are you still convinced Bob could do it? If you give him step-by-step instructions (including phrases like "Now press Start, look for Adobe Photoshop, now open it"), then sure. Could he figure it out himself? I doubt it, as I'm very tech savvy, and even I have no idea what the guy did after printing out the image.

      Btw, it would take a hacker way less than 30 hours to crack your silly PIN code.

      PS: If you are so worried about your safety, then just don't use the Touch ID. Or better yet, always take your phone with you when you go to the men's room at the bar or leave the restaurant for a smoking break. If you keep your phone with you, it cannot be hacked. Well it could when you're sleeping, but how many strangers are around us when we sleep? Your wife or mom is gonna hack it? Why? If you're a cheating SOB, then you deserve to be caught.

      I'm sorry if my attitude is too fatalistic, but I'm just sick and tired of this Apple bashing. Do Apple users spend hours and hours criticizing Samsung Galaxies, Microsoft Windows or Dell computers? NO! But whenever Apple does something (god forbid, makes a mistake), all the non Apple users are all over it. It makes me sick...

  3. Really? Unitedstate passports require getting fingerprinted? Mine didn't. It must be a new thing? Same with entering the unitedstate. When did they start fingerprinting people? That's news to me. I have a very hard time imagining them taking everyone's fingerprint at the border. Must be one heck of a backed up line.

    Anyway, I imagine defeating the fingerprint ID is the same way REAL ID facial recognition could be hacked. Just photograph someone, use a 3-D printer to make a mask, and voilà.
