From b8c64ad742eedf02640cba4de4bc76229c29ce65 Mon Sep 17 00:00:00 2001 From: 46halbe <46halbe@berlin.ccc.de> Date: Sun, 22 Sep 2013 18:11:56 +0000 Subject: committing page revision 1 --- updates/2013/ccc-breaks-apple-touchid.en.md | 72 +++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 updates/2013/ccc-breaks-apple-touchid.en.md (limited to 'updates/2013') diff --git a/updates/2013/ccc-breaks-apple-touchid.en.md b/updates/2013/ccc-breaks-apple-touchid.en.md new file mode 100644 index 00000000..61dfe186 --- /dev/null +++ b/updates/2013/ccc-breaks-apple-touchid.en.md 
@@ -0,0 +1,72 @@ +title: Chaos Computer Club breaks Apple TouchID +date: 2013-09-21 22:04:00 +updated: 2013-09-22 18:11:56 +author: frank +tags: update, pressemitteilung, biometrie, biometrics, apple, touchid + +The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided. + + + + +Apple had released the new iPhone with a fingerprint sensor that was +supposedly much more secure than previous fingerprint technology. A lot +of bogus speculation about the marvels of the new technology and how +hard to defeat it supposedly is had dominated the international +technology press for days. + +\ +"In reality, Apple's sensor has just a higher resolution compared to the +sensors so far. So we only needed to ramp up the resolution of our +fake", said the hacker with the nickname Starbug, who performed the +critical experiments that led to the successful circumvention of the +fingerprint locking. "As we have said now for more than years, +fingerprints should not be used to secure anything. You leave them +everywhere, and it is far too easy to make fake fingers out of lifted +prints." \[1\] + +\ +The iPhone TouchID defeat has been documented in a [short +video](http://www.youtube.com/watch?v=HM8b8d8kSNQ). + +\ +The method follows the steps outlined in [this +how-to](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en) +with materials that can be found in almost every household: First, the +fingerprint of the enroled user is photographed with 2400 dpi +resolution. The resulting image is then cleaned up, inverted and laser +printed with 1200 dpi onto transparent sheet with a thick toner setting. 
+Finally, pink latex milk or white woodglue is smeared into the pattern +created by the toner onto the transparent sheet. After it cures, the +thin latex sheet is lifted from the sheet, breathed on to make it a tiny +bit moist and then placed onto the sensor to unlock the phone. This +process has been used with minor refinements and variations against the +vast majority of fingerprint sensors on the market. + +\ +"We hope that this finally puts to rest the illusions people have about +fingerprint biometrics. It is plain stupid to use something that you +can´t change and that you leave everywhere every day as a security +token", said Frank Rieger, spokesperson of the CCC. "The public should +no longer be fooled by the biometrics industry with false security +claims. Biometrics is fundamentally a technology designed for oppression +and control, not for securing everyday device access." Fingerprint +biometrics in passports has been introduced in many countries despite +the fact that by this global roll-out no security gain can be shown. + +iPhone users should avoid protecting sensitive data with their precious +biometric fingerprint not only because it can be easily faked, as +demonstrated by the CCC team. Also, you can easily be forced to unlock +your phone against your will when being arrested. Forcing you to give up +your (hopefully long) passcode is much harder under most jurisdictions +than just casually swiping your phone over your handcuffed hands. + +\ +Many thanks go to the Heise Security team which provided the iPhone 5s +for the hack quickly. More details on the hack will be reported there. + +**Links**: + +\[1\] [Fingerprint Recognition at the Supermarket as insecure as +Biometrics in +Passports](https://ccc.de/en/updates/2007/umsonst-im-supermarkt) (2007) -- cgit v1.2.3
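Review bot: The Starbug quote in the added text reads "As we have said now for more than years", which is missing the number of years; get the figure from the author rather than guessing it before this goes out. In the how-to paragraph, "enroled" should be "enrolled", and "can´t" in the Frank Rieger quote uses an acute accent (´) where an apostrophe belongs. The lone "\" lines between paragraphs and the escaped "\[1\]" markers look like conversion residue, so check how they come out on the rendered page and drop them if they show up as literal backslashes. The closing sentence of that same quote paragraph, "despite the fact that by this global roll-out no security gain can be shown", is hard to parse and would read better as "although no security gain from this global roll-out can be shown". The commit subject "committing page revision 1" does not say what the page is; a subject that names the TouchID press release would make the history searchable.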