LOL So much for Apple's touch ID "security"


openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
You're creating scenarios that don't exist. If you're that important you would have other security measures. This isn't a pass code for nuclear warheads. Lol.

Like I said, overblown.

Huh? I have no idea what you think I wrote, but it sounds like you only read what you thought I wrote, which is obviously not the point I was trying to make. I think you should retake sarcasm 101.

Got it?
 

BoberFett

Lifer
Oct 9, 1999
37,562
9
81
I'm not sure how having a burned finger would change anything. It'd just mean re-training TouchID with the burned finger.

I'm merely saying that a password can be changed on demand. A fingerprint cannot. It's a weakness of biometric ID compared to a password, you have no control over it.

I have gloves with capacitive screen support, but they are hit and miss too, so I sometimes take off the gloves anyway in the winter. Mind you, I suspect TouchID would have problems in the cold too, so in the winter I'd probably shut off TouchID when I plan on using the phone a lot outside. It's less of a concern for me though since I don't walk to work.

A feature you have to turn off because it doesn't work under a common condition isn't much of a feature.

This is the best solution for highest safety, but not the best solution for most people IMO, because it's too inconvenient. I certainly wouldn't be using fingerprint + passcode for general phone usage. I'd use either a passcode (like I do now) or TouchID (preferred).

As others have pointed out, if you're going to have false security anyway, just eliminate it and make it truly easy. I don't use a pattern lock on my Android because I think it's going to protect all those unencrypted state secrets I carry on my phone from the Russians. I have it to keep prying eyes out of my phone, and the weaknesses of biometric fail for that purpose.
 

BoberFett

Lifer
Oct 9, 1999
37,562
9
81
I have a question that might reinject some debate.

Has Touch ID really been hacked?

It's my understanding that the accepted hack was done by scanning a high resolution fingerprint of the enrolled individual, not by actually "lifting" a print.

I understand that the concept is the same as faking other fingerprint readers, but how often will a real data thief have access to a high resolution image of the print they're trying to fake?

Who needs to hack it? A scorned significant other will just wait until you're asleep and put your finger on the phone. Voila, instant access.

Yeah, yeah, Apple fanatics will insist that the problem is having a crazy SO. Be that as it may, it's not security.
 

golem

Senior member
Oct 6, 2000
838
3
76
As others have pointed out, if you're going to have false security anyway, just eliminate it and make it truly easy. I don't use a pattern lock on my Android because I think it's going to protect all those unencrypted state secrets I carry on my phone from the Russians. I have it to keep prying eyes out of my phone, and the weaknesses of biometric fail for that purpose.

Do you mean once someone has your fingerprint they have access to your phone for life? Well that's true, but if you know someone has your fingerprint wouldn't you just use something else to lock your phone?

This would also be a weakness of pattern unlock too. If someone knows your pattern, and you don't know they know and aren't in a habit of changing it, they have access to your phone until you change it.
 

BoberFett

Lifer
Oct 9, 1999
37,562
9
81
Do you mean once someone has your fingerprint they have access to your phone for life? Well that's true, but if you know someone has your fingerprint wouldn't you just use something else to lock your phone?

This would also be a weakness of pattern unlock too. If someone knows your pattern, and you don't know they know and aren't in a habit of changing it, they have access to your phone until you change it.

Yet the fact remains that a person can, if they choose to, change their password at any time.

I have yet to change my fingerprints.



And until pulling my penis out in the middle of a meeting at work to unlock my phone is approved by HR, there are really only 10 fingerprint changes one has available to them...
 

golem

Senior member
Oct 6, 2000
838
3
76
Who needs to hack it? A scorned significant other will just wait until you're asleep and put your finger on the phone. Voila, instant access.

Yeah, yeah, Apple fanatics will insist that the problem is having a crazy SO. Be that as it may, it's not security.

No, this is a significant flaw of TouchID and one that isn't a vulnerability of pattern or pin unlock. But pattern unlock has vulnerabilities that TouchID doesn't. Say someone looking over your shoulder or a hidden camera while you put in your code.

The hidden camera vulnerability is more out there, but I know I've watched friends/family put in their codes in front of me so that's a definite possibility.
 

golem

Senior member
Oct 6, 2000
838
3
76
Yet the fact remains that a person can, if they choose to, change their password at any time.

I have yet to change my fingerprints.



And until pulling my penis out in the middle of a meeting at work to unlock my phone is approved by HR, there are really only 10 fingerprint changes one has available to them...

How often do you change your passwords? I know I don't unless I have to. Not to mention the fact that you don't have to use fingerprint unlock. It's an option; if you know it's been compromised, change fingers or use pin unlock.

And realistically, if your phone security is bypassed 10 times without you fingering out something is wrong with the way you do things, or the people around you. You got other issues besides phone security.
 

MrX8503

Diamond Member
Oct 23, 2005
4,529
0
0
Huh? I have no idea what you think I wrote, but it sounds like you only read what you thought I wrote, which is obviously not the point I was trying to make. I think you should retake sarcasm 101.

Got it?

This is what you said.

I don't think anyone is worried about having their fingerprint stolen from the home screen or a coffee cup. That story is the same with or without iPhone 5S. If they want your fingerprint, and you are important enough, they'll get it somehow, CSI style.

Scenario doesn't exist as the person would have security measures if they were that important.
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
You and I are just looking at this from completely different viewpoints. My career is in Information Security, and I saw Apple's TouchID as an opportunity for them to increase the security of their product. You, like the general public, just see it as a way of making it easier to unlock your phone without care for the decreased security that it creates.

They didn't need to require 2-factor auth, they just needed to make it an option.

Precisely. The advocates of using biometrics ignore (or don't understand) the long term security implications in favor of convenience. I'd happily put money down that if Motorola's implementation had been exactly the same, they'd have a different opinion.

Overall though, this is the point. It's a non-trivial task. It most definitely can be done, but it requires real work and real knowledge/experience to make it work. That is enough for me, given the convenience of TouchID.

http://arstechnica.com/security/2013/09/touchid-hack-was-no-challenge-at-all-hacker-tells-ars/

Ars: How long did it take for you to bypass Touch ID? Was there anything that you found hard or challenging about the hack? Was there anything about Touch ID that you think was well engineered or well implemented?

Starbug: It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour.

In other words, pretty trivial now the technique is public.
 

golem

Senior member
Oct 6, 2000
838
3
76
Precisely. The advocates of using biometrics ignore (or don't understand) the long term security implications in favor of convenience. I'd happily put money down that if Motorola's implementation had been exactly the same, they'd have a different opinion.



http://arstechnica.com/security/2013/09/touchid-hack-was-no-challenge-at-all-hacker-tells-ars/



In other words, pretty trivial now the technique is public.

Who has advocated this system for long term security? I mean besides detractors who put it forward as a straw man argument. It's for accessing your phone plus making it harder for others to access it without permission, that's it. And I'd happily put down money that if Motorola's implementation had stuck around, some of TouchID's current detractors would have a different opinion too.

Is it less trivial than looking over someone's shoulder or following finger trails on a screen? Is it less trivial than accessing a phone with no lock whatsoever?

The interviewee himself says it's an added benefit vs no pin. He didn't say it's more secure than a pin unlock, but he doesn't think pin unlocks are secure anyway.

If you're trying to use it to protect state secrets or expect it to protect your phone from access if someone else has possession of it, then you're in trouble. If you use it for its intended purpose as extra security vs no unlock, or a replacement for pin/pattern unlock, it's an option.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
The advocates of using biometrics ignore (or don't understand) the long term security implications in favor of convenience. I'd happily put money down that if Motorola's implementation had been exactly the same, they'd have a different opinion.
That argument doesn't make any sense. The reason Motorola's implementation didn't stick around is because it sucked.


In other words, pretty trivial now the technique is public.
What's interesting is the fact that he says the technique has been available for years... and that is true... but it still took him 30 hours to figure it out... And that's from a guy who knows how to do all this stuff in the first place, and gets his kicks from doing stuff like this, and who had all the equipment and materials at his disposal in advance (with some stuff you don't find in most homes).

Furthermore, as pointed out by the many, what he doesn't tell you is he made it easy for himself because he knew exactly what finger/thumb was used, likely using a pristine print on a clean background.

One of the comments in the article at Ars had a good suggestion. Take a regular iPhone 5S and give it to one of its writers for regular usage. Then give Ars all the equipment and let them read the summary of the technique all they want, and ask them to break into the phone within 48 hours, but without prior knowledge of how the scanner was set up by the user, and without the user providing a pristine print on purpose. That would be a much better assessment of the test's triviality or not.

I suspect they would fail, but even if they didn't, Ars definitely wouldn't be accomplishing this task in 30 mins. That was the point of the other article from the mobile security guy. He says yes it can be done, and he's done it himself, but all the variables involved make this whole process non-trivial.
 

WelshBloke

Lifer
Jan 12, 2005
32,878
11,020
136
Good god, are you people still arguing about a way to unlock a phone?

Don't like it ---- don't use it.
Like it ---------- use it.

It's not going to change the world either way.

It's just a way to unlock your phone.
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
That argument doesn't make any sense. The reason Motorola's implementation didn't stick around is because it sucked.

It's a bad idea. Period. Doesn't matter whether Motorola did it, HTC is going to do it, or Apple does it.

What's interesting is the fact that he says the technique has been available for years... and that is true... but it still took him 30 hours to figure it out... And that's from a guy who knows how to do all this stuff in the first place, and gets his kicks from doing stuff like this, and who had all the equipment and materials at his disposal in advance (with some stuff you don't find in most homes).

Right - he spent most of that time looking for the sensor specs.

Also, security by difficulty is not security. A quick trip to Radio Shack would get anyone the materials they need. Sure, your average mugger isn't going to go to these efforts, but it's safe to assume that there will be a market for people who do this. THAT is the long term concern if this popularizes consumer use of fingerprints for authentication. All for the convenience of not having to enter a few digits.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
It's a bad idea. Period. Doesn't matter whether Motorola did it, HTC is going to do it, or Apple does it.
Of course it does. Nobody adopted Motorola's version, because it was simply dumb.

OTOH, millions will likely adopt Apple's version in short order. In fact I suspect millions have already.

Also, security by difficulty is not security.
Of course it is. In fact, that's one of the main points of increasingly difficult-to-bypass security systems. The harder it is to bypass, the less likely it will be bypassed, unless it is by an extremely interested party esp. if s/he has specialized tools and specialized knowledge.

All for the convenience of not having to enter a few digits.
Exactly.
 

colonelciller

Senior member
Sep 29, 2012
915
0
0
There are 10,000 combinations for a 4 digit pin. Quite frankly that's easier than trying to acquire 9 million+ finger prints and that doesn't even count multiple fingers.

The butthurt over touch ID is comical. I suspect jealousy is in the air.

all the govt has to do to acquire the unhashed fingerprints is send a request to apple under threat... then they have them. ...and they will have them... probably already have a copy of every single fingerprint that has been scanned.

big bro is orgasmic over this
 

colonelciller

Senior member
Sep 29, 2012
915
0
0
Good god, are you people still arguing about a way to unlock a phone?

Don't like it ---- don't use it.
Like it ---------- use it.

It's not going to change the world either way.

It's just a way to unlock your phone.

use your fingerprint for this system and you've wasted it forever.
in 10 years let's say a secure fingerprint lock is created for use in a particularly important application... ahh well too bad, you've already wasted your fingerprint on a plastic toy. not very smart.

govt has a copy of all fingerprints uploaded and as such all fingerprint data is subject to abuse... not very smart.

corporations and the average joes running them now have access to massive databases of biometric data which is now subject to abuse... not very smart.

the intended use of this is a gimmick... not very smart

Apple is highly irresponsible for introducing this crap... of course big bro would say Apple is highly responsible and behaving "correctly"
 

Red Storm

Lifer
Oct 2, 2005
14,233
234
106
Good god, are you people still arguing about a way to unlock a phone?

Don't like it ---- don't use it.
Like it ---------- use it.

It's not going to change the world either way.

It's just a way to unlock your phone.

I think this says it best.
 

openwheel

Platinum Member
Apr 30, 2012
2,044
17
81
Anyone can open your phone while you sleep, drunk, passed out...etc. There is no solution to such a common, simple and vulnerable scenario.

It's simply NOT a solution for "security", but a solution for convenience and marketing.
 

TheStu

Moderator, Mobile Devices & Gadgets
Moderator
Sep 15, 2004
12,089
45
91
all the govt has to do to acquire the unhashed fingerprints is send a request to apple under threat... then they have them. ...and they will have them... probably already have a copy of every single fingerprint that has been scanned.

big bro is orgasmic over this

The data never leaves the device. It isn't stored in iCloud, and it isn't transmitted to anything ever. Apple was on stage telling us this, and you don't even have to trust them to be honest, you just have to trust them to not publicly bone themselves that way. Because if it does transmit, there is going to be some hacker (I use the term as a catch-all) that is going to find out about it in short order, and that will be a huge PR problem for Apple.
 

thedosbox

Senior member
Oct 16, 2009
961
0
0
Of course it does. Nobody adopted Motorola's version, because it was simply dumb.

OTOH, millions will likely adopt Apple's version in short order. In fact I suspect millions have already.

Just to be clear, fingerprint authentication is a bad idea. Doesn't matter who offers it.

Of course it is. In fact, that's one of the main points of increasingly difficult-to-bypass security systems. The harder it is to bypass, the less likely it will be bypassed, unless it is by an extremely interested party.

Now you're being obtuse. The technique has been published, and is claimed to be repeatable in 30 minutes. The difficulty in developing the technique has been overcome - hence is irrelevant.

Anyhow, I'm done. This debate has ended up as yet another apple vs non-apple discussion, and attempts to discuss the real issues are falling on deaf ears.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
A quick trip to Radio Shack would get anyone the materials they need.
A quick trip to Radio Shack doesn't suddenly make you an expert. I can attest to that. ;)

Sure, your average mugger isn't going to go to these efforts
Bingo.

Just to be clear, fingerprint authentication is a bad idea. Doesn't matter who offers it.
In your opinion, not mine, and not in the opinion of some security experts too.

I think a nice boost for it though would be if Apple offered 2-factor authentication, for stuff like financial transactions.

Now you're being obtuse. The technique has been published, and is claimed to be repeatable in 30 minutes. The difficulty in developing the technique has been overcome - hence is irrelevant.
Not according to experts in the field, who have already outlined why. Instead, you're using an example of a single individual who has acquired significant skill in doing this over years, using ideal and controlled conditions to demonstrate the bypass.

Anyhow, I'm done. This debate has ended up as yet another apple vs non-apple discussion, and attempts to discuss the real issues are falling on deaf ears.
Leave the door open on the way out. We will welcome you back if you change your mind.

For the record though, I do not see this as an Apple-only feature. This will be a more common feature on future non-Apple phones, now that someone (Apple) has shown the manufacturers that it can be done with success (at least if Apple doesn't try to sue those who try to copy this particular type of implementation).

And I welcome them. In fact, I think this is one of the biggest advances for mobile phones in recent years. Not on par with high dpi screens, but big nonetheless.

The data never leaves the device. It isn't stored in iCloud, and it isn't transmitted to anything ever. Apple was on stage telling us this, and you don't even have to trust them to be honest, you just have to trust them to not publicly bone themselves that way. Because if it does transmit, there is going to be some hacker (I use the term as a catch-all) that is going to find out about it in short order, and that will be a huge PR problem for Apple.
Exactly. Apple gets no benefit from having a database of fingerprints. If anything it would be a complete nightmare for them to even think about doing this. Now if the conspiracy theorists don't believe that, then they're free not to use this feature. However, they'd probably be better off not using a smartphone at all, esp. one that uses Google apps like iOS or esp. Android.
 

Red Storm

Lifer
Oct 2, 2005
14,233
234
106
In fact, I think this is one of the biggest advances for mobile phones in recent years. Not on par with high dpi screens, but big nonetheless.

One of the biggest? I find that very hard to agree with. It's an alternate form of password entry, that's it. It's as big a deal as Face Unlock was, which is to say not very.
 

Eug

Lifer
Mar 11, 2000
24,053
1,687
126
One of the biggest? I find that very hard to agree with. It's an alternate form of password entry, that's it. It's as big a deal as Face Unlock was, which is to say not very.
Face unlock is useless.

TouchID is a huge advance IMO.

But obviously we disagree.