Bounty Offered To Anyone Who Hacks iPhone Thumb ID

Photographer

Ralph Easy

Posts: 6426

Sydney, New South Wales, Australia

Hmmm... any MM hackers out there?

http://www.zdnet.com/hackers-crowdfund- … 000020879/

https://www.technobuffalo.com/wp-content/uploads/2013/03/iphone-5s-fingerprint-scanner.jpg

.

Sep 18 13 10:46 pm Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

It's a very specific hack they're looking for...

1) register fingerprint with iOS
2) leave print on iPhone screen (or some other surface)
3) lift print
4) somehow use that print to unlock the device (eg. make a fake finger, etc)

Sep 19 13 06:09 am Link

Photographer

fsp

Posts: 3656

New York, New York, US

steal the phone.. Dust it using talc, lift a print off it with scotch tape n you have it! Mission impossible!

Sep 19 13 06:15 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

The F-Stop wrote:
steal the phone.. Dust it using talc, lift a print off it with scotch tape n you have it! Mission impossible!

You're missing a key step here... the actual use of that bit of dusty scotch tape to unlock the phone.

Sep 19 13 06:27 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:
It's a very specific hack they're looking for...

1) register fingerprint with iOS
2) leave print on iPhone screen (or some other surface)
3) lift print
4) somehow use that print to unlock the device (eg. make a fake finger, etc)

Do you mean like this?

http://www.theregister.co.uk/2002/05/16 … t_sensors/


Note the date when this attack was demonstrated.

Sep 19 13 06:39 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:

Do you mean like this?

http://www.theregister.co.uk/2002/05/16 … t_sensors/


Note the date when this attack was demonstrated.

Cool.  So they traveled forward in time from 2002, bought an iPhone 5 and then traveled back to 2002 to test their gummi bear hack.

That's cool.

Though I think the time machine will make them more money than the TouchID hack.

In other words.. this sensor isn't the 2002 sensor.  The only way to know if these hacks work is to try them tomorrow.  Anything up until then is pure speculation.

Sep 19 13 06:47 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:
Cool.  So they traveled forward in time from 2002, bought an iPhone 5 and then traveled back to 2002 to test their gummi bear hack.

That's cool.

Though I think the time machine will make them more money than the TouchID hack.

In other words.. this sensor isn't the 2002 sensor.  The only way to know if these hacks work is to try them tomorrow.  Anything up until then is pure speculation.

Chuckles. There are only so many parameters one can measure on a touch screen (or with any sensor for that matter). Therein lies the problem (with bio-metric devices in general). If we make the device too sensitive it will reject the legitimate user thus making them very unhappy (especially if they have to call 911). Thus the need to build in some wiggle room which leads to easily exploited vulnerabilities. All bio-metric approaches have been defeated using low-tech attacks as of three years ago (I will quite happily admit that I have no clue what advances have been made since I retired as a security researcher/analyst).

Your snarkiness is really uncalled for.

Sep 19 13 07:02 am Link
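
The trade-off described in the post above (a stricter matcher rejects the legitimate user more often, a looser one accepts more impostors), worked through as an added example that is not part of the original thread. The similarity scores are constructed and the matcher is hypothetical; no real sensor's numbers are implied.

```python
"""Threshold trade-off in a biometric matcher (constructed data, added example)."""

# Constructed similarity scores in [0, 1] from a hypothetical matcher.
# GENUINE: the enrolled user's own finger on different days (dry skin, angle, smudges).
# IMPOSTOR: other people's fingers and imperfect replicas.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.75, 0.72, 0.66, 0.61, 0.58, 0.52]
IMPOSTOR = [0.12, 0.18, 0.22, 0.27, 0.31, 0.36, 0.41, 0.47, 0.55, 0.63]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_reject_rate, false_accept_rate).

    An attempt is accepted when its score is >= threshold.
    """
    false_rejects = sum(1 for s in genuine if s < threshold)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    return false_rejects / len(genuine), false_accepts / len(impostor)


def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Return [(threshold, frr, far), ...] for each threshold given."""
    return [(t, *rates(t, genuine, impostor)) for t in thresholds]


def loosest_threshold_for(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest observed score usable as a threshold while keeping FAR <= max_far.

    Returns (threshold, frr, far), or None if no observed score qualifies.
    The lowest qualifying threshold is the one that costs the legitimate
    user the fewest rejections for that security target.
    """
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t, frr, far in sweep([0.50, 0.60, 0.70, 0.80]):
        print(f"{t:9.2f}  {frr:.2f}  {far:.2f}")
    # What does "no impostor ever gets in" cost the real user in this sample?
    print("zero-FAR operating point:", loosest_threshold_for(0.0))
```

In this sample, driving false accepts to zero means rejecting the legitimate user on 3 of 10 attempts, which is why deployed matchers pair a tolerant threshold with attempt limits and a passcode fallback.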

Photographer

John Photography

Posts: 13811

Adelaide, South Australia, Australia

I'm sure they tried this trick on Mythbusters using wax to make fingerprint castings or some other method to fool sensors.

Found a whole bunch of clips. I think it's the same segment

http://www.youtube.com/results?search_q … sWdwXmsH0o

Sep 19 13 07:04 am Link

Photographer

Jerry Nemeth

Posts: 33355

Dearborn, Michigan, US

Wye wrote:

Cool.  So they traveled forward in time from 2002, bought an iPhone 5 and then traveled back to 2002 to test their gummi bear hack.

That's cool.

Though I think the time machine will make them more money than the TouchID hack.

In other words.. this sensor isn't the 2002 sensor.  The only way to know if these hacks work is to try them tomorrow.  Anything up until then is pure speculation.

Fingerprint sensors have been around before iPhone 5.  All of our registers have fingerprint sensors which are used for the cashier to sign into the register.  I take their fingerprints and put them into the system.

Sep 19 13 07:20 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:

Chuckles. There are only so many parameters one can measure on a touch screen (or with any sensor for that matter). Therein lies the problem (with bio-metric devices in general). If we make the device too sensitive it will reject the legitimate user thus making them very unhappy (especially if they have to call 911). Thus the need to build in some wiggle room which leads to easily exploited vulnerabilities. All bio-metric approaches have been defeated using low-tech attacks as of three years ago (I will quite happily admit that I have no clue what advances have been made since I retired as a security researcher/analyst).

iPhones don't need authentication to make emergency calls.

I have no idea how well this sensor will work.  I'm on record as being skeptical about its security and usability.

I merely think it borders on the absurd to comment on something nobody has physical access to yet.

Sep 19 13 07:23 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Jerry Nemeth wrote:

Fingerprint sensors have been around before iPhone 5.  All of our registers have fingerprint sensors which are used for the cashier to sign into the register.  I take their fingerprints and put them into the system.

Where in anything I've written are you reading that I think the iPhone 5S is the first device ever in the universe to have a fingerprint sensor?  Please give me a link so I can correct the error.

Sep 19 13 07:24 am Link

Photographer

Lightcraft Studio

Posts: 13682

Las Vegas, Nevada, US

Lohkee wrote:
I suspect though, that Apple is going to regret this challenge.

Other vendors have offered the fingerprint stuff in the past, and eventually dropped it once the "cool" factor wore off. Most users don't need anything like that, and after a while realize that it's just a gimmick which doesn't really add any real value.

Besides, Apple is probably using pre-existing technologies as the basis (they didn't invent fingerprint technology) which have the same inherent risks that any other software solutions are prone to.

Real security for any system is much more of a mindset than any single solution/approach. Real security involves constant vigilance in terms of remaining current with software, firmware, using proper procedures to ensure physical security, and of course a whole range of things to secure anything that uses any sort of network (the toughest part of all).

On the other hand, gimmicks are fun... I thought the PocketPC was sort of cool a decade ago when they came out with the same sort of thing... even though I had no practical use for it.

Sep 19 13 07:29 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

To clarify. Even if Apple's scanner is easily defeated, this may not be a bad thing **depending** on how the print is used. If it is used for the sole purpose of unlocking the phone then it is probably going to prove very effective at preventing the casual thief from using the phone as it would not be worth the time to hack it. Of course, this creates another problem. What if you are incapacitated in an emergency and your phone is the only one available?

Using the print for financial transactions is where I start to get very concerned because it is a game changer with regard to the effort someone might be willing to expend bypassing the legitimate print.

Sep 19 13 07:29 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:
I merely think it borders on the absurd to comment on something nobody has physical access to yet.

I'm pretty sure there are patents one can read to understand how the device works without having one in hand.

Sep 19 13 07:32 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Lightcraft Studio wrote:

Other vendors have offered the fingerprint stuff in the past, and eventually dropped it once the "cool" factor wore off. Most users don't need anything like that, and after a while realize that it's just a gimmick which doesn't really add any real value.

Besides, Apple is probably using pre-existing technologies as the basis (they didn't invent fingerprint technology) which have the same inherent risks that any other software solutions are prone to.

Real security for any system is much more of a mindset than any single solution/approach. Real security involves constant vigilance in terms of remaining current with software, firmware, using proper procedures to ensure physical security, and of course a whole range of things to secure anything that uses any sort of network (the toughest part of all).

On the other hand, gimmicks are fun... I thought the PocketPC was sort of cool a decade ago when they came out with the same sort of thing... even though I had no practical use for it.

Correction: Apple did not issue the challenge. My bad.

Sep 19 13 07:33 am Link

Photographer

Lightcraft Studio

Posts: 13682

Las Vegas, Nevada, US

Lohkee wrote:
Using the print for financial transactions is where I start to get very concerned because it is a game changer with regard to the effort someone might be willing to expend bypassing the legitimate print.

Any system is only as strong as its weakest point. Doing financial transactions means using a network... and no network is totally secure. Some are better than others of course... but when yours makes up a large share of the users, then yours also becomes a worthwhile target for developers of hacking "solutions".

Sep 19 13 07:33 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:
iPhones don't need authentication to make emergency calls.

/snip


I merely think it borders on the absurd to comment on something nobody has physical access to yet.

I'm sure you can appreciate the irony here, yes?

Sep 19 13 07:34 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Lightcraft Studio wrote:

Any system is only as strong as its weakest point. Doing financial transactions means using a network... and no network is totally secure. Some are better than others of course... but when yours makes up a large share of the users, then yours also becomes a worthwhile target for developers of hacking "solutions".

No argument from me lol

Sep 19 13 07:35 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:
To clarify. Even if Apple's scanner is easily defeated, this may not be a bad thing **depending** on how the print is used. If it is used for the sole purpose of unlocking the phone then it is probably going to prove very effective at preventing the casual thief from using the phone as it would not be worth the time to hack it. Of course, this creates another problem. What if you are incapacitated in an emergency and your phone is the only one available?

Using the print for financial transactions is where I start to get very concerned because it is a game changer with regard to the effort someone might be willing to expend bypassing the legitimate print.

Currently iOS only allows you to use the fingerprint to unlock your phone (again.. not needed for emergency calls and the PIN password is still active.. you can't set your phone to unlock ONLY by the fingerprint) and make iTunes store purchases.  You can turn on or off the two uses independently.

So.. potentially someone *could* rack up a huge bill for your iTunes account..but that would be a nuisance hack since they would get no financial gain from it. And they would *still* need to have physical access to your device.

Sep 19 13 07:36 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:

I'm sure you can appreciate the irony here, yes?

No irony.  It is 100% certain that iPhones don't need authentication to make emergency calls.  There's no need to have the device in my hands to know that.  It's been a stock feature of the operating system for the last 6 years and hasn't changed.

Sep 19 13 07:37 am Link

Photographer

Lightcraft Studio

Posts: 13682

Las Vegas, Nevada, US

Wye wrote:
So.. potentially someone *could* rack up a huge bill for your iTunes account..but that would be a nuisance hack since they would get no financial gain from it.

Just Google "iTunes account hacked". It looks like there are plenty of other ways to rip you off with your iTunes (or any networked service) than gaining access to your physical device.

Sep 19 13 07:45 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lightcraft Studio wrote:

Just Google "iTunes account hacked". It looks like there are plenty of other ways to rip you off with your iTunes (or any networked service) than gaining access to your physical device.

I know that.  We're talking about the fingerprint sensor being a vector for this kind of attack.

Sep 19 13 07:46 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:
No irony.  It is 100% certain that iPhones don't need authentication to make emergency calls.  There's no need to have the device in my hands to know that.  It's been a stock feature of the operating system for the last 6 years and hasn't changed.

We are not talking about the OS. How the finger-print service runs (and interacts with the OS) and what it will be used for are quite a different matter. As you have pointed out, there is a lot we don't know at this point. The devil is in the details.  I suppose we will all just have to wait and see what the future brings.

Sep 19 13 07:52 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:

I know that.  We're talking about the fingerprint sensor being a vector for this kind of attack.

So what happens if the user has stored the authentication data for their banks, etc in a file on their device?

Sep 19 13 07:56 am Link

Photographer

Christopher Hartman

Posts: 54196

Buena Park, California, US

Lohkee wrote:

I'm sure you can appreciate the irony here, yes?

What irony?  The iPhone has always allowed for emergency calls.  I don't see how that impacts the device's security...except if there is a known exploit and Apple doesn't correct it.

Sep 19 13 07:56 am Link

Photographer

Lightcraft Studio

Posts: 13682

Las Vegas, Nevada, US

Wye wrote:

I know that.  We're talking about the fingerprint sensor being a vector for this kind of attack.

Having worked with systems security much of my life, I know that the weakest link to any set of security approaches is the human factor. For example, force people to use very strong passwords and they're more likely to write them on a post-it note stuck to the monitor.

The real problem with any advancement in security in one area is that it tends to make people get sloppy in other areas... a false sense of security if you will. That's just human nature.

Security is a lifestyle, and unfortunately there's never any simple cure-all solution. Some cures can easily create brand new vulnerabilities that no one thought about... especially in the first few versions of any new technology.

Sep 19 13 07:57 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Christopher Hartman wrote:

What irony?  The iPhone has always allowed for emergency calls.  I don't see how that impacts the device's security...except if there is a known exploit and Apple doesn't correct it.

Already answered.

Sep 19 13 07:58 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:

We are not talking about the OS. How the finger-print service runs (and interacts with the OS) and what it will be used for are quite a different matter. As you have pointed out, there is a lot we don't know at this point. The devil is in the details.  I suppose we will all just have to wait and see what the future brings.

Yes we are.  The ability to make a 911 call on a locked iPhone is not even a little bit in question.  It's a guaranteed certainty.

Do you have an iOS device?

When you are at the lock screen you have the option to make an emergency call.  The addition of the fingerprint sensor doesn't change this. 

You're barking up the wrong tree here.

Sep 19 13 08:00 am Link

Photographer

Christopher Hartman

Posts: 54196

Buena Park, California, US

Lohkee wrote:

So what happens if the user has stored the authentication data for their banks, etc in a file on their device?

How would that be different than someone storing the same information but instead of having a fingerprint reader, they have a 4 or more digit code to unlock the device?

The new iPhone is likely to NOT be less secure.

With a code, some clever person may watch you and remember your code as you enter it.

Or, with some research, know a little bit about the victim and predict what the code will be.

With a fingerprint reader, there is nothing for an observer to watch to gain advantage.  There is nothing about a person using their fingerprint out in the open in front of a bunch of phone thieves that is going to make it easier for them to gain access to the phone.

It's just a NEW security feature to add on top of the existing one.  And they are introducing it in hopes that more people will turn ON the additional security on their phone rather than do what apparently a lot of people do, leave their phones UNSECURE.

Sep 19 13 08:03 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Lightcraft Studio wrote:

Having worked with systems security much of my life, I know that the weakest link to any set of security approaches is the human factor. For example, force people to use very strong passwords and they're more likely to write them on a post-it note stuck to the monitor.

The real problem with any advancement in security in one area is that it tends to make people get sloppy in other areas... a false sense of security if you will. That's just human nature.

Security is a lifestyle, and unfortunately there's never any simple cure-all solution. Some cures can easily create brand new vulnerabilities that no one thought about... especially in the first few versions of any new technology.

Exactly. A large part of my job with the gov was pen testing so-called "secure" systems. I defeated every. single. one. Some ideas are really quite good. The problem comes in during the implementation.

One example. Those really high tech elevator-style security doors that need a smart card to open can often be defeated by simply sliding a credit card where the doors meet (it triggers the safety device that automatically opens the door in case someone gets caught between them as they close). Like I said, the devil is always in the details.

Sep 19 13 08:05 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:

So what happens if the user has stored the authentication data for their banks, etc in a file on their device?

Where? Like in a sticky note or something?  My banking app requires a password whenever I want to access it.  I don't keep personal data just lying around in an unprotected note.  Everything is behind a password (sometimes multiple).

You may as well say that PIN numbers on bank cards are no good because some idiots keep their pin number in their wallet.

Sep 19 13 08:06 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:

Yes we are.  The ability to make a 911 call on a locked iPhone is not even a little bit in question.  It's a guaranteed certainty.

Do you have an iOS device?

When you are at the lock screen you have the option to make an emergency call.  The addition of the fingerprint sensor doesn't change this. 

You're barking up the wrong tree here.

Maybe I am. And I'm fine with that. But as you keep pointing out, we have not had a chance to see how it actually works yet, or do you have some special inside information?

Sep 19 13 08:07 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Wye wrote:
Where? Like in a sticky note or something?  My banking app requires a password whenever I want to access it.  I don't keep personal data just lying around in an unprotected note.  Everything is behind a password (sometimes multiple).

You may as well say that PIN numbers on bank cards are no good because some idiots keep their pin number in their wallet.

Not sure what any of this has to do with the viability of fingerprints as an effective attack vector. Some people store things where they shouldn't be stored lol

Sep 19 13 08:10 am Link

Photographer

Sleepy Weasel

Posts: 4839

Las Vegas, Nevada, US

My question is if someone is sleeping or passed out, how hard would it be to hack into their phone by using their actual finger to get a print?

I imagine that's very possible and likely to occur, and probably not that difficult.

Sep 19 13 08:11 am Link

Photographer

Lightcraft Studio

Posts: 13682

Las Vegas, Nevada, US

Lohkee wrote:

Exactly. A large part of my job with the gov was pen testing so-called "secure" systems. I defeated every. single. one. Some ideas are really quite good. The problem comes in during the implementation.

One example. Those really high tech elevator-style security doors that need a smart card to open can often be defeated by simply sliding a credit card where the doors meet (it triggers the safety device that automatically opens the door in case someone gets caught between them as they close). Like I said, the devil is always in the details.

My company used to regularly hire outside companies who would come in and try and penetrate our security measures. That's pretty much been a way of life for me and the systems I was responsible for. I had a huge awakening the first few times when this happened, and watched them rifle through people's desks and even through the dumpster behind the building. I had been sweating the tests for months, making sure every latest patch is applied, that every user has secure and frequently changed passwords, etc.... and some clown comes in and pieces together shredded scraps from a dumpster to obtain someone's SS number or something.

Sep 19 13 08:15 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Lohkee wrote:

Maybe I am. And I'm fine with that. But as you keep pointing out, we have not had a chance to see how it actually works yet, or do you have some special inside information?

None needed.

The 4 digit (or longer) passcode is the fallback for when the fingerprint sensor doesn't work.  When you enter the passcode you have a button for emergency call.

That hasn't changed.

You may as well ask "has the addition of touchid sensor made it so I can't change the volume on my phone".

Sep 19 13 08:16 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Sleepy Weasel wrote:
My question is if someone is sleeping or passed out, how hard would it be to hack into their phone by using their actual finger to get a print?

I imagine that's very possible and likely to occur, and probably not that difficult.

Wouldn't be hard at all.  Just hold their finger to the sensor and it will unlock.

Sep 19 13 08:20 am Link

Photographer

Christopher Hartman

Posts: 54196

Buena Park, California, US

Wye wrote:

None needed.

The 4 digit (or longer) passcode is the fallback for when the fingerprint sensor doesn't work.  When you enter the passcode you have a button for emergency call.

That hasn't changed.

You may as well ask "has the addition of touchid sensor made it so I can't change the volume on my phone".

The passcode is not necessary for emergency phone calls. I think you mean when the passcode screen appears, there is a red button (iOS 6 and earlier) that says emergency call and when you press that, the key pad comes up. I suspect this will then only accept 911 calls. 

With iOS 7, there is no red button, but in the lower left corner, it says Emergency.

When I press it, I get the key pad.  No matter what number I punch in, including 411, it will say at the top in red, Emergency Calls only and does so in multiple languages.  I'm not going to test 911, but I suspect it and other known emergency numbers work.

Sep 19 13 08:23 am Link

Photographer

Wye

Posts: 10811

Toronto, Ontario, Canada

Christopher Hartman wrote:

The passcode is not necessary for emergency phone calls. I think you mean when the passcode screen appears, there is a red button (iOS 6 and earlier) that says emergency call and when you press that, the key pad comes up. I suspect this will then only accept 911 calls. 

With iOS 7, there is no red button, but in the lower left corner, it says Emergency.

When I press it, I get the key pad.  No matter what number I punch in, including 411, it will say at the top in red, Emergency Calls only and does so in multiple languages.  I'm not going to test 911, but I suspect it and other known emergency numbers work.

That's exactly what I'm saying.

When you get to the passcode entry you can make the emergency call.  This hasn't changed one bit (aside from the GUI) in the past 6 years.

Sep 19 13 08:25 am Link

Photographer

Lohkee

Posts: 14028

Maricopa, Arizona, US

Lightcraft Studio wrote:
My company used to regularly hire outside companies who would come in and try and penetrate our security measures. That's pretty much been a way of life for me and the systems I was responsible for. I had a huge awakening the first few times when this happened, and watched them rifle through people's desks and even through the dumpster behind the building. I had been sweating the tests for months, making sure every latest patch is applied, that every user has secure and frequently changed passwords, etc.... and some clown comes in and pieces together shredded scraps from a dumpster to obtain someone's SS number or something.

Chuckles. I will confess to kind of feeling bad about some aspects of my work. I've met a lot of **very** talented SA's and programmers who did everything possible to protect their systems because I always knew that no matter how good they were, management was going to make their life a living hell when I won the game and the report came out. Not really fair given the limits of technology, budgets, etc. It is what it is, and the devil is always in the details.

BTW, dumpster diving and going through desks is old school. A key-logger is fast and effective :)

Sep 19 13 08:29 am Link