



You know, the fingerprint sensor built into the Home button on the new iPhone 5s. It’s for unlocking the handset and buying stuff through iTunes and the App Store.

I thought the fingerprint was stored in some secure chip. How’d it get hacked?

It is, and this isn’t a hardcore technological hack so much as a good old-fashioned fake fingerprint technique. You find the iPhone owner’s print somewhere (the device itself may carry a few on its glossy surfaces), put some powder on it to make it more visible, then photograph or scan it at high resolution. Clean up the reversed image, print it at high resolution using thick ink, then use that to make a thin latex dummy, which you can put on your finger and use to unlock the iPhone.

I thought TouchID was supposed to be smarter than that.

Well it was, and I admit I’m a bit confused by what was revealed on the weekend.

A big selling point of the new generation of fingerprint readers, including that in the iPhone 5s, is that they don’t simply read the outer, dead layer of skin – instead, they use a radio frequency (RF) scanner to read a living layer of skin underneath. According to a Citeworld report, this assures the system that it’s dealing with a living finger, nixing both the old lift-a-print trick (see above) and the chop-off-some-poor-person’s-finger-to-unlock-their-phone trick.

But according to the Chaos Computer Club (CCC) and hacker Starbug, who claimed TouchID’s breakage on Sunday, “the marvels of the new technology” are less impressive than touted. Here’s what Starbug said in a statement:

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”

If that’s correct – and it should be noted that Apple itself only talks about taking “a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin” in its online FAQ — then TouchID isn’t actually that good at making sure it’s dealing with a living finger. It appears that it can be fooled by, as Starbug describes, breathing on the latex sheet “to make it a tiny bit moist” before using it on the sensor.

“We’re quite surprised that it just works out of the box, the same attack that we published 10 years ago,” CCC spokesman Dirk Engling told me on Monday.

Noting that there are several ways of detecting living tissue — current flowing between the finger and device; minuscule changes in the fingerprint’s geometry to indicate a pulse — Engling suggested that Apple may have allowed the flaw when trying to balance security and ease of use. “In the end you have to shift the balance to more comfort, and that’s apparently what Apple did,” he said. “Out in the field, people would have problems unlocking their iPhones if they were to be too strict. This is a basic problem of biometrics.”

I’m waiting for Apple to comment on all this, and will add in the response as and when I get it.

Can we trust “Starbug”?

In the first of the two videos Starbug has published on YouTube, someone programs the iPhone with their index finger, then puts the latex sheet on another finger to unlock the device. In the second, a completely different person dons the sheet to fool the phone. It looks legit:

Starbug has been around for a while. Also, even though there’s a crowdfunded bug bounty out there for cracking TouchID, the CCC is Europe’s largest hacker organization and it has a reputation to uphold. I sincerely doubt anyone’s pranking the world on this one.

As an iPhone 5s user, should I be afraid?

Depends on the scenario you’ve got in your head. If it’s pickpocketing you’re worried about, then bear in mind that your iPhone is probably covered in your fingerprints. That said, making a fake print of the quality we’re talking about here is not trivial and it also takes a while, making it likely that the owner would just remotely wipe the device before anything can be accessed. So I guess it depends on the caliber of pickpocket, and their desire to do more than simply steal and sell the hardware.

If it’s muggers or overzealous law enforcement or border agents that you’re thinking about, then this “hack” doesn’t make a blind bit of difference. Merely having a biometric access mechanism makes it possible to grab your hand and use it to unlock the phone – much simpler than having to go through the tedious process of passcode extraction (or making fake prints).

The only real worry here relates to a more targeted attack, perhaps by a private investigator who’s after some juicy corporate secrets. If the victim’s fingerprint has already been lifted from somewhere – which any idiot with a degree of patience could achieve — and a corresponding latex sheet made, then a skilled pickpocket armed with that sheet could get very quick access indeed.


So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.

But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.

This story was updated at 5.20am PT to include quotes from CCC spokesman Dirk Engling.


His Shadow

The fact that the majority of the hack blogs that reported this used the terms hacked, cracked or broken is an indication of just how dense most of the people writing for tech blogs really are these days.

If I have a high resolution copy of your house keys and use it to create a copy of your house key, I can get into your house. Thank you, Captain Obvious.


Use your dominant hand pinky to log in. Your iPhone is far less likely to have a pinky smudge from your dominant hand. Or, use a textured leather case on your iPhone. It’s very difficult to pull a useable print. Lastly, this technique is rather complicated for the normal hacker. Unless James Bond is after your data, you’re unlikely to be the victim of this kind of fake finger hack.


This is a stupid argument. Biometrics can be hacked but who cares, you can take all of the fingerprints you want, but you still need that person’s phone in your possession. Hold onto your phone and you won’t have a problem.


With only 5 attempts, if you want a little more security, use a non-obvious finger, perhaps one you never use on the screen. Also, the person lifting your fingerprint has a lot of complexity getting the correct finger. There are lots of prints of lots of fingers on your phone and they only have 5 shots!

Faking your own fingerprint on your own phone is a proof of concept but not a real world scenario.

Really depends on how valuable is your information. And if it’s really valuable then vigilance to notice when it’s been taken is a big piece of the security picture as well.

Joe Liebman

“But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. ” The flaw in your premise is that these certain circumstances require a lot of pre-planning and surveillance. Couldn’t the same resources be put into watching you type your passcode into the phone? Then you are in the same place as the finger print lifting without all the trouble of making a latex fingerprint and hoping it works in one of the first 5 attempts.


The hack also assumes knowledge of which finger you use to unlock the phone.

TouchID is meant for the masses, not James Bond. No one wants into my phone or the phone of anyone I know because of the content. Thieves want the phone to sell it for some quick cash. Turn on Find My Phone and the thief needs your AppleID and password to wipe the phone even after they break in with your fingerprint copy. The really great thing about TouchID is that people will actually use it because it is fast and simple.


Even if they hoped to get some sort of banking info or other valuable data (which I don’t keep on the phone) they would probably have to go online to use it at which point I’d wipe the phone with Find My Phone.

Hiram Walker

I don’t think that the market for Apple’s phone was supposed to be secret agents. People with enough time and resources can hack anything. This keeps your co-workers and acquaintances from reading your emails and avoids the hassle of entering a PIN every time you check your phone. Mission accomplished. Sorry James Bond, ask Q to whip you up something special.


Apple states that the Touch ID can be hacked at a rate of 1/50000. Using a simple 4 digit passcode would be 1/10000 (10 x 10 x 10 x 10). If you use the two together (passcode and Touch ID) it will be 1 in 500 million. I like those odds and if your phone information is that valuable then one should use both together.


Just buy a Samsung. Crapple suck end of. Use last years technology, and all their little fanboy lapdogs will go rushing out for it.


Uh, I wonder what markets SAmDung has created ( touch Screen phones, tablets)??
What have they innovated except copy Apple and steal its intellectual property.
Go play with your Android derivative crap

mike sanders

and then you make the latex mask and then you jump out of the window of the Burj al Arab in Dubai and then…. the guys in the white suits come for you.
Your mission if you should accept it is to enjoy your new iPhone 5S.


You seem to neglect in your article that there is a setting to add a passcode along with TouchID to unlock your iPhone. This is two level security for those that may require or desire greater security.

David Meyer

That is a good point, and the more layers the better – though you have to accept the tradeoff in convenience.


“But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. ”

I think the first part of your statement is too general and misleading… If the phone is using the simple 4 digit passcode, then the biometric access is better. Once you start using a passphrase type of password, then it would depend on the complexity of your passphrase as to which is easier to use in gaining access to the phone.

Also keep in mind that the person breaking into the phone would have to accomplish this feat within the allowed passcode attempts set by the phone owner

David Meyer

If the attacker has access to both your phone and you, biometric access is less secure, regardless of whether it’s being compared with a passcode or passphrase. No guesswork required – just take the finger and put it on the sensor. Same goes for the carefully preplanned attack of the type demonstrated by the CCC.

But those are very specific circumstances, as I said. If the attacker doesn’t have physical access to your finger or has not been able to make a dummy off a lifted print, then sure, this kind of biometric access is more secure — in theory. Because as you say, there should only be a limited number of attempts available, which should eliminate the possibility of a brute force attack and make a well-chosen passcode good enough.

At the end of the day, the biometric feature is primarily there to be more secure than nothing and easier to use than a passcode, while being no less secure than a passcode in all but very specific circumstances.

Zach Hoffman

Yeah, and keep in mind that even if a thief forces you to open your phone:

A: they can do that even if you only use a password.
B: they still can’t turn off or lock your phone without the password or fingerprint
C: if they want you to change the password or fingerprint, they have to get you to do that for them, which takes time. Wasting time is bad for a thief, as it increases the chances that they’ll get caught.


Hoax. The testers have previously stored their real prints on the phone before using the fake finger. iPhone 5S can store 5 different prints.


It might be a fake, but then they would have had to scan the fake latex fingerprint, and that points to it working with fake latex fingerprints.


The video is a proof of concept but note a lot of things would have to work perfectly for this spoof to succeed – you only have 5 tries to unlock the phone.

It’s a little different when you’re trying this spoof over and over again on your own phone and you know the PIN.

On a stolen phone after 5 tries you’d have lost your shot.


Fingerprints only ever work in multiple factor authentication systems.