iPhone 5S Touch ID hacked by fake fingerprints !!!!!

In another life, we use to joke about fingerprints and their supposed utility in security. Fingerprints are special in that they are unique to you and are tough to physically remove from your person - they follow you. However, there is nothing about them that makes them especially tough to copy or reproduce from a sample. Because they are tied to you, you leave samples of them everywhere and few people clean up all the samples they leave behind. It's still a cool convenience feature and something few snatch and grab jerks are going to exploit.
I'm boring as well and would probably have my phone remotely wiped within a few hours if it was swiped. I don't use it for banking or anything important. There is nothing stored on it of consequence other than my schedule and my family's addresses. My family all shoot competently and distrust strangers, so I'm not too worried.

chas_m said:

I'd say your iPhone 5s is WAY more secure than any phone you've ever had in your life.

Click to expand...

No it's not (here, here) and until there are definitive reports that any one platform is objectively more secure and less vulnerable than the others (has anyone does an objective study including iOS 7?), it's impossible to make this claim without any qualifications. The inclusion of a fingerprint scanner and activation lock only limited access at a hardware level and do nothing to plug the bugs at the software level.

chas_m said:

Fingerprints and any other security methods can conceivably be "hacked" (not that its usually a practical or realistic "hack") but people who focus on that miss the point badly: your car can still get stolen even with the best alarm; your house can still get robbed even with every door locked and bolted. The idea is to REDUCE YOUR RISK by setting up enough barriers that a thief will go for the easier pickings. Between the passcode, fingerprint, Activation Lock and Find My iPhone, Apple has *successfully* reduced the attractiveness of stealing an iPhone. Without making it one bit harder for users to use. THAT is the point.

Click to expand...

From a security standpoint, I can probably go along with this. From a position rooted in the realities of the iPhone's position in the (North American) market, not even close. Apple's continued mythologizing of the device and high level rhetoric about it's "purposefully imagined" existence and the inclusion of the "most advanced technology" (their words) only means that the allure is increased. Look at a typical university campus - no one is going to steal the ugly Lenovo machine on the desk if a Mac is there.

vansmith said:

No it's not (here, here)

Click to expand...

Seriously dude? SERIOUSLY? Your second link is just a gloss over of the first. Besides, what exactly are these "vulnerabilities" anyway? Just how are these actually being used? That article is big on claims, but does nothing to substantiate them. The comments on the ZDNET article call them out on it. I found this little gem from that article interesting:

"With Android devices, cybercriminals see less reason to look for vulnerabilities to penetrate smartphones, he added. Android's open platform already easily opens up for third party and malicious apps to be easily created for users to download, he explained."

Translation: Android is easily.... EASILY... compromised.

...and until there are definitive reports that any one platform is objectively more secure and less vulnerable than the others (has anyone does an objective study including iOS 7?), it's impossible to make this claim without any qualifications. The inclusion of a fingerprint scanner and activation lock only limited access at a hardware level and do nothing to plug the bugs at the software level.

Click to expand...

Apple has already plugged the lockscreen bugs. No others exist that I have read of, though it may take time to discover more. Otherwise, there is no malware on iOS (short of a couple proofs of concepts). Android is riddled with it. Also, remind me again of how long it took iOS 6 to be jailbroken? A process that requires vulnerabilities? And where are they with iOS 7? And for comparison, perhaps you can elaborate on how hard it is (or not hard) to root Android?

From a security standpoint, I can probably go along with this. From a position rooted in the realities of the iPhone's position in the (North American) market, not even close. Apple's continued mythologizing of the device and high level rhetoric about it's "purposefully imagined" existence and the inclusion of the "most advanced technology" (their words) only means that the allure is increased. Look at a typical university campus - no one is going to steal the ugly Lenovo machine on the desk if a Mac is there.

Click to expand...

If the Mac is worth more on the black market, then of course it will be more likely to get stolen. That has nothing to do with the security of the OS or the iPhone.

lifeisabeach said:

Seriously dude? SERIOUSLY? Your second link is just a gloss over of the first. Besides, what exactly are these "vulnerabilities" anyway? Just how are these actually being used? That article is big on claims, but does nothing to substantiate them. The comments on the ZDNET article call them out on it. I found this little gem from that article interesting:

Click to expand...

Well, seeing as how I'm not making the claim in the affirmative, I shouldn't have to provide any evidence. However, here's a list of 302 common vulnerabilities and exposures in iOS.

lifeisabeach said:

"With Android devices, cybercriminals see less reason to look for vulnerabilities to penetrate smartphones, he added. Android's open platform already easily opens up for third party and malicious apps to be easily created for users to download, he explained." Translation: Android is easily.... EASILY... compromised.

Click to expand...

I never brought Android into this but I'm glad you did because this makes it really easy for me. Android has 29 common vulnerabilities and exposures compared to iOS' 302 (source). At least numerically, you're wrong. At this point, I have to ask you: seriously? Unless you can prove that those are easier to hack, you might want to rethink your defensive tone. And, if you want to take up the claim that iOS is more secure than anything else, please provide some evidence. I'm also going to preempt the inevitable "Android is easy to hack" argument because not only is that irrelevant but, if you're going to make the claim that it's more secure than everything, provide evidence for everything.

lifeisabeach said:

Apple has already plugged the lockscreen bugs. No others exist that I have read of, though it may take time to discover more. Otherwise, there is no malware on iOS (short of a couple proofs of concepts). Android is riddled with it.

Click to expand...

Once again, I never brought up Android nor did I bring up malware. Malware does not equal vulnerabilities (my original argument). At no point did I say that Android was free of malware nor did I ever say that iOS was riddled with it.

lifeisabeach said:

Also, remind me again of how long it took iOS 6 to be jailbroken? A process that requires vulnerabilities? And where are they with iOS 7? And for comparison, perhaps you can elaborate on how hard it is (or not hard) to root Android?

Click to expand...

Equating rooting with jailbreaking is an invalid comparison since rooting is about gaining administrative privileges. What you've done here is effectively equated exploiting a vulnerability with getting the admin password for an account on a Mac. Here's something that explains your false comparison:

Root access is sometimes compared to jailbreaking devices running the Apple iOS operating system. However, these are different concepts. In the tightly-controlled iOS world, technical restrictions prevent (1) installing or booting into a modified or entirely new operating system (a "locked bootloader" prevents this), (2) sideloading unsigned applications onto the device, and (3) user-installed apps from having root privileges (and are run in a secure sandboxed environment). Bypassing all these restrictions together constitute the expansive term "jailbreaking" of Apple devices. That is, jailbreaking entails overcoming several types of iOS security features simultaneously. By contrast, only a minority of Android devices lock their bootloaders—and many vendors such as HTC, Sony, Asus and Google explicitly provide the ability to unlock devices, and even replace the operating system entirely.[2][3][4] Similarly, the ability to sideload apps is typically permissible on Android devices without root permissions. Thus, primarily the third aspect of iOS jailbreaking, relating to superuser privileges, correlates to Android rooting.

Click to expand...

I don't actually care about the answer to the question of "what is most secure" because not only does the answer change day to day but being smart can make any platform secure. I have no vested interest in taking a side here but rather, I'm interested in trying to unsettle any complacency about the security of iOS (and any other platform if that comes up) because nothing is more secure than everything else at all times in every circumstance. iOS has holes and hiding behind a veil of "Android is weak" does nothing to address the problems that iOS has.

vansmith said:

I don't actually care about the answer to the question of "what is most secure" because not only does the answer change day to day but being smart can make any platform secure. I have no vested interest in taking a side here but rather, I'm interested in trying to unsettle any complacency about the security of iOS (and any other platform if that comes up) because nothing is more secure than everything else at all times in every circumstance. iOS has holes and hiding behind a veil of "Android is weak" does nothing to address the problems that iOS has.

Click to expand...

And yet, in day to day usage, how exactly are these reported iOS vulnerabilities being exploited? If the OS itself is fundamentally insecure, then WHY is it not being exploited? You are making claims and providing "proof" that it is insecure, yet no real world evidence that these supposed insecurities are being exploited, despite "'Apple's continued mythologizing of the device and high level rhetoric about it's 'purposefully imagined' existence and the inclusion of the 'most advanced technology' (their words) only means that the allure is increased.'"

Just gonna leave this here:

Feds: Overwhelming majority of mobile malware on Android | Electronista

But ignoring the overall security argument for a minute, Van also seems to have ignored the very section I reposted a second time.

Sorry, dude, but you are NEVER going to convince me that an iPhone that has a complex passcode, Touch ID, Find My iPhone AND activation lock is less secure than a typical Android phone with a gesture lock and that's it.

The reason you're never going to convince is the same reason you're not going to convince me that the earth is flat in spite of the fact that I personally have never been in orbit.

lifeisabeach said:

And yet, in day to day usage, how exactly are these reported iOS vulnerabilities being exploited? If the OS itself is fundamentally insecure, then WHY is it not being exploited?

Click to expand...

What do you think jailbreaks are?

chas_m said:

Just gonna leave this here:

Feds: Overwhelming majority of mobile malware on Android | Electronista

But ignoring the overall security argument for a minute, Van also seems to have ignored the very section I reposted a second time.

Sorry, dude, but you are NEVER going to convince me that an iPhone that has a complex passcode, Touch ID, Find My iPhone AND activation lock is less secure than a typical Android phone with a gesture lock and that's it.

Click to expand...

Did you read my post? I clearly said that I wasn't talking about malware...

chas_m said:

The reason you're never going to convince is the same reason you're not going to convince me that the earth is flat in spite of the fact that I personally have never been in orbit.

Click to expand...

Saying that the Earth is flat is objectively wrong. Saying that iOS is, without question, more secure, is not. That's a false comparison.

As for your section:

"Fingerprints and any other security methods can conceivably be 'hacked' (not that its usually a practical or realistic "hack") but people who focus on that miss the point badly: your car can still get stolen even with the best alarm; your house can still get robbed even with every door locked and bolted. The idea is to REDUCE YOUR RISK by setting up enough barriers that a thief will go for the easier pickings. Between the passcode, fingerprint, Activation Lock and Find My iPhone, Apple has *successfully* reduced the attractiveness of stealing an iPhone. Without making it one bit harder for users to use. THAT is the point."

Click to expand...

I highlighted the very important part of your own words. At no point did I say that anything was impervious to vulnerabilities nor did I ever make the claim that anything else was perfect. Indeed, the only thing companies can do is reduce the entry points for vulnerabilities and plug them when they appear. The same goes for any platform.

I don't understand the defensiveness in the responses here - I'm pointing out the realities of vulnerabilities (which keep getting conflated with either malware or passcode access, neither of which have anything to do with vulnerabilities by the way in and of themselves). I'm not trying to make the claim that any platform is better than any other (despite the repeated attempts to drag Android into the discussion). In fact, all I'm trying to do is shine a light on the reality of the existence of vulnerabilities. You can make the claim that they're not exploited but that's just silly. That's akin to walking into a room with people who have the flu and saying "I haven't taken my flu shot but I don't have the flu so everything is fine." If you want to take that approach, so be it. However, it would seem more prudent to realize the CVE realities of each platform we use, whether or not it's likely or not. As I mentioned above, they are used in the real world - this is how jailbreaks work (again, I'm not talking about malware).

At the base level, I agree that iOS is probably more secure in real world conditions but I'm not going to espouse perfection or a rhetoric of safety. As long as iOS has a long list of vulnerabilities (as with any other platform), there's no point in saying that it is, without question, more secure than anything else.

And again, because my argument doesn't seem to be clear (I'm trying to make this as clear as possible): malware is not the same thing as a vulnerability and iOS has vulnerabilities (whether you choose to acknowledge them or not).

I'm not jumping into this fight, but just as a fact-checker, when vansmith cited the 302 vulnerabilities

However, here's a list of 302 common vulnerabilities and exposures in iOS.

Click to expand...

he forgot to mention that not all of them are in fact in IOS, and none of them (at this point) are for IOS7. Not to say there aren't any in IOS 7, but at this point they aren't on that list that I could find. And only 6 of those vulnerabilities had exploits, all of them against iPhones/IOS older than 4.0.2. No exploits since then. As for the utility of fingerprint access, the fact that the iPhone has it makes it more likely that people will use it, and any security is better than no security. I am one of those who turned off the security passcode on every iphone I've had because I didn't want to be fussed with entering it every time I wanted to use it. If the fingerprinting on the 5s works as advertised and described, I'll leave it on because it's easy to use. I already press the Home button to open the phone anyway, so it's no additional steps to let the fingerprint thing do what it does. And that is the single best benefit of the fingerprint, that more people will be inclined to use it because it's easy.

MacInWin said:

I'm not jumping into this fight, but just as a fact-checker, when vansmith cited the 302 vulnerabilities he forgot to mention that not all of them are in fact in IOS, and none of them (at this point) are for IOS7. Not to say there aren't any in IOS 7, but at this point they aren't on that list that I could find. And only 6 of those vulnerabilities had exploits, all of them against iPhones/IOS older than 4.0.2. No exploits since then.

Click to expand...

Good find. Who doesn't appreciate a good fact check?

My only comment to that is that this doesn't negate my argument (they've been and remain present, regardless of version) and I imagine that, since it's a piece of software like any other, vulnerabilities will surface. However, a lack of them now is better than having them now.

MacInWin said:

As for the utility of fingerprint access, the fact that the iPhone has it makes it more likely that people will use it, and any security is better than no security. I am one of those who turned off the security passcode on every iphone I've had because I didn't want to be fussed with entering it every time I wanted to use it. If the fingerprinting on the 5s works as advertised and described, I'll leave it on because it's easy to use. I already press the Home button to open the phone anyway, so it's no additional steps to let the fingerprint thing do what it does. And that is the single best benefit of the fingerprint, that more people will be inclined to use it because it's easy.

Click to expand...

Couldn't agree more. As we all know, people are generally lazy when it comes to security and having something simple is a great way to get around this (however much changing people's mindset would be a better option).

vansmith said:

What do you think jailbreaks are?

Click to expand...

I know what jailbreaks are. And it took, what, nearly a year to find a combination of vulnerabilities to crack iOS 6? What other platform has proved to be more difficult to compromise?

lifeisabeach said:

I know what jailbreaks are. And it took, what, nearly a year to find a combination of vulnerabilities to crack iOS 6?

Click to expand...

It took 0 days to exploit a vulnerability in iOS 6.

Does it matter though? I'm making an argument about their very existence, nothing more. I'm not trying to suggest that the software is of a bad quality (I even implied this above). In fact, I think iOS is of good quality from a security standpoint. That said, I'm not going to hide my head in the sand and think it's somehow immune to the inherent truth of software development - if it can be made, it can be (and likely will be) exploited.

vansmith said:

It took 0 days to exploit a vulnerability in iOS 6.

Does it matter though? I'm making an argument about their very existence, nothing more. I'm not trying to suggest that the software is of a bad quality (I even implied this above). In fact, I think iOS is of good quality from a security standpoint. That said, I'm not going to hide my head in the sand and think it's somehow immune to the inherent truth of software development - if it can be made, it can be (and likely will be) exploited.

Click to expand...

But nobody has claimed it cant be. Just that with the mentioned security features its very hard to exploit it.

danny842003 said:

But nobody has claimed it cant be. Just that with the mentioned security features its very hard to exploit it.

Click to expand...

I wouldn't even say "very hard," just harder than not having it. Remember, I don't need to outrun the bear that's chasing us, I just have to be faster than you. Same in security. Nothing's perfect, it just needs to be somewhat better.

The method that was used to hack the fingerprint id recognition is impractical because to get the thumb or finger impression of any person you will have to cut is finger or may be ask him to give you the impression which is much like stealing and has nothing to do with hacking or code hacking in person.