committing page revision 1

1 files changed, 72 insertions, 0 deletions

diff --git a/updates/2013/ccc-breaks-apple-touchid.en.md b/updates/2013/ccc-breaks-apple-touchid.en.md
new file mode 100644
index 00000000..61dfe186
--- /dev/null
+++ b/updates/2013/ccc-breaks-apple-touchid.en.md
@@ -0,0 +1,72 @@
+title: Chaos Computer Club breaks Apple TouchID
+date: 2013-09-21 22:04:00 
+updated: 2013-09-22 18:11:56 
+author: frank
+tags: update, pressemitteilung, biometrie, biometrics, apple, touchid
+
+The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

+
+
+<!-- TEASER_END -->
+
+Apple had released the new iPhone with a fingerprint sensor that was
+supposedly much more secure than previous fingerprint technology. A lot
+of bogus speculation about the marvels of the new technology and how
+hard to defeat it supposedly is had dominated the international
+technology press for days.
+
+\
+"In reality, Apple's sensor has just a higher resolution compared to the
+sensors so far. So we only needed to ramp up the resolution of our
+fake", said the hacker with the nickname Starbug, who performed the
+critical experiments that led to the successful circumvention of the
+fingerprint locking. "As we have said now for more than years,
+fingerprints should not be used to secure anything. You leave them
+everywhere, and it is far too easy to make fake fingers out of lifted
+prints." \[1\]
+
+\
+The iPhone TouchID defeat has been documented in a [short
+video](http://www.youtube.com/watch?v=HM8b8d8kSNQ).
+
+\
+The method follows the steps outlined in [this
+how-to](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en)
+with materials that can be found in almost every household: First, the
+fingerprint of the enroled user is photographed with 2400 dpi
+resolution. The resulting image is then cleaned up, inverted and laser
+printed with 1200 dpi onto transparent sheet with a thick toner setting.
+Finally, pink latex milk or white woodglue is smeared into the pattern
+created by the toner onto the transparent sheet. After it cures, the
+thin latex sheet is lifted from the sheet, breathed on to make it a tiny
+bit moist and then placed onto the sensor to unlock the phone. This
+process has been used with minor refinements and variations against the
+vast majority of fingerprint sensors on the market.
+
+\
+"We hope that this finally puts to rest the illusions people have about
+fingerprint biometrics. It is plain stupid to use something that you
+can´t change and that you leave everywhere every day as a security
+token", said Frank Rieger, spokesperson of the CCC. "The public should
+no longer be fooled by the biometrics industry with false security
+claims. Biometrics is fundamentally a technology designed for oppression
+and control, not for securing everyday device access." Fingerprint
+biometrics in passports has been introduced in many countries despite
+the fact that by this global roll-out no security gain can be shown.
+
+iPhone users should avoid protecting sensitive data with their precious
+biometric fingerprint not only because it can be easily faked, as
+demonstrated by the CCC team. Also, you can easily be forced to unlock
+your phone against your will when being arrested. Forcing you to give up
+your (hopefully long) passcode is much harder under most jurisdictions
+than just casually swiping your phone over your handcuffed hands.
+
+\
+Many thanks go to the Heise Security team which provided the iPhone 5s
+for the hack quickly. More details on the hack will be reported there.
+
+**Links**:
+
+\[1\] [Fingerprint Recognition at the Supermarket as insecure as
+Biometrics in
+Passports](https://ccc.de/en/updates/2007/umsonst-im-supermarkt) (2007)