All we need is ONE car producer to use it...........insurance company will reduce the costs because the car is MUCH harder to steal..........& Bingo.
Mike

All we need is ONE car producer to use it...........insurance company will reduce the costs because the car is MUCH harder to steal..........& Bingo. Mike

All we need is ONE car producer to use it...........insurance company will reduce the costs because the car is MUCH harder to steal..........& Bingo.

That all sounds good until you are unable to use your car because of some software bug, or someone hacks into it and circumvents the entire validation process.

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.


Apple had released the new iPhone with a fingerprint sensor that was supposedly much more secure than previous fingerprint technology. A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints." [1]

The iPhone TouchID defeat has been documented in a short video.

The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.
iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

Many thanks go to the Heise Security team which provided the iPhone 5s for the hack quickly. More details on the hack will be reported there.

Well, that didn't take long at all. The iPhone 5s finger scanner has been busted using an easily-made fake finger.

From "Chaos Computer Club Breaks Apple TouchID"

Fake finger/fingerprint access doesn't bode well for the biometric security system on the TruTouch alcohol sensor device either. This becomes particularly problematic if a TruTouch (medical) device database gets hacked/spoofed for two critical reasons: 1. Liability to TruTouch (and its customers) if counterfeit fingerprints used in the device allow an inebriated employee/intruder into a restricted, high risk area resulting in a serious or fatal accident; and 2. Hacked fingerprint database in a medical setting (hospital emergency room, etc) would result in severe fines for HIPPA violations (and possible product recall) as well as civil claims and class action lawsuits for invasion of privacy. There are also identity theft issues that will further complicate things if innocent persons are wrongfully accused and terminated because their prints got hacked.

I'd love to know where the biometric information of the fingerprints is stored.

- Strictly local on the device, inaccessible for Apple or third-parties?
- In the cloud with locally cached copies?
- something else?

It is almost certainly local, but equally will likely get synced onto your PC by iTunes - and from there can be accessible by anyone with internet access and access to iTunes (i.e. Apple and the NSA).

I'd also note that it is extremely unlikely that the data in question is anything but a mathematical model - it is this stage where the operating system level hacks would target.

Interesting. How might they do that? Just speculating, but would it mean that instead of storing an actual image of the fingerprint, a computer would capture certain unique/easily identifiable data points from the print (such as the distance from point A to point B on the image and/ or the number of circular segments within a defined area, etc) and then assign a unique/random number or code to that particular pattern via some kind of algorithm? So once you hacked the random number or code, you would no longer need the actual fingerprint to gain access to secure areas.

Interesting. How might they do that? Just speculating, but would it mean that instead of storing an actual image of the fingerprint, a computer would capture certain unique/easily identifiable data points from the print (such as the distance from point A to point B on the image and/ or the number of circular segments within a defined area, etc) and then assign a unique/random number or code to that particular pattern via some kind of algorithm? So once you hacked the random number or code, you would no longer need the actual fingerprint to gain access to secure areas.

For all intents and purposes, it's Game Over if a hacker gets access to the software that runs on a system.