Video reveals how the Touch ID hack was performed – ‘trivial’ attack that took 30 hours

The German hacker who successfully defeated Touch ID using a fingerprint lifted from the back of an iPhone has posted a video showing exactly how it was done.

While the hacker – who goes by the nickname Starbug – described the attack as “very straightforward and trivial,” he revealed in an email interview with arsTechnica that it required 30 hours of work using a scanner, high-res laserprinter and a printed circuit board etching kit.

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

Should 5s owners worry that, now that the technique is known, it could be replicated in 30 mins? The answer is ‘it depends, but probably not’ …  Read more

Apple comments on Gizmodo/Wired writer’s account hacking, here’s how it went down…

We reported over the weekend on the hacking of the digital life of Wired’s Mat Honan.

Mat Honan wrote up his whole story over at Wired. The scariest part is that they were able to reproduce the hack using two pieces of publicly available information and a phone call.

We talked to Apple directly about its security policy, and company spokesperson Natalie Kerris told Wired, “Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password. In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

On Monday, Wired tried to verify the hackers’ access technique by performing it on a different account. We were successful. This means, ultimately, all you need in addition to someone’s email address are those two easily acquired pieces of information: a billing address and the last four digits of a credit card on file. Here’s the story of how the hackers got them.

Scary. Scary. Scary. Read more