Fake Fingerprint Stickers Let You Access a Protected Phone While Wearing Gloves (gizmodo.com) 74
A new Kickstarter campaign aims to sell you fingerprint stickers that, when applied to a pair of gloves, allow you to unlock a mobile device that's protected with a fingerprint scanner. The sticker is powered by Nanotips and is "made with an extremely adhesive conductive material that can be applied to any surface for touch capability." Gizmodo reports: You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside? We shouldn't, and these Taps stickers will allow you to use your mobile device's touchscreen and fingerprint reader, for unlocking your phone or making a purchase, even while your actual fingers (and fingerprints) are being kept warm and toasty inside a glove. After applying a textured stick to the tip of your glove, you just have to register it as an approved fingerprint using your smartphone's security settings. You might assume this would mean that anyone with a Taps sticker on their gloves could access anyone else's protected phone. But according to its creators, using nanoparticle technology every single Taps sticker has an individual and unique artificial print ensuring that only your gloves can access your device. That being said, there is still the risk of someone stealing your gloves, which is easier than stealing your fingerprints, so you'll have to weigh the security risks introduced versus the added convenience these offer.
Re: (Score:2)
Re: (Score:2)
hand?
pick one: convenience, privacy (Score:5, Insightful)
You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside?
Because this: Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones [slashdot.org]
Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.
Re: pick one: convenience, privacy (Score:5, Interesting)
Re: pick one: convenience, privacy (Score:4, Funny)
Every time I get pulled over or whatever, I force reboot my phone to require passcode.
I'm guessing there's probably an App for that to add an "I've been pulled over" button to the lock screen for forcing a reboot.
Re: pick one: convenience, privacy (Score:1)
You retard. He's talking about i devices.
Every few days or every reboot you need to enter your pwd or pin just in case someone did steal your prints.
Re: (Score:2)
Re: (Score:2)
Seems a bit OTT. Why not just have a passcode or swipe pattern as the standard lock?
You have a choice. If you don't want to use fingerprints, you don't have to. I use fingerprint access on my iPhone and it's about as opt-in a feature as you could want. They changed from 4 letter passcode to 6 now.
Can it be spoofed? Sure. But they'll have to know which finger or body part I used to set up, and there is so little of interest on my phone that it would be a waste of time to even try. I mean I texted the word "poop" once. But that's about it.
Re: (Score:2)
Can it be spoofed? Sure. But they'll have to know which finger or body part I used to set up,
Security 101. Any security system is only as strong as the likelihood of volunteering the password when an attacker jams a screwdriver in your ear.
You wouldn't be the first person to refuse to co-operate with the cops. I'm pretty sure they have well worn methods for extracting information from uncooperative suspects.
Re: pick one: convenience, privacy (Score:5, Funny)
Just how often do you get pulled over?
Re: pick one: convenience, privacy (Score:4, Insightful)
Just how often do you get pulled over?
They may be African-American and it could be a daily occurrence.
Re: pick one: convenience, privacy (Score:1)
Another good tip is to keep all your passwords in plain text in a word document on your desktop. That way you never have to remember your passwords and you can have different ones for each site/account. Of course someone could just open it and look at it / copy it, but the convenience! /sarcasm what a stupid product. Take your glove off for the 2 seconds it takes to scan your finger or, like the article says, just out in your passcode.
Re: (Score:2)
Re: (Score:3)
Because this: Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones [slashdot.org]
Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.
Why not use the 'sticker' part of the glove _instead_ of one of your actual fingers? Then you could visibly try every finger and plausibly deny that the phone is yours.
Re: (Score:1)
They've got a point, the fingerprint is the username not the password.
'Because it's convenient' does not make it security.
Re: (Score:3)
Re: (Score:1)
You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside?
Because this: Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones [slashdot.org]
Using a pass code is protected by the Fifth Amendment, using a fingerprint is not.
I think most people have forgotten the presentation / keynote where Touch ID was introduced:
In that segment Jobs pulled out a statistic that something like over 70% of people don't put a PIN on their iPhone, Why didn't they? Because it was a pain in the ass. Touch ID allows you to conveniently unlock your phone, but to activate it, you need to enter a PIN. Now, with newer iPhones, probably something like 100% of people have PINs.
I don't anyone reasonable is saying that fingerprints are the be-all and end-al
Re: (Score:2)
I think most people have forgotten the presentation / keynote where Touch ID was introduced:
In that segment Jobs pulled out a statistic that something like over 70% of people don't put a PIN on their iPhone, Why didn't they? Because it was a pain in the ass. Touch ID allows you to conveniently unlock your phone, but to activate it, you need to enter a PIN. Now, with newer iPhones, probably something like 100% of people have PINs.
A person who finds entering a 4 digit passcode (now 6) is going to really have issues with setting up touch ID.
But you are right, peeps be lazy.
My wife doesn't even want a passcode or TouchID. I told her in that case, no ApplePay or any purchases with it until you do.
Re: (Score:2)
Re: (Score:2)
And it is less secure, because if I can put these on a glove, so can somebody else.
Well, I'm sure no Kickstarter campaign ever made unrealistic claims about their product.
Re: (Score:2)
Using a pass code is NOT protected by the fifth amendment. Nor is using encryption. A judge can require you to give up your pass code and/or your encryption key, and if you refuse, you can go to jail for contempt of court forever (until you reconsider and comply). Just like your DNA is not protected -- you can be compelled to give it up. Just like your writings in general are not protected. The only thing that is protected is your right not to be compelled to testify in a court room if your honest te
Re: (Score:2)
4 digit phone codes are also obviously a waste of time in the first place. So are six digit codes. Or eight digit codes. Eight CHARACTER keys on strong encryption is a weak opener -- maybe the feeb can't crack that with in-house resources, but I wouldn't bet against the NSA, and in principle the feeb can call on the NSA in any circumstances that would warrant it.
We see this sort of thing with old school locks. They are secure in minutes, so to speak. An accomplished cracker can break into a certain lock in a certain amount of time.
So its kind of like a two factor authentification. You have the device that delays entry, and you have the person checking on it every so often. Yeah, someone is going to be able to crack a four digit code without too much trouble. But given that the phone locks after X number of failed inputs and they have to wait a while before trying
Re: (Score:2)
Or, they could just take the data out of the phone, put it into a special OS shell that doesn't have the lockout feature, and rip through all 10000 four digit codes in the time wasted between keystrokes in this reply. Or they could look at the smudges on the screen, make an educated guess as to the numbers being pressed, and reduce the search space to the permutation of 4 or fewer digits.
The point is that 4 digits is very, very fundamentally insecure. Oh, it's probably fine to protect your data from a pho
Re: (Score:2)
Which is a black box to you, but very transparent to apple.
Re: (Score:2)
Which is a black box to you, but very transparent to apple.
You mean the encryption is bad because it isn't "by obscurity"? Apple is very open about how it works, and people who know more about the matter than you say its fine.
Re: (Score:2)
Because IT IS by obscurity. The hardware is a black box, which i need to trust, while i have very little reason to do so.
You have two options:
- Make it secure in software. Everyone can verify this. Example: Key-Stretching, which is implemented in software still slows down brute-force attacks very good.
- Make it secure in hardware (example: apple secure enclave). It can be secure, you can publish the specs openly. But the actual part in my iphone is a black box. I do not know, if it matches a given spec. And
Re: pick one: convenience, privacy (Score:4, Informative)
Or, they could just take the data out of the phone, put it into a special OS shell that doesn't have the lockout feature, and rip through all 10000 four digit codes in the time wasted between keystrokes in this reply.
Or, or, and or. I'd be the last person to argue for or against any so called security features on a phone. I do not consider anything about a phone to be secure at all ever. So if I were to be doing something illegal, I sure as hell wouldn't put it on my phone.
The whole thing is people demanding an inherently non-secure device to be secure. It's like buying a billboard, putting something classified on it, or kiddie porn, and demanding that people not see what is on it because you demand your right to privacy.
It simply is not secure.
Re: (Score:1)
Obligatory Mythbusters (Score:2)
Fingerprint locks can be foiled. [youtube.com]
Re: (Score:2)
I already knew it from before. And shared the link, because Mythbusters.
Fingerprint stealing made easy (Score:2)
Re: (Score:3)
Re: (Score:2)
Easier, then.
Re: (Score:2)
Re: (Score:2, Insightful)
Don't get a glove with YOUR fingerprint. My phone can accept multiple fingerprints, the glove can be a new one. If I lose the glove, I reset the fingerprints to mine without the glove.
--XYZZY--
Re: (Score:2)
Don't get a glove with YOUR fingerprint. My phone can accept multiple fingerprints, the glove can be a new one. If I lose the glove, I reset the fingerprints to mine without the glove.
Logic...
A rare yet beautiful thing.
Re: (Score:3)
Probably don't have to steal them. I reckon gloves must be among the most misplaced or lost items in places where winter is cold enough to require wearing them. Of course finding gloves with attached fingerprint sticker doesn't help link them to an owner and a device to unlock, but it does give you a fingerprint to leave around somewhere to say, mess up a crime scene investigation. Has a cast-iron alibi ever been overturned in court because of fingerprint evidence?
Re: (Score:2)
Or, just stealing your fingers. They are removable, after all...
Key chain finger (Score:2)
What would be really handy is a simulated finger I can keep on my key chain.
Re: (Score:2)
Re: (Score:3, Funny)
commentsubject (Score:3)
Stopped reading here. A new record.
unique (Score:2)
I'm sure they're made them unique, but is it unique for touch devices or just in the lab?
"there is still the risk of someone stealing your gloves, which is easier than stealing your fingerprints"
I think I pay less attention to where my finger prints are left compared to a pair of gloves.
Knows nose (Score:4, Interesting)
In cold weather I register the end of my nose as a fingerprint. It works! And the feds will never figure it out, they can try all my fingers and still not get in.
If you want to keep finger functionality, use your imagination- the back of a knuckle or the side of a thumb are just as unique as a fingerprint, and work just as well.
Unlocking ones phone with one's nose will occasionally be met with wisecracks- trying to operate a phone with a nose will probably get you beaten up or arrested. So be careful :)
cw
Re:Knows nose (Score:4, Interesting)
It just makes me question the uniqueness being measured (we know fingerprints are "unique" enough for convictions, but if your nose passes muster to a fingerprint reader as a valid fingerprint, surely it's not measuring that much uniqueness in the first place?). Noses just don't have unique, large, raised, patterning like fingerprints do. You can SEE and FEEL fingerprints, that's how large the features are. You can't see much difference between one squished nose and another.
All this tells me is that fingerprint readers on smartphones are naff toys. And I don't for a second buy the "it depends on the glove used" tripe either.
I looked into a fingerprint reader that schools were using for access. It turns out to be a scanner. With some Linux tools and jiggery-pokery you can pull out a black-and-white scanned TIFF from the sensor, which just feeds it into software which does the "uniqueness" bit (finding edges and comparing corner points, mostly).
So I printed out the TIFF, swiped that, and it accepted it. I'm sure they've come on leaps and bounds since, but they are still susecptible to the same old attacks. You don't need to find "a finger that's correct", just a sufficiently convincing model of that finger. That can be anything from a flat piece of paper, to a PCB-etched one, to some gummi bears moulded from that. But still, outside of humongously expensive things, nothing really that good at detecting fakes.
The heartbeat sensor in my phone uses the colour of the skin to measure heartrate "accurately enough". It's literally just a colour sensor, like a scanner, with sufficient red illumination to make your pulse "visible". That could easily form another part of a smartphone fingerprint sensor. And would STILL be just as susceptible to, say, a smartphone display showing the fingerprint and red-pulse that it expects.
It's the analogue hole all over again. If you can copy the data stream sufficiently, you don't need the original any more.
And that just makes fingerprints worthless.
Re: (Score:1)
Easy (Score:2)
"but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside?"
Why? So that the police can't get at your phone's contents. Your fingerprint can be forced onto the phone, a password can't.
How long will it take for the real deal? (Score:1)
Would you print your PIN on your gloves? (Score:3)
I can change my PIN whenever I want (Score:2)
Re: (Score:2)
Can you change your fingerprints when you want?
I don't believe it is a digital print out of your actual finger. Based on what I have read, it looks like it's just a unique pattern you can use as a fingerprint on your device. Then, if you lose the sticker, you just remove it from your security settings and use a new one.
This is a robbery.... (Score:1)
Give me your wallet, phone and gloves, please.
Useful stickers (Score:2)
Those stickers sound useful, as they are the only safe way (when available without gloves) to use a fingerprint scanner. You leave your fingerprint everywhere and cannot change it. So it's useless as pass code. But you can buy new stickers, if you want to change your "fingerprint" login.