Trying to replace a broken Home Button Assembly (usually the flex cable) with Touch ID (iPhone 5S and up), we see attempts to break in. Connecting TO (C) or NOT (N) to iTunes is essential (part 1). SIGNED IN (SI) or SIGNED OUT (SO) (button 'Sign in' visible) also (part 2). The Apple servers behind the Activation Lock Service (Find my iPhone) are (part 3). Consider in part 1 not only the USB-to-Lightning cable but also the Over-The-Air (OTA) possibility to connect. We add on thinking 3 states of device status: NewBorn (NB) means sealed and unused; Used (U) incl. in use, used or shut off for a long time; ReNewBorn (RNB) is the state of a reset device ('erase all content and settings', 2nd button from top). In the lab we observed a constellation of N, SO (result of N) on an RNB with a replacement Touch ID being accepted to unlock the phone. The device before was Touch ID locked.
So far so complex.
How to visualize the possible constellation setups: we faced that we need a visualization tool to design the test procedure of all possible combinations.
Before continuing, one thing to think of: Mobile Payment (several on the market, but focusing on the looming ApplePay in Europe); breaking the security of Touch ID and fingerprints is interesting.
Question: Who is interested to start a shared platform for Triple-I (3I), including iPhone, AppleWatch and ApplePay testing and discussions? As this is close to CashCrime, it is essential to prevent criminals from outside learning from this subject.
Why all this? Obfuscating a stolen device and being able to pay is a crime to enforce against.
Ready to start firing 😉
RoGu
Upd: Suspects do everything to hide. Mobile broadbands are highly observed by Lawful Interception (LI function, 3GPP TS 23.271). Breaking into secured Wifis or stealing and misusing stuff to hide is a form of it. The more interception, the more misuse of innocents. The 3I project, in short 'steal, break & pay', focuses strongly on misuse of connectivity (SIMs are often blocked fast, but Wifi is still usable) and money laundering (in the form of bank accounts or debit/credit card misuse). AppleWatch2 comes in March (macrumors, appleinsider, 9to5mac).
Highly prepared crime uses a few hours to jump in and succeed. Users do not realize what's going on. But we LEs have to know.
Who joins the gang? Only collab-based will succeed. Come on, Geeks -)
RoGu
Upd: Got helpful advice that my first post is not understandable.
On an iPhone 6S the home button assembly was replaced. The previous owner had Touch ID (fingerprint) enabled to unlock the device. After replacing it, the device could be unlocked without Touch ID - which I confess sounds weird.
Theoretically not possible by Apple's design. But a real case was observed. To figure out how this could happen I kindly ask iOS crypto guys to help me. By design Touch ID and the A8 (or up) are 'married for life'.
So just discussing the possibility whether this really can be is helpful. As we did not test in a structured way but observed the case, we are not able to replay the break.
Always open for refining and learning -))
Hi RoGu,
Your post makes for an interesting read; however, I am still a little unclear as to what you mean exactly when you say
"After replacing the device could be unlocked without Touch ID"
Do you mean there was no longer a lock on the device at all? As if there was no lock in the first place?
Thanks,
JJH
After changing the home button assembly, the iPhone 6S was unlockable WITHOUT fingerprint (Touch ID). Before, it was locked WITH fingerprint.
It cannot be possible in reality to overcome the fingerprint security element by replacing the home button assembly! The Touch ID is 'married' with the A8 by design.
Hi,
Thanks for your post. I am interested in this approach, but for clarification purposes can you confirm if my understanding of your approach is correct.
You have an Apple iPhone 6s, which is locked with Touch ID, and you do not know the password or PIN code to bypass the Touch ID.
You physically replaced the Touch ID sensor yourself, which unlocked the phone, allowing you access to the data. Is this correct?
Thanks
#badgera correct. Let's, for mutual understanding, define the elements as follows: a) The physical home button assembly consists of 4 parts: sapphire crystal (glass) - where the finger touches; steel detection ring; Touch ID sensor (electronic sensor) - sandwiched, not physically touched by the finger, think of it as a kind of scanner sensor through the crystal; tactile switch (provides the common 'home button' function - the 'click'). The whole of this is called the 'home button assembly' and is available as a spare part. Apple announced that the Touch ID in the 6S line is improved and is version 2 of Touch ID.
It's about Touch ID v2 - not backwards v1 built into older devices. So it's all about 6S devices.
The Touch ID takes the fingerprint receipt, which gets hashed and stored locally in the Secure Enclave (located within a zone on the A7 and A8 ref
RoGu
You mean this one?
http//
For mutual understanding, let's use a picture
https://
We are talking of this thingy here, right?
jaclaz
exactly, thanks for the link and pics
RoGu
Good. )
This behaviour, once confirmed, gives a whole new meaning to the sentence:
https://
Original iPhone 6 and 6 Plus home button flex with Touch ID sensor
Please note, due to the nature of the parts security, the Touch ID feature won't function due to the parts being paired with your phone's motherboard - this will only function as the home button until a fix has been released to enable the Touch ID.
jaclaz