The iPhone 5s TouchID Fingerprint Hack Doesn't Matter

Apple (NASDAQ: AAPL) is in fierce competition in the smartphone market with Android OS by Google and, to a lesser degree, Windows Phone 8 by Microsoft (NASDAQ: MSFT). Both competitors have been gaining smartphone market share over Apple's iOS-driven iPhone, and in this race, perception as an innovator is crucial to continued success. New features need to draw significant attention. But they can't compromise security.

The new iPhone 5s

The new iPhone 5s has made quite a stir by introducing two new technologies that leave Android and WP8 phones behind. The first is a 64-bit CPU, something no other smartphone can boast.

Tests by the respected site AnandTech have shown that the 5s is very fast, handily beating competitors in most of the benchmarks. On the Geekbench benchmark, an overall computational set, gains were mixed, except in one important area, the cryptographic tests, where AES improved by over 800% and SHA1 by 245%.

The AES and SHA1 gains are a direct result of the new cryptographic instructions that are a part of ARMv8. The AES test in particular shows nearly an order of magnitude performance improvement. [Emphasis added.]

One wonders what Apple has in mind for cryptographic services.

Apple's TouchID

One possibility, of course, is the second radical improvement, the fingerprint scanner, dubbed TouchID, that allows you to open your locked iPhone without needing to enter your password. Reviewers have hailed this as a great advance.

It should be noted that Motorola – now a part of Google – used to have a phone model, Atrix 4G, that used fingerprint scanning, but it was both awkward and so unreliable that they discontinued the feature. By most accounts, Apple's TouchID system works simply and reliably.

The Chaos Computer Club

The Chaos Computer Club is "Europe's largest association of hackers." They quickly developed a method to fool the fingerprint sensor on the iPhone 5s, and released a statement:

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

Basically they took a fingerprint off of glass, scanned it under fairly high resolution, then used that image to make a latex spoof. It is easy to do and anyone can do it at home with inexpensive equipment.

The question is: Is their warning warranted? Is it true that "fingerprint biometrics is unsuitable as access control method and should be avoided?"


 

[Making a spoof fingerprint]

Does it matter?

That depends.

The reply is another question: Why would anyone want access to your phone? Obviously a thief would want that. However, someone who surreptitiously slips your phone from your pocket or off your café table is not going to stick around to ask for your fingerprints. If you are cornered in a back alley by five guys with AK-47s, you'd just give over your password regardless ... and you'd probably have bigger concerns than your iPhone password.

The Chaos crew admitted that it took a fairly high-quality scan for the spoof to work. Therefore, you need a high-quality original print. Drinking glasses and doorknobs can be good sources, but it's questionable whether a print left casually on a beer bottle would be complete and clean enough for a lift for this purpose.

And this raises another question. Why would someone do this to you? If you're carrying state or corporate secrets on your iPhone, you have close acquaintances who want to rip you off, or you're hiding compromising photos from your spouse, you might want to avoid TouchID. Otherwise, it's not much of an issue.

The common thief is going to have more luck peeking over your shoulder to steal your passcode than finding and spoofing a usable print.

So unless there is some very special reason for someone to want your data, you have little to worry about. In fact, since TouchID will encourage you to use auto-lock, it's probably more secure than leaving the iPhone unlocked.

As for Chaos, this is part of a campaign against the use of biometric security. They wrote an earlier piece on the use of fingerprint scanning to allow payments at supermarkets, etc., a system being tested in Europe. The security risk there is certainly much higher. With the iPhone, you need a particular fingerprint with a particular iPhone. With the payment system all you need is the fingerprint, and you can then use it at any payment center in the system. That is a much greater risk.

Conclusion

iPhone sales are critical to Apple, making up 51% of revenue last quarter, and cutting-edge features are important for winning new users. On the flip side, any significant security issues could threaten sales.

But while we owe gratitude to the Chaos group for raising the issue, this would not seem to rise to the level of significant. As Chaos wrote:

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team ... you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.

I would agree. If you plan on going to political demonstrations and photographing what happens, this could be an issue. If you're willing to take that risk, I think TouchID is a very attractive new feature for the iPhone.


Comments from our Foolish Readers


  • On September 24, 2013, at 3:14 PM, 1bigdeal wrote:

    Change which finger is used or just use the standard password mode. This is all pretty silly nonsense about lifting fingerprints, high res scan and then molding a dummy print...seriously?? Have they posted a video? I doubt it.

  • On September 24, 2013, at 3:19 PM, Mrappnyc wrote:

    Umm...what about prints left on the iPhone screen or touch ID itself??

  • On September 24, 2013, at 3:35 PM, Mreiher wrote:

    Good they could do this, but does not seem to matter for the average user of a phone.

    I'm more worried about my wallet getting lost and my credit cards getting in the wrong hands. That's more likely than someone going through all this to open my phone.

  • On September 24, 2013, at 3:52 PM, makelvin wrote:

    @Mrappnyc, "...what about prints left on the iPhone screen or touch ID itself..."

    The iPhone glass as well as all iOS devices' glass surface is coated with oleophobic coating. This prevents oily residue from sticking to the glass surface. As a result, it is difficult to obtain a good clear fingerprint image directly from the glass surface of iPhone itself.

    Secondly, since the fingerprint sensor is directly located right on the Home button, if your authentication finger is different from the finger you would use on that button normally, by the time your device gets turned off, any image residue that might still remain on the sensor would have been obscured and smudged to beyond any usefulness.

  • On September 24, 2013, at 4:25 PM, Justice007 wrote:

    It matters to me, for at the very least, Apple lied about their fingerprint reader scanning at the subepidermal level. If it scans at that level, then it should not have been able to hack it in the manner it was. If Apple lied about that, what else are they lying about?

  • On September 24, 2013, at 4:51 PM, dapperone wrote:

    Much ado about not much. The press keeps reporting that Chaos "hacked" the fingerprint sensor, which is not correct. They only demonstrated that with a set of circumstances that are highly unlikely to be replicated by a thief, it is possible to fool the sensor into allowing phone access without the owner being present.

  • On September 24, 2013, at 5:09 PM, Awebb30 wrote:

    A blowtorch would surely get past "The Club" auto security device that I use in my car, but no thief has ever bothered going through with it.

    I'm just not concerned about this either.

  • On September 24, 2013, at 5:21 PM, tychicum wrote:

    All a hacker needs to do is cut all 10 fingers off of the iPhone owner and shazzam! In like Flin ...

  • On September 24, 2013, at 5:32 PM, SuntanIronMan wrote:

    Anybody remember the episode of Myth Busters a few years back about this? Myth Confirmed.

  • On September 24, 2013, at 6:23 PM, Mrappnyc wrote:

    @makelvin - I (like, I'd imagine, many others) tend to use my thumb on the home button. Glancing at it right now I can see a pretty visible finger print. I don't think the concern is negligible.

  • On September 24, 2013, at 8:33 PM, Justice007 wrote:

    @rcapprotti is that your big girl response? How about debating the merit of what I said. Am I to assume you lack the capacity to do so? Like I have stated many times prior, I have an iPhone but it doesn't define who I am. So I can be objective when it comes to things about Apple products.

  • On September 24, 2013, at 8:34 PM, JaanS wrote:

    @ Mrappnyc

    Then use your left ring finger to validate. Not too difficult.

    Furthermore, remember you need a really clean print to copy. As has been noted above - because of the frequent touches, the button is unlikely to have such a clean print.

    Regards

  • On September 25, 2013, at 6:26 AM, SuntanIronMan wrote:

    Maybe it doesn't matter to Apple specifically, but it does matter to the whole idea of fingerprint security.

    That matter being that a fingerprint is just not a good way to secure anything. My house is covered in my own fingerprints. My workplace is covered in my own fingerprints. The restaurant glass I used at lunch is covered in my own fingerprints (at least it was... I sure hope they cleaned that glass by now... that's disgusting to think about... haha).

    I can change my passwords (as I do, often), but I can't change my fingerprints (... I suppose you could... but it would be kind of painful... certainly something I wouldn't want to do on a regular basis). And bonus, I don't write my passwords on dozens of Post-It notes and leave them randomly around town every day (which is basically what you do with your fingerprints).

    @ Mrappnyc

    You can still pull that particular fingerprint off the back of the phone then. Or the side of the phone or however you normally hold the phone in your hand during everyday use. Your fingerprints will end up somewhere on that phone eventually. Unless, maybe, you purposefully never touch anything with your left ring finger... ever.

  • On September 25, 2013, at 6:29 AM, SuntanIronMan wrote:

    Sorry, I meant to @ that last part @ Mr. Manness.

  • On September 26, 2013, at 11:10 AM, JaanS wrote:

    @ Which...

    So what if your fingerprints are all over your house. So are everyone else's.

    How is someone to know which are the right ones?

    How is someone to find one that is sufficiently complete? If you hold your phone all the time then it will be covered by hundreds of mixed up prints that are useless.

    If you read the linked Chaos article on how it is done, you will see that they need a complete and very clear print. Easy to do in a lab. Not to find in reality.

    It is easier to do if you are highly motivated to get one particular person's phone, but not easy to do opportunistically. Which is my point.
