Apple's iPhone Fingerprint Reader Successfully Hacked

Nice hack from the Chaos Computer Club:

The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

I’m not surprised. In my essay on Apple’s technology, I wrote: “I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability—or maybe just a good enough printer—can authenticate his way into your iPhone.”

I don’t agree with CCC’s conclusion, though:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

Apple is trying to balance security with convenience. This is a cell phone, not an ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN—something that a lot of iPhone users don’t even bother with—with a fingerprint. Despite its drawbacks, I think it’s a good trade-off for a lot of people.

EDITED TO ADD (10/13): The print for the CCC hack was lifted from the iPhone.

Posted on September 24, 2013 at 9:20 AM

71 Comments

Comments

John Campbell September 24, 2013 9:54 AM

I wonder how quickly the NSA– and then the rest of the TLAs, like the FBI, DEA, etc, etc, etc– will get a copy of the fingerprint and compare them against the existing databases.

cassiel September 24, 2013 10:06 AM

This is a cell phone, not a ICBM launcher or even a bank account withdrawal device.

Various pundits are suggesting that the fingerprint security scheme will allow for “secure” payment transfers.

Edd Black September 24, 2013 10:07 AM

Therein lies the rub. Is the primary e-mail tied to that phone? That will get you into everything. Nowadays, people are better off activating the “waterproofing” app and dunking their phones in water.

David Leppik September 24, 2013 10:14 AM

@cassiel: yes, but is it any less secure than the authentication currently used for credit cards and the electronic withdrawals that are now used for paper checks?

Authentication is only one part of fraud detection, and these days it’s the least important part.

Bauke Jan Douma September 24, 2013 10:15 AM

Bruce,

Your dissent on CCC’s conclusion (which, admittedly, is loaded) surprisingly misses the point that is addressed in the first comment here, by John Campbell.

bjd

David Leppik September 24, 2013 10:16 AM

One thing that does worry me about fingerprints in particular for authentication on the iPhone is how well the screen collects finger smudges. There’s a good chance a thief will have a sample fingerprint with the stolen phone.

Steven Hoober September 24, 2013 10:18 AM

Apple is trying to balance security with convenience.
So why don’t they try to balance input methods? All I can think now is (e.g.) a fingerprint reader with a simple pattern unlock. What they’ve done is gone to effectively single factor security (phones are left unattended periodically so possession is not really a security feature here).

Various pundits are suggesting that the fingerprint security scheme will allow for “secure” payment transfers.
Extremely this. Everyone assumes at first any security is perfect, and anything new is better than anything old, so all sorts of crazy things have been posited as a result of this biometric reader.
It is a key failing in the link between security and every other practice area in digital products. How do we get everyone to think about consequences. I mean, a lot more than “after 48 hours use your PIN anyway.”

nico September 24, 2013 10:23 AM

When I read this first on Heise, I thought about what you had written. It’s a clear case and a security improvement nonetheless.

Those folks who have things on their iPhones that should not be protected by this level of security surely have their stuff snatched away after or before it hits their phone anyway…

Zach September 24, 2013 10:25 AM

How much of a breach of security is this, really? They took a photograph of a thumb pressed against glass at 2400 DPI in order to get enough detail to fool the device. Is it possible to lift someone’s fingerprint (say, off a glass or door handle) with enough detail to fool the device? If they have to go through such lengths to get a copy of your fingerprint aren’t there easier ways to gain access to the device?

Zach September 24, 2013 10:29 AM

@John Campbell-

If you believe what Apple has said about the device, all the processing of your fingerprint data happens inside the reader itself, and the only data stored is a hash of your fingerprint. The hashing algorithm includes the fingerprint reader’s unique ID, so you can’t transfer the stored data between devices.

I can’t rule out that Apple is mistaken or lying about the design of this system, but taking what they’ve said at face value I don’t see how a government could even access the fingerprint data, and if they did I don’t see how it would be useful to them.

Nicholas Weaver September 24, 2013 10:32 AM

Especially since that’s far more effort than breaking a 4-digit pin: the iPhone’s pin lock can be brute forced through a USB cable. The phone uses a password generation hash using an on-chip secret key/salt, so it can’t be brute-forced off the phone, and it takes about 1s per try.

But it still means that brute-force only takes about 20 minutes to unlock the phone if it’s protected with a random 4-digit pin. This is far more work to create a fake fingerprint!

More important is Apple’s change to “Find my iPhone”. If enabled, it now requires the ICLOUD password to disable or wipe the phone, you can set an arbitrary password remotely, and still track remotely.

With iOS7 and “Find my iPhone” enabled, it really is a plague for thieves: easy to track, hard to wipe and resell.

Mike September 24, 2013 10:36 AM

I think the bigger concern here was well articulated in the CCC article–you can’t change your fingerprints and you leave them everywhere. This does not necessarily negate using biometric authentication, but I think it ought to be coupled with some other token, such as a PIN (preferably of an arbitrary length), voice (perhaps with multiple phrases), or physical token (near-field fob, smart card, PRNG dongle, etc).

maxCohen September 24, 2013 10:36 AM

I thought you could use the fingerprint to purchase through iTunes.

There is plausible deniability that you can’t remember your PIN number/password when at the border or when in court but wouldn’t biometrics remove that deniability?

As for the iPhone, you could use a finger that you don’t use for the device, like a pinky or ring finger.

maxCohen September 24, 2013 10:41 AM

“As for the iPhone, you could use a finger that you don’t use for the device, like a pinky or ring finger.”

Or you could just lift the print from the sensor’s glass.

Alex September 24, 2013 10:44 AM

I actually (mostly) agree with CCC’s conclusion: I dislike biometrics in that you can’t change them if need be. That is a major concern of mine, particularly having handled the issuing of credentials and access control at more than one of my jobs over the years. Yes, the most common problem with credentials is theft/loss of them, but we did occasionally see credentials used fraudulently. How am I to re-issue fingerprints to a compromised account/person?

At least in my experiences, fingerprint readers were more of a pain and generally only solved the lost/forgotten credential issue. It didn’t do much good for anything else.

Two-factor authentication works well and generally is tolerated by users. It’s certainly far more secure and tolerated than idiotic password policies which think Th#1x! is a secure password. My rainbow tables love those idiotic policies though, and my clients certainly appreciate how little billable time it requires. Thanks idiot, book-learned IT guys!

Anonymous123 September 24, 2013 10:44 AM

In the vein of what used to be conspiracy theory: Making a small jump, reverse the process. Hack the fingerprint from the iPhone, print it, pour it, and cure it. And that ladies and gentlemen is how my fingerprints ended up on the rifle that shot JFK two decades before I was born. Excepting that I don’t buy Appleware. And of course this will never be possible because Apple says so. Or an NSL says Apple says so, or a secret court, yep continuous colossal conundrum cortex copulation

Richard Schwartz September 24, 2013 11:01 AM

I agree that it’s a good tradeoff versus for a lot of people, but I think the reaction to this is more about countering all the initial hype that Apple’s fingerprint technology was better and more secure than other consumer-grade fingerprint technology. Clearly it wasn’t, and most people didn’t know that, and Apple was perfectly content to let them think it was.

And why the false choice between the fingerprint and a 4 digit PIN? If that was the only choice, wouldn’t pointing out the inadequacy of both for some people be more appropriate? You can set a longer passcode on an iPhone. You can still use all digits if you prefer, and while I’m not an iPhone user myself, my understanding is that if you do that the iPhone will still just display a number pad for entry, so you won’t have to deal with the full keyboard just to unlock it.

Clive Robinson September 24, 2013 11:01 AM

Whilst the CCC is right, they are only looking at one side of security with regards an object.

Bruce is considering other MORE likely aspects of an every day user of a phone.

That is you are more likely to have the phone stolen or be mugged than have a Federal Officer ordering you to unlock your phone.

For the majority of people that is only likely to happen when crossing the border of a nation.

Though in the US having the border area be one hundred miles deep kind of potentially affects over 99% of people in the US either continuously or fairly frequently.

DNS666 September 24, 2013 11:01 AM

@ Zach

The print for the CCC hack was lifted straight from the iPhone as detailed in this interview with the person responsible for the hack: https://netzpolitik.org/2013/interview-zum-hack-der-iphone-touchid-erschreckend-einfach/

Since it’s in German, here’s a quick translation of the relevant answer:

“For this hack, I lifted the print straight from the iPhone’s display. Its surface is perfect for this purpose, and what could be better than having the print readily available on the device you want to hack? But of course prints left on bottles or door handles would work just as well.”

stvs September 24, 2013 11:05 AM

The iPhone fingerprint reader is about a lot more secure than a four digit PIN, measured in the cost required to crack the device.

How long should the PIN on an iPhone be? Who the hell wants to type in xkcd’s “correct horse battery staple” every time they want to make a phone call?! The NSA recommends practical iOS passcodes of at least six random alphanumeric characters.

Using the assumptions from Colin Percival’s paper “Stronger Key Derivation via Sequential Memory-Hard Functions”, the cost in USD to crack an iOS 7 passcode (95 printable ASCII characters, 10,000 PBKDF2 iterations) in one year is plotted on Wolfram Alpha as a function of the passcode length. The ROM figures are:

passcode length 6: 10 cents
passcode length 7: $10
passcode length 8: $1000
passcode length 9: $100,000
passcode length 10: $10 million
passcode length 11: $1 billion

So for most people, a random passcode 9 printable ASCII characters long is exceedingly strong. By the way, a four-digit passcode costs a nanodollar/year to crack using Percival’s assumptions—a lot less than defeating a fingerprint reader.

A simple perl command to generate strong iOS passcodes, assuming a modern PBKDF2 hash, is:

$ perl -le 'print map { (map {chr} 32..126)[rand 95] } 1..9'

If you believe that it’s worthwhile for someone to theoretically spend $100,000/yr to crack your phone, then add characters. And unless you don’t trust key stretching, ignore this: http://xkcd.com/936/.

The real iOS problem that needs fixing is that the new biometrics isn’t used for two-factor authentication, and that authentication lasts for days.
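
Added example (not part of the comment above and not the commenter's code): the same nine-character draw from the 95 printable ASCII characters, done with Python's `secrets` module because Perl's `rand` is not a cryptographically secure generator, together with the keyspace arithmetic that is consistent with the table's roughly hundredfold step per added character. The function names and any guess rate passed to `search_seconds` are assumptions for illustration.

```python
import math
import secrets

# The 95 printable ASCII characters (space through '~'), as in the comment above.
ALPHABET = "".join(chr(c) for c in range(32, 127))


def generate_passcode(length=9, alphabet=ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passcodes of exactly this length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passcode, in bits."""
    return length * math.log2(alphabet_size)


def relative_cost(length, baseline=6, alphabet_size=len(ALPHABET)):
    """Exhaustive-search effort relative to the baseline length.

    Each extra character multiplies the work by the alphabet size (95),
    whatever the per-guess cost of the key-stretching function is.
    """
    return alphabet_size ** (length - baseline)


def search_seconds(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Expected search time: on average half the keyspace is tried.

    guesses_per_second is an assumption supplied by the caller; it depends
    on the iteration count and on the attacker's hardware.
    """
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def scaling_table(lengths=range(6, 12)):
    """(length, entropy in bits, effort relative to length 6) per row."""
    return [(n, round(entropy_bits(n), 1), relative_cost(n)) for n in lengths]


if __name__ == "__main__":
    print("sample passcode:", repr(generate_passcode()))
    for n, bits, factor in scaling_table():
        print(f"length {n:2d}: {bits:5.1f} bits, {factor:,} x the length-6 search")
```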

Ian McNee September 24, 2013 11:08 AM

Edd Black is right on the money here and unusually Bruce seems to be engaged in setting up a straw man: no a smartphone isn’t an ICBM launcher but associated with a person’s primary e-mail account (very likely) it is the simplest and fastest route to identity theft available to a criminal. I would say that makes this a moderate risk with high impact for a very large number of individuals.

On a related note, coming from the UK, I notice that commentary from the tech media and their readers is very different in the US. In the US the tone is much more to play down this problem as for example Bruce has done here and the generally respectable (IMHO) Dan Goodin has on Ars Technica. Related to market share and Apple’s reputation in USA?

Alex September 24, 2013 11:12 AM

@Ian McNee: MANY people in the USA have Apple shares (stock) as part of their retirement packages. It’s still a darling in the eyes of Wall Street. Why, I’m not sure, but so is Amazon and technically Amazon’s never turned a profit. Wall Street’s just a poker game. If you can read the bluffs, you can make some serious money.

Scott September 24, 2013 11:14 AM

To me, this is more for the end user’s peace of mind; you just want to make sure that some random person is going to, with significantly less effort, wipe and sell your phone rather than steal your information. In this case, it’s much better than a pin, although it isn’t like everyone even uses that in the first place. The best thing you can do is treat your phone like you do your credit card, if it is physically lost or stolen, change your account passwords; if you store credit card numbers on your phone, report your cards as stolen.

Even without fingerprint scanning, getting credit card information from your phone is significantly more tedious than just finding poorly secured websites taking credit card information, in terms of effort per card. If we were really serious about protecting data, we would develop a system so that knowing someone’s credit card/bank information wasn’t enough to charge to their account. It’s actually not that difficult to do, it’s just a matter of banks not liking change.

Adam September 24, 2013 11:26 AM

If you don’t agree with Apple’s solution to the “password suck” problem (ergo people either use crappy ones or don’t use them at all), then propose something that does solve the problem that you do support.

Here, I’ll start with an example:
http://www.kickstarter.com/projects/mclear/nfc-ring

Use an RFID ring as one factor and a long, complex password for a second factor. For people who don’t like passwords and don’t care much about security, they can just stick to the ring by itself… or a PIN by itself (which is no worse than the pre-iPhone5S scenario). If you lose your ring, you can just grab your phone and revoke that key. If you lose both your phone and ring (or they get confiscated, e.g. when you are accused of a crime), they still don’t know your password (hopefully).

If you lose all three at once, maybe you can remote brick your phone, maybe not. However, that is a separate issue and shouldn’t be confused with authentication. Some people will want the ability to remote brick their phone, other people won’t be comfortable with the possibility that such a feature would be used against them. This decision is independent of authentication.

Personally, I’ll stick to my dumbphone which has virtually no data on it (just phone numbers and recent SMSes).

Wael September 24, 2013 11:26 AM

@ John Campbell,

I wonder how quickly the NSA– and then the rest of the TLAs, like the FBI, DEA, etc, etc, etc– will get a copy of the fingerprint and compare them against the existing databases.

They already have your finger print since the day you were born, along with a DNA sample as well. Comparing that to a database is minor.

Anony September 24, 2013 11:45 AM

If the fingerprint is only hashed, why do you see it on the screen when you are setting the device up?

Didn’t we have a rash of thefts a while back where the gang was stealing not only the electronic items but also cutting off the fingers needed to unlock them?

Fingerprints are all over the device. This is security through obfuscation, just the effort needed to lift and reproduce the print.

Question: Once the thieves have my fingerprint, and have unlocked the device, what else will they find to do with said fingerprint? After all, it cost them time and effort to create that fake. Waste not, want not. Where will my fingerprints turn up next?

And how do I get a new set after they are compromised? Seems a poor tradeoff with long-term consequences for minimal security now.

Wouldn’t entering a passcode, or an Android-style swipe pattern, be better?

paranoia destroys ya September 24, 2013 11:50 AM

A counter to this crack is for the iPhone to be able to store multiple fingerprints. Then allow a user to set a sequence for them.
If one makes middle, pinky, index the unlock pattern then index, pinky, ring wouldn’t work.

A brute force attack on 3 digits may not take long unless we are talking about digits on your hand.

Clive Robinson September 24, 2013 11:53 AM

@ Bruce,

The CCC are not the only ones to do this.

You might want to add this link with your comments,

https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/

Oh and whilst I remember people are going on about the expense of the camera…

There is a much cheaper way of doing it. Have a scan around the Internet for 35mm film scanners there are quite a few around and some low cost ones will do the equivalent of 2400 DPI which should be sufficient with a little hand touching up.

Wael September 24, 2013 12:20 PM

I’d be interested to see RF fingerprint scanners “hacked”. Camera ones have been spoofed long time ago using various techniques. The funniest one I saw was during a demo, when the application engineer stated their fingerprint scanner cannot be spoofed (low FAR; False Acceptance Rate), and a low FRR (False Rejection Rate). We were in a dark room, because of the presentation. One of us enrolled through the FP scanner, and it worked fine. Windows session was logged out, presentation was over, all fine and dandy. When we turned the lights on, We were logged into windows again 🙂 — I guess the fingerprint remained on the surface, and light going through it appeared like a legitimate finger scan! That was back in the early 90’s…

The Application Engineer shouted with a Russian accent (no offense to my Russian friends) F#&%^ 🙂

Doug Coulter September 24, 2013 12:22 PM

They can’t be using a real hash. A single bit different in the input makes a completely different hash, which is the entire point of one. There will be read bit errors, no matter what.

I used to maintain the computers at the FBI that originally automated print scanning, and know the tech they used (and still do). They have to pick out a few “critical points” or vector intersections, and use that – maybe 6-10 of them. There’s almost no way to code that kind of thing in a hash and have it ever let in the intended user, much less anyone else.

And we already know – most failures of biometric systems are due to very loose thresholds being set so as to let in at least the desired folk – or a good enough picture of one of them.

Which one of 20 authorized people you are is a heck of a lot easier to get right (or which 20 fingerprint files for the FBI to pull and then examine manually) is a lot – a ton – easier than what Apple is claiming to try here.

Bruce might be right, it’s better than nothing. But with how dumb users are, it’s going to be a mess – it will certainly end in tears for a few at least – people keep far too much security related stuff on phones as is.

Wael September 24, 2013 12:39 PM

@ Doug Coulter

few “critical points” or vector intersections, and use that – maybe 6-10 of them. There’s almost no way to code that kind of thing in a hash and have it ever let in the intended user, much less anyone else.

Correct! They use minutia points, but with significantly denser encoding than 6-8 of them. Last I checked it was around 1k (I think).

The challenge is when you have a many-to-one mapping between hundreds of users and one device (or many-to-many). Then the balance between FAR and FRR becomes more delicate, and one of them (FAR/FRR) has to “give”.
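
Added example, not part of any comment in this thread and not Apple's or the FBI's algorithm: a toy Python model of the point made in the two comments above, that a cryptographic hash of a noisy scan never repeats, while threshold matching on minutiae trades FAR against FRR. The minutiae, noise levels, tolerances and function names are all constructed assumptions, and real matchers also align rotation and offset before comparing.

```python
import hashlib
import math
import random

# Toy model: a template is a list of minutiae (x, y, angle_degrees) on a
# 256x256 grid. All data here is constructed for illustration.


def random_finger(rng, n=30):
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(360))
            for _ in range(n)]


def rescan(rng, template, jitter_px=2.0, jitter_deg=5.0, drop=0.1, spurious=3):
    """Another touch of the same finger: jitter, missed and false minutiae."""
    out = []
    for x, y, a in template:
        if rng.random() < drop:
            continue  # minutia not detected on this read
        out.append((round(x + rng.gauss(0, jitter_px)),
                    round(y + rng.gauss(0, jitter_px)),
                    round(a + rng.gauss(0, jitter_deg)) % 360))
    out.extend(random_finger(rng, spurious))  # false detections
    return out


def exact_hash(template):
    """SHA-256 of the canonical (sorted) template: an exact-match check."""
    canon = ";".join(f"{x},{y},{a}" for x, y, a in sorted(template))
    return hashlib.sha256(canon.encode()).hexdigest()


def angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(enrolled, probe, tol_px=8.0, tol_deg=20.0):
    """Fraction of enrolled minutiae paired one-to-one with a nearby probe minutia."""
    unused = list(probe)
    matched = 0
    for x, y, a in enrolled:
        near = [p for p in unused
                if math.hypot(p[0] - x, p[1] - y) <= tol_px
                and angle_diff(p[2], a) <= tol_deg]
        if near:
            best = min(near, key=lambda p: math.hypot(p[0] - x, p[1] - y))
            unused.remove(best)
            matched += 1
    return matched / len(enrolled)


def far_frr(genuine_scores, impostor_scores, threshold):
    """FAR: impostors accepted (score >= threshold). FRR: genuine rejected."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def experiment(seed=2013, trials=200):
    """Scores for repeated reads of one enrolled finger and of random other fingers."""
    rng = random.Random(seed)
    enrolled = random_finger(rng)
    genuine = [match_score(enrolled, rescan(rng, enrolled))
               for _ in range(trials)]
    impostor = [match_score(enrolled, rescan(rng, random_finger(rng)))
                for _ in range(trials)]
    return enrolled, genuine, impostor


if __name__ == "__main__":
    enrolled, genuine, impostor = experiment()
    again = rescan(random.Random(1), enrolled)
    print("hash equal on re-scan:", exact_hash(enrolled) == exact_hash(again))
    print("match score on re-scan:", round(match_score(enrolled, again), 2))
    for t in (0.03, 0.5, 0.95):
        far, frr = far_frr(genuine, impostor, t)
        print(f"threshold {t:4.2f}: FAR={far:.3f} FRR={frr:.3f}")
```

In this model a strict threshold locks out the enrolled finger on most reads and a very loose one starts admitting random fingers; a replica made from the enrolled print scores like a genuine read, so no threshold setting separates it.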

Brian M. September 24, 2013 1:08 PM

How many phones are stolen for the data, and how many phones are stolen for the phone?

The (vast) majority of phones are stolen for the phone, to be sold to someone else who probably lives in another country. By the time someone gets around to trying to wipe the phone, are your fingerprints still going to be on it?

So +1 for using something other than your thumb or index finger for unlocking the phone. While I’ve read of an instance where a guy got his throat slashed while a thief grabbed his laptop, I really doubt that a thief will grab the phone and stop to chop off a person’s hands, too.

iOS 7 includes a new background mode for apps which allows an app to sleep in the background, and then occasionally wake up to perform an action. New app: scream “rape” like a little girl at full volume! Nothing like theft deterrent to have devices that scream.

Carlos September 24, 2013 1:55 PM

Jeeezz…

Yeah, the fingerprint thingy is broken, and yeah, since lots (I’d say most, actually) iPhone users also use them to check their e-mail, stealing the phone is probably an easy path to stealing the phone owner’s identity.

That said, the current situation is, lots of people don’t bother setting up a PIN to unlock their iPhones and one of the reasons they don’t do it is because they can’t be bothered to enter a PIN every time to unlock it: check Marissa Mayer’s interview from a few weeks back if in doubt about this point.

Since swiping the fingerprint reader is actually easy and you’d have to press the home button anyway to “wake” the phone, I can see how lots of people that don’t use a PIN will use this.

Also, the thief would need to get a good finger print. Yes, the screen (and pretty much the entire phone) is full of fingerprints, but most are partial and/or smudged.

AC2 September 24, 2013 2:02 PM

From http://www.apple.com/iphone-5s/features/:

“You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.

Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.”

If indeed “a lot of iPhone users don’t even bother with” a 4-digit PIN, how many of these people are going to go thru the fingerprint registration process… And, by the way, “you must also set up a passcode (as a fallback identification system in case fingerprint recognition fails).”

Ref: http://support.apple.com/kb/HT5949?viewlocale=en_US&locale=en_US

Very expensive snake oil IMHO…

John Campbell September 24, 2013 2:12 PM

@Zach: Who do you really trust?

While I, personally, am likely, if I had a 5S, to be matched with my “real” identity– I had a job back in the 1974-1975 time-frame that required a fingerprint record– anyone doing so would find my life to be a cure for insomnia.

All right, how are fingerprints encoded and rendered searchable within various LEO databases? What if the “signature” that Apple uses, as a hash, is the same basic mechanism, allowing key comparisons?

We don’t know. We can’t know, it is not an open source implementation.

In the midst of scandals w/r/t overstepping authority by various organizations, this is likely one of the stupidest ideas to sell as well as it has, but, then, remember, Apple has a lot of street cred and likely has deep penetration with those whose business is on the fringes.

Look, I’ve worked on Unix and Network security, so my paranoia usually hovers at eleven… occasionally much higher. (I had my paranoia made special, with a dial that goes over 10…) I am likely NOT PARANOID ENOUGH in the post-NSA-exposure world and can only take comfort in my utterly uninteresting life.

John Campbell September 24, 2013 2:17 PM

@Wael: Actually very likely; I’ve seen plenty of people who look more like me than I do, so, as near as I can ascertain, when God gets it right, he stamps out as many copies as he can.

Of course, I could be nothing more than chaff.

Wyatt September 24, 2013 2:17 PM

This may be a great opportunity for someone to see how many duplicate fingerprints there are among apple users.

Wael September 24, 2013 2:39 PM

@ John Campbell ,

I guess God got it right with you, and created plenty of your copy 🙂
Then again, maybe the purpose is to separate wheat from chaff 😉 Sorry, you set yourself up for that one 🙂

Zach September 24, 2013 2:45 PM

@DNS666- That’s definitely a bad sign, then. I’ll probably still use the fingerprint reader (with a strong 8 character password) because I think anyone with the resources to devote to that is likely to have me in custody anyway, and can force me to unlock my phone against my will. However, it disappoints me that the reader is not as secure as apple says it is.

@John Campbell- I trust Apple way more than I trust our government, but I’m not sure it matters when the trust level for both is already so low.

TimH September 24, 2013 2:57 PM

There’s one security model that the fingerprint unlock fails.

You can’t refuse to unlock your phone for police/customs anywhere. They have you, they can put your finger on the phone.

Rich September 24, 2013 3:30 PM

Even if Apple is doing The Right Thing and storing a hash of the fingerprint, what about some three letter agency remotely installing malware on your phone … they’ll be able to intercept the raw fingerprint before the hash function. If NSA can do that today, J. Random Spammer will have the same technology in a couple years.

To be secure, the iThing needs to make the scan and create the hash in hardware before any circuit trace leading to any programmable chip.

martinr September 24, 2013 3:47 PM

I strongly disagree with Bruce, Fingerprint readers make a bad security trade-off, especially when they’re advertised (and believed to be security-enhancing) like they will to a non-marginal amount of clueless Apple 5* owners.

While it is possible that some folks who are not currently using any PIN/Password might enable the fingerprint unlock, this will very probably be outweighed by the newly created problems — folks that had been using a PIN/password switching to using a fingerprint — falling for the fake security and starting to want the fingerprint opening option for other devices/areas/usages as well.
A stolen iPhone with fingerprint access enabled is not just weak security, it is also a verifier for the thief that they can reproduce the original holder’s fingerprint with sufficient quality that they are likely to trick other fingerprint readers where that fingerprint gives access immediately on 1st attempt. OUCH!

N September 24, 2013 5:13 PM

If anything, the fingerprint is a replacement for the user ID not the password. It uniquely identifies who you are but should not be used for authentication or authorization.

@stvs – “Who the hell wants to type in xkcd’s ‘correct horse battery staple’ every time they want to make a phone call?!”

…with an optimized auto-complete database (that only had the XKCD dictionary) and an on-screen keyboard (that only shows letters and dash character), it might be almost as easy to type an XKCD password as it is to type a PIN.

Perhaps not quick enough for every time you unlock, but for higher priority things (perhaps mobile payments, phone power-up) it could be very useful.

-N.

Thomas September 24, 2013 5:39 PM

@Bruce
Apple is trying to balance security with convenience. This is a cell phone, not a ICBM launcher or even a bank account withdrawal device.

I’m sure there’s an App for that…

@Nicholas Weaver
Especially since that’s far more effort than breaking a 4-digit pin: the iPhone’s pin lock can be brute forced through a USB cable … and it takes about 1s per try.

I can only assume I’m reading that wrong. There must be an exponential timeout or somesuch to prevent brute force.

4-digit pin
pro: easy to change, should take weeks to brute force (assuming 15-min timeout between tries)
con: shoulder surfing, marks left on screen, probably “1234”

fingerprint
pro: impossible to forget, non-trivial to copy
con: impossible to change, easily available

It seems to be that a decent PIN with sane brute-force prevention should be more secure than a fingerprint reader. 2-factor would be great, but apparently that’s not an option (yet?).

While the fingerprint reader provides some security, it may provide the worst kind: a false sense of it.

RQ September 24, 2013 5:57 PM

This post by Bruce is mainly on the subject of his difference of opinion to Frank Rieger of the CCC.

Frank says that Biometrics are most suitable as a tool of oppression, Bruce counters that biometrics provide better security than none.

Therein lies the irreconcilability of the two positions.

Frank is expressing a political opinion. As a member of the CCC I feel confident in saying that we are a techno-political group of people, for the most part. I certainly feel that the place of technology is for the betterment of society, and that therefore technology is a political instrument. As does Frank.

Bruce however is a mathematician and cryptologist. He is of the opinion that a technology can be weighed against another based solely on a logical appreciation of their attributes.

Bruce can not debate Frank fully until he accepts the premises on which Frank’s reasoning rests: that security is a political endeavour.

As it stands, this is a non-debate.

Skeptical September 24, 2013 5:59 PM

I think Bruce’s argument here is persuasive. The purpose is to defeat unauthorized access by common criminals (or nosy flatmates, friends, acquaintances, etc.). It’s not to keep SVR officers from sniffing through your phone while you drift into a pharmacologically enhanced sleep.

DB September 24, 2013 7:14 PM

@adam don’t forget your “dumbphone” recorded your location every few seconds of most of your life…

Muddy Road September 24, 2013 7:55 PM

The consumer jury has voted. They are buying millions of the phones and thus have acquitted Apple of any bad engineering, bad intent or bad marketing.

At this point we might as well let this run awhile and see what happens.

I could easily see a government order for a unique biometric to open all electronic devices.

Alternately, I could see that people tire of the print gimmick and simply leave their phones wide open, as always.

Tony Evans September 24, 2013 11:20 PM

Has anyone realized that if you can fabricate a replica fingerprint from a hi-res scan (and some photo-manipulation to clean it up), you can also fabricate random ‘pseudo-fingerprints’ that have nothing to do with your own biometrics?

Make a one-off physical copy of some random sequence and register that as your fingerprint. Then keep it on your key chain or in your wallet. It’s now something you carry with you rather than something that is a part of you.

Don’t want someone accessing your device with the physical copy – just destroy it before they can use it (or keep it well protected). There should already be a recovery feature if you can’t access your fingerprint (actually I think it stops accepting fingerprints after a few days of not using it, need to check for a reference). Make it biodegradable or from something that falls apart after some time frame or under certain conditions. Then create a new one, kind of like how you would change your password every so many units of time.

Legal issues of destroying a little rubbery, fingerprint-like object when proper authorities want to access the device? (You could always say you were just playing around with some silly putty for stress release.)

A little less convenient than just sticking your finger on the device since you have to pull out the physical device each time – but it’s no longer tied to your biometrics. The convenience factor is probably the main point of using a fingerprint to access the device, but since people have already tried other body parts and even their cat’s paws, I’m not sure it matters. (Just make sure your cat doesn’t use their Twitter account to post links to hi-res copies of their paw print.)

TKS September 25, 2013 1:30 AM

I disagree with you, the CCC’s conclusion is perfectly valid.

When your password/pin is compromised, you can change it.

Your fingerprint will be compromised forever!

I’ve read in some blog you’ve changed your PGP/GPG and OTR Keys…

Mike the goat September 25, 2013 1:32 AM

Tony: empirical tests have shown that there isn’t much validation applied to the scanned print metrics, e.g. someone unlocked their phone with their cat’s paw (not sure what the cat thought of it), another used their penis (no kidding). So I would assume you could use anything with defined contours and ridges and it would accept it as a ‘print’ for future unlocking. That said, I can’t think of any reason why you would want to do this.

What would really be cool is if Apple used the metrics as an encryption key. I imagine though it would have to be ‘fuzzy’ enough to account for differing appearances as a result of relative humidity etc. to the extent that prints generating the same key would be common and the equivalent key length would be so low that brute forcing would be trivial. Oh and think of new amputees – not only do they lose their finger but they lose access to their data too 😉

Figureitout September 25, 2013 1:41 AM

Bruce, it’s not an ICBM, but certainly can place targets for them or control a drone at least. It can do more than my arduino and my transceiver and they can both do a lot. Plus, missiles apparently can be directed to your signal and the 6-ft radius of error doesn’t matter as you get your limbs blown at least 100 ft away.

surprised at Bruce downplaying the risks September 25, 2013 2:13 AM

I too am surprised at Bruce’s saying “it’s a good trade-off for a lot of people.”

1. Using fingerprints as a password is a form of password re-use: as this kind of fingerprint technology catches on, people will be reusing their passwords (fingerprints) for many things, not just their phones, and we know that using the same password for multiple accounts is a Bad Practice.

And you cannot change your fingerprint, unlike a text password.

2. Access to someone’s smartphone IS dangerous because of access to their email account, which practically speaking gives access to all their other accounts, including financial accounts.

3. Finally, there is no way in hell I would trust the privacy of my personal unchangeable fingerprint being given to proprietary software like that. Apple and other companies have demonstrably lied about protecting users’ privacy.

Figureitout September 25, 2013 2:25 AM

The fact of the matter is Bruce, like almost all of you out there, cannot deal w/ the awkwardness of pulling out your “flipper” “dumb” phone when someone asks you for your number. You are being socially controlled and your security is being compromised b/c of it; I only know of one adult whom I respect a lot who doesn’t carry a cell on him at all. Think how much more aware of your surroundings you are and the day-to-day physical security is enhanced. Someone robs you they won’t get a phone.

Clive Robinson September 25, 2013 2:57 AM

@ Jacob,

Yes “taking the 5th” has become a contentious issue (remember the old law that a wife could not testify against her husband…).

In my post above I give a link to an article which actually has a case of 5th/compulsion over encrypted media mentioned in it.

bobke_lap September 25, 2013 10:03 AM

Using biometrics as a sole access mechanism is imho fundamentally flawed for the following 2 obvious reasons.

1) you can’t revoke a biometric feat as you can with a password or a token
2) a biometric feat is not a secret

Another general misconception about biometrics is about the hashing. They are only storing the hash so I don’t have to be afraid of stealing it… Well not quite right.
Because each biometric reading is slightly different. Hashing it will result in completely different hashes each time. Therefore something like a ‘compressed image’ is stored instead of a hash. Theoretically it is possible to revert this compressed image to something that appears authentic enough to fool biometric readers.

So to conclude I agree with the statement of CCC about
‘The public should no longer be fooled by the biometrics industry with false security claims.’

While for the users the tradeoff might make sense. I personally believe that the ‘general public’ should make this tradeoff on objective information not only on claims of security of the biometric industry.
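
Added example, not part of the comment above and not any vendor's code: a sketch of the hashing point, using a constructed 256-bit feature vector with an assumed noise level and match threshold. It shows an exact hash rejecting a second reading of the same finger, while a threshold comparison against a stored template accepts it.

```python
import hashlib
import random

BITS = 256  # constructed feature-vector length, not any real sensor's format

def flip_bits(reference, n_flips, rng):
    """Return a copy of `reference` with exactly n_flips bits inverted."""
    flipped = set(rng.sample(range(len(reference)), n_flips))
    return [b ^ 1 if i in flipped else b for i, b in enumerate(reference)]

def digest(bits):
    """Cryptographic hash of a reading, as one would store for a password."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def hamming(a, b):
    """Number of positions at which two readings differ."""
    return sum(x != y for x, y in zip(a, b))

def hash_match(stored_digest, reading):
    # Exact comparison: a single differing bit changes the whole digest.
    return digest(reading) == stored_digest

def template_match(template, reading, max_fraction=0.25):
    # Threshold comparison: needs the template itself in comparable form,
    # so the stored record is biometric data, not a one-way value.
    return hamming(template, reading) / len(template) <= max_fraction

def demo(seed=2013):
    rng = random.Random(seed)
    enrolled = [rng.randint(0, 1) for _ in range(BITS)]
    same_finger = flip_bits(enrolled, 13, rng)    # ~5% sensor noise (assumed)
    other_finger = flip_bits(enrolled, 128, rng)  # unrelated: 50% of bits differ
    stored = digest(enrolled)
    return {
        "noise_bits": hamming(enrolled, same_finger),
        "hash_same_finger": hash_match(stored, same_finger),
        "hash_exact_replay": hash_match(stored, enrolled),
        "template_same_finger": template_match(enrolled, same_finger),
        "template_other_finger": template_match(enrolled, other_finger),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because matching needs the template in a comparable form, the stored record has to be protected as sensitive data in its own right; it cannot be treated like a salted password hash.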

Dave September 25, 2013 10:32 AM

This is a cell phone, not a ICBM launcher or even a bank account withdrawal device.

A cell phone is certainly a potential “bank account withdrawal device”.

Somebody September 25, 2013 11:35 AM

@Dave A cell phone is certainly a potential “bank account withdrawal device”.

Everything is a potential bank account withdrawal device.
Whether something is a bank account withdrawal device is not an attribute of a device. It is a decision of the bank (and account holder). If the bank wanted to they could allow a piece of paper with a scrawled ‘X’ be a bank account withdrawal device.

So the problem is not that a smartphone is unsuitable as a bank account withdrawal device. The problem is with people who use, or encourage the use of, an unsuitable device. Similarly for using insecure email accounts as a back door and people who use utility power for life support and then insist it must be five 9’s reliable.

There is nothing inherently wrong with a phone or email that is not secure. There is nothing inherently wrong with power that works “most of the time”. There is a lot wrong with people who treat unsecured communications as suitable for sensitive information or don’t supply backup power supplies where needed.

Dirk Praet September 25, 2013 12:34 PM

Al Franken, Chairman of The Senate Judiciary Subcommittee on Privacy, Technology and the Law has addressed a letter to Apple CEO Tim Cook with quite some pertinent questions, formal answers to which I believe would clarify some of the FUD currently surrounding the matter.

In my opinion, Touch ID in essence is sexy security theater for the layman who can’t be bothered with typing in a strong password, and that may also come with a catch. For everybody else, my recommendation is not to use it. To Apple’s credit, it is a good thing that you still have to unlock your device after a reboot and after 48 hours of not unlocking your phone.

@ Figureitout

I only know of one adult whom I respect a lot who doesn’t carry a cell on him at all.

You can add Susan Landau to that list.

retw September 26, 2013 6:19 AM

I think that Bruce Schneier and the CCC are talking at cross purposes here. The CCC are talking about public perceptions of the effectiveness of biometrics in general, while Bruce Schneier is talking about the effectiveness of Apple’s implementation of a particular security system.

Given that it’s likely that some politicians will cite Apple’s use of biometrics in the iPhone when pushing for a wider use of biometric controls in other areas, I think the CCC are right to take the long view here.

adam September 26, 2013 9:44 AM

Apple is offering an option to replace a four-digit PIN — something that a lot of iPhone users don’t even bother with — with a fingerprint.

I’m going to echo what martinr said already. This may be an improvement for those with no PIN on their phone now, but this is going to weaken security for many of those who switch from PIN to fingerprint.

Dave September 27, 2013 6:53 AM

To fix the problem they will use a color template to assert if the finger is real and not dead. This will then fail in use in the Okavango region in Africa where the sole of the hands are black and not of a pale variety like European. I have experienced this while doing pension payment in Nambia. Where the payments were verified by finger print.

Wael September 27, 2013 7:08 AM

@ Dave,

To fix the problem they will use a color template to assert if the finger is real and not dead. This will then fail …

That’s pretty funny:)
Btw, did you mean Namibia? Reminds me of George Bush and his talk about a park in “Batswana” lol

David Mayadas October 17, 2013 12:10 AM

Why bother with fingerprints? I should be able to register ‘anything’ readable by the fingerprint reader and use that to authenticate. I can change my ‘anything’ with something else so it’s just like changing my password. Examples of anything could be my fingerprint, a bar code, a photo, a gesture etc. as long as it can be read by the reader.

I believe the above would be as convenient as presenting my thumb and more secure because it’s my secret thing that only I have which I present to the reader for authentication.

John D January 7, 2015 10:44 PM

Given that Apple has rolled out ApplePay which links your credit card to their simple touch payment system, and many people also store most of their other personal data on their phones, enabling identity theft, being able to easily lift a print and use that to unlock their phone is definitely a major security concern.

I personally see banks liking Apple Pay because it can save them money on implementing PIN and CHIP credit card security. And combined with the thumbprint vulnerability, this will keep the US as the top fraud target globally and with the lowest security standards.

It represents a major step backwards in security.


Sidebar photo of Bruce Schneier by Joe MacInnis.