
Is iPhone Fingerprint Security Secure At All? (Op-Ed)

By Kevin O'Brien, CloudLock - Source: Tom's Guide US

Kevin O'Brien, currently working with the cloud security vendor CloudLock Inc. as an enterprise security architect, has been part of the security community for more than a decade. O'Brien contributed this article to Tom's Guide's Expert Voices: Op-Ed & Insights.

With iOS 7 released this week, the security community has been reflecting on the impact of Apple's new fingerprint authentication mechanism that comes as part of the iPhone 5s' hardware, weighing the consequences for both data integrity and personal privacy that ubiquitous biometrics will bring.

Like many in the industry, I watched Apple present the technology on a darkened stage earlier this month, and as an outsize digit appeared behind him on the presentation screen, I listened to Phil Schiller, senior vice president of worldwide marketing at Apple, make the pitch for scanning each user's finger as a login mechanism. Apple's core message was not complicated: More than half of the mobile users they surveyed admitted to not using any type of lock code on their devices, citing inconvenience as the reason for allowing their data to go unsecured should they lose direct physical control of their phones. By integrating a scanner into the primary button on the device, Cupertino's designers planned to enhance mobile security for those users, leveraging what Morelli described as "a key we have with us everywhere we go."

There is, however, reason to pause and consider exactly what that means. Two of the most important questions raised during the keynote address (and that are still unanswered at this point, even as this data is being collected and used) are the following: First, can Apple's claim that the biometric data is being stored in an indirect way and in secure storage on the new phones be trusted, and second, are the company's motivations for implementing the technology as noble as it claims? On both accounts, I have my doubts.

The fallacy of physical security

Some years ago, I was sitting in a coffee shop in Kendall Square, in Cambridge, Mass., looking at a hardware security token that was supposedly unhackable. Across the table, a hacker from the sadly long-gone @stake research and development team was taking a group of us through his findings on how easy it was to gain access to the high-value encrypted data on the device.

USB security keys were new in 2000, and one of the early ideas for their application was to store cryptographic and sensitive data on them, allowing the information to be removed from a computer when not in use, effectively air-gapping a person or organization's most important information from the Internet. In this case, the device manufacturer had built in a number of tamper-proofing features, such as coating the chip in a special epoxy to prevent hackers from identifying it, as well as a robust set of software controls that supposedly made it impossible for a hacker to gain unprivileged viewership permissions of the cryptographic data stored on the chip.

A hobby knife and heat gun bypassed the tamper proofing; a quick dip in some chemicals from a high-school chemistry set removed the epoxy coating without causing any damage to the hardware beneath it. The software defenses — a hashed and obfuscated copy of the administrative credentials used to protect the critical data — were similarly trivial to bypass. In a few minutes, with a combination of hardware and software available for less than $20, the entire file system was decrypted and exported.

The lesson from that late-summer afternoon has stuck with me since, across different domains in the security industry, and it still informs my response to countless promises from hardware vendors and experts touting some new "uncrackable" device: Given physical access, no security will suffice against a dedicated and skilled attacker.

This is a weakness in the iPhone defense strategy that Apple cannot easily dismiss. In suggesting that users' fingerprint data will be secure because it will be stored in an encrypted hash on the processor, Apple is opening itself up to a tremendous number of potential weaknesses, from poor implementations to weak entropy pools to simple encryption bypass attacks.

While the specifics of where the cracks in this type of defense will emerge require additional time, research and attention, Apple's logic relies upon an argument that has never been true. Especially with the physical hardware readily available, it is highly likely that any and all hardware and software vulnerabilities will be found and exploited in short order.

Of course, it may be the case that the sly hacker will never need to crack open the case, or find a flaw in the phone's A7 chip; this supposedly secure data may very well fall to simple social engineering. In July, Juniper Networks published a report noting a 614 percent increase since 2012 in the number of malware apps on the mobile market — largely, but not exclusively, targeting Android devices — but as the value of the data on Apple's devices increases, it may well be that an app will simply find a way to exploit the hardware or even convince a user to provide it openly. One can easily imagine a maliciously coded video game, just legitimate enough to slip under the walls of Apple's App Store, that, in practice, can read fingerprints directly and shuffle them off to parts unknown.

Cui bono, Cupertino?

The second, and perhaps more interesting, line of questioning is whether Apple's case for using fingerprints for authentication is as it appears to be.

Discussions of security and privacy have changed over the past few months. While this sort of information once would have entailed a theoretical or academic investigation into reversing cryptographic hashes or exploiting insecure chip design, it must now be viewed through the lenses of both political will and corporate credibility.

Last month's most recent revelations from the ongoing breach of U.S. National Security Agency (NSA) files by Edward Snowden described how the agency was collecting data on vast numbers of different media, primarily through privileged telecommunication network access. Therefore, many supposedly secure mechanics are intentionally compromised, presumably under order from the United States' most secretive intelligence agency. Chatter among the security literati has suggested that even the most powerful consumer cryptographic hardware has been outright bypassed by NSA order. Apple's claims may be that it isn't like Intel, but at the risk of encamping with the tinfoil crowd, couldn't the company be lying, and being forced to do so under penalty of law? Worse, can anyone really be certain that Apple hasn't been organizationally compromised, its device security faulty unbeknownst even to its own internal design teams?

One must be cautious about seeing threats in every shadow. However, extending an argument about potential risk to its extremes can highlight fundamental questions about what is at stake. We know now, beyond any doubt, that both incredibly well-funded government agencies and a myriad of hackers, each with their own agendas and ideologies, are laying siege to any and all online data. To paraphrase from pop culture, if you put it out there, they will come.

So why is this data there to begin with? Is the supposed benefit — more secure cellphones that can't be accessed easily by common thieves — worth the cost? There is an old maxim in security, attributed to security technologist Bruce Schneier himself, that seems apropos here:

"The only secure computer in the world is unplugged, encased in concrete and buried underground — and even that one might be vulnerable."

Apple claims that its use of fingerprints will be secure; users' biometric data will be stored in a secured chip, and only in hashed form. It sounds good, but each person only gets a single set of fingerprints in his or her lifetime. No one knows what the future holds for the use of fingerprints as authentication tokens, but using them for relatively low-value devices' security seems ill-advised — no matter how ardently the device manufacturer argues for the unassailable defenses that are in place, this information is simply less secure by merit of being present on consumer-grade iPhones — subject to so many different attacks, weaknesses and manipulations — than if it were absent.

If the concern were that users were not using a passphrase — if Apple had decided to become the champion of iPhone security — why not simply enforce a login code on all devices, rather than using deeply personal biometrics to access a comparatively vulnerable environment?

Who really benefits from this innovation?

The views expressed are those of the author and do not necessarily reflect the views of the publisher. This version of the article was originally published on Tom's Guide.

This thread is closed for comments
  • 0
    tiedwai , September 20, 2013 10:52 PM
    I'm really sad I wasted 3 minutes reading this article, but since I did...

    1. Wow, really, nothing is truly secure??? MIND BREAKING NEWS!!! ( Don't know why it needed to take so many paragraphs to illustrate this point)

    2. The fingerprint sensor's purpose is not to be the ultimate shield of digital information. It is for the lazy
  • -4
    lansiman , September 20, 2013 11:33 PM
    why not enforce all phones to login code? because it's a hassle if you type a password 128 times a day.

    this article suggests nothing is secure so we should do nothing about it. idiotic mind, this is just the first step of security tech evolution; if everyone thinks like you there will be no advancement in technology, just sitting and picking fault
  • 1
    edogawa , September 20, 2013 11:45 PM
    Nothing is secure, never separate yourself from your phone, and you will be safe. I use an APP locker on my phone and can locate it with GPS using any PC too in case something were to happen.
  • -9
    Panssarikauha , September 20, 2013 11:53 PM
    Horrible journalism... The proof here was that there are malware apps, theorycrafting and cracking a
  • 6
    otacon , September 21, 2013 12:07 AM
    Given enough time, anything that is stored electronically can be accessed. Any security measure in place is to simply buy the user enough time to wipe data from the device if it is ever stolen. The notion of securing your device is an illusion.
  • 8
    aisalem , September 21, 2013 12:38 AM
    If you all will read with understanding then you will catch the point of the whole article. It's not about telling that nothing is secure but to point that you cannot change your fingerprints (like passwords) and by putting it on cheap, low level of security device you're simply compromising one of your biological IDs that might be used in future for something more than just unlocking your phone.
  • -3
    brucek2 , September 21, 2013 1:28 AM
    Apple is offering this feature as a convenience, not as a new breakthrough in maximum security applications. This article reads like a rebuttal to a claim that was never made in the first place.

    If press reports are to be believed any law enforcement organization or anyone who knows anyone in that community can already obtain an adapter that will quickly download all memory & storage from any iphone that they can gain even brief physical possession of, with or without any unlock code.

    Few if any ordinary individuals currently take any action to protect their own fingerprints, which are therefore already obtainable by anyone with access to their office, home, car, or places they frequent -- or phone that they obtain.
  • -5
    Akizu , September 21, 2013 1:45 AM
    If someone steals your iphone to get your fingerprints he doesn't have to hack it as your fingerprints are all over it and a professional will have a way to scan them. And for all the thieves that steal iphones to resell them... They don't care about your fingerprint data... They just want to remove the lock and wipe your data clean so they can resell the phone. Some may look for credit card data, passwords, etc. but most don't bother.
    As long as there is decent control over which apps can access this data and fingerprint sensor, everything will be fine.
    I just hope that some Android phones will get fingerprint readers too in near future as it's a good feature.
  • -5
    dirmanian , September 21, 2013 2:38 AM
    stupid article
  • -3
    unrealswat , September 21, 2013 4:43 AM
    Just to point out, whilst it may be some people are lazy, remember the accessibility issues regarding someone that is blind using their iPhone, they have no benefit to a pass code lock as they require the iPhone to read out the character they are about to press. So therefore all they've done is tell everyone their passcode, even if they use a headphone unless they are using both what's to say nobody else has picked up and is listening to the other one, it sounds silly but they can't SEE it.

    Finger print security makes sense for these people, an easy way to have some privacy on their phone AND still be easy to use.
  • 2
    jldevoy , September 21, 2013 5:12 AM
    I was under the belief that fingerprint systems only store key point data, not the actual fingerprint itself.
  • 2
    cemerian , September 21, 2013 7:49 AM
    ok to all the pro fingerprint safety, that technology is the most insecure one imaginable.
    http://youtu.be/3Hji3kp_i9k
  • -5
    truerock , September 21, 2013 8:08 AM
    I'll agree that this was a very poorly written article. The questions raised are legitimate - the analysis was irrational.

    Apple has implemented the first widely used biometric security technology. It will be interesting to see how well it plays out. My initial impression is that this might be a significant improvement to smart phone access security.

    I currently use RoboForm as my smart-phone credentials database. I assume that within a year or 2 Apple will have a superior solution.
  • -2
    popatim , September 21, 2013 12:16 PM
    Has no one but me realized that the print used to access the 5 will be ALL OVER THE CASE already?

    LMAO.
    60 seconds with a fingerprint brush, black and bi-chromatic powder, and lifting tape will get you all the access you want..
  • 0
    danwat1234 , September 21, 2013 2:14 PM
    Kevin O'Brien is 1 of the main guys over at storagereview.com that does reviews.
  • 1
    maddad , September 21, 2013 4:54 PM
    My 3-4 yr old Motorola Atrix 4g has a fingerprint reader. I like it much better than having to type in a password all the time. Is it accurate, can it be spoofed? It doesn't even like my finger half the time. Why is it this only gets criticism when "Apple" adds it to a device?
  • 1
    ap3x , September 21, 2013 6:14 PM
    Popatim, You do realize that the iPhone 5s fingerprint reader is sub dermal right. It is actually a capacitance reader. The outer layer where your finger print is non-conductive, the sub-dermal layer is actually conductive. So the iPhone's Biometric sensor is actually reading the differences in conductivity to create the print. You won't be able to bypass it with just a lifted print as you're suggesting.

    Also, keep in mind that the outer ring is used to let the sensor know to activate. It may also be emitting a small current to make the capacitance clearer to read. This would also explain why it works even when your finger is placed on the button in a different position. This is something that a traditional finger print reader would have a hard time with.

    At some point you guys should just give them a little credit. The way they have engineered this thing is pretty solid.
  • 0
    rwinches , September 21, 2013 11:28 PM
    You drop your iPhone it slides across the pavement and scratches the sapphire surface oops it can't read your print. Then what?
  • -1
    dizzy_davidh , September 22, 2013 12:03 AM
    I just don't see what the big deal is. Most folk lock their phone with a four digit key combo which is hardly the Enigma code!

    As for the integrity of the finger-print data itself the answer is simply don't use it for anything other than unlocking your phone and keep all your other pass-codes away from the likes of 'remember me' cookies, pass-code and login key-chains and anything that would allow access to your mail.

    Realistically nothing is secure, hell RSA has just told its customers not to use the tech that relies on its Ignition algorithm which includes about 40 million number-generator key-fobs they produced in the past decade all of which are supposedly compromised (I remember a website that lived for about a day that let you predict the next number of an RSA token, and 'Yes' it worked, so it should not have been news that Ignition is busted but as an NSA/CIA hit squad probably killed the site owner, the story never got far).