So the iPhone 5s, Apple’s newest, shiniest consumer thing, has had its new biometric security broken by no less than the famous Chaos Computer Club (CCC). Using a simple spoofing attack which involves taking a print of the registered finger on a latex sheet, the phone’s sensor can be fooled into thinking it’s seeing the original digit. By applying a simple trick which can apparently defeat the majority of fingerprint sensors, CCC have demonstrated a weakness in Apple’s security and will hopefully claim one of the many prizes which have been offered for the first successful hack.
Except… does it really matter? Let’s be realistic here. A successful ‘real world’ attack on an iPhone 5s – or any other fingerprint sensor – where the subject is not compliant (and one assumes is unaware of the attack), requires the bringing together of the phone and a good copy of the fingerprint. Not beyond the wit of a skilled team of fraudsters, but hardly likely to be used by a casual attacker. In most real-world situations, the fingerprint is still an improvement over a four-digit PIN, which could easily be shoulder-surfed by an observer, and would be an irrelevance to the likes of the NSA.*
Some of the whackier articles out there suggest that the biometric approach is vulnerable to being used whilst the victim sleeps (which suggests a level of intimacy where getting the PIN would be much simpler), or that the owner’s cat might be able to unlock it. All this will work in Apple’s favour in the long run, but in the short term the stories distract from Apple’s ‘privacy by design’ approach to their sensor.
What’s really welcome in Apple’s design approach is the use of a fingerprint hash within a secure element in the iPhone 5s. The phone does *not* store a copy of the fingerprint itself, but instead a hash of the print, such that the original image *cannot* be recovered by an attacker because it simply doesn’t *exist* within the device.
This philosophy is an important (if obvious) step for the broader acceptance of biometric technologies. As CCC have shown, a fingerprint image can be stolen, either physically or electronically. But a hash, which is a *one-way* mathematical function, cannot be used to recover the original image. This matters somewhat, since most of us only have nine password resets available to us before we have to start using alternative appendages, or alternative biometric technologies.
A really significant headline here would be the *electronic* copying and spoofing of the fingerprint image, in a way which would facilitate a remote attack. But that’s not happened yet, has it?*
* NSA/GCHQ caveats – if everything we’ve read about PRISM and related surveillance, interception, and engineered weaknesses in online security systems is indeed true, then all discussions of commercial security need to be subject to a standard disclaimer that the security doesn’t apply to the NSA/GCHQ. More on that later.
Declaration of interests: I’m an Apple user. I don’t own a 5s and have no plans to do so. I’m a fan of well-designed biometrics systems.