Just to keep things in perspective, the goal of Touch ID is not to be unhackable. The goal is to get more consumers to move from zero security to pretty good security.
A very large number of people don't put any kind of passcode of any kind on their phone, simply because it's inconvenient. Touch ID is designed for them. It's not designed to secure nuclear footballs.
Touch ID is going to massively reduce the number of totally unsecured iPhones that require zero effort to access. That's the goal.
I think some people see "fingerprint scanner" and think "military-grade security" because that's where we've seen scanners before in movies and such. But this is really very much a solution for the consumer market, where convenience and usability are critical features of a security system. Sometimes infosec folks forget that. If you make it too hard to use (passcodes), people just bypass it. So you can blame the user, or you can try to design something easier to use. If in the end you've improved the overall security landscape, you've succeeded. I think that's what Apple is doing here.
Here's Apple's main marketing text on the subject:
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password.
It is definitely intended to replace passwords. Pretty good security would be to require both the fingerprint and a PIN (for unlocking the phone, at that stage a fingerprint is fine for authenticating iTunes' digital purchases).
I think it's more than adequate security for App Store purchases.
My debit card, for example, has "paywave" short range payment support. So anybody who has my card can go around making small purchases, no PIN, no signature needed. I'm fine with this because the convenience far outweighs the security concern.
With the iPhone an attacker who replicates your fingerprint can make purchases to your iTunes account using your phone. They can't purchase to a different account, they can't purchase to a different device. In that sense, requiring a valid fingerprint is more than secure enough — even if faked it's not going to do much damage.
Creating a fake print that can fool the scanner is so much harder than stealing someone's debit/credit card. It's also so much less damaging to the victim (making purchases on their iTunes account vs. making any arbitrary purchase).
I think the balance between security and convenience for this technology is more than reasonable.
"you don’t have to enter your password" != "you don't need a password"
As I understand it every now and again Apple will prompt you to enter your passcode/password, such as when you restart your device or if you haven't unlocked it in two days. Hardly a signal that passwords are done.
> You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
That's what I was thinking, too. The fingerprint scanner is a bit like a LoJack - it's still possible to steal a car with a "The Club" on it, but most thieves will probably just move on to another car (although I've heard that car thieves, like pick pockets, don't really steal cars anymore, just components and loose gear.)
To corroborate your point, here is the transcript from the 5S launch:
"The third feature is all about security. Now we have so much personal information on our devices that we want to protect. <snipped> So we have to protect them. The most common way of course is to set up a passcode. Simple four digit passcode or more complex one if you want. This is something you do, dozens of times a day to unlock and get access to your phone. Unfortunately, some people find that's too cumbersome and they don't set it up. In fact in our research about half of smartphone customers do not set up a passcode on the device and they really, really should. That's the team has worked so hard in the brand new technology to make this easy and fun to do."
Touch ID is not "pretty good security" it's not even "good security" it's simply very bad security.
Touch ID is better than nothing and that people use Touch ID instead of nothing is better than the current state but not by much and this definitely isn't a huge achievement. Which is really the biggest issue with Touch ID, it's advertised as such and people believe it.
I'd be willing to bet that over the next couple of years millions of people will try to log into somebody's iPhone that they shouldn't have access to, but in the process are prevented from doing so by the fingerprint based security.
I also bet, in 99.9999% or more of those cases, the attacker doesn't even attempt to bypass the security by faking the user's fingerprint.
I'd also be willing to bet that these figures are substantially better than the current situation where people don't bother to lock their phone at all. People will use it because it's a gimmick, not because of its security properties, but it will still work.
> Touch ID is better than nothing... but not by much
You can't be serious. A completely unlocked phone that anybody can trivially access with a swipe.. vs. a scanner that you'd have to lift and reconstruct someone's fingerprint to bypass. That is definitely a significant improvement.
While I don't have data to back it up, I believe most Android users use the draw pattern to unlock method. This feature is absolutely trivial to defeat - you can simply hold the phone up to the light, see the trails of oil left on the phone, and follow that trail. People have done this to my own phone with just a few tries.
TouchID represents a massive increase in security over draw pattern to unlock, and it's easier to use at the same time.
It probably also represents an increase in security over 4 digit PIN codes, though that's shakier.
Having a lock in your front door is not perfect but it is much better than not having one at all.
The way that Apple haters use stunts like this to suspend normal logic and reasoning in order to express their juvenile spite is staggering.
No one, ever, claimed TouchID was impregnable, but it is very good security and is better than what the vast majority of people do at present.
Anyone prepared to devote the time and resources that CCC did to breaking your phone has other simpler means at their disposal. I personally believe that no one else will replicate this achievement because it is simply a publicity stunt to get clicks and feed the hordes of anti-Apple zealots.
Touch ID is competing against pins chosen from a universe of 10,000. This isn't great security, but it's appropriate security for unlocking a device you already must have physical access to.
I was going to argue with your statements but then I turned the screen in my phone off and realized that the front part of the screen is covered with my thumb prints, and they are ripe for photographing.
I took a security class where, amongst other things, we learned how to pick locks. After we learned how to do so with provided equipment, the instructor said "So since these locks are insecure, should I have them in my home? Yes, because if a motivated intruder wanted to come into my home, I still have windows."
Except, there is a larger point that CCC is making:
> fingerprint biometrics is unsuitable as access control method and should be avoided.
What happens when the next set of hackers figure out how to remotely access and extract the fingerprints (hashed, secured, whatever) stored on the iPhone itself?
I don't really think it is relevant. The iTunes authorisation for example wouldn't be sent the fingerprint information, it would be sent the response 'yes the person passed the test'.
The fingerprint information stored in the 'secure enclave' of the A7 is a combination of the data related to the fingerprint combined with unique information for that specific device. So even if the data could be extracted, using it for any purpose other than unlocking that specific phone would be impossible.
Usually when I see smart people talking about security, they think about what attack vector/situation you are trying to protect against. In this case, the situation you are trying to protect against is not keeping your phone locked when you are in custody or at gun point. The situation is someone unlocking your phone if someone swipes it from your pocket, you lose your phone, or simply leave it on your desk for a few moments as you go to the bathroom at the office. So, yes, a biometric scanner, even one that is easily beaten by an attacker, is good for this purpose.
Whatever the case, maybe we should step back and get some more perspective. How many of us don't put locks on our shared computers and phones because we don't want the inconvenience of ensuring everybody that should be allowed to use it can? My phone is a shared device and I removed any and all locks on it as I got very tired of "oh, let me unlock that for you." Basically, I want everybody that can reach it physically (when it isn't lost or stolen) to be able to access it and make calls, surf the web, use the map, search contacts, play games, etc. Is any phone locking mechanism going to work perfectly? Probably not. Being able to set up my phone to unlock for anybody in my family and friends circle by something like fingerprints is a pretty good start.
> Touch ID is going to massively reduce the number of totally unsecured iPhones that require zero effort to access.
I feel like we just went through this very same drill with the Chrome team refusing to hide web site passwords behind a master password, something that all browsers, except Chrome, support. Given how stubborn the Chrome team has been in its handling of this situation, I think fighting that TouchId battle is going to be equally challenging.
Common sense is, sadly, not very common, not even among the security circles.
What worries me the most is that biometrics can be used to authorize payments, and for anyone that has crafty teenage (or younger) kids this might sound a bit risky. Getting access to your parents' fingerprint is easy while getting access to their password is much harder.
> Just to keep things in perspective, the goal of Touch ID is not to be unhackable. The goal is to get more consumers to move from zero security to pretty good security.
Agreed. Complaining about this hack would be like people saying locks are "hackable" if you steal someone's key and make a copy. There's always a way around any system, if a criminal is dedicated enough to get past it.
Piss poor excuse - think of all the users using a password now downgrading their security, but Apple advertising it as "high security".
I like what you're saying, massively allow users to secure their phones without the pain of entering a password, but when it comes at a compromise of "little is better than none" is not the mentality people need for security. I'd rather see corporations rewarding and encouraging proper security strategies rather than creating some compromise for marketing.
> Piss poor excuse - think of all the users using a password now downgrading their security, but Apple advertising it as "high security".
If you're talking aggregate security, TouchID will still increase security (even with current PIN users moving to a FP Scan) as currently about 50% don't use any sort of pass code now.
If you're talking about the ability for current PIN users to maintain their level of security if they wish, they can still use a PIN.
Bottom line is that there will be fewer successful unauthorized login attempts in the wild.
> The goal is to get more consumers to move from zero security to pretty good security.
One might argue that Touch ID is too strong to be used where there was no security before. In an arms race with thefts and hackers, leaping too far forwards might not be the best option in the long term.
Right. Yesterday, people clamored for a browser API to allow for that stuff to login, now that it is broken it has magically morphed into a mere 'convenience feature', a sidenote, a little fix.
(Of course, this post ends with Apple has succeeded. Sigh.)
That comment perfectly sums up what I have been trying to argue with friends the last day or two! Thank you! Presuming you don't mind I will send this over to them!
If we've learned anything over the past few months, it is that security is an illusion when it comes to Google, Apple and Facebook.
The fingerprint scanner is not intended to protect your personal data from being accessed by nefarious cyber-spooks or crackers. The $5 dollar wrench technique is fairly effective in bypassing such security anyway.
The fingerprint scanner is there so that when your phone is nicked by a mugger, they can't reset to factory defaults and sell it on eBay. If some knife wielding thug that robs me of my phone has the intellectual capability of lifting my fingerprints off the case and then using them to bypass the security, he still has to know my AppleID password before he can remove the 'Find my Phone' feature.
Give Apple a break. This is just another layer of security. It's _not_ the panacea to all our security woes, and they have never claimed it was.
Apple claims that "The technology within Touch ID is some of the most advanced hardware and software we've put in any device." [1]. This attack showed that increasing sensor resolution only requires increasing the resolution on the fake print to match.
This attack is an interesting data point in the debate over using biometrics in access control systems. Apple was hyped to have introduced something new and exciting in this space, but it's quickly been shown to not be a significant advance in fingerprint sensor technology.
Touch ID, however, is still an adequately secure access control check to be useful to consumers.
> This attack showed that increasing sensor resolution only requires increasing the resolution on the fake print to match.
Just to clarify, it wasn't just the increased resolution that was required here, but "latex milk", I assume to simulate a living finger, as well. It's not as simple as print-of-print = unlock.
Only an idiot would buy a jailbroken phone without a clean ESN on it. Those who do, know what they are getting. And you're forgetting Activation Lock, which a jailbreak will not defeat.
You linked to a support document explaining how the technology works. You may have had a point if this was listed on their product page describing the feature, but instead you have them touting the convenience of using your finger to unlock your phone and make purchases:
> You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
Regardless of whether or not fingerprint scanners are good security wise, it's a bit silly to think that phone robbing thugs are completely dim. The way it works in my first world modern country is that there are shops everywhere that unlock or reset phones as part of their services, and it isn't thugs running them. It's people with an affinity for 'tech' who just happen to deal with a shadier area.
If cracking fingerprint authentication is as easy as this article suggests then there's no doubt that these types of shops will do this readily. Steal a phone -> bring it to a place that does it.
No, this is not the same as sim unlock. Circumventing touch id technology by making fake fingerprints is exactly the same case as being called to unlock a locked door. The specialist knows when he is liable to crime and cannot make a legal business out of illegal access.
Except where I live there is organized phone snatching. A crew of phone hackers hire drug addicts to yoink phones off transit riders and then pay them 10% of the value. They then go to work on the phone changing the IMEI and I would imagine easily bypassing this fingerprint auth. They make use of the data for fraud purposes and then wipe and sell the phone on the street, a block away from where I live outside a run down sketchy bar.
Police caught the "muggers" slipping the phones into faraday bags so they couldn't be remotely wiped which led them to the ringleaders. They were busted but I'm sure there's a new crew doing it.
I don't think it's possible to change the IMEI on an iPhone at all, and "easily bypassing" touchID involves collecting the user's fingerprint, which I guess is not included in the drug addicts' service offerings.
Plus, you can't get a decent sized adjustable wrench for less than $15 nowadays. Even the cheap Chinese ones that loosen the parallel alignment on the jaws after a few weeks cost more.
Agreed. But they always blow it out of proportion. As if the existing fingerprint systems are extremely insecure and theirs is not. The truth is they are all the same- insecure.
Theirs is better than the standard old fingerprint scanners and far better than using 'nothing' which is what they are replacing. They have blown nothing out of proportion.
> It's _not_ the panacea to all our security woes, and they have never claimed it was.
But they've never said it wasn't, either. It's important that everyone is in the clear about how secure TouchID is. I'm going to use it anyway, but the other decision is how much personal data I want to store on my phone.
* Note: TouchID is not the panacea to all our security woes. will not cure cancer, create world peace, does not kill kittens, [continues on listing everything it's not for 9 trillion pages]
The "How to fake fingerprints" link [1], is one of the scariest things I have seen, given how simple it is, and how much we rely on fingerprints for linking people to crimes.
BTW, for anyone who does not know about Chaos Computer Club (CCC) [2], they run a massive conference in EU. You can look at some of their talks @ http://media.ccc.de/
Frontline had an excellent piece on the (lack of) reliability behind most of crime forensics. Fingerprints in particular are mentioned as being very unreliable and unscientific. The only scientifically rigorous piece of "CSI" is DNA matching.
> The "How to fake fingerprints" link [1], is one of the scariest things I have seen, given how simple it is, and how much we rely on fingerprints for linking people to crimes.
I think DNA evidence is even worse. Given how simple it is for anyone (from an oppressive government to a criminal) to take DNA from someone they want to frame and place it on a crime scene. Heck, it's even easier than fingerprints, and it's also thought of as "irrefutable".
I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.
Also, if a fingerprint sensor is significantly easier to use, and in practice will deter a class of privacy violations, it could increase overall security. This is a question you can only answer by looking how people behave, not solely with an analysis of the technology.
The fingerprint sensor worries me more that it records biometric information at all. It's one thing to leave fingerprints all around your environment, but there is now the potential to steal your biometrics over the internet. The device supposedly hashes the data derived from your fingerprint, presumably with a hardware-based secret, but I worry someone will find a way around that. (EDIT: maybe this is physically impossible; can someone provide details?)
Also, the issues that CCC discusses about how fingerprint unlocking can be coerced are important. Many law enforcement organizations now have devices that can scan smartphone data, which is bad enough, but at least the use of those devices is controlled. A fingerprint sensor now allows a cop to handcuff someone, jam his or her finger onto the phone, and then to (for instance) delete an incriminating video.
Likewise anyone else willing to use force. Might become the next schoolyard amusement for bullies, if your kid has a smartphone.
> I think they're missing the point. The passcode on an iPhone defends against other people in your environment - family members, coworkers, roommates - getting your information opportunistically. It doesn't defend against hackers, the government, or even slightly savvy thieves.
The Google Chrome Security team begs to differ [1]. According to them giving someone the illusion of security is bad.
Giving someone the illusion of security is bad because it displaces their understanding of security.
An understanding of security will reveal that security is not a binary state of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like the iPhone fingerprint reader to keep honest people honest and discourage ordinary muggers and thieves. I don't need military-grade access control for my personal iPhone, I don't want the inconvenience that would necessarily accompany it, and I damned sure don't want to pay for it.
And the Google Chrome guy is correct in all respects: it's not reasonable to expect an application to provide security that's redundant with security provided by user accounts on the OS it runs on. It would be better to teach users to create separate accounts on their system, if they want to hide their local passwords from other members of their family.
Which is ironic coming from a company known to be sharing information directly with the NSA.
Name one security technology that is 100% foolproof. They don't exist. So the point isn't to rely on one thing, but to rely on many things that, used in concert, increase the risk, complexity and cost associated with subverting the entire system--not its individual components.
I think it's a hot topic in security circles right now that a worm or virus could infect these mobile devices and "phone home" with the data, resulting in a media nightmare.
Not the same result at all. You now have lost your phone and the cop has to argue that you smashed it yourself out of spite. There may be more witnesses or evidence after smashing a phone. Presumably there are even phone company records showing when and where a device went dead.
I am not a lawyer but it seems to me, 9 times out of 10, the cop would prefer a cleaner result - they confiscate your device, and oops, when you get it back, the video is gone.
...the people closest to you in your environment ( kids, parents, spouse, boss, co-workers) are the ones who can most easily obtain your fingerprints...
And are probably least easily able to capture a high resolution image and reproduce a 2400 dpi heavy-ink image that is then used to create mould of your print.
Expected. Still much, much better security than no code at all. I will use it (with full knowledge of its downsides and tradeoffs) and it would behoove the CCC to not portray security as a binary state. (Just as much as it would behoove Apple to be truthful in their marketing.)
Don't use it if thieves would consider going through all the effort of faking out the scanner. That's what I take from this no doubt valuable and important work from the CCC.
(I assume that iPhone tracking and activation lock cannot be disabled with the fingerprint, so stolen phones will still be easily remotely wiped and bricked, with fingerprint or without. Thieves will have to be crafty and quick if they want to pull this off.)
Not that expected. I know a lot of people were BSing about how much more secure Apple's fingerprint sensor was and how the usual techniques for faking a finger wouldn't work on it, including some security researchers.
Yes. I anxiously await Gruber's lengthy post-mortem about the fingerprint reader being just as bad as all previous fingerprint readers, equal in number, length and enthusiasm to his previous posts about how wonderful and advanced it is.
I was disappointed to see that this hack shows the sensor isn't relying on the "microscopic capacitive surface" being claimed by Apple. So it's really just another CCD camera under the button?
Those techniques still haven't been shown to work in practice because CCC was only able to unlock the device using a carefully made high quality print, not one lifted in an ecologically valid situation.
What matters is the rate at which copies of real prints are rejected, not the fact that one carefully made print can be made to work.
Yes, we often say security and think it means total protection. It doesn't. It's rare to see any security feature that cannot be bypassed or broken by some means. This is why we implement security in layers. If it were a binary state then a single layer would be sufficient. The idea is to make it so difficult to break through every layer of security that it becomes impractical but there will always be someone who does it.
I also don't think Apple is dishonest in their marketing. Fingerprint scanning is absolutely better than a pass code and the marketing around it all gives the impression that using it ensures no one can unlock your phone without your fingerprint. Nothing dishonest in that. Plus the layperson really has no interest in learning the specifics anyway so I'm not sure it matters what they say about it so long as it sounds cool and futuristic.
> Fingerprint scanning is absolutely better than a pass code
How often can you change your fingerprint? I can change my pass code virtually an infinite number of times. How often do you inadvertently leave your pass code in random places just by touching things?
A good pass code is absolutely better than fingerprint scanning.
I have accidentally seen basically all of my friends' passcodes as they type it in at bars etc. I could get into their phones easily. TouchID is more secure than that simply because someone needs to take a 2400dpi image of the person's finger to do it.
Locks (when physical access to a device is available) are to keep honest people honest. Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.
Here, have a drink out of this freshly washed glass... no, don't worry, I'll wash the glass for you later. :)
On the last second point regarding access to a device, I could take a week to make up the fake print during which it won't matter if I have it or not. Since your print isn't changing I just need 5 minutes with your device at any point in the future.
Then create a detailed model using said high resolution fingerprint. If someone cares enough about your phone to do that, they can probably break into it by other means anyway (jail break, brute force passcode, etc)
> Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.
Anyone who says this is not a security expert. That hasn't been true since full disk encryption became available. A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place.
I take it you're not a security researcher either, because "A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place" is insufficient, too.
Cold boot attacks, copying the drive and hacking the bootloader to get the drive password the next time you log in are two trivial methods, both of which have been used already.
Once you lose physical access to your hardware, it's game over. You simply cannot trust your computer after that point if you care AT ALL about maximizing security.
No, the physical access statement still holds true, even with FDE. First, if the machine is powered on, they can just extract the keys from RAM. Second, if you continue to use the device after it has been tampered with, you also lose (aka evil maid attack).
Most people outside of this community are not using disk encryption.
With that said and the caveat that I am not an encryption expert myself: given an infinite amount of computing power and an infinite amount of time, can full disk encryption not be broken? If so, then it is just a question of computing power and time, not of whether it is possible to get to the data.
A comment on another article the other day (can't remember which or I'd link) noted that no-one will magically know your passcode when you sleep or nap, but it might not be too hard for them to gently put your thumb on your phone. One would do well to remember that involuntarily "surrendering" login information doesn't necessarily require hoses or wrenches...
Considering that people generally don't wear gloves when they use their phones this is like having a picture of your key on your door. Combine that with what we know you can do with pictures of keys[1] and yes it's obviously not a very good idea.
This is not being done by lifting an existing print from the existing device. They're taking a photo of the authorised FINGER and using that to create their fake finger...
I don't see how this could be considered a significant issue unless you are going to steal someone's phone AND somehow get a still 2400 dpi photo of the surface of their finger.
You are incorrect. Second sentence of the article: "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID."
It is a phone, you can bypass the passcode with a computer anyway - the passcode/touch is designed to prevent opportunistic unlocks not a determined attacker and it is much better than a passcode at doing that.
My front door does not have a picture of my key on it. My phone has tons of fingerprints though. It's a touch screen phone. One of those words is "touch" which clearly implies your finger coming in contact with it. Even if you wanted to use gloves you need special ones for it to work properly with the capacitive screen. Unless you are continuously wiping it (the screen, not the data) it will have your prints on it.
In the comments there is so much focus on the convenient aspect of TouchID. I agree, but the main point I think is that we have a situation where:
- fingerprint authentication will be seen as more casual and mainstream than it was before [1]
- people will still leave fingerprints everywhere, including around and on the fingerprint sensors
- once a high resolution image of a fingerprint is done, it can be re-used for literally a lifetime (imagine keeping track of someone for years and use his/her fingerprints anytime it's needed)
- if enough applications rely on fingerprint authentication, exchanging fingerprint databases might become lucrative enough
From this point of view, seeing TouchID as just a cute way of adding some security to a phone is too candid I think. It will have an immediate positive effect for casual phone locking, but would bring much worse effects down the line.
Optimistically no one would rely on fingerprints alone to authenticate users for anything important. But the definition of what's important is blurry, and there are so many situations now where weak passwords are used, but it would be so tempting to switch to fingerprints (door unlock for instance...).
[1] laptops had finger unlock features for years now, but it never really made it to the wild masses I think. Fujitsu phones had a fingerprint reader too, but again, I don't remember other makers picking up the feature.
My debit card, for example, has "paywave" short range payment support. So anybody who has my card can go around making small purchases, no PIN, no signature needed. I'm fine with this because the convenience far outweighs the security concern.
With the iPhone an attacker who replicates your fingerprint can make purchases to your iTunes account using your phone. They can't purchase to a different account, they can't purchase to a different device. In that sense, requiring a valid fingerprint is more than secure enough — even if faked it's not going to do much damage.
Creating a fake print that can fool the scanner is so much harder than stealing someone's debit/credit card. It's also so much less damaging to the victim (making purchases on their iTunes account vs. making any arbitrary purchase).
I think the balance between security and convenience for this technology is more than reasonable.
You're missing the point. Right now lots of people have no password at all. Touch ID is a big improvement over having no password.
As I understand it every now and again Apple will prompt you to enter your passcode/password, such as when you restart your device or if you haven't unlocked it in two days. Hardly a signal that passwords are done.
> You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.
> Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.
-- the phone
-- a 2400 dpi resolution image of the correct fingerprint
-- a 1200 dpi laser printer & transparent paper
-- pink latex milk or white woodglue
-- a non-trivial amount of time
The code is in someone's head, or you have to deconvolute it from screen smudges. Your fingerprints are literally everywhere you go.
"The third feature is all about security. Now we have so much personal information on our devices that we want to protect. <snipped> So we have to protect them. The most common wave of course is to set up a passcode. Simple four digit passcode or more complex one if you want. This is something you do, dozens of times a day to unlock and get access to your phone. Unfortunately, some people find that's too cumbersome and they don't set it up. In fact in our research about half of smartphone customers do not set up a passcode on the device and they really, really should. That's the team has worked so hard in the brand new technology to make this easy and fun to do."
http://www.earningsimpact.com/Transcript/83555/AAPL/Launch-o...
Touch ID is better than nothing and that people use Touch ID instead of nothing is better than the current state but not by much and this definitely isn't a huge achievement. Which is really the biggest issue with Touch ID, it's advertised as such and people believe it.
I also bet, in 99.9999% or more of those cases, the attacker doesn't even attempt to bypass the security by faking the user's fingerprint.
I'd also be willing to bet that these figures are substantially better than the current situation where people don't bother to lock their phone at all. People will use it because it's a gimmick, not because of its security properties, but it will still work.
You can't be serious. A completely unlocked phone that anybody can trivially access with a swipe.. vs. a scanner that you'd have to lift and reconstruct someone's fingerprint to bypass. That is definitely a significant improvement.
TouchID represents a massive increase in security over draw pattern to unlock, and it's easier to use at the same time.
It probably also represents an increase in security over 4 digit PIN codes, though that's shakier.
The way that Apple haters use stunts like this to suspend normal logic and reasoning in order to express their juvenile spite is staggering.
No one, ever, claimed TouchID was impregnable, but it is very good security and is better than what the vast majority of people do at present.
Anyone prepared to devote the time and resources that CCC did to breaking your phone has other simpler means at their disposal. I personally believe that no one else will replicate this achievement because it is simply a publicity stunt to get clicks and feed the hordes of anti-Apple zealots.
That makes it great security.
> fingerprint biometrics is unsuitable as access control method and should be avoided.
What happens when the next set of hackers figure out how to remotely access and extract the fingerprints (hashed, secured, whatever) stored on the iPhone itself?
The fingerprint information stored in the 'secure enclave' of the A7 is a combination of the data related to the fingerprint combined with unique information for that specific device. So even if the data could be extracted, using it for any purpose other than unlocking that specific phone would be impossible.
Whatever the case, maybe we should step back and get some more perspective. How many of us don't put locks on our shared computers and phones because we don't want the inconvenience of ensuring everybody that should be allowed to use it can? My phone is a shared device and I removed any and all locks on it as I got very tired of "oh, let me unlock that for you." Basically, I want everybody that can reach it physically (when it isn't lost or stolen) to be able to access it and make calls, surf the web, use the map, search contacts, play games, etc. Is any phone locking mechanism going to work perfectly? Probably not. Being able to set up my phone to unlock for anybody in my family and friends circle by something like fingerprints is a pretty good start.
I feel like we just went through this very same drill with the Chrome team refusing to hide web site passwords behind a master password, something that all browsers, except Chrome, support. Given how stubborn the Chrome team has been in its handling of this situation, I think fighting that TouchId battle is going to be equally challenging.
Common sense is, sadly, not very common, not even among the security circles.
Agreed. Complaining about this hack would be like people saying locks are "hackable" if you steal someone's key and make a copy. There's always a way around any system, if a criminal is dedicated enough to get past it.
I like what you're saying, massively allow users to secure their phones without the pain of entering a password, but when it comes at a compromise of "little is better than none" is not the mentality people need for security. I'd rather see corporations rewarding and encouraging proper security strategies rather than creating some compromise for marketing.
If you're talking aggregate security, TouchID will still increase security (even with current PIN users moving to a FP Scan) as currently about 50% don't use any sort of pass code now.
If you're talking about the ability for current PIN users to maintain their level of security if they wish, they can still use a PIN.
Bottom line is that there will be fewer successful unauthorized login attempts in the wild.
One might argue that Touch ID is too strong to be used where there was no security before. In an arms race with thefts and hackers, leaping too far forwards might not be the best option in the long term.
(Of course, this post ends with Apple has succeeded. Sigh.)
...while lowering the security of a massive number of iPhones previously secured by PINs.
The fingerprint scanner is not intended to protect your personal data from being accessed by nefarious cyber-spooks or crackers. The $5 dollar wrench technique is fairly effective in bypassing such security anyway.
The fingerprint scanner is there so that when your phone is nicked by a mugger, they can't reset to factory defaults and sell it on eBay. If some knife wielding thug that robs me of my phone has the intellectual capability of lifting my fingerprints off the case and then using them to bypass the security, he still has to know my AppleID password before he can remove the 'Find my Phone' feature.
Give Apple a break. This is just another layer of security. It's _not_ the panacea to all our security woes, and they have never claimed it was.
This attack is an interesting data point in the debate over using biometrics in access control systems. Apple was hyped to have introduced something new and exciting in this space, but it's quickly been shown to not be a significant advance in fingerprint sensor technology.
Touch ID, however, is still an adequately secure access control check to be useful to consumers.
[1] http://support.apple.com/kb/HT5949?viewlocale=en_US
Just to clarify, it wasn't just the increased resolution that was required here, but "latex milk", I assume to simulate a living finger, as well. It's not as simple as print-of-print = unlock.
http://support.apple.com/kb/HT5949?viewlocale=en_US
And selling a stolen iPhone on eBay does not need a password or a fingerprint, a jailbreak is enough …
If cracking fingerprint authentication is as easy as this article suggests then there's no doubt that these types of shops will do this readily. Steal a phone -> bring it to a place that does it.
The AppleID password is another thing though.
Police caught the "muggers" slipping the phones into faraday bags so they couldn't be remotely wiped which led them to the ringleaders. They were busted but I'm sure there's a new crew doing it.
I prefer Schneier's original rubber hose technique. Leaves fewer broken bones and bruises, but just as effective.
I don't know if others are experiencing this, but as of iOS 7, that feature turns itself off every time my phone is rebooted.
But they've never said it wasn't, either. It's important that everyone is in the clear about how secure TouchID is. I'm going to use it anyway, but the other decision is how much personal data I want to store on my phone.
* Note: TouchID is not the panacea to all our security woes. will not cure cancer, create world peace, does not kill kittens, [continues on listing everything it's not for 9 trillion pages]
BTW, for anyone who does not know about Chaos Computer Club (CCC) [2], they run a massive conference in EU. You can look at some of their talks @ http://media.ccc.de/
[1] http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?langu...
[2] http://en.wikipedia.org/wiki/Chaos_Computer_Club
http://www.pbs.org/wgbh/pages/frontline/real-csi/
http://mobile.nytimes.com/2013/09/17/science/dna-double-take...
I think DNA evidence is even worse. Given how simple it is for anyone (from an oppressive government to a criminal) to take DNA from someone they want to frame and place it on a crime scene. Heck, it's even easier than fingerprints, and it's also thought of as "irrefutable".
It's a bit old now but it's still as valid.
Also, if a fingerprint sensor is significantly easier to use, and in practice will deter a class of privacy violations, it could increase overall security. This is a question you can only answer by looking how people behave, not solely with an analysis of the technology.
The fingerprint sensor worries me more that it records biometric information at all. It's one thing to leave fingerprints all around your environment, but there is now the potential to steal your biometrics over the internet. The device supposedly hashes the data derived from your fingerprint, presumably with a hardware-based secret, but I worry someone will find a way around that. (EDIT: maybe this is physically impossible; can someone provide details?)
Also, the issues that CCC discusses about how fingerprint unlocking can be coerced are important. Many law enforcement organizations now have devices that can scan smartphone data, which is bad enough, but at least the use of those devices is controlled. A fingerprint sensor now allows a cop to handcuff someone, jam his or her finger onto the phone, and then to (for instance) delete an incriminating video.
Likewise anyone else willing to use force. Might become the next schoolyard amusement for bullies, if your kid has a smartphone.
The Google Chrome Security team begs to differ [1]. According to them giving someone the illusion of security is bad.
[1] https://news.ycombinator.com/item?id=6165708
An understanding of security will reveal that security is not a binary state of affairs. It's perfectly reasonable to trust known-imperfect mechanisms like the iPhone fingerprint reader to keep honest people honest and discourage ordinary muggers and thieves. I don't need military-grade access control for my personal iPhone, I don't want the inconvenience that would necessarily accompany it, and I damned sure don't want to pay for it.
And the Google Chrome guy is correct in all respects: it's not reasonable to expect an application to provide security that's redundant with security provided by user accounts on the OS it runs on. It would be better to teach users to create separate accounts on their system, if they want to hide their local passwords from other members of their family.
Name one security technology that is 100% foolproof. They don't exist. So the point isn't to rely on one thing, but to rely on many things that, used in concert, increase the risk, complexity and cost associated with subverting the entire system--not its individual components.
Security is not binary.
Correct me if I'm wrong, but the biometric data never leaves the device.
You need the fingerprints themselves to fake out the hardware.
I am not a lawyer but it seems to me, 9 times out of 10, the cop would prefer a cleaner result - they confiscate your device, and oops, when you get it back, the video is gone.
...the people closest to you in your environment ( kids, parents, spouse, boss, co-workers) are the ones who can most easily obtain your fingerprints...
Don't use it if thieves would consider going through all the effort of faking out the scanner. That's what I take from this no doubt valuable and important work from the CCC.
(I assume that iPhone tracking and activation lock cannot be disabled with the fingerprint, so stolen phones will still be easily remotely wiped and bricked, with fingerprint or without. Thieves will have to be crafty and quick if they want to pull this off.)
What matters is the rate at which copies of real prints are rejected, not the fact that one carefully made print can be made to work.
I also don't think Apple is dishonest in their marketing. Fingerprint scanning is absolutely better than a pass code and the marketing around it all gives the impression that using it ensures no one can unlock your phone without your fingerprint. Nothing dishonest in that. Plus the layperson really has no interest in learning the specifics anyway so I'm not sure it matters what they say about it so long as it sounds cool and futuristic.
How often can you change your fingerprint? I can change my pass code virtually an infinite number of times. How often do you inadvertently leave your pass code in random places just by touching things?
A good pass code is absolutely better than fingerprint scanning.
Locks (when physical access to a device is available) are to keep honest people honest. Most security experts that I know agree that if an intruder has physical access to a device, it can be considered compromised because it is just a matter of time.
Note: Finger Print, not finger.
Here, have a drink out of this freshly washed glass... no, don't worry, I'll wash the glass for you later. :)
On the last second point regarding access to a device, I could take a week to make up the fake print during which it won't matter if I have it or not. Since your print isn't changing I just need 5 minutes with your device at any point in the future.
And your friends could change their password 365 times per year every year for the rest of their lives.
With fingerprints, they get 10 password changes.
I'd say 9 password changes...
Anyone who says this is not a security expert. That hasn't been true since full disk encryption became available. A properly encrypted device is a brick if stolen, which is the only reason to have full disk encryption in the first place.
Cold boot attacks, copying the drive and hacking the bootloader to get the drive password the next time you log in are two trivial methods, both of which have been used already.
Once you lose physical access to your hardware, it's game over. You simply cannot trust your computer after that point if you care AT ALL about maximizing security.
With that said and the caveat that I am not an encryption expert myself: given an infinite amount of computing power and an infinite amount of time, can full disk encryption not be broken? If so, then it is just a question of computing power and time, not of whether it is possible to get to the data.
[1]: https://news.ycombinator.com/item?id=6167246