The iPhone 5s Biometric Unlock

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as an access control method and should be avoided.

Apple had released the new iPhone with a fingerprint sensor that was supposedly much more secure than previous fingerprint technology. A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."[1]

[1] via CCC | Chaos Computer Club breaks Apple TouchID.

The new iPhone has a biometric unlock option. It took all of three days for a break to show up for it, as was generally expected as well. While this is obviously an indictment of its security, I do somewhat agree with Apple and several other commentators regarding it retaining value.

Apple technology security is strictly weaker in many ways than similar Android options. Apple, for instance, can decrypt iPhones, whereas Google appears to have no such capability. They have also historically shown how their infrastructure allows for attackers to destroy data, although Google is not impervious to this either. I personally use Android (CyanogenMod on a Galaxy S3), with full device encryption and a screen password far longer than is healthy. Unlocking my phone can take up to ten seconds, which most people simply will not put up with.

That is the value in the biometric unlock for the iPhone. A dedicated opponent will be able to get you to unlock it, perhaps more easily with physical intimidation than with an information-based key. Screen PINs should be seen as opposition to casual data theft. Someone who steals your phone, or takes it from a table to try to get some information quickly, often faces absolutely no barrier. Apple’s talking points point out that a majority of users currently have no security PIN set (although I have not found the specific number, if it is available). Tools exist to remotely wipe a phone if custody is lost, and a small barrier may be enough to give time to use that capability.

The one potentially huge concern with this method of unlock, however, is that it allows Apple to aggregate biometric information. As of now, Apple stores the information locally on the iPhone in question. Any government would love that information and, as demonstrated above, they have those ties with Apple. There is also the question as to whether that information can be transferred off the phone if someone has physical access to the device. These are issues that should be addressed, and until they are my support is tentative. Regardless, something that encourages adoption of a security mindset is helpful.