Why Hacking the iPhone 5s Fingerprint Reader is No Big Deal
On Sunday, just two days after the iPhone 5s shipped, a German hacker group known as the Chaos Computer Club claimed it had managed to fool the new device’s fingerprint reader. I can’t say I’m surprised.
Years ago, I was involved in a project that reviewed more than 20 biometric fingerprint products. The goal of the project was to determine which fingerprint readers could be fooled and how easily. It was an eye-opening experience, especially in seeing how easily many of the readers could be tricked. With little effort, we were able to bypass all of the readers. With some, we could actually reactivate latent prints by cupping our hands over the scanner glass and blowing warm, moist air over them. Voilà! You were in.
That method, fortunately, can’t be used against the reader on the iPhone 5s. Instead of capturing an image of the fingerprint, the reader measures capacitance, the same basic technology touchscreens use to track your fingertip. When you enroll a finger, the ridges and valleys of the print are recorded as areas of high and low capacitance. A flat image of a fingerprint therefore won’t fool the iPhone 5s: the attacker needs a replica that carries the actual ridge relief of the finger.
That’s what the Chaos Computer Club did. After photographing and enhancing a latent fingerprint, the group printed it with a thick toner setting onto a transparency, so that the raised toner forms a mold of the ridges, then smeared wood glue into that mold and peeled off the cured sheet as a thin fake finger. A 2008 episode of “MythBusters” described a similar method. In other words, it takes a clean latent print of the right finger, some skill, and a highly motivated attacker.
But the larger point is that fingerprint readers, without another authentication factor, are really more about convenience than strong authentication.
People don’t like entering passwords, PINs, or really anything else that slows them down for one second. In the near future, I suspect the pervasive authentication scheme will be something that allows immediate access when the legitimate user interfaces with the device. I’m not sure if it will be voice recognition, DNA comparison, or what, but hopefully one day, we will make strong authentication easy and less cumbersome. Until then, we have to live with what we have.
A short PIN backed by a lockout or wipe threat is more secure than a fingerprint alone. The fingerprint reader itself is unlikely to carry a lockout or wipe threat, because fingerprint readers are notorious for false-negative readings: a legitimate user with a dry, dirty, or cut finger would trip the threshold long before an attacker did. The lockout therefore has to hang off something other than the scan.
For security purposes, a biometric reader should always be paired with another authentication factor, such as a short PIN, and it should refuse any biometric sample that is identical to the previously accepted one: no two live scans of the same finger come out bit for bit the same, so an exact repeat is a replayed capture rather than a finger on the glass. If you add those two requirements, I can at least accept biometrics as a stronger authentication factor.
There are two other caveats to remember around biometric IDs. First: What do you do if your biometric identity is compromised? Suppose someone lifts your fingerprint using the Chaos Computer Club’s method and uses it to log on as you. What are you supposed to do now? You cannot revoke a valid fingerprint the way you reset a password. One answer is to enroll a different finger, but you only have ten, and the bad guys may collect those too. The other obvious answer is to turn off the biometric identity and use something more secure, like your PIN, or to require a PIN along with the biometric verifier.
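As an added example (not code from the column, from Apple, or from the Chaos Computer Club), here is a toy unlock policy in Python that applies the two requirements above and the revocation fallback just discussed: the biometric is accepted only together with a PIN, a sample identical to the last matching scan is refused as a replay, the lockout threat hangs off the PIN rather than the reader because readers produce false negatives, and the biometric can be turned off so the PIN becomes the only factor. The fingerprint “template” and scans are constructed bit-strings, the matcher is a bit-agreement score standing in for a real minutiae matcher, and the 0.90 match threshold and the five-wrong-PIN lockout are assumed policy values, not anything the iPhone 5s documents.

```python
"""Toy two-factor unlock policy (added example, not the column's or Apple's code).

Rules: biometric only together with a PIN; an exact repeat of the last matching
scan is a replay; lockout/wipe counts PIN failures only, never reader misses;
the biometric can be revoked, leaving the PIN as the sole factor.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

PIN_MAX_FAILURES = 5        # assumed policy: lock (or wipe) after 5 wrong PINs
BIO_MATCH_THRESHOLD = 0.90  # assumed: 90% of template bits must agree


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def similarity(sample: bytes, template: bytes) -> float:
    """Fraction of agreeing bits; a stand-in for a real matcher, which also
    yields a score that is compared against a threshold."""
    if len(sample) != len(template):
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(sample, template))
    return 1.0 - differing / (8 * len(template))


class Authenticator:
    def __init__(self, pin: str, template: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.pin_hash = _pin_hash(pin, self.salt)
        self.template = template
        self.biometric_enabled = True
        self.pin_failures = 0
        self.bio_misses = 0                        # telemetry only, never locks
        self.last_matched: Optional[bytes] = None  # digest of last matching scan
        self.locked = False

    def revoke_biometric(self) -> None:
        """Compromised print: fall back to PIN only (the PIN keeps its lockout)."""
        self.biometric_enabled = False

    def unlock(self, sample: bytes, pin: str) -> Tuple[bool, str]:
        """Returns (success, reason). Every enabled factor must pass."""
        if self.locked:
            return False, "locked"
        if self.biometric_enabled:
            digest = hashlib.sha256(sample).digest()
            # Two live scans never agree bit for bit, so an exact repeat of the
            # last matching sample is treated as a replayed capture.
            if self.last_matched is not None and hmac.compare_digest(digest, self.last_matched):
                return False, "replay"
            # A miss is expected now and then (false negative): counted, no lockout.
            if similarity(sample, self.template) < BIO_MATCH_THRESHOLD:
                self.bio_misses += 1
                return False, "biometric"
            self.last_matched = digest
        # The biometric alone never unlocks; the PIN carries the lockout threat.
        if not hmac.compare_digest(_pin_hash(pin, self.salt), self.pin_hash):
            self.pin_failures += 1
            if self.pin_failures >= PIN_MAX_FAILURES:
                self.locked = True  # a wipe policy would erase the keys here
                return False, "locked"
            return False, "pin"
        self.pin_failures = 0
        return True, "ok"


# Constructed data: a 32-byte "template" and scans derived from it by flipping
# one bit in each of the first `flip_bits` bytes (deterministic sensor noise).
ENROLLED = bytes(range(32))


def noisy_scan(template: bytes, flip_bits: int) -> bytes:
    return bytes((b ^ 0x01) if i < flip_bits else b for i, b in enumerate(template))


def demo() -> List[str]:
    auth = Authenticator(pin="2580", template=ENROLLED)
    live1, live2 = noisy_scan(ENROLLED, 10), noisy_scan(ENROLLED, 12)
    forged = noisy_scan(ENROLLED, 32)  # 87.5% agreement: below the threshold
    attempts = [
        (live1, "2580"),   # ok: fresh scan plus correct PIN
        (live1, "2580"),   # replay: same bits as the last matching scan
        (live2, "2580"),   # ok: a genuinely new scan differs
        (forged, "2580"),  # biometric: miss, counted but no lockout
        (live1, "0000"),   # pin: print matched, PIN wrong (failure 1 of 5)
    ]
    reasons = [auth.unlock(s, p)[1] for s, p in attempts]
    auth.revoke_biometric()                        # print compromised: PIN only
    reasons.append(auth.unlock(forged, "2580")[1])  # ok: forged print ignored
    for _ in range(PIN_MAX_FAILURES):              # pin x4, then locked
        reasons.append(auth.unlock(forged, "0000")[1])
    reasons.append(auth.unlock(live2, "2580")[1])   # locked: right PIN refused
    return reasons


if __name__ == "__main__":
    print(demo())
```

The biometric is checked before the PIN so that someone without a matching finger cannot burn through the PIN failure budget and lock the owner out; the replay check compares only against the last matching scan, which is all the rule above asks for.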
Last but not least, remember that most successful exploits don’t care whether you logged on using a PIN, password, or biometric identity, because they hit you and your computer after you’ve successfully authenticated (think Trojan horse program or computer virus). Many other attacks don’t care whether you’ve logged on at all (think remote buffer overflow).
If biometric identities were really the answer to computer crime, we would all have adopted whatever worked long ago, and every machine would have a fingerprint reader by now. Biometric identities solve only a small part of the problem and bring their own issues with them.