Apple finally gets something right

08.10.2013 by Dave Kearns

Apple’s new iPhone (the 5S model) is equipped with the Touch ID fingerprint reader. Its release just a couple of weeks ago has generated more discussion (and bloviating) about biometrics, fingerprints in particular, than all other fingerprint systems together. Not only that, but it’s forcing me to do something I’ve rarely – if ever – done before: say something nice about Apple.

In the twenty years I’ve been writing and opining about technology I’ve occasionally ranted about Apple, its products, its management and its fans, but for the first time, today, I can say bravo Apple.

Bravo Apple for introducing millions of users to the benefits of biometrics.

There’s been a lot of urban mythology about Touch ID being spread already, so here’s a look at some of the more outrageous claims, and why they are outrageous.

  • The NSA will now have your fingerprints (variations include the CIA, the local police, GCHQ, the DGSE, and the Chinese secret police)
  • Criminals can get your fingerprints and plant them at crime scenes (variation: so can the police)

The iPhone doesn’t send your fingerprint data to Apple, the Cloud or anywhere else (it’s only stored locally on the phone), nor is a picture of your fingerprint stored anywhere. As with all portable devices (smart phones, “dumb” phones, tablets, etc.), there are probably latent fingerprints all over the screen and the cover. Anyone in possession of your phone could “lift” these prints for whatever purpose, criminal or benign. But that has nothing to do with the Touch ID function.

  • The iPhone reader is easily hacked; it even works with your cat’s paw!

Germany’s Chaos Computer Club claims to have “…successfully bypassed the biometric security of Apple’s Touch ID using easy everyday means.” Everyday means? Here’s how they describe the process:

First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use.

What? You don’t keep “photo-sensitive PCB material” around the house?

As to the “cat’s paw” statement, one user found that he could enroll the cat by swiping its paw on the Touch ID button. You could also enroll just about any ridged surface. And that same ridged surface would be validated and unlock the device when applied subsequently. It’s not that your cat’s paw could be mistaken for your finger!

  • Fingerprint matching is notoriously unreliable

Fingerprint matching is not 100% reliable. The false positives and false negatives, though, are generally proportional to the number of fingerprints being matched against. Take one fingerprint and try to match it against the millions in the FBI database and there’s a small, but significant, chance of a false match. But take one fingerprint and try to match it against the one dataset stored on your iPhone and you’ll find it’s almost always accurate. An occasional misread because you swiped your finger poorly is hardly the fault of the hardware and software.

  • Fingerprints are a poor replacement for passwords. What happens if they’re compromised? You can’t change your fingerprint

This is a fallacious argument because, in addition to having ten fingers (which can be used in multiple combinations, millions of them in fact), the algorithm used to transform your fingerprint data into a private key could also be changed rendering millions more possibilities. But I will partially agree with this. Biometrics shouldn’t be used to replace passwords. Instead, they should be used to replace usernames.

Usernames need to be unique. While there’s no specific proof that fingerprints (or iris scans or heart waves) are unique, it’s easy enough in any particular namespace to ensure that the biometric is unique at the time of enrollment by comparison to those already enrolled (just as Gmail, for example, tells you that “dkearns is already in use. Would you like to be dkearns1043?”). Also, in the 150 years or so that we’ve been using fingerprints for identification there’s never been a proven instance of two sets being alike. I think we can safely say there’s a Theory of Unique Fingerprints, at least until someone can refute the theory.

In the past I’ve suggested that an email address (which does have to be unique throughout the internet) makes an ideal username. But it’s ridiculously easy to know (or guess) someone’s email address. Standard usernames (first initial and seven letters of last name, for example) are frequently the part of the email address to the left of the “@,” so again, easily guessed. But you can’t guess a fingerprint. You can’t discover it through social engineering, either. It can be collected, but despite what the Chaos Computer Club says, that’s not particularly easy for the average person (e.g., one who could guess your username or email).

For unlocking your iPhone, a swipe of your finger is “secure enough” for most situations. But if Apple wants to also use the finger swipe to authorize access to apps (or “outside the phone” data), then coupling the swipe with a PIN, password or pass phrase makes a lot of sense. It’s not absolutely secure, but it is strong enough for the average user, their average device and the average data they need to access. Even if someone has stolen (or hacked) your password, they still need to re-create your fingerprint. Not at all easy, as we’ve seen. Fear not, swipe away!


  • http://twitter.com/Steve_Lockstep @Steve_Lockstep

    I don't see how you've debunked the concerns about biometric compromise. You say "the algorithm used to transform your fingerprint data into a private key could also be changed rendering millions more possibilities" but what good is that if someone has made a replica finger?

  • http://twitter.com/Steve_Lockstep @Steve_Lockstep

    [continued; my comment got truncated] I for one do not think the sky is falling after the CCC spoof but I do take the demonstration seriously, mainly because it was something that Apple claimed flat out could not be done. Apple said the iPhone 5S has liveness detection. The systemic problem with biometrics as a security method is that there are no real world performance standards or test methodologies. Vendors like Apple don't even feel the need to publish bench tests. Absent accuracy specifications, there is no proper basis to do threat & risk assessment. So to say the biometric is "secure enough" is just guesswork (and it's telling that you yourself use the phrase in quote marks). No other security field gets away with such lax standards. It's all based on anecdotes, and far too many security analysts just go along for the ride.

© 2014 Dave Kearns, KuppingerCole