iPhone hack shows security isn't at our fingertips just yet

Sep 24, 2013 by Eerke Boiten, The Conversation
Finger or falsie? It’s too hard to tell. Credit: hawaii

We've come to expect something radically different from Apple every time it launches a new product and, sure enough, the fingerprint sensor unveiled as part of the iPhone 5s seemed like a revolution in phone security.

But almost as soon as the technology was announced, fans and foes set about trying to crack the fingerprint system. Sure enough, a group in Germany now claims to have succeeded, just days after the new iPhone became available.

From the first announcement by Apple, the commentary suggested forging of fingerprints might be an issue. It looks like the German Chaos Computer Club has achieved this security breach for the Touch ID sensor. The group claims to have created a fake finger using just a fingerprint left on glass. It says the hack proves that fingerprint biometrics is not a suitable method for controlling access to mobile phones.

The club's technique may not have been as simple and low-tech as the legendary gummibear attack by Matsumoto, but it still looks relatively easy. There also appears to be a discrepancy between the claims made by the CCC and Apple's assertion that the technology uses "sub-epidermal" scanning, which would distinguish live fingers from fakes, but the claim from the CCC is nevertheless credible.

Apple's underlying motivation for offering fingerprint locking was good: people too often do not bother to lock their phones, password-based security drives users up the wall and is increasingly at risk from brute force cracking.

There is little doubt that multi-factor authentication is the future. This involves double protection using something you know, like a password, as well as something you have, like a phone, or something you are. This last category relies heavily on a long history of biometrics research, recording characteristics of voice, eyes, writing and fingerprints.

Like any biometric technology, fingerprint sensors must have a high degree of precision. This characterises the quality of the compromise between "false negatives" (failing to recognise someone) and "false positives" (recognising the wrong person). For individual consumers, the first is a frustrating usability issue – the second is a much less visible security problem.
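
To make that compromise concrete, here is an added example (not part of the original article) that measures both error rates across a range of acceptance thresholds. Every score is constructed for illustration, and the `REPLICA` scores rest on the assumption that a copy of the owner's print scores much like the real finger.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match to
# the enrolled fingerprint. None of these are measured values.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.62, 0.93, 0.87, 0.96, 0.71]   # owner's finger
IMPOSTOR = [0.12, 0.31, 0.25, 0.41, 0.18, 0.66, 0.35, 0.22, 0.48, 0.09]  # other people
REPLICA = [0.86, 0.81, 0.92, 0.77]  # assumption: copies of the owner's print
THRESHOLDS = [i / 10 for i in range(1, 10)]


def error_rates(genuine, impostor, threshold):
    """Return (false_negative_rate, false_positive_rate) at one threshold."""
    fnr = sum(s < threshold for s in genuine) / len(genuine)
    fpr = sum(s >= threshold for s in impostor) / len(impostor)
    return fnr, fpr


def acceptance_rate(scores, threshold):
    """Fraction of attempts that the sensor would accept."""
    return sum(s >= threshold for s in scores) / len(scores)


def strictest_threshold(genuine, thresholds, max_fnr):
    """Highest threshold that still rejects the owner at most max_fnr of the time."""
    usable = [t for t in thresholds
              if sum(s < t for s in genuine) / len(genuine) <= max_fnr]
    return max(usable) if usable else None


if __name__ == "__main__":
    print("thresh  false-neg  false-pos  replica-accepted")
    for t in THRESHOLDS:
        fnr, fpr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"{t:5.1f}  {fnr:9.2f}  {fpr:9.2f}  {acceptance_rate(REPLICA, t):16.2f}")
    # Tolerate the owner being locked out on at most 10% of attempts.
    chosen = strictest_threshold(GENUINE, THRESHOLDS, max_fnr=0.1)
    print("chosen threshold:", chosen)
```

On this constructed data, the threshold that keeps other people out while rarely rejecting the owner still accepts every replica; raising it far enough to reject most replicas locks the owner out on most attempts.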

The technology in the iPhone's Touch ID feature is said to be highly advanced. With the profits the company makes and the amount it can spend on research, Apple could well have achieved a breakthrough in fingerprinting sensor precision.

The promotional video for the new phone shows an awareness of the potential security problems related to losing fingerprint data. It was quick to announce that the information would only be stored in an encrypted form, and only in a secure area on the phone chip itself.

The revelations made so far about the extent to which the NSA is able to spy on consumers do not actually suggest that Apple has given the NSA full access to its iPhones, so we may still be safe when using our iPhones. Conscious that security issues are at the forefront of its customers' minds these days, Apple promised it will not allow third party applications access to Touch ID. This suggests it has learned from the privacy issues raised by its careless leaking of location and contact information. However, it does restrict the introduction of potentially improved authentication facilities.

The CCC breach is not necessarily a reason for people to junk their brand new iPhones – no more so than other problems found such as ways of circumventing lock screens. The new security feature certainly looks more user-friendly than using a pincode. Of the 50% of people who do not use any phone security right now, some may take this up, and that is a step forward. For critical operations such as iStore purchases, Apple customers will still use a password in addition to the fingerprint, so security is at least not reduced in that sense.

In the longer term, there is no doubt that passwords by themselves will become a thing of the past. A breakthrough in usable and secure multi-factor authentication would have been very welcome. As it turns out, the Apple Touch ID isn't it.


User comments : 1

Technophebe
not rated yet Sep 25, 2013
"We've come to expect something radically different from Apple every time it launches a new product..."

I disagree strongly with this statement and contend that Apple hasn't done any significant innovation since Steve Jobs left.
