The iPhone 5s fingerprint hack – a sense of perspective

So, the Chaos Computer Club (bless ’em) have already come up with a way of hacking the fingerprint sensor on the iPhone 5s. Somehow I knew that, if anyone was going to do it, they would. But does this mean the system is fatally flawed?


We need a bit of perspective on this, something that isn’t always readily available in the information security world. It’s commonplace for researchers (ie, hackers) to come up with exploits that cause a stir inside the infosec community, and sometimes outside, and lead to widespread rending of garments, twisting of knickers and proclamations of doom. Only, when you actually examine what’s going on, and what the exploit requires – and assuming you have some sanity remaining – you realise that it’s unlikely the exploit will ever be used.

This is such a case, I suspect, because this is not a Gummy Bear attack (about which more later). It actually requires some significant effort.

The CCC explanation of what they did is here. But The Guardian has a more concise description of the process. It begins with:

a high-quality fingerprint lifted from a glass, doorknob or glossy surface. The print, which essentially consists of fat and sweat, is made visible using graphite powder or a component of superglue, and then photographed at high resolution to create a 2400 pixel-per-inch scan. That is then printed onto an overhead projector plastic slide using a laser print, forming a relief. That is then covered with wood glue, cut and attached to a real finger.

Wow! Really? All that just so you can spend money on someone else’s iTunes account? Notice that you have to start with a perfect print (because of the high resolution of Apple’s scanner) – something that won’t be at all easy to obtain (ask any forensic scientist). I can’t see it happening, can you?

Okay, I know what you’re going to say. Smartphones are able to get behind corporate defences now, thanks to the Bring Your Own Device (BYOD) phenomenon. And they are often used to access sensitive corporate data. That would make the phone a tempting target for, say, state-sponsored hackers.

But in situations where that’s the case, you shouldn’t be relying on something as simple as a PIN-replacement technology to secure the data. I mean, would you allow someone to access the plans for your new stealth fighter just because they’d entered a four-digit PIN? I hope not. And if you do, then you have bigger problems than a fingerprint hack – like terminal stupidity.

What we need to keep in perspective is that the fingerprint sensor is being used on the iPhone 5s as a replacement for the four-digit passcode (itself not the greatest form of security). And this has been done before: many laptops have shipped with face recognition systems doing the same. (These, of course, were met with similar derision.)

This technology is not meant to turn your phone into Fort Knox. No security is impervious, nor does it need to be. Security technology is required simply to raise the level of cost for an attacker. It doesn’t need to be impregnable – it just needs to be hard.

So, ironically (and assuming we can get past the clueless hysteria the CCC’s antics are likely to create), the CCC hack has actually done Apple a favour. It has proved that defeating this security takes a lot of effort – effort that simply isn’t worth expending for the result that you get.

I’m now off to check my inbox. Why? Well, because when this sort of thing happens, I can guarantee that I’ll be flooded with PR emails offering ‘comment’ on the story. These are mostly from vendors who have a vested interest in seeing fingerprint biometrics fail (eg, firms flogging two-factor authentication tokens). These will be the people you’ll most commonly see quoted in the press as declaring that this ‘proves’ that biometrics cannot be trusted.

I’ve already had a lot of these, following the launch of the iPhone 5s, and it’s amazing how so many referenced the Gummy Bear attack – in which a jelly-like sweet was used to lift fingerprints and fool biometric scanners. But that was more than a decade ago, and the technology has moved on since then. The only thing these ‘commentators’ illustrate with these ‘comments’ is their own ignorance of the technology.

And that’s the biggest problem with biometrics – the failure of the biometrics industry itself to educate people about how its technology actually works.

There may be more flaws found in Apple’s fingerprint technology, and if any of them turn out to be as easy as the Gummy Bear attack then, indeed, the technology will be proved to be weak. But that hasn’t happened yet. Quite the reverse.

To recap, does the CCC exploit show that the iPhone 5s’s fingerprint security can be defeated? Absolutely. Well done them. Does it prove that it will be in the real world? No.

1 thought on “The iPhone 5s fingerprint hack – a sense of perspective”

  1. Steve Wilson (@Steve_Lockstep)

    Ok, but let’s look at the context of the CCC attack.

    The iPhone 5S is released with a much vaunted biometric scanner; Forrester goes so far as to say that “S” stands for Security. It’s supposed to be the state-of-the-art in fingerprint scanning, with Authentec’s liveness detection. Apple says that a dead finger won’t trigger the detector, and says that the False Reject Rate is nearly zero.
    But apart from that … nothing. Apple gives us no security performance specs, no FAR, FRR or Fail to Enrol figures. No standards, and no independent test results.

    So in this light, the CCC attack is actually very significant, if only because it re-balances the biometric mythology. The liveness detector is defeated by merely breathing on the replica finger! And these demos seem to be the only way we’re going to get real life stats on False Accept Rate.

    The broader context is that yet again fingerprint detection is shown manifestly to be a toy. You can get away with it in 1:1 authentication, where for example your iPhone remains safe against attack if you don’t misplace it. But meanwhile single factor, 1:N fingerprint authentication continues to be put forward in applications like payments.

    I don’t think you can call for “perspective” when Apple releases a fingerprint security solution with no real security specs, waits meekly for it to fail, and then lets all sorts of apologists rush to its defence with ad hoc justification that the mechanism is “good enough”. C’mon. This is not how proper security is designed and managed.
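The comment above argues from False Accept Rate, False Reject Rate and the 1:1 versus 1:N distinction without showing how those numbers behave. The following is an added example, not code from the post, the commenter, Apple or the CCC: it estimates FAR and FRR from constructed matcher scores, picks a threshold for a target FAR, and shows why a FAR that is fine for 1:1 verification becomes a problem for 1:N identification. The score lists, the hypothetical FAR of 1e-5 and the gallery size of 100,000 are all constructed values.

```python
"""Added example: FAR/FRR from matcher scores, and 1:1 vs 1:N false accepts.
All scores and rates here are constructed; none come from Apple or the CCC."""
from typing import Sequence, Tuple

# Constructed similarity scores in [0, 1]; higher means more alike.
# genuine: a finger compared against its own enrolled template.
# impostor: a finger compared against someone else's template.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.74, 0.90, 0.77, 0.93, 0.86, 0.89, 0.84]
IMPOSTOR_SCORES = [0.12, 0.35, 0.08, 0.41, 0.22, 0.79, 0.18, 0.30, 0.27, 0.62]


def far_frr(genuine: Sequence[float], impostor: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """Empirical (FAR, FRR) when any score >= threshold is accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def threshold_for_far(genuine: Sequence[float], impostor: Sequence[float],
                      max_far: float) -> Tuple[float, float, float]:
    """Lowest observed-score threshold whose FAR <= max_far, plus the FRR it costs.
    Candidates are the observed scores; anything lower only admits more impostors."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the requested FAR")


def identification_far(far_1to1: float, gallery_size: int) -> float:
    """Chance that an impostor matches at least one of N enrolled templates.
    1:1 verification compares against one template; 1:N identification (no
    claimed identity, e.g. a payment terminal) compares against all N, so with
    independent comparisons P(any false accept) = 1 - (1 - FAR)^N."""
    return 1.0 - (1.0 - far_1to1) ** gallery_size


if __name__ == "__main__":
    t, far, frr = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero-FAR threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    # Hypothetical 1:1 FAR of 1e-5 against a constructed gallery of 100,000.
    print(f"1:N FAR at N=100000: {identification_far(1e-5, 100_000):.3f}")
```

With these constructed scores, driving FAR to zero costs a 20% FRR, and a 1:1 FAR of 1e-5 turns into a roughly 63% chance of some false accept once 100,000 templates are searched.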

