So, the Chaos Computer Club (bless ’em) have already come up with a way of hacking the fingerprint sensor on the iPhone 5s. Somehow I knew that, if anyone was going to do it, they would. But does this mean the system is fatally flawed?
We need a bit of perspective on this, something that isn’t always readily available in the information security world. It’s commonplace for researchers (ie, hackers) to come up with exploits that cause a stir inside the infosec community, and sometimes outside, and lead to widespread rending of garments, twisting of knickers and proclamations of doom. Only, when you actually examine what’s going on, and what the exploit requires – and assuming you have some sanity remaining – you realise that it’s unlikely the exploit will ever be used.
This is such a case, I suspect, because this is not a Gummy Bear attack (about which more later). It actually requires some significant effort: a high-quality fingerprint lifted from a glass, doorknob or glossy surface. The print, which essentially consists of fat and sweat, is made visible using graphite powder or a component of superglue, and then photographed at high resolution to create a 2400 pixel-per-inch scan. That is then printed onto an overhead projector plastic slide using a laser printer, forming a relief. That is then covered with wood glue, cut and attached to a real finger.
Wow! Really? All that just so you can spend money on someone else’s iTunes account? Notice that you have to start with a perfect print (because of the high resolution of Apple’s scanner) – something that won’t be at all easy to obtain (ask any forensic scientist). I can’t see it happening, can you?
Okay, I know what you’re going to say. Smartphones are able to get behind corporate defences now, thanks to the Bring Your Own Device (BYOD) phenomenon. And they are often used to access sensitive corporate data. That would make the phone a tempting target for, say, state-sponsored hackers.
But in situations where that’s the case, you shouldn’t be relying on something as simple as a PIN-replacement technology to secure the data. I mean, would you allow someone to access the plans for your new stealth fighter just because they’d entered a four-digit PIN? I hope not. And if you do, then you have bigger problems than a fingerprint hack – like terminal stupidity.
What we need to keep in perspective is that the fingerprint sensor is being used on the iPhone 5s as a replacement for the four-digit passcode (itself not the greatest form of security). And this has been done before: many laptops have shipped with face recognition systems doing the same. (These, of course, were met with similar derision.)
This technology is not meant to turn your phone into Fort Knox. No security is impervious, nor does it need to be. Security technology is required simply to raise the level of cost for an attacker. It doesn’t need to be impregnable – it just needs to be hard.
So, ironically (and assuming we can get past the clueless hysteria the CCC’s antics are likely to create), the CCC hack has actually done Apple a favour. It has proved that defeating this security takes a lot of effort – effort that simply isn’t worth expending for the result that you get.
I’m now off to check my inbox. Why? Well, because when this sort of thing happens, I can guarantee that I’ll be flooded with PR emails offering ‘comment’ on the story. These are mostly from vendors who have a vested interest in seeing fingerprint biometrics fail (eg, firms flogging two-factor authentication tokens). These will be the people you’ll most commonly see quoted in the press as declaring that this ‘proves’ that biometrics cannot be trusted.
I’ve already had a lot of these, following the launch of the iPhone 5s, and it’s amazing how so many referenced the Gummy Bear attack – in which a jelly-like sweet was used to lift fingerprints and fool biometric scanners. But that was more than a decade ago, and the technology has moved on since then. The only thing these ‘commentators’ illustrate with these ‘comments’ is their own ignorance of the technology.
And that’s the biggest problem with biometrics – the failure of the biometrics industry itself to educate people about how its technology actually works.
There may be more flaws found in Apple’s fingerprint technology, and if any of them turn out to be as easy as the Gummy Bear attack then, indeed, the technology will be proved to be weak. But that hasn’t happened yet. Quite the reverse.
To recap, does the CCC exploit show that the iPhone 5s’s fingerprint security can be defeated? Absolutely. Well done them. Does it prove that it will be in the real world? No.