by David Shear and Joe Stewart
On September 10th Apple announced the new iPhone 5s. With many new upgrades, there was one new additional feature that particularly drew the interest of both the media and consumer. It was the announcement of the new fingerprint biometrics included in the iPhone known as the Touch ID®. Finger print technology as a means for identification in the security industry has been utilized for years. Apple is the first smart phone company to incorporate it into a hand held consumer device. The Touch ID® security is described as a way to use your fingerprint as a passcode. Apple has reported that “over 50% of smartphone users don’t use a passcode.” Apple's Touch ID® is an easier way for the consumer to activate the feature and secure the contents of the device. As with all security related software, it is just a matter of time before someone breaks the code and designs a work-around. Ten days after the launch, the hacking team known as Computer Chaos Club (CCC) designed a work-around for the new fingerprint security system. The interesting thing is that the process CCC used to compromise the Touch ID security is an update to a well-known technique known in security circles for years. According to news reports, in 2002 a Japanese cryptographer used gelatin (found in food items) and a plastic mold to create a fake finger which was used to fool fingerprint detectors four times out of five.
The process is outlined in greater detail on CCC’s website:
- Locate an item with a generally glossy surface such as a glass, doorknob, etc.
- Apply Cyanoacrylate (a main ingredient in super glue) to the aforementioned fingerprint.
- A reaction occurs with the residue left from the fingerprint, leaving a solid white substance.
- Take a high resolution photo of the fingerprint.
- Upload the image to your computer.
- Now to get an exact image to use as a fingerprint, you must print the image on a transparency slide (commonly used with projectors).
- The toner will form a relief which will then be followed by wood glue coating to make a dummy of the fingerprint.
- Once done, cover the dummy fingerprint with wood glue.
- Remove fingerprint and cut to finger size.
- Glue the dummy fingerprint to your own finger and you can use it to bypass the scanner.
CCC made a video to document the experiment which can be found here.
As with any technology, we have to look at it through the mind of the criminal element. The information on the smart device would have to be of great value to entertain the process utilized above. For the average consumer, the information on their particular device is probably not worth the time or effort to compromise the data. The critical element here is the print itself. I would suspect it would have to be in very good, if not pristine condition. The slightest smudge would render the print ineffective for counterfeit purposes. The current work-around would more likely be used in a James Bond movie rather than to compromise an everyday consumer’s iPhone.
If you are an individual concerned by the above scenario then a secure data storage application would be an additional line of defense to protect your data. The encrypted data would be very difficult to access unless the perpetrator was versed in the application being utilized to protect the information. Once again, what does the average consumer have on their smart device that would be worth the effort to go through the process described by CCC? Remember, the perpetrator has only five attempts to break through the scanner or the security feature falls back to the passcode.
For anyone generally concerned about security on their new iPhone 5s, a few tips that can help further secure your phone:
- Turn Simple Passcode off. This alone will allow you to implement a passcode which is something longer and more secure with a variety of symbols, numbers, upper and lower case letters.
- Constantly delete/backup any information you would not someone else to have access to.
- Use of encrypted data storage applications to store information that you don’t want accessed by others. Some of those applications include “Stash,” “GoodReader,” “Vault,” etc.
Also, a comprehensive BYOD (bring-your-own-device) policy would be very beneficial. The amount of smartphone users is on the rise, but mobile security is still in its infancy. Using the steps listed above would be incredibly beneficial in limiting the scope of compromises and attempts to access the data on your device. The best security practice is to not store sensitive data on your phone or device. Each individual’s device and security needs are unique. There is no cookie cutter system for everyone. The level of security should be dictated based on needs of the user/consumer. For the majority of the iPhone 5s users, the Touch ID® security component is drastically more secure than just a four digit passcode. Nothing is ever 100% secure, but this additional feature is a step in the right direction. You will more likely be targeted by a phishing campaign than a targeted iPhone attack. Safe security implementations will allow you to be secure, and decrease the chance of your data being compromised.
Can my fingerprint now be stored or accessed by Apple?
Lately, there has been concern from some consumers that companies are sharing their data with government entities, and thus there is some worry that your fingerprint can be stored and accessed by outside entities (government, applications, etc.). The IPhone 5s FAQ page states:
“Touch ID® does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for your actual fingerprint image to be reverse-engineered from this mathematical representation. IPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7, as well as the rest of IOS. Therefore, your fingerprint data is never accessed by IOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can't be used to match against other fingerprint databases.”
The implication here is that the fingerprint is in no way accessible by anything but Touch ID®.
Senator Al Franken asked Apple specific questions regarding the overall privacy of the Touch ID® system. Perhaps the most important question was whether Apple would share the fingerprint data with intelligence agencies. If the claims supported by Apple are true, then there would be no way for them to share the data with any company, agency, etc. In conclusion, as with all technology, many entities will try and crack the security features. However, a publicly available system for breaking the “mathematical representation” of an individual’s fingerprint is not known of, and it is not known if any government agency has cracked this code. Even then, this feature is optional. Adopting security practices are an individual’s responsibility and Apple is just offering you an upgraded capability to secure your data via the IPhone 5s.