Schneier is, not surprisingly, all over this.
Short version: “It’s fine if your fingers unlock your phone. It’s a different matter entirely if your fingerprint is used to authenticate your iCloud account.”
This would be plausible if the iPhone’s sensor didn’t require capacitance to be present in a pattern that matches the fingerprint – no chopped off digits or high resolution print outs will work. It may be possible to do some Mission:Impossible style overlay that adjusts the capacitance of an existing fingerprint to match a scan of somebody else’s, but by that point you’ve probably got bigger things to worry about than whether the super spy wants to read your phone.
This is why I thought that scene from TDKR where Bane took Bruce Wayne’s entire fortune with little more than a fingerprint seemed to be either a major stretch of credibility or an even bigger security hole.
It may well be that the capacitive sensors are harder to fool than some of the risible early models; but (if you have a copy of the print) it still won’t be rocket surgery to coat a finger-shaped chunk of approximately-human-meat-level-conductive material (such as, among other things, the rubbery stuff that a zillion cheap capacitive styluses are made of, or a hot dog. Not spook stuff) with a patterned dielectric layer modeled after the print.
Probably harder than the jell-o and bad attitude method; but doable.
The article about being mutilated by thieves is a fun bit of pointless scaremongering. I’ll take Cory’s statement of “if you’re willing to cut off someone’s fingertip to unlock his phone, you’re probably also willing to torture him into giving up his PIN” a bit further: If you’re under attack by someone who is willing and able to mutilate someone else to see what they might have in their Notepad app, then you’re boned, regardless of what personal tech you might or might not have on you.
You have 10 fingers with different fingerprints, use more than one (say 4) and change the sequence periodically. Now you have a 4-digit PIN… Doh!
What’re the attacks against retina scan id? I heard from a guy who worked in the department that made the security gadgets guarding U.S.S.R. missile silos that the Russians were worried about severed heads and so on so they made theirs so that the blood vessels in the eye being scanned had to pulse with a heartbeat and that the whole eye had to microscopically jiggle. Otherwise it was considered to be a “compromised” eyeball. The scan was 3D as well so a printout or a screen wouldn’t work.
Admittedly, the best part of these retinal scan authentications was the “Notary Public” aspect of them that certified that only a live head was used: lots of guys with guns watching the reader station. However I think in fixed installations where you could get a scanner with some good optics, such as an ATM or car, a retinal scan could be OK. Be interested to see if I’m wrong about that.
MythBusters fooled it with a printout that they licked and stuck to their thumb…
Hmmm… I think I’ve finally found a really good use for a small 3D printer.
“Unless you never venture into public without a clean-room bunny-suit, mirrorshades, and sharp gravel in your shoes,”
If you do that, you don’t need ID. Everyone knows it’s you.
By the way, I’m all over impressed you got Mr. Rogers on the record about this. He’s never fooled by make believe.
Biometrics are fantastic, when there is a trusted path from the authenticator to the person authenticated.
A great example: a thumbprint scanning door lock that can be fooled by a fake fingerprint embossed in gelatine and stuck to a hotdog is completely vulnerable if it’s sitting on its own on the front of a building. The exact same door lock with an armed guard who will haul you away at gunpoint if you start fooling around with sausages on the thumbprint scanner is very secure.
Severed fingers and casts made from fingerprints need not apply:
[The iPhone 5S fingerprint sensor] can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. That only works on a live finger; not one that’s been severed from your body.
Good article. On the “severed finger” front, it’s probably not going to be necessary to torture anyone. Phone robbers, (it’s the iPhone 5S that triggered the interest), need only shout “Unlock it, &^%#!!” as the victim hands it over, then add their own prints to the phone’s database. Crude, I admit, next to all the 3D printed meat snacks, but it’s the likeliest scenario that I came up with.
A seven-year-old optical scanner using completely different tech from the iPhone was fooled? That’s it. The 5S is toast.
I laughed hard at the Independent article yesterday and the comments below it debunk many of these paranoid points. First of all reporter Katie does not name a source. Then as many point out, the Touch ID does not go for the actual print, but something something science-fancy … dead fingers and replicas won’t work.
I think it is just fun to write paranoia articles about everything new that comes around …
There are major flaws in the section “Does my iPhone store my fingerprint?”. It assumes you can store fingerprint templates like passwords – salt and hash. It doesn’t work that way. Because biometrics never offer perfect matches, you can’t just hash them – you will never get a bit for bit match, which hashing assumes. There are some systems that try to address this (search “biometric encryption”), but they are not in common usage (if Apple used this, they certainly would be advertising it).
Also, this idea that you can’t reconstruct a biometric from the template has been debunked. Search “biometric hill-climbing attack”. But, it doesn’t really matter – the template contains all the discriminating features needed to recognize someone. Having the original image is nearly irrelevant.
There’s no question that Touch ID is meant to be a convenience feature, not a serious security feature. Simply, all biometric systems can fail in a variety of ways, and no serious security system would be based only on a single factor biometric system. As Schneier says, adding a guard with a big gun to prevent messing around is very effective.
Also, this is completely true:
The iPhone does not do this.
Full disclosure: I’m the CEO of Bionym, which makes the Nymi. It’s a 3-factor authentication system, and the idea is to build a chain of trust between the user and a wearable device (the wristband), and then the wristband securely communicates identity (not biometric data) to other devices. The biometric is only utilized to secure a short section of chain of trust.
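The salt-and-hash point in the comment above, as an added example (not code from the article, the commenter, or Apple): a salted hash rejects a second scan that differs in a few bits, while a toy fuzzy commitment, one scheme of the "biometric encryption" kind, corrects the noise before hashing. The 40-bit templates, the 8-bit key and the 5x repetition code are constructed stand-ins for real templates and a real error-correcting code.

```python
import hashlib, hmac, os, random

REP = 5  # repetition code: each key bit sent 5 times, majority vote fixes <=2 flips

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def digest(salt, bits):
    return hashlib.sha256(salt + bytes(bits)).digest()

def verify_naive(record, salt, reading):
    # Password-style check: only a bit-for-bit identical reading matches.
    return hmac.compare_digest(record, digest(salt, reading))

def enroll_fuzzy(template, key_bits, salt):
    # Store template XOR codeword (helper data) plus a salted hash of the key.
    helper = [t ^ c for t, c in zip(template, encode(key_bits))]
    return helper, digest(salt, key_bits)

def verify_fuzzy(helper, key_hash, salt, reading):
    # reading XOR helper = codeword XOR noise; decoding removes small noise.
    recovered = decode([r ^ h for r, h in zip(reading, helper)])
    return hmac.compare_digest(key_hash, digest(salt, recovered))

def demo():
    rng = random.Random(7)  # constructed sample data, not real biometrics
    template = [rng.randint(0, 1) for _ in range(40)]
    key_bits = [rng.randint(0, 1) for _ in range(8)]
    # Same finger, new scan: one flipped bit in every group of five.
    noisy = [b ^ int(i % REP == 2) for i, b in enumerate(template)]
    impostor = [1 - b for b in template]  # a different "finger"
    salt = os.urandom(16)
    naive_record = digest(salt, template)
    helper, key_hash = enroll_fuzzy(template, key_bits, salt)
    return {
        "naive_exact": verify_naive(naive_record, salt, template),
        "naive_noisy": verify_naive(naive_record, salt, noisy),
        "fuzzy_noisy": verify_fuzzy(helper, key_hash, salt, noisy),
        "fuzzy_impostor": verify_fuzzy(helper, key_hash, salt, impostor),
    }

if __name__ == "__main__":
    print(demo())
```

The stored helper data is only as safe as the template is unpredictable, so it still needs the same protection as any other credential record.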
I’m not particularly worried about this vulnerability (if you’re willing to cut off someone’s fingertip to unlock his phone, you’re probably also willing to torture him into giving up his PIN)…
But maybe the advantage of PINs and keys over fingertips isn’t that the data or car is more secure - just that when it’s not worth it, you can give them up before you are permanently injured, keeping you more secure.