Today, Germany’s Chaos Computer Club claims to have hacked the iPhone 5s Touch ID. Since I now get paid to think about Identity stuff all the time, I’ll think out loud about the question: “Is Touch ID a good idea?”

Let’s assume that:

  • The CCC isn’t lying.

  • The crack isn’t trivial; you’re going to need some materials, time, and expertise.

Let’s split our question: First, is Touch ID worthwhile? Second, is it better or worse than a four-digit PIN? [BTW, just because banks use four digits doesn’t mean you have to; I use five and know people who use six.]

BTW, I think it’s fair to say that as of today, Touch ID and Android Face Unlock are qualitatively a wash, security-wise.

Is Touch ID Worth Having? · I’d say yes (cautiously). John Gruber points out that pre-Touch-ID, the most popular iPhone lock method was none, swipe and you’re in. If this changes that, it’s probably worthwhile.

I should note that the CCC disagrees. I’d urge everyone who cares to read their essay on the crack carefully. I quote: “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.” Well, yeah... if what you’re mostly worried about is a skilled, determined adversary; such as a government official.

So let’s look at scenarios.

Scenario: Your phone is stolen · I’m thinking that Touch ID and a PIN stack up about equal here. First, because most thieves are after the hardware not the information. Second, because unless you’re really unlucky, you can probably remote-wipe the phone before the bad guys get their act together to replicate the CCC crack.

On the other hand, if you’re James Bond and Goldfinger gets your phone, you’re going to wish you’d done the PIN thing to buy time till you can shoot your way into his HQ.

And if you’re Ed Snowden and the NSA gets your phone, you just know they’re going to put it in a Faraday cage and use better gear than CCC has, so you’re toast either way.

Scenario: You’re arrested · It really depends who arrests you. If it’s the forces of Bashar el-Assad, they’d probably rather torture you for the PIN than do the icky fingerprint-hack work, anyhow.

If it’s the border agents of the US or Great Britain, you have no rights and they can take their time doing the CCC hack, so you’re better off with a PIN. Except for the UK law seems to say that if you don’t cough up the PIN they can throw you in jail for the duration.

If it’s the employees of a reasonably civilized government, chances are they can hold your finger up against the phone accidentally-on-purpose, or alternately use the packaged-for-Law-Enforcement version of the CCC hack which will probably be shipping by year-end 2013 from major vendors. So you’re probably better off with the PIN. This is assuming they don’t have good reason to think you’ve got kiddie porn on the phone, and that you’ve got a good lawyer who’ll get you out before they wear you down.

You may have noticed that the preceding paragraphs rely on a lot of very situationally-specific assumptions. So, the answer is, it depends on who you are, what you do, and where you go.

Me, I’d stick with my 5-digit PIN for the foreseeable future.



Contributions

Comment feed for ongoing:Comments feed

From: James (Sep 22 2013, at 16:51)

Why do all the commenters on Apples TouchId not spend a few minutes to understand how it works?

The fact is that to use the fingerprint unlock you must also have a pin--it's not optional. Using the fingerprint scanner affords most people the option of having much more secure pin--even better than a paltry 5-digits.

If the scanner isn't used on a couple of days, iOS requires entry of the pin. This info is all available if you spent just a few minutes to educate yourself before commenting.

[link]

From: Gareth Simpson (Sep 22 2013, at 19:25)

I'm not sure I share your conclusions here.

Physical access to a device has always been considered game over and you've lost to the hackers.

Law enforcement, for example, are going to plug in a cable and run something like XRY ( http://www.msab.com/xry/what-is-xry ), not faff about making fake fingerprints.

Pin codes and Touch ID are about keeping out opportunists, hopefully long enough for you to do Find My iPhone and/or remote wipe.

So you while you acknowledge the big win here, you dismiss its significance, to wit, Touch ID might be a wash compared to a passcode, but it's a big step up from no password at all.

[link]

From: John Roth (Sep 22 2013, at 21:08)

I have to agree with the person who said "if someone has physical access, it's basically game over." The Chaos Computer Club's point is that there are too many people who are regarding biometrics as equivalent to the Holy Grail.

I'm more interested in whether someone can do a remote crack involving the fingerprint hardware and software, or whether they can crack it if they have the device but they don't have a scan of the finger.

[link]

From: Fred (Sep 22 2013, at 23:16)

Also keep in mind that the PIN is useless vs. law enforcement.

The design is theoretically secure — but qualified po-po can send devices to Apple, where they maintain a lab that will load a specially signed bootloader onto it that will brute-force the key with the lockout protections disabled.

[link]

From: dave (Sep 23 2013, at 01:21)

If you are arrested with your phone, and the police wanted access to your phone, wouldn't they just directly press your finger against the sensor instead of bothering with fingerprinting you, then replicating your print?

[link]

From: Andrea (Sep 23 2013, at 02:18)

About the "you're arrested" scenario.

The torturer can simply cut your hands off and try each and every finger to unlock the phone.

That's why it's better to register other body parts as a touch ID token.

Regarding the better body part, let's leave it at "other".

[link]

From: Free Markets rule (Sep 23 2013, at 07:54)

Well, Apple sold a record 9 million iPhone this weekend, so let the competition keep the free markets system well lubricated and ultra competitive. So long as we never have a monopoly (did you hear that Ray Kurzweil Mr. Singularity? The iPhone is not going anywhere so don't dream of an Android monopoly anytime soon).

[link]

From: Dave Walker (Sep 26 2013, at 08:50)

I'd like to add another scenario, being a variant on "your phone is stolen" - "your phone is snatched out of your hand while you're using it, by a thief who then makes good his escape".

The key, here, is that you're using your phone - so you're already authenticated to it, by whatever means you use, and it's unlocked. The thief can therefore make use of any apps which don't require secondary authentication, and naturally the first thing he'll do will be to disable your phone auto-lock before it times out.

Various police forces will confirm that this is a common criminal MO.

Now, something you could potentially do with the fingerprint sensor (and the Face Unlock feature, on Android) would be a process of continuous authentication, if the API lets you.

On Android, if I've authenticated to my 'phone and am using it, I'm either holding it up to my ear (which is likely to be problematic, unless Android device front-facing cameras are better in low light that I'm aware), or holding it in my hand(s), looking at it and typing on it. For this second case, a variant of the Face Unlock capability - using the same bunch of DSP, anyway - could check, perhaps on a per-keystroke granularity, that I'm still in the frame - or at least, that a bunch of pixels in the middle of the frame haven't changed beyond a given threshold. If they have changed, then drop any transactions and lock.

Similarly with the fingerprint sensor, having it on the Home button is a sensible move; it's ambidexterous, and it's (probably) not awkward to shift one's grip so the thumb is always resting on the sensor when in use - OK, it throws 2-handed typing in landscape out the window, but portrait use is still good 2-handed. Having played with an iPhone 5S in an Apple Store for long enough to register my thumb and perform a few crude unlock speed tests, the sensor is fast enough to be able to read a print at every keystroke (<0.2s to read), and again drop transactions and passwd-lock if the thumb goes away, then the effort needed to subvert the sensor means it's still useful to mitigate the unlocked 'phone-snatch threat.

Just a thought...

[link]

From: Unlocked (Sep 28 2013, at 15:44)

"BTW, I think it’s fair to say that as of today, Touch ID and Android Face Unlock are qualitatively a wash, security-wise."

One requires a 2400 dpi scan of the finger print then a 1200 dpi print onto a transparent sheet, as well as requiring that the phone owner has authenticated their device with the TouchID in the last 24 hours.

The other requires Google Image search (or Facebook, or any other image source). http://thenextweb.com/google/2011/11/11/android-4-0-face-unlock-feature-defeated-using-a-photo-video/

One requires skill and specialized hardware. The other my sister in elementary could do. Qualitatively a wash by all means.

[link]

author · Dad
colophon · rights
picture of the day
September 22, 2013
· Technology (90 fragments)
· · Identity (44 more)

By .

The opinions expressed here
are my own, and no other party
necessarily agrees with them.

A full disclosure of my
professional interests is
on the author page.

I’m on Mastodon!