Apple's advanced fingerprint technology is hacked; should you worry?

Summary: Less than 48 hours after the iPhone 5s went on sale, a group of German hackers claimed to have lifted a fingerprint and created a fake finger that could spoof Apple's "advanced" biometric technology. But anyone who's been paying attention to biometrics wasn't surprised.

TOPICS: Apple, Security

It took only days for the hackers of Germany’s Chaos Computer Club to claim victory in the challenge to break Apple’s vaunted new security feature in the iPhone 5s. The CCC “biometrics hacking team” used a photo of a fingerprint from a glass surface to fashion a fake finger that they then used to fool the newest iPhone into unlocking. “This demonstrates – again,” the group said in a statement, “that fingerprint biometrics is unsuitable as access control method and should be avoided.”

Actually, it demonstrates no such thing.

The new iPhone debuted on Friday, September 20. The CCC team announced their successful hack roughly 48 hours later. But if you think this is a crushing defeat for Apple, think again. Apple's technology is good enough for most common applications. But no fingerprint reader is unhackable.

Biometric information, like fingerprints and retina scans, is a useful piece of a multi-factor authentication puzzle. Although the CCC claims they used “materials that can be found in almost every household,” it’s unlikely that many households have the imaging technology to capture a fingerprint in a 2400 dpi photograph, clean up the resulting image and print it at 1200 dpi “onto transparent sheet with a thick toner setting,” and then “smear pink latex milk or white woodglue” into the pattern to make a fake finger like the one that successfully bypassed the security of Touch ID.

Despite the slightly high-end lab equipment, this isn’t exactly rocket science. The source fingerprint probably looked like this:

[Image: fingerprint-hack]

And the lab bench where the fake finger was created probably looked something like this:

[Image: fingerprint-hack-2003]

Images: Hacking Fingerprints (2003), Antti Kaseva and Antti Stén  

Cool, huh? Except those pictures aren't from the CCC. They're from a similar hack that was publicized more than a decade ago. Back in 2003, another group led by researchers Antti Kaseva and Antti Stén posted an almost identical description of a fingerprint hack using a Windows-based fingerprint scanner that was, at the time, state of the art:

The hack is to create an artificial finger using a mold that is manufactured from a latent fingerprint left by the legitimate user. The fingerprint can be obtained from just about anywhere, mug, door handle, rail etc. With this artificial finger the hacker should be able to intrude a system if the mandatory smart card required for logon is available and in use.

And they demonstrated that they could do exactly that. In 2003. The only difference between that hack from a decade ago and the one from this weekend is the resolution of the captured fingerprint.

As usual, Apple has managed to blur the thin line between technical reality and marketing claims. Apple’s support document, “iPhone 5s: About Touch ID security,” is practically oozing with buzzwords and marketing-speak:

The technology within Touch ID is some of the most advanced hardware and software we've put in any device. To fit within the Home button, the Touch ID sensor is only 170 microns thin, not much thicker than a human hair. This high-resolution 500 ppi sensor can read extremely fine details of your fingerprint. The button itself is made from sapphire crystal—one of the clearest, hardest materials available. This protects the sensor and acts as a lens to precisely focus it on your finger. The steel ring surrounding the button detects your finger and tells Touch ID to start reading your fingerprint. The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. Touch ID then intelligently analyzes this information with a remarkable degree of detail and precision. … Touch ID uses all of this to provide an accurate match and a very high level of security.

The article goes on to note that the odds of a random stranger’s fingerprint matching yours are in the neighborhood of 1 in 50,000, which is “much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode.”

Unless they've captured a 2400 dpi image of your fingerprint, in which case the odds improve dramatically.

The underlying technology in the iPhone 5s was undoubtedly influenced, if not outright authored, by Authentec, a pioneer in fingerprint and NFC technology, which Apple acquired for a reported $365 million a little over a year ago. Authentec's technology has been part of the PC landscape for years, mostly on enterprise-class notebook PCs.

And the company wasn’t shy about tooting its own horn in regard to its technical chops. This claim, for example, is on an archived “Technology” page from the now-shuttered Authentec website:

Anti-Spoofing

AuthenTec's anti-spoofing technology dynamically measures the properties of finger skin placed on the sensor while the finger is being scanned. This patented technology ensures that only real fingerprints are read by converting the properties of the skin into digital data which are delivered to the host computer for analysis. AuthenTec anti-spoofing technology then compares the data with expected properties to ensure fingerprint authentication. [emphasis added]

Oops.

Oddly, the current version of the Authentec.com website does not mention the company’s acquisition by Apple. If you visit the site looking for updated Windows drivers or software, you’re redirected to a support page that cryptically notes: “AuthenTec was acquired in October 2012 and the new owner has discontinued the products and services supported on this site.”

“The new owner,” of course, is Apple. But that name doesn’t appear anywhere on the authentec.com domain, which has been scrubbed of most of its PC-era content.

The real lesson in all of this isn’t that fingerprints are untrustworthy. In fact, the opposite is true. For everyday use, a fingerprint is far more secure than a four-digit passcode.

If your data is valuable enough for an attacker to go to the trouble of stealing a super-high-resolution photo of your fingerprint and molding a fake finger, you probably should be using multi-factor authentication. And in fact the iPhone already does that. Your fingerprint enrollment information is stored in a secure area in the A7 processor that powers the iPhone 5s. If someone manages to steal your fingerprint, they also need to steal your phone. That fake finger by itself won’t work with another iPhone unless you also have your Apple account credentials.

Windows 8.1, which was released to manufacturing a month before iOS 7 but won’t hit shelves until October, has similar technology. A fingerprint identification framework designed for use with the same type of reader as is found in the new iPhone (a big improvement over older swipe-based fingerprint readers) is built into Windows 8.1. It can be combined with the Trusted Platform Module (TPM) in a Windows 8.1 device to create a virtual smartcard that makes spoofing of enterprise network credentials very difficult.

In its part-marketing/part-technical document, Apple says it's come up with a solution that offers the same secure storage of biometric data, without any of the standards support that TPM includes:

iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 and as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can't be used to match against other fingerprint databases.

Regardless of the platform you’re using, high-value data should never be secured by a single factor. You’re in pretty good shape if you insist on a successful fingerprint identification combined with a strong passcode (more than a simple four digits) and a device that’s been registered with the network. If you’re a thief and you can successfully combine all those factors, congratulations. You should be in a John Le Carré novel.

Meanwhile, back here on Earth, your fingerprint is a convenient way to protect the garden-variety secrets and shopping we all keep. Combine it with a reasonably strong passcode and you should be perfectly safe. Unless you’re also a character in a spy novel.


Talkback

110 comments
  • Finger worry

    The part that worries me is that Apple's claim that only a live (attached) finger will do is apparently false.
    Don Reba
    • You aren't paying attention.

      They demoed the hack with a "live (attached) finger" that's not the problem, so it's safe to assume that's required.
      matthew_maurice
      • Likely this technology is for law enforcement requests

        Good article, Ed; and Matt/Don, you're right!

        For those that didn't see the video, or understand it (because they are in Germany), I believe the point trying to be made was showing that the stored finger print data, in the phone, was based on an actual fingerprint.

        So the hackers didn't want to show how to collect the print. Maybe part of the demonstration is best.

        The scary thing, however, is that for many legal-related issues, fingerprints are collected by police, using collection of prints. If authorities ever execute a warrant, they'll get your fingerprints, and using this documented process, police could lawfully search your phone.

        If correct, it's more likely that the new technology is in response to an article I read online about Apple's backlog and ability to lawfully unlock phones to satisfy warrants in ongoing legal investigations. If a warrant is executed, and the person refuses to provide the passcode, or in situations, per-se of "Wrongful Death Investigations" where investigations are stopped, it was taking Apple 3-6 months to unlock and download information from iPhones and iDevices.

        Other info disclosed was that Apple's fingerprint sensor chip was of higher resolution. The fingerprint had to be "scanned into a computer at 2400dpi". Likely this was because when it was brought into a program like Photoshop or GIMP, where the photo is inverted, and excess dust or finger print ink can be cleaned and removed.

        Still, you're at a point where prints need to be collected, scanned, and smudges have to be removed, then cleaned from the print. This is a lot of work.

        Still, it remains more secure than Android's Facial Recognition Technology to unlock a device. Merely holding a photograph in front of a phone's camera would unlock an Android.
        MalcolmTucker
        • They did not demo anything yet -- for now

          Not confirmed; this is make proper language.
          DDERSSS
        • Um..

          Whoa stop right there... Yes, the police collect fingerprints.. but they also have this lovely thing they can get called a warrant where they can just make the phone companies give up the data.

          The observation that it's a lot to go through to break the security is still a valid one.
          Benjamin NElson
          • umm

            Actually their general term was called writs of assistance.
            slickjim
          • NSA

            well that's all true except it's not if they have it they will do it look at it

            take the nsa they have all USA data and all phone calls recorded and stored in utah all photos and txts every data bit is stored and decrypted NO WARRANTS NONE

            and they use the data they collect on Americans to help arrest drug dealers etc and then try to back fill after arresting and finding things they can claim triggered their arrests
            livevegetable
      • You aren't paying attention

        could not find any mention about "demoed the hack with a live finger", at least not in this article. It only refers to a "fake finger".
        Rhuephus Phuche
        • Did you watch the video?

          I don't know where Bott got the "fake finger" thing, but in the video "demo" it's clearly a real finger with the fake fingerprint applied to its surface.
          matthew_maurice
          • For the unobservant.

            First go to the second link in the article, http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid and then go to the demo link from there, http://www.youtube.com/watch?v=HM8b8d8kSNQ Then you will see that they didn't use a fake finger, but a fake fingerprint on a real finger.
            matthew_maurice
          • In my eyes.

            that would be a real finger.. just as wearing a glove wouldn't make it a fake one..
            Benjamin NElson
        • Don't think that really matters one way or another...

          For most people, supplying a real finger instead of a fake one isn't exactly a problem (And per other comments, the demo uses a real one).
          ChickenLiver
      • Umm

        You said, "To Fashion a Fake Finger" and now you're telling him he isn't paying attention.

        Also, they demoed this very technique more than 25 years ago in Beverly Hills Cop so, it really isn't as hard as you're making it out to be.

        Even further, this equipment will be chump change for groups looking to buy the stolen phones because it now gives them access to all your account information as well.

        Fingerprint recognition is unreliable and I would have to agree with the Germans and say it isn't a sufficient means of protecting data. Maybe heartbeat patterns or something would be better. A key fob on a necklace or maybe a smart watch holding the access token (no token, no access period).
        slickjim
        • sorry

          Just realized you're not Ed! Didn't mean to imply you were wrong in your assertion.
          slickjim
        • It isn't that Fingerprint Biometrics is unreliable!

          It's that Apple purchased far inferior technology compared to its competitors like Samsung now choosing Validity Inc after Apple bought Authentec out from under them. Which were used on a Samsung Galaxy device demo early this year. After Apple bought Authentec and all their current customers got tossed into the gutter. But now Validity has contracts with Microsoft for Windows phones and Samsung for theirs, just to name two. HTC might be using Validity as well. So although Authentec has been hacked..... again..... now people know they aren't the only biometric sensor company on the planet. Nor most of all even the best!
          KronJohn
      • Live yes..... but it wasn't the actual enrolled person's finger!

        It's a spoof pure and simple. Because Authentec's technology isn't even close to the best. Apple bought Authentec just to keep Samsung from launching Galaxy S3 with its already planned and patented Authentec sensor in its home button!

        The truth is Samsung was already using Authentec, well before Apple bought them out from under them. Fact: Samsung had already planned on using an Authentec sensor in the Galaxy S3 as evidenced by this image pulled out of a GS3's firmware:
        http://www.biometricupdate.com/201305/rumors-point-to-an-embedded-fingerprint-sensor-for-galaxy-devices

        Samsung had applied for a patent on a Biometric Sensor in GS3's Home Button well before Apple had bought Authentec in November 2011. Then Apple after buying Authentec applied for patents themselves that were..... yes immediately granted by the USPTO while they continue to sit on Samsung's "First to File" patent that may never be granted!

        If this isn't a case of bona fide deceptive collusion between Apple and the USPTO, I don't know what is. We've seen it with Apple against Google too. Where the USPTO will grant patents to certain companies before other companies. So now Samsung though they were actually set to include a Biometric Sensor in the Galaxy S3 way before Apple even thought of it, will be second...... but hey.... guess what? With Validity's LiveFlex scan technology that fingerprint spoof wouldn't work. Because it scans the live tissue layers beneath the dead skin layers. The hacker's finger has to not only be LIVE.... but it had better be the same Live finger of the enrolled user!

        This is why even enterprise users were worried over using Authentec's technology (first hacked 10yrs ago), and then used on HP's laptop computers later in the 90's. Now if Ed is suggesting that everybody will use both fingerprint and a pin on Apple's iPhones or laptops like HP with Pro on its Macs, he's sadly mistaken. We are talking about users that think just because it's Apple's device it's secure and God Like already. Because with such trusting and simple minded users, all they'll ever use is one. At this point the fingerprint spoof is the most vulnerable, it's quicker and easier than using a brute force hack to get your pin too. All that hacker did is scan a print off the touchscreen. So guess what? Those using the fingerprint only log in will be getting hacked first. Which means probably over 80% of Apple's users will be vulnerable to this simple biometric hack!

        So simple is this fingerprint hack, that Apple's users have been opened up to a whole lot of harassment, practical jokes by friends and then thieves won't be far behind that. So like with the biometric sensors on HP's Notebook computers, it's bound to become just another ignored hardware feature on Apple's devices too. Samsung and the many others working with Validity Inc for Sensors, already have the far better odds in their favor. Nothing perfect, but at least Validity's sensors won't fall to this simple of a hack!

        http://www.validityinc.com/technology.php#liveflex
        KronJohn
    • What about normal usage too..?

      Another concern is in areas where it rains, or is humid, if water gets under the button, you'll likely have to replace the phone at least once during the contract. Especially if the design is similar to previous versions....

      Sometimes I receive important calls while taking a shower, or when I had wet hands. To take the call, I got water on the button, and the button didn't work after that. After research, I was able to get it to work (without the needed repairs) by spraying a drop of WD-40 between the cracks.

      However, with an image sensor, this trick likely won't work; if water gets between the glass and sensor, likely images would be blurred.

      I imagine the device is pretty much hosed and expensive to repair if it meets a drop of water, or cleaned with Windex.
      MalcolmTucker
      • Re: Sometimes I receive important calls while taking a shower

        You have two immediate solutions:

        1. Put your iPhone in one of those waterproof pouches/cases. There is plenty of choice here so you can select what fits your bath style.

        2. You know, there are waterproof phones out there. That is, phones made especially to be used in extreme weather conditions etc. You just put one of these in your bathroom and be done. You don't really need a smartphone to answer phone calls, do you?
        danbi
        • Of course he does.

          Those important phone calls are from a Mr. Carlos Danger.
          jvitous
          • lol

            and many lulz were had that day.
            Jacob VanWagoner