It took only days for the hackers of Germany’s Chaos Computer Club to claim victory in the challenge to break Apple’s vaunted new security feature in the iPhone 5s. The CCC “biometrics hacking team” used a photo of a fingerprint from a glass surface to fashion a fake finger that they then used to fool the newest iPhone into unlocking. “This demonstrates – again,” the group said in a statement, “that fingerprint biometrics is unsuitable as access control method and should be avoided.”
Actually, it demonstrates no such thing.
The new iPhone debuted on Friday, September 20. The CCC team announced their successful hack roughly 48 hours later. But if you think this is a crushing defeat for Apple, think again. Apple's technology is good enough for most common applications. But no fingerprint reader is unhackable.
Biometric information like fingerprints and retina scans are useful pieces of a multi-factor authentication puzzle. Although the CCC claims they used “materials that can be found in almost every household,” it’s unlikely that many households have the imaging technology to capture a fingerprint in a 2400 dpi photograph, clean up the resulting image and print it at 1200 dpi “onto transparent sheet with a thick toner setting,” and then “smear pink latex milk or white woodglue” into the pattern to make a fake finger like the one that successfully bypassed the security of Touch ID.
Despite the slightly high-end lab equipment, this isn’t exactly rocket science. The source fingerprint probably looked like this:
And the lab bench where the fake finger was created probably looked something like this:
Images: Hacking Fingerprints (2003), Antti Kaseva and Antti Stén
Cool, huh? Except those pictures aren't from the CCC. They're from a similar hack that was publicized more than a decade ago. Back in 2003, another group led by researchers Antti Kaseva and Antti Stén posted an almost identical description of a fingerprint hack using a Windows-based fingerprint scanner that was, at the time, state of the art:
The hack is to create an artificial finger using a mold that is manufactured from a latent fingerprint left by the legitimate user. The fingerprint can be obtained from just about anywhere, mug, door handle, rail etc. With this artificial finger the hacker should be able to intrude a system if the mandatory smart card required for logon is available and in use.
And they demonstrated that they could do exactly that. In 2003. The only difference between that hack from a decade ago and the one from this weekend is the resolution of the captured fingerprint.
As usual, Apple has managed to blur the thin line between technical reality and marketing claims. Apple’s support document, “iPhone 5s: About Touch ID security,” is practically oozing with buzzwords and marketing-speak:
The technology within Touch ID is some of the most advanced hardware and software we've put in any device. To fit within the Home button, the Touch ID sensor is only 170 microns thin, not much thicker than a human hair. This high-resolution 500 ppi sensor can read extremely fine details of your fingerprint. The button itself is made from sapphire crystal—one of the clearest, hardest materials available. This protects the sensor and acts as a lens to precisely focus it on your finger. The steel ring surrounding the button detects your finger and tells Touch ID to start reading your fingerprint. The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. Touch ID then intelligently analyzes this information with a remarkable degree of detail and precision. … Touch ID uses all of this to provide an accurate match and a very high level of security.
The article goes on to note that the odds of a random stranger’s fingerprint matching yours is in the neighborhood of 1 in 50,000, which is “much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode.”
Unless they've captured a 2400 dpi image of your fingerprint, in which case the odds improve dramatically.
The underlying technology in the iPhone 5s was undoubtedly influenced, if not outright authored, by Authentec, a pioneer in fingerprint and NFC technology, which Apple acquired for a reported $365 million a little over a year ago. Authentec's technology has been part of the PC landscape for years, mostly on enterprise-class notebook PCs.
And the company wasn’t shy about tooting its own horn in regard to its technical chops. This claim, for example, is on an archived “Technology” page from the now-shuttered Authentec website:
AuthenTec's anti-spoofing technology dynamically measures the properties of finger skin placed on the sensor while the finger is being scanned. This patented technology ensures that only real fingerprints are read by converting the properties of the skin into digital data which are delivered to the host computer for analysis. AuthenTec anti-spoofing technology then compares the data with expected properties to ensure fingerprint authentication. [emphasis added]
Oddly, the current version of the Authentec.com website does not mention the company’s acquisition by Apple. If you visit the site looking for updated Windows drivers or software, you’re redirected to a support page that cryptically notes: “AuthenTec was acquired in October 2012 and the new owner has discontinued the products and services supported on this site.”
“The new owner,” of course, is Apple. But that name doesn’t appear anywhere on the authentec.com domain, which has been scrubbed of most of its PC-era content.
The real lesson in all of this isn’t that fingerprints are untrustworthy. In fact, the opposite is true. For everyday use, a fingerprint is far more secure than a four-digit passcode.
If your data is valuable enough for an attacker to go to the trouble of stealing a super-high-resolution photo of your fingerprint and molding a fake finger, you probably should be using multi-factor authentication. And in fact the iPhone already does that. Your fingerprint enrollment information is stored in a secure area in the A7 processor that powers the iPhone 5s. If someone manages to steal your fingerprint, they also need to steal your phone. That fake finger by itself won’t work with another iPhone unless you also have your Apple account credentials.
Windows 8.1, which was released to manufacturing a month before iOS 7 but won’t hit shelves until October, has similar technology. A fingerprint identification framework designed for use with the same type of reader as is found in the new iPhone (a big improvement over older swipe-based fingerprint readers) is built into Windows 8.1. It can be combined with the Trusted Platform Module (TPM) in a Windows 8.1 device to create a virtual smartcard that makes spoofing of enterprise network credentials very difficult.
In its part-marketing/part-technical document, Apple says it's come up with a solution that offers the same secure storage of biometric data, without any of the standards support that TPM includes:
iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 and as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can't be used to match against other fingerprint databases.
Regardless of the platform you’re using, high-value data should never be secured by a single factor. You’re in pretty good shape if you insist on a successful fingerprint identification combined with a strong passcode (more than a simple four digits) and a device that’s been registered with the network. If you’re a thief and you can successfully combine all those factors, congratulations. You should be in a John Le Carré novel.
Meanwhile, back here on Earth, your fingerprint is a convenient way to protect the garden-variety secrets and shopping we all keep. Combine it with a reasonably strong passcode and you should be perfectly safe. Unless you’re also a character in a spy novel.