On September 20, Apple released the iPhone 5S with TouchID, a fingerprint scanner meant to add a new layer of security to the smartphone. On September 22, someone hacked it. Yeah, that didn't take long.
So TouchID is nothing but a big insecure sham, right? Well, mobile security company Lookout's Marc Rogers says no. "TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone," Rogers writes in a Lookout blog. "But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial. Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician."
Rogers' blog runs through the challenges of faking out Apple's TouchID sensor. First comes figuring out which fingerprint to lift in the first place, since it has to be a print mapped by the sensor, and can't be smudged from motion. The obvious choice, the thumb, isn't so easy. "The thumb doesn't often come into full contact with the phone and when it does it's usually in motion," he writes. "This means they tend to be smudged."
Even if you can get a print, you have to go through the process of developing the fingerprint with fumes and powder and lifting it without fingerprint tape. Again, without smudging it. It's not as easy as it is on TV. And once you have that print, you have to go through an even more complex process to make a fingerprint mold that involves printing onto a transparent film and messing around with a bunch more chemicals.
Rogers emphasizes that TouchID is a convenient security control, which ultimately may be more important than a very strong security control. People who find PINs inconvenient may opt in to TouchID, and the average mugger isn't going to be able to break into the phone with TouchID in the way.
The blog makes a strong case for two-factor authentication using PINs and fingerprint scanning. Rogers also points out that the biggest security concerns around TouchID have to do with how Apple handles the fingerprint data it's getting. "What data does Apple capture from a finger as it is enrolled?" he asks. "How is this data stored and how is it accessed? Can this data be used to recreate a user's fingerprint mathematically or through visual reconstruction? ... Fingerprints are viewed quite differently to passwords and PINs in the eyes of the law. For example, the police or other law enforcement officials can compel you to surrender your fingerprints, something they currently can’t do quite as easily with passwords or PINs despite some recent judicial challenges to that position."
When Apple announced TouchID, it made a point of stating that the fingerprints wouldn't be stored in the cloud, so we at least don't have to worry about a large-scale fingerprint theft situation.
Want to see a fake fingerprint bypass Apple's sensor? Check out the first video of the hack in action.