What does it mean that Touch ID was “hacked”?

So Apple designs a solution to those people, Touch ID. And some Germans guy discovered a decade old technique to fool the sensor. The negative hype on the Web is a bit misguided. Security conscious geeks are not the target audience for TouchID. The people who have no PIN or passcode at all are.

Earlier this year, security software vendor McAfee concluded a survey which indicates that almost a third of smart phone users find passwords and PINs so frustrating or inconvenient that they don't bother setting one. They are opting for no security.

Bruce Schneier offered some perspective in an article he wrote for Wired:

There are two ways an authentication system can fail. It can mistakenly allow an unauthorized person access, or it can mistakenly deny access to an authorized person. In any consumer system, the second failure is far worse than the first. Yes, it can be problematic if an iPhone fingerprint system occasionally allows someone else access to your phone. But it’s much worse if you can’t reliably access your own phone — you’d junk the system after a week.If Apple’s iPhone Has Fingerprint Authentication, Can It Be Hacked?

So Apple designs a solution to those people, Touch ID. And some Germans guy discovered a decade old technique to fool the sensor. The negative hype on the Web is a bit misguided. Security conscious geeks are not the target audience for TouchID. The people who have no PIN or pass code at all are.

The iPhone 5s is the first mobile device to make fingerprint access quick, reliable and simple enough that the masses will use it without hesitation. So much so that there’s really no excuse to not have it enabled on your phone anymore.

...

To be clear, the goal of Touch ID is not to be unhackable. The goal is to get more consumers to move from no security at all to some security.Smashing through the media hype: iPhone 5s fingerprint reader not really “less secure” or “hacked”

I think we will see that in a few years, finger print technology will be ubiquitous on mobile devices. Apple could improve on TouchID in one way though. It would be nice to have the ability to enable Touch ID with a PIN. Maybe it will in a future iOS patch. The user could have three options:

  • Use passcode or PIN
  • Use Touch ID
  • Use Touch ID with a PIN or passcode.

For now if you want to use Touch ID with increased security, register it to use the last two fingers on either hand (pinky and ring finger). Those are the fingers less likely to leave a print.

However, I'm just happy that Touch ID exists for those ignorant (stupid?) enough to not use a PIN or passcode. Let's get those people on board first. Let's be happy for those people. Then ... we can send Apple our geek checklist.

Apple's Touch ID Busted?

Forbes and others reported that a German computer group, Chaos Computer Club, has found a way to foil the sensor in Touch ID, Apple's biometric finger printer scanner for the the iPhone 5S.

The results and the methods used have yet to be corroborated (by anyone) but debate has already erupted on the internet.

These statements by reader makelvin argue the points I would have made so I'll just post them here.

Let me make one thing perfectly clear. There are no such thing as a 100% hack proof security measure. It does not exist. So the point of most security measure are to make it more and more difficult for unauthorized people to gain access to certain information that they should not have. So at the end, it about the trade-off between the amount of effort that it takes in order to obtain the unauthorized information you want to get.

In this scenario described by CCC, you will need a clear image of the fingerprint. They have to then scan it at 2400 dpi. Invert the image and print it out with a laser printer at 1200 dpi. They then pour milky latex or white glue to let it cure before peel it and try to use it on the sensor. How long did it take for the whole process to take? Did it take longer or shorter than trying to brute force 10,000 combination? And since the iPhone has a GPS with a Find My iPhone app; will the owner of the device have sufficient time to locate their stolen device and/or have its sensitive data whipped out before the hacker can break in?

The fingerprint sensor is not just about providing a better security measure than the PIN code. It is also about convenience while maintaining the necessary security. In the case of PIN code, people can try to brute force their way in with random combination; with fingerprint biometric, you HAVE to have a clear image of the authorized person’s finger. Without it, you have no chance of trying to break it at all.

So at end, regardless of whether CCC can accomplish what they described is real or not; they did not disprove the usefulness of the biometric sensor for iPhone. If someone truly want to disprove its usefulness, they need to hack in without needing the actual image of the person’s fingerprint. And they should be able to do within 15 minutes before the original owner have a chance to lock them out remotely. Until that happens, these type of demonstration is nothing more than just FUD to discourage people from using any additional security measure to protect their private information thereby allowing hackers easier access to other people data.

makelvin