Featuring the new Touch ID, the Apple iPhone 5s was released last week. The new technology includes a fingerprint sensor built into the home button that uses a laser-cut sapphire crystal and touch sensor to take high-resolution images of your fingerprint.
In its press release, Apple promises that “all fingerprint information is encrypted and stored securely in the Secure Enclave inside the A7 chip on the iPhone 5s; it’s never stored on Apple servers or backed up to iCloud.” Touch ID will enable users to unlock their phones and even make purchases on iTunes and the App Store by simply placing a finger on the home button.
However, Germany’s Chaos Computer Club (CCC) claims it cracked the Touch ID system only two days after the release of the new phone. The CCC posted a statement on their website describing how they hacked the system using a photograph of a fingerprint on glass, a laser printer, and latex. They even included a video of a hacker bypassing the fingerprint scanner and a link to step-by-step instructions on how to replicate their verified hacking method.
Using someone’s fingerprint as an authentication method is an example of biometrics: using biological data as a password. The benefit of biometric authentication is that the data is completely unique to each person; no two fingerprints are exactly the same. In addition, a fingerprint is not something a criminal can guess, unlike a password based on your birthdate or the ever-popular abc123. Infiltration may also be more difficult, since a criminal will not be able to look over your shoulder to steal your 4-digit passcode.
Although there are positives to using biometric authentication, here are two areas of concern:
- Biometric data, unlike a username and password, is a permanent and unchangeable piece of information about you. If someone does get their hands on a scan of your fingerprint that is good enough to trick the Touch ID system, you can’t change your fingerprint to stop the criminal from gaining access to your secure files and information. As fingerprint scanning becomes more ubiquitous, this may become a significant problem, because with one fingerprint a criminal may have access to multiple accounts and other services that use fingerprint authentication.
- What happens if Apple (or another company that starts using fingerprint authentication) is asked to turn over millions of American fingerprints or fingerprint information to federal agencies? With the public discovery of the NSA PRISM surveillance program, people are wary of handing over their personal information. The good thing is that the Touch ID system will not store an actual image of your fingerprint, and the CCC did not manage to hack the Secure Enclave inside the A7 chip. The sensor will likely scan and measure the differences in conductivity caused by the fingerprint pattern in your finger and run those values through an algorithm to create an encrypted representation of your fingerprint. When you unlock the phone, your fingerprint will be scanned and the values put through the same algorithm as your original scan; if the end results are the same, you will successfully unlock your phone. So an actual image of your fingerprint will not be stored, but this encrypted representation will be.
Considering the recent hack and the privacy concerns with the Touch ID system, if you have extremely valuable or private information on your phone, you may want to reconsider using Touch ID until Apple has fixed the system.
However, the CCC hack is fairly complex and requires some work, so if your only fears are the prying eyes of your friends and family, you’re probably going to be safe using the fingerprint scanner.