iPhone 5 – S for Secure?

Apple’s new iPhone 5S fingerprint sensor - Touch ID - portends the end of the PIN. Leading security experts question whether it is the right path to biometric authentication.

Let’s start with a little Biometrics 101 before we analyse Apple's offering.

Biometrics is the identification of humans by their characteristics or traits - most often used for access control or surveillance tracking.

Biometric identifiers are physiological or behavioural characteristics, or a combination.

Physiological characteristics include body shape, fingerprint, face, DNA, palm print, hand geometry, iris, retina, and odour/scent. If you believe Hollywood, these characteristics have the greatest potential for fraud: a 3D printer can replicate a fingerprint - or a whole hand or a micro-thin glove - or render a facemask so thin and lifelike that it fools even infrared imaging.

Behavioural characteristics include patterns in a person’s behaviour, such as typing rhythm, gait, and voice. These are harder to copy; voice systems, for example, reject attempts to use recorded or edited utterances. See the iTWire article for more on voice biometrics.

Simple summary – fingerprints can be copied. The question is why Apple embarked on this course instead of using Siri, given that voice biometrics are almost impossible to copy.

Why Apple added fingerprint authentication, and what the issues are

We now know that the Apple A7 64-bit chip is based on an ARMv8 processor core. The v8 supports cryptographic acceleration that speeds up authentication, so fingerprint recognition is a no-brainer, and all ARM 64-bit smartphones will eventually have it. Adding a sensor and an app to drive it therefore involved relatively little complexity.

In the short term, it provides a level of security not found in other smartphones, particularly for those people who do not PIN protect their phone. Analysts, however, see this purely as focusing on the ‘apparently trivial problem of entering a password instead of the greater issue of secure authentication for e-commerce’.

Security expert Bruce Schneier says fingerprint technology can be easily subverted: “Your fingerprint is not a secret; you leave it everywhere you touch. Failures will be more common in cold weather, when your shrivelled fingers just got out of the shower, and so on.”

Schneier’s article is here; it was published without him having seen the 5S, so please take it as an academic essay. Only time will tell if the 5S can be hacked. A summary follows:

  • Fingerprint readers have a long history of vulnerabilities. Some can be fooled with a good ‘photocopy’; the better ones measure pulse and finger temperature as a safeguard, which the 5S does not.
  • A fingerprint reader only authenticates that the enrolled (on record) fingerprint matches the scanned fingerprint. It does not verify to whom the print belongs.
  • The fingerprint system has a vulnerable PIN failover: once logged in, fingerprint recognition can be disabled.
  • Fingerprint authentication can be hacked, especially with the advent of low-cost, high-detail 3D scanning and printing. If someone goes to all this trouble, the iPhone owner probably has greater security issues at stake.
  • Apple has apparently decided to store the fingerprint on the phone instead of in the cloud, which would be an enormous security risk. Storing it on the phone limits the usability of the authentication, and it could be dangerous to use it as the sole authentication for e-commerce transactions.
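The second and third points above are easy to see in code: a matcher only reports that some enrolled template matched, never who presented it, and the weak spot is the policy around the PIN fallback. The following toy unlock policy is an added illustration written for this article, not Apple’s or anyone’s real implementation; its names (`Device`, `biometric_unlock`, `pin_unlock`, `set_biometric_enabled`), its attempt limits and its exact-byte “matcher” standing in for a real fuzzy comparison are all constructed for the example. It keeps templates on the device, falls back to the PIN after a run of misses, and requires the PIN again before fingerprint unlock can be switched off, even on an unlocked phone.

```python
"""Toy on-device biometric unlock policy (constructed example, not real firmware)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_BIOMETRIC_FAILURES = 5   # after this many misses, only the PIN will do
MAX_PIN_FAILURES = 10        # after this many misses, lock the device outright


def _hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen device image does not give up the PIN cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Device:
    pin_salt: bytes
    pin_hash: bytes
    templates: dict = field(default_factory=dict)  # id -> enrolled sample; never leaves the device
    biometric_enabled: bool = True
    unlocked: bool = False
    bio_failures: int = 0
    pin_failures: int = 0
    locked_out: bool = False


def new_device(pin: str) -> Device:
    salt = secrets.token_bytes(16)
    return Device(pin_salt=salt, pin_hash=_hash_pin(pin, salt))


def _pin_ok(dev: Device, pin: str) -> bool:
    return hmac.compare_digest(dev.pin_hash, _hash_pin(pin, dev.pin_salt))


def enroll_finger(dev: Device, template_id: str, sample: bytes) -> bool:
    """Enrolment is only allowed in an already-authenticated session."""
    if not dev.unlocked:
        return False
    dev.templates[template_id] = sample
    return True


def match(dev: Device, sample: bytes):
    """Return the id of the enrolled template the sample matches, else None.

    Exact byte comparison stands in for a real fuzzy matcher (constructed
    simplification). Note what a match proves: that an enrolled template
    matched, not whose finger produced the sample.
    """
    for tid, enrolled in dev.templates.items():
        if hmac.compare_digest(enrolled, sample):
            return tid
    return None


def biometric_unlock(dev: Device, sample: bytes) -> str:
    if dev.locked_out:
        return "locked_out"
    if not dev.biometric_enabled or dev.bio_failures >= MAX_BIOMETRIC_FAILURES:
        return "pin_required"
    if match(dev, sample) is not None:
        dev.unlocked = True
        dev.bio_failures = 0
        return "unlocked"
    dev.bio_failures += 1
    return "pin_required" if dev.bio_failures >= MAX_BIOMETRIC_FAILURES else "denied"


def pin_unlock(dev: Device, pin: str) -> str:
    if dev.locked_out:
        return "locked_out"
    if _pin_ok(dev, pin):
        dev.unlocked = True
        dev.bio_failures = 0   # a correct PIN re-arms the fingerprint path
        dev.pin_failures = 0
        return "unlocked"
    dev.pin_failures += 1
    if dev.pin_failures >= MAX_PIN_FAILURES:
        dev.locked_out = True
        dev.templates.clear()  # drop the local templates once brute force is evident
        return "locked_out"
    return "denied"


def lock(dev: Device) -> None:
    dev.unlocked = False


def set_biometric_enabled(dev: Device, enabled: bool, pin: str) -> bool:
    """Changing the fingerprint setting needs the PIN even when already unlocked,
    so a borrowed, unlocked phone cannot silently have the safeguard removed."""
    if not dev.unlocked or not _pin_ok(dev, pin):
        return False
    dev.biometric_enabled = enabled
    return True


if __name__ == "__main__":
    dev = new_device("1234")
    print(pin_unlock(dev, "1234"), enroll_finger(dev, "right-thumb", b"ridge-A"))
    lock(dev)
    print([biometric_unlock(dev, b"ridge-B") for _ in range(5)])
    print(biometric_unlock(dev, b"ridge-A"))  # still pin_required after five misses
```

The point of `set_biometric_enabled` is the failover weakness from the list: if being logged in is enough to disable fingerprint recognition, the fallback becomes the weakest path, so the design here demands the stronger credential for that change rather than the session alone.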

Commentary ranges from old wives’ tales about people who have had fingers chopped off to circumvent fingerprint security systems, to the NSA having access to hundreds of millions of iPhone 5S users’ fingerprints and personal details. In the latter case, the NSA et al. will likely have some backdoor access, but as the authentication is not cloud-based, they cannot do much on a phone-by-phone basis.

Another thread is about loaning the phone to family members. Yes, it does support multiple fingerprints but unfortunately not multiple user profiles.

The most common thread is that fingerprint authentication is really intended for the majority of people who do not lock the phone at all! Fingerprint authentication will not stop a determined adversary.

Opinion

Until the crooks have had time to work out hacks, I applaud Apple for including Touch ID fingerprint authentication in the 5S, thereby popularising this technology and the need for more security.

Sadly, I think Siri voice recognition combined with facial recognition is the answer, but that would put a processing load - and a potentially unnecessarily long login time - onto the phone, so it won’t be popular.

On the e-commerce front, it will be limited to use as a secure way to approve purchases from the iTunes Store, App Store, or iBooks Store. I really hope that it does not become the standard for all e-commerce, as it is too easy to circumvent.

Fingerprint readers can indeed be useful at the convenience end of the access control spectrum.

A little bit of humour

On a phone, fingerprints can be very useful for selective access control. Given "locked screen" state:

  • Left middle finger / "Salute to authority": Immediately shuts down the device and erases everything (and good luck with the NSA backdoor key).
  • Right index finger / "Nothing to see here, officer": Unlocks vanilla applications only.
  • Right middle finger / "Salute to authority with cherry on top": Same as "Nothing to see here", but also sets up a video and audio stream to American Civil Liberties Union servers.
  • Left pinky, if applied during a secret time window after screen activation / "Dr Evil mode": Unlocks all apps.
  • No finger – the NSA does not need one.


Ray Shaw


Ray Shaw (ray@im.com.au) has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry, and is smart enough to no longer own a retail computer store!
