Is the iPhone’s Fingerprint Unlock Hack-proof?
More consumers are taking the plunge and using their fingerprint as a means of unlocking their smartphones. As the technical and legal implications start to play out, you just have to wonder: is your phone’s fingerprint authentication mechanism completely secure? Is it really as hack-proof and secure as leading smartphone manufacturers have led us to believe?
Hack My What?
Chaos Computer Club, the largest group of hackers in Europe claims it can use photos (where a person’s fingers are visible) to reproduce fingerprints. A group member, Jan “Starbug” Krissler explained at the group’s 31st annual convention held in Germany, how he copied the thumb impression of German Defense Minister Ursula von der Leyen.
Krissler claims a regular photo camera can be used to capture fingerprints of people at public events and then put through biometric authentication in order to identify them. He went on to further say that commercially available software, VeriFinger, was used to get a close-up shot of von der Leyen’s thumb, along with photos taken from a variety of angles to complete the fingerprint.
If this method can really be replicated the way Krissler describes it, it could mean a significant blow to how secure fingerprints are used as a means of authentication. Krissler believes after his demonstration, worried politicians might start wearing gloves when making public appearances. It must be noted however, even if hackers are able to reproduce a fingerprint in order to break into a system, it doesn’t mean fingerprints in security systems are near-useless.
Fingerprints are actually far more secure than PIN codes, and can be conveniently used with other forms of authentication to further beef up security.
Sweet and Sour
Here’s the good news: researchers from Lookout, a mobile security distributor, described the iPhone 6’s Touch ID system as a “great security measure” for Apple Pay users. One researcher in particular said that the latest Touch ID feature scans a significantly wider fingerprint area not only to improve reliability, but also to identify a print more accurately, thanks to a higher resolution.
The not so good news: Lookout “looked into” the possibility of creating a fake fingerprint – expensive equipment coupled with ultra-high skill and patience – which can indeed be used to give the authentication system a good runaround. A fake fingerprint can be created using a well-defined print of the finger that’s used to unlock the phone. However, that kind of print will most likely not be found on the phone’s touchscreen.
This is what Marc Rogers, one of the researchers at Lookout had to say about Touch ID:
“The iPhone 6, much like the iPhone 5 can be hacked. Though, the attack would require a very high level of skill and patience as well as a decent hi-res copy of the person’s fingerprint – a mere smudge won’t cut it. The process which turns that print into a usable copy is fairly complex and it is quite unlikely a threat to anyone or anything, other than a centralized attack by a sophisticated and well-versed hacker. Locks on our doors are designed to keep criminals out, not because they are designed perfectly in every sense of the word, but because they are convenient and effective enough to meet most ‘traditional threats’.”
The Big Players Offer Reassurance
In the summer of 2014, Samsung and Apple came to terms with questions posed by lawmakers, regarding security and privacy concerns over the use of fingerprint authentication on smartphones.
A letter sent by Samsung’s Vice President to Senator Al Franken, during the same summer claimed that the scanner integrated in the Samsung Galaxy S5 doesn’t store the actual fingerprint image in PDF format, but rather stores a mathematical representation of it – plots of curvatures and endpoints – which simply cannot be converted back to the original fingerprint image.
The letter further explained that this mathematical representation is tucked away safely in a secure section of the semiconductor architecture and cannot be broken into or even shared with external sources. It’s inside the phone and never leaves it. Neither is it transferred to a user’s PC or other handheld device, to Samsung servers or the cloud.
Furthermore, when an app asks for user authentication, it commands the scanner to prompt for user input, at which point the scanner returns a “yes/no” value; this way access is never gained to the user’s fingerprint or even the mathematical representation for that matter. Also to note, is Samsung’s inability to extract or otherwise manipulate finger data from the Galaxy S5.
Apple also offered reassurance of a similar nature to Franken. Like the former’s system, Apple’s Touch ID also does not store the fingerprint image, and uses a mathematical representation to identify a fingerprint; this is stored on a secure chip, cannot be transferred to an external database or otherwise reverse-engineered into a fingerprint image. Unfortunately, Franklen didn’t find the responses from both the tech giants completely satisfactory, and noted:
“This is mostly good news, however; both companies haven’t gone the distance to prevent criminals and/or hackers from using spoofed prints to slip past fingerprint readers. Fingerprint readers are becoming common when it comes to potentially powerful and sensitive information storage or access, and this needs to be addressed sooner rather than later.”
What do we think? Well, there are obviously legal and technical concerns about using fingerprint authentication to unlock your smartphone. The legal implications are just starting to play out as the matter starts to be pursued in courts. In the meantime, jailbreaking” your iPhone.
According to an Oct 2014 Mashable report, a court judge ruled that criminal defendants can be asked to give their fingerprint to unlock their cellphone, which is quite the same as handing over a physical key or DNA sample, for investigation and case expedition purposes. Here’s a pebble in the shoe though: the Police cannot legally force a defendant to give his/her phone’s passcode – it can be classified as “knowledge” and protected by the Fifth Amendment’s anti-self incrimination privilege.
We would suggest that you not worry too much about using fingerprint authentication to unlock your smartphone. And if there is cause for some concern, play it safe and don’t store any sensitive information or such that may be used against you in some way. Easier said than done, we know, but there’s no harm in being extra cautious.
How secure do you think fingerprint authentication is? Talk to us about your experience and leave a comment or two while you’re at it.