Protecting Your Interests and Theirs
Opinion: Security Insecurities and the iPhone 5S
Cramming a fingerprint sensor into a smartphone isn’t exactly a new concept. Motorola’s Atrix smartphone included fingerprint authentication back in 2011. Apple has also clearly pondered and planned around the potential of such technology for years. They filed a patent application in 2008 for a fingerprint sensor placed in the middle of the old slide-to-unlock bar, a mere year after the original iPhone was announced by Steve Jobs in 2007. Things heated up in late July of 2012 with the purchase, for an estimated $356 million, of the publicly traded mobile security and biometrics hardware maker AuthenTec, which was already powering fingerprint technology for authenticating mobile payments in Japan.
Apple’s implementation of the technology in the 5s is undoubtedly impressive. The fingerprint scanner is seamlessly integrated into the home button and includes a high-resolution 500 ppi sensor that’s slightly thicker than a human hair (or 170 microns for you microscope gurus). It’s covered by a sapphire crystal lens that protects the sensor and doubles as a lens for capturing images of your fingerprint.
Of course, the boil of outrage that would arise from Apple amassing a fingerprint database of millions of iPhone users is predictable. Unlike passwords and credit card numbers, there’s no dialing up a call center in India to change your fingerprint in the event it’s compromised. Apple’s Touch ID system is designed to avoid these risks through a series of protective measures. Though in Apple’s words, the setup relies on “advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the sub epidermal layers of your skin”, an actual image of your fingerprint isn’t what’s being stored on the device. Instead, the system logs a mathematical representation of your fingerprint, eliminating much of the risk of your prints being reverse engineered by Mountain-Dew-fueled “Black Hats”.
The most interesting and revolutionary hardware advance found on the iPhone 5s relates to how and where this encrypted mathematical representation is stored on your phone. The so-called Secure Enclave is a segregated and secure area within the processor architecture of the iPhone 5s’s new ARM-based A7 chip that essentially allows both hardware and software resources to be partitioned into secure and normal functioning zones. Any data related to your fingerprint can only be used by the Secure Enclave — and only to verify your fingerprint. The rest of the processor, the OS and any other apps are physically walled off from this data. It’s also never backed up or stored on any of Apple’s servers.
This measure, along with software tweaks included in iOS 7 that can prevent a lost iPhone from being used again without the owner inputting their Apple ID and password, has garnered praise from many lawmakers, including New York’s own attorney general, who hope the measures will dampen “Apple Picking” — a phrase coined for rampant iOS device theft.
Still, the recent fiddlings of the hacking community have proved once again that a security system can only really be evaluated after time in the wild. In under a week, hackers have shown that the system is easily fooled using a fake glue finger — no amputations required. Several bugs for bypassing the lock screen to do everything from making phone calls to tweeting, looking at photos and even emailing were also found quickly.
Apple will certainly fix the home-screen bugs via future updates; and in fairness, a mass wave of 5s break-ins using fake glue fingers seems unlikely, especially when you consider the additional fallbacks that have been added to the system, such as requiring a passcode to unlock the iPhone after a reboot or if it hasn’t been unlocked in the last 48 hours. These findings should serve as a warning, though, to anyone putting complete faith in biometric measures like fingerprint scanners as the ultimate security solution.
There are also more big-picture questions to ask. How much better off are we if systems like Touch ID become the norm for technology? Are the potential risks of biometric data falling into nefarious hands worth the tradeoff in convenience and security? For Apple the answer is clear. Data shows that 50% of current iPhone users don’t bother locking their device with a password because of the hassle, and they hope Touch ID will help bridge the gap. They also cite that the probability of a fingerprint scanner accidentally verifying a false fingerprint match is 1 in 50,000, or roughly five times less likely than the 1 in 10,000 odds of guessing a four-digit passcode.
This evidence is compellingly rational, but it’s not the full story. The introduction of Touch ID is as much about establishing a new threshold of consumer comfort with technology as it is about keeping personal data safe. Controlling payments is the next holy grail in mobile computing (especially in the U.S., which lags behind other countries in this area). The technology to make it happen has existed for years. A lack of agreement on standards, platforms and regulatory concerns among today’s major financial institutions, telecommunication providers and government agencies has always been one half of the roadblock. The other is convincing the public to trust their smartphones as an extension of their wallet.
By associating security with unique physical traits like a fingerprint and allowing Touch ID to authenticate purchases in the iTunes store, Apple is planting the seeds for consumer confidence in mobile payments like never before — tying invisible marionette strings to the fingers of millions of the world’s most affluent consumers in the process. Make no mistake. Touch ID is as much about profit tomorrow as it is about protection today.