
Can the iPhone Popularize Fingerprint Readers?

Nerval's Lobster writes "Apple's iPhone 5S features a fingerprint scanner embedded in the home button. Of course, fingerprint-scanning technology isn't new: Bloomberg Terminals feature a built-in fingerprint reader to authenticate users, for example, and various manufacturers have experimented with laptops and smartphones that require a thumb to log in. But the technology has thus far failed to become ubiquitous in the consumer realm, and it remains to be seen whether the new iPhone — which is all but guaranteed to sell millions of units — can popularize something that consumers don't seem to want. Security experts seem to be adopting a wait-and-see attitude with regard to Apple's newest trick. 'I'd caution right away, let's see how it tests and what people come up with to break it,' Brent Kennedy, an analyst with the U.S. Computer Emergency and Readiness Team, told Forbes. 'I wouldn't rely on it solely, just as I wouldn't with any new technology right off the bat.' And over at Wired, technologist Bruce Schneier is suggesting that biometric authentication could be hacked like anything else. 'I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone,' he wrote. 'But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about.'"
  • Not so fast... (Score:5, Informative)

    by macsimcon ( 682390 ) on Thursday September 12, 2013 @11:01AM (#44830341)

    The fingerprint reader in the iPhone 5s uses a capacitive sensor, not an optical one, so Schneier's proposed hack wouldn't work.

    Also, Apple requires you to create a PIN code when you enable the fingerprint sensor. If it's been 48 hours since you used the fingerprint sensor to authenticate, you have to use the PIN instead. Likewise, if you've just restarted the iPhone, you have to use the PIN for your first authentication; you can't use the fingerprint sensor.

  • by macsimcon ( 682390 ) on Thursday September 12, 2013 @11:04AM (#44830391)

    The iPhone 5s doesn't store the fingerprint itself; it just stores specific data points. Apple states that the fingerprint data is stored in a secure portion of the A7, and it is never uploaded to iCloud or stored on Apple's servers, and never leaves the iPhone itself.

    Also, I'd be very surprised if the stored data isn't hashed.

  • by the computer guy nex ( 916959 ) on Thursday September 12, 2013 @11:11AM (#44830501)

    "But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."

    "Surely if they have your iPhone, they already have lots of copies of your fingerprints smeared all over it?"

    This technology doesn't use a fingerprint; it actually reads living tissue under the skin. The technology seems very similar because of how you use it (put your thumb here); however, it is drastically different.

    So no, your fingerprints on the screen won't work. They don't match the living tissue this reads.

  • Re:Not so fast... (Score:4, Informative)

    by the computer guy nex ( 916959 ) on Thursday September 12, 2013 @11:23AM (#44830657)

    "Capacitive sensors can be hacked if you just have heat and a tiny bit of moisture. AKA, wax fingerprint copy, and you just lick it once."

    Yes, but not this one. This doesn't read your fingerprint, but rather tissue underneath the skin. Your wax copy of the outer skin won't work.

  • Re:To be honest (Score:5, Informative)

    by Anubis IV ( 1279820 ) on Thursday September 12, 2013 @11:49AM (#44830995)

    That was actually one of my first thoughts when I heard they were adding this, but I watched the keynote address, and Apple made it clear during the initial announcement that they're not uploading any fingerprint data to their servers. They further clarified afterwards that they aren't even storing the fingerprints on the local device at all. Just as good practice dictates that you store a hash of the user's password rather than the password itself, Apple is doing the same here with the fingerprint data. They store a local hash of the fingerprint rather than the fingerprint itself, then simply verify against the hash when authenticating the user.

    Which isn't to say that they couldn't backdoor something in later and renege on what they've said if some secret court order came down that gagged them and compelled them to collect the data, but at least they had the decency to try and secure the data properly.

  • Re:NSA (Score:5, Informative)

    by aaaaaaargh! ( 1150173 ) on Thursday September 12, 2013 @11:51AM (#44831013)

    Why do you think so? Having a quick and easy way of remotely obtaining the unique hash of the fingerprint of any iPhone user could become very useful for the NSA and other agencies - law enforcement in particular. Say you lift off a fingerprint from some object and want to know whom it belongs to. You compute a hash by the same method as in the iPhone and obtain cell phone data of people who were in the vicinity of the crime scene (that's probably standard procedure by now anyway). Now wouldn't it be nice if you could quickly match your hash with those of the phone owners? The more phones have fingerprint readers, the more obviously useful it would be to have a database of fingerprint hashes or access them remotely on the phones.

  • by Jason Levine ( 196982 ) on Thursday September 12, 2013 @12:37PM (#44831541) Homepage

    And fingerprint scanners that check for a pulse are unbeatable, right? What say you, Adam and Jamie?

    Mythbusters: Busted!

    http://dsc.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm

  • Re: To be honest (Score:4, Informative)

    by dingen ( 958134 ) on Thursday September 12, 2013 @12:49PM (#44831681)

    Apple changed the way this data was stored, only stored current information (instead of a complete history), made it possible to encrypt the data and also added an option to disable it altogether. So yeah, a lot did change after this was exposed.

  • Re: To be honest (Score:5, Informative)

    by Anubis IV ( 1279820 ) on Thursday September 12, 2013 @12:52PM (#44831723)

    "Did anything change as a result?"

    Yes.

    Just to refresh everyone's memory, the issue was one with the geodata cache being kept on iOS devices. The cache was in place to allow the device to more quickly determine its location by recognizing hotspots and cell towers that it had previously seen, rather than having to engage in a battery-draining GPS check. Due to not thinking through things as much as they should have, Apple designed the cache to clear out old data only when the cache exceeded a certain size (IIRC it was 2MB), but the result was that it could potentially have a few years' worth of geodata cached away that a malicious person could use.

    Apple modified the cache's behavior in response to the incident, changing it to delete items after a few months (I believe 3).

  • Re: To be honest (Score:2, Informative)

    by Anonymous Coward on Thursday September 12, 2013 @04:21PM (#44834103)

    I guess you fail to recall that the geo-data "flaw" was just a file that was stored on the phone and happened to get backed up onto the user's computer. Afterwards, both Apple and Google testified to Congress. Apple brought in an engineer, described the problem and described how it was fixed.

    Google brought in a lobbyist and said "But we need to track users, don't let us stop!"