
German Data Protection Expert Warns Against Using iPhone5S Fingerprint Function

dryriver writes "Translated from Der Spiegel: Hamburg Data-Protection Specialist Johannes Caspar warns against using iPhone 5S's new Fingerprint ID function. 'The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone. This is especially true if a biometric ID, like your fingerprint, is stored in a data file on the electronic device you are using.' Caspar finds Apple's argument that 'your fingerprint is only stored on the iPhone, never transmitted over the network' weak and misleading. 'The average iPhone user is not capable of checking, on a technical level, what happens to his or her fingerprint once it is on the iPhone. He or she cannot tell with any certainty or ease what kind of private data applications downloaded onto the iPhone can or cannot access. The recent disclosure of spying programs like Prism makes it riskier than ever before to share important personal data with electronic devices.' Caspar adds: 'As a matter of principle, one should never hand over any biometric data when it isn't strictly needed. Handing over a non-changeable biometric feature like a fingerprint for no better reason than that it provides 'some convenience' in everyday use, is ill advised and foolish. One must always be extremely cautious where and for what reasons one hands over biometric features.'"
  • by rolfwind ( 528248 ) on Sunday September 15, 2013 @09:28AM (#44855509)

    That your fingerprints are all over your phones.

    I believe MythBusters showed how trivial it was to bypass fingerprint protections by making your own "finger" from said prints? (This time on an electronic door lock).

  • by Rosyna ( 80334 ) on Sunday September 15, 2013 @09:33AM (#44855529) Homepage

    Aside from the fact the government and many institutions (like Banking in the US) already have your fingerprint...

    Is there any evidence at all that the fingerprint data stored in the A7 is even usable outside of iOS? There's no reason at all to store a raw image of the fingerprint. How would you recreate the fingerprint to make it usable to someone?

  • just FUD IMHO (Score:5, Interesting)

    by kencurry ( 471519 ) on Sunday September 15, 2013 @09:37AM (#44855551)
    Some recent uses of my fingerprints in which I had no real say:

    1. Passport check at CDG airport
    2. Applying for a Speedpass for CA toll roads
    3. Getting some papers notarized

    So, there are many current uses of fingerprinting in routine life that one has to comply with, and who can say how secure any of it is? But, trust Apple? This is a worthy debate and I trust my fellow Slashdotters will post good comments on both sides. Me? I want better security on my phone, as I use it for purchases and banking. I think biometrics is a move in the right direction, what do you think?
  • by ImdatS ( 958642 ) on Sunday September 15, 2013 @09:39AM (#44855561) Homepage

    This is going nuts (replying to own reply to own message):
    If I was Apple, I would generate a completely new hash every time I recognize the fingerprint with a completely new salt. This way, the system could get better over time as well as protect the user's privacy because the hash and the salt keep changing every time...

  • by Chemisor ( 97276 ) on Sunday September 15, 2013 @09:46AM (#44855585)

    Android used to store your wi-fi password locally and never transmit it anywhere. Then came Gingerbread, and all your local data got helpfully "backed up" to Google servers. Setting turned on by default, probably before you had a chance to learn it's there. They say they delete your stuff when you turn off the setting, but, naturally, there is no way to really know. Suddenly, Google has all your wi-fi passwords, whether you like it or not. It would be naive to assume Apple would behave differently.

  • by rabtech ( 223758 ) on Sunday September 15, 2013 @09:47AM (#44855591) Homepage

    If you check the design, the fingerprint image itself is never stored anywhere. The fingerprint profile is only stored on silicon in the A7 chip. There is no API to access that data, only flags to tell you that it exists (so the OS can discover there are four stored prints and their names, but nothing about the actual fingerprints themselves).

    Apple touts the fact that the fingerprint is never sent over the network as a feature but in reality it can't send it over the network even if it wants to, nor can any application access it.

    If you think Apple is lying... well... There must be some level of trust somewhere or we may as well give up. I tend to draw the line at the CPU because if that is compromised or includes back doors, we are all screwed anyway.

  • Who will be first (Score:4, Interesting)

    by lars_boegild_thomsen ( 632303 ) <lth@coCHEETAHw.dk minus cat> on Sunday September 15, 2013 @09:56AM (#44855645) Homepage Journal

    Back in 2005 some car thieves in Malaysia tried to steal a Merc S Class with some kind of biometric immobilizer. When they realized they couldn't get the darn thing running without a fingerprint, they merely chopped the owner's finger off with a machete (I swear it's true: BBC Article [bbc.co.uk]).

    I wonder who will be the first to lose an iPhone along with a finger.

  • by ColdWetDog ( 752185 ) on Sunday September 15, 2013 @10:09AM (#44855707) Homepage

    Yes. However, your greasy fingerprint on the phone can't be stolen remotely from the other side of the planet like the biometric one can.

    That said, it's not terribly useful to steal the identifier string stored on the phone since it won't allow you to reconstruct the print any more than an MD5 checksum will permit you to reconstruct the file it is from. What it would do, though, is allow a third party to steal the checksum and then use it with other biometric devices to identify when that same user has come in contact with a different device under the third party's control. I can't think of a good scenario right now, where that's likely to be an issue. HOWEVER, that doesn't mean that systems won't evolve in the future that could make it a problem.

    There are ALWAYS downsides to security issues. It's how security consultants make money.

    But unless Apple opens up the internals of how it processes and stores the data, I don't think it will have any generic utility. It's NOT a fingerprint copier. It uses (presumably) unique biometric information to create a (presumably) unique electronic signal to allow access to a device. You can (presumably) erase / clear the memory so the information is nowhere else, thus bypassing another problem with biometrics - you can't easily change your fingerprints.

    I'm not sure it will work well, I've used a number of fingerprint scanners before ranging from the frankly stupid (on a number of laptops) to pretty good implementations on spendy locks. Presumably Apple will Do It Right(TM), but who knows?

  • by ImdatS ( 958642 ) on Sunday September 15, 2013 @10:14AM (#44855719) Homepage

    Thanks, I'd wish it wouldn't even leave the finger-print scanner chip as that might allow for even higher security. But this is probably "good enough". Now the next question would be how it gets transferred from the finger-print scanner to the "Secure Enclave inside the A7 chip". If there is direct connection from the reader to the A7 chip, it's probably ok. If it goes through main memory, there could be possible attack vectors...

    I don't mean to say I'm a better security expert than Apple has - but, even though I'm an Apple fan/user, I don't think Apple's security track-record is as clean as one might want it...

  • by lxs ( 131946 ) on Sunday September 15, 2013 @10:16AM (#44855731)

    There is no evidence either way. Better err on the side of caution. There wasn't any evidence of iPhones logging GPS data either, until somebody found it. [idownloadblog.com]

  • by Wraithlyn ( 133796 ) on Sunday September 15, 2013 @10:48AM (#44855907)

    In theory, yes.

    From what I understand, the secure region of the A7 chip that the fingerprint profile is stored on has a WRITE function, and an AUTHENTICATE function. There is no READ function.

    So yeah... because it is protected like this at the hardware level, you're not getting that information out again, period (short of physically breaking into the NVRAM with some sort of forensics tech).
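
A toy model of the write/authenticate-only interface described in the comment above, added here as an example (it is not Apple's code and not from the thread); it also shows why matching is a tolerance check rather than an exact hash comparison, since two reads of the same finger are rarely bit-identical. The 16-byte feature vectors, the bit-distance threshold and every function name are assumptions made for illustration.

```python
import hashlib
import os

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length feature vectors."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def make_store(threshold: int = 8):
    """Hypothetical template store exposing only enroll/authenticate/count.

    Python cannot enforce the isolation (hardware does that on a real device);
    the closure only models the shape of an interface with no read operation.
    """
    templates = []  # held in the closure; no function below returns it

    def enroll(features: bytes) -> int:
        templates.append(bytes(features))
        return len(templates)  # the slot number is the only thing exposed

    def authenticate(candidate: bytes) -> bool:
        # Match / no-match is the only output: no score, no matching slot.
        return any(len(t) == len(candidate) and hamming(t, candidate) <= threshold
                   for t in templates)

    def count() -> int:
        return len(templates)

    return enroll, authenticate, count

def salted_hash(features: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + features).digest()

# Constructed sample data: an enrolled vector, a noisy re-read of the same
# finger (3 bits flipped) and an unrelated finger (every bit flipped).
ENROLLED = bytes.fromhex("a3f1c27e5b9044d8e16f0b3c7a92d5e4")
MASK = bytes.fromhex("01000010000000008000000000000000")
NOISY = bytes(b ^ m for b, m in zip(ENROLLED, MASK))
OTHER = bytes(b ^ 0xFF for b in ENROLLED)

def demo() -> dict:
    enroll, authenticate, count = make_store()
    enroll(ENROLLED)
    salt = os.urandom(16)
    return {
        "slots": count(),
        "noisy_accepts": authenticate(NOISY),
        "other_accepts": authenticate(OTHER),
        "exact_hash_equal": salted_hash(ENROLLED, salt) == salted_hash(NOISY, salt),
    }
```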

  • by AmiMoJo ( 196126 ) * on Sunday September 15, 2013 @06:07PM (#44858463) Homepage Journal

    Apple is part of the PRISM programme and you can be sure as soon as the NSA heard that they bought a fingerprint scanning company they were on the phone requiring access to it. Of course, the same thing applies to pattern locks, PIN codes, passwords etc, and to all companies that are part of the programme. For example, if your iOS/Android/WP device is connected to a wifi network, they have the password.

    Even if the hash isn't reversible it's possible that there is enough information to use it to access other fingerprint scanners.

  • by Anubis IV ( 1279820 ) on Sunday September 15, 2013 @06:16PM (#44858525)

    Absolutely. When this topic came up previously on Slashdot, I mentioned that even without storing or sending the fingerprint itself, they could still send fingerprint hashes to the devices and ask the devices to verify whether or not they recognize those hashes, effectively allowing them to do a dragnet for a particular set of prints. And they can do that without even storing the fingerprint. Obviously, if they were gagged and under court order, they could be creating a massive database of fingerprints.

  • by MCSEBear ( 907831 ) on Monday September 16, 2013 @12:45AM (#44860579)
    There is a standard feature made available by ARM called TrustZone which enables hardware based separation of a device's OS and apps from a trusted environment, including trusted peripherals such as biometric devices or storage devices.

    It's been around for a while now and has also been adopted by AMD for their upcoming X86 chips.

    Details here:

    The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds - the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification.

    http://www.arm.com/products/processors/technologies/trustzone.php?tab=Hardware+Architecture [arm.com]

    So yes. ARM enables Apple to physically separate the operation of the biometric device and storage of encrypted biometric information in what Apple calls "secure enclave" storage where it is not available to the OS or to apps.
