TechWeb

iPhone 5s Fingerprint Scanner: 9 Security Facts

Sep 11, 2013 (08:09 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240161131


iPhone 5c, 5s: 10 Smart Design Choices
iPhone 5c, 5s: 10 Smart Design Choices
(click image for larger view)
The new iPhone 5s, unveiled Tuesday and due out in stores later this month, includes a biometric fingertip scanner -- a first for an Apple smartphone. Dubbed Touch ID, the feature can be used to unlock the device, as well as make purchases in the iTunes, iBooks and App stores.

As with virtually every other new feature in the iPhone 5s, this addition was predicted -- which is to say, most likely leaked -- well in advance of the smartphone's well-hyped unveiling. Then again, Apple signaled its biometric intentions in July 2012 with its $356 million acquisition of fingerprint reader manufacturer Authentec.

One year later, cue the debut of Touch ID, a 500 ppi scanner that "uses advanced capacitive touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin," according to Apple. "It then intelligently analyzes this information with a remarkable degree of detail and precision."

[ Updating is not an option. See Apple iOS 7: 6 Reasons Enterprises Must Upgrade . ]

What are the potential security upsides of having an Apple-designed fingerprint scanner? Here are nine related facts:

1. Sensor Lives Where You Most Tap

The iPhone 5s puts the fingertip sensor inside the home button, meaning it's easy to find and use. "If you're lucky enough to get your fingers on an iPhone 5s, you will notice that the new Home button -- ironically, the moving part of an iPhone that most often breaks in my experience -- has a stainless steel ring around it, denoting where the Touch ID sensor is located," said security researcher Graham Cluley in a blog post. Still, Apple said the home button is now made from sapphire glass to make it more durable.

Users can store more than one fingerprint to make it easier to unlock an iPhone no matter how they're holding it. On the family and friends front, the iPhone 5s will store fingerprints -- appropriately enough -- for up to five people.

2. First Impression: Fingerprint Scanning Works

John Gruber, who runs the technology blog Daring Fireball -- and who's seen by many as an Apple evangelist -- got his hands on an iPhone 5s Tuesday and reported that Touch ID was "fairly quick to train, and once trained, it is really fast, and in my brief hands-on testing, very accurate." From a usability standpoint, waking the device involves pressing the home button, and leaving it there a moment longer leads to authentication and an unlock. "It's very impressive technology. I already feel silly tapping in my passcode to unlock my iPhone," he said.

3. Only Apple Touches Fingers

Touch ID isn't meant to replace all passwords or passcodes. In fact, use of the fingertip sensor has been restricted to unlocking the device or making purchases from Apple. So far, other iOS developers don't get to access to Touch ID. "It cannot currently be used to unlock anything else on your iPhone. In other words, it can't access iCloud, or your Keychain, or be used to log into third-party apps like Facebook," said Cluley.

4. Feature To Beat: Fingertip Sensor?

Given Apple's trend-setting capabilities, expect other smartphone manufacturers to follow suit on the biometric front. "Fingerprint-based identification technology is likely to be introduced by other manufacturers in the near future and may catch on as a mode of payment elsewhere as a result," said Ronan de Renesse, a principal analyst at market researcher Analysys Mason, in an emailed research note. He noted that Touch ID -- together with iOS 7, the 64-bit A7 processor and an improved camera -- represent Apple's bid to be more competitive in "in the upper-end of the smartphone market."




5. Biometric Authentication Has So-So Reputation

If more smartphone makers follow Apple's lead, that would represent quite a turn for the fortunes of biometric authentication, which has historically been a technology in search of an application. Britain's biometric residence permits, for example, which store copies of a person's face and fingerprints, were initially pitched to combat both terrorism and welfare fraud. In the face of privacy criticism and information security questions, however, the government backtracked, opting instead to sock the expensive IDs only on immigrants.

6. From Faces To Fingers

Beyond government policy, adapting biometrics for consumer use has faced technological challenges. For example, smartphone fingerprint sensors debuted on Android devices, including the Motorola Atrix in 2011. But users reported that the fingerprint sensor worked infrequently enough to be a hassle.

Going forward, other biometric innovations, such as Face Unlock, a screen-unlocking feature introduced with Android version 4.0 (Ice Cream Sandwich), have reportedly also enjoyed a so-so usability track record. Or as "Dave H." tweeted: "Android face unlock never works so it's 100% secure."

7. No, The NSA Can't Collect Fingerprint Data

Following the iPhone 5s unveiling Tuesday, it took little time for conspiracy theorists to begin decrying Touch ID as a covert attempt by American intelligence agencies to siphon up vast amounts of fingerprint data on foreigners. Just one problem: people visiting the United States -- aside from most Canadians -- are already required to submit to fingerprint scans. In addition, Apple said the fingerprint data will be encrypted, stored in a "secure enclave" in the A7 chip and never backed up to iCloud.

8. Fingertips Don't Leave Classic Fingerprints

A related security observation: The print left by your fingertip pressing on a home button will differ from the type of print collected and stored by border and law enforcement agencies. "That means while hackers may be able to lift your thumbprint from you holding other objects, or from other parts of the phone itself, they probably can't get the tip print needed to do bad things on your iPhone," said Robert David Graham, CEO of Errata Security, in a blog post. "We cybersec hackes will be discussing how to break this in the near future, so I thought I'd be the first to make this observation."

9. Cue Police Drama Abuse

Touch ID will also no doubt be exploited -- so to speak -- via police procedural dramas. The Hollywood thriller take on the iPhone 5s almost writes itself: Electronic bank heist, double cross, stolen iPhone, missing finger, cut to revenge. Surely a race is already underway between the scriptwriters of the various CSI and NCIS franchises to see who can work in an iPhone 5s angle first.

The fictional implications of phones that can be unlocked using fingertips hasn't been lost on information security watchers. "I see a market for selling fingers to be used with these devices. Hopefully not when the phone's churned on eBay!" tweeted "Lee Beejasas." Call that "phish fingers," security researcher Cluley helpfully tweeted. "I guess we need to start telling people not to use the same finger for all their devices," he said.

But thankfully, Sebastien Taveau, CTO of Validity Systems -- which doesn't work with Apple -- told The Wall Street Journal that modern fingerprint scanners search for signs of vitality when reviewing a fingerprint. In other words, dismembered digits shouldn't do the job.

On that note, Apple fans, happy shopping.

Learn more about mobile device security by attending the Interop conference track on Risk Management and Security in New York from Sept. 30 to Oct. 4.