Yesterday, Apple launched two new iPhones. The flagship model, the 5s, is impressive and includes many new features including fingerprint based authentication. It is part of a trend towards using biometrics on mobile devices, e.g., facial recognition on Android and voice recognition on the new Moto X.
The use of fingerprint authentication is not new (a family member has that on their Lenovo notebook), but deployment by Apple usually signals the onset of mainstream adoption. At present the iPhone offers it as an option, so you can still choose to use a traditional password instead. The main benefit of fingerprint technology is slightly faster unlocking than using a PIN code. Also the Apple device is said to be accurate and fast, unlike some earlier consumer-oriented implementations. At present Apple is allowing its use for iTunes and Apps Store purchases but one can imagine third-party applications are around the corner.
Before you activate this system, you should consider several issues. Online forums are abuzz about whether your fingerprint can be spoofed, whether the NSA might be spying on you, and whether you can be legally forced to unlock your device. In turn, Apple has tried to allay fears by stating that your fingerprint only exists in a “secure enclave” on the phone (strictly speaking, it is an electronic description rather than an image of your actual finger). However, there are several issues that I believe need consideration:
1. It is hard to replace your fingerprint.
If your password is compromised, you can just revoke it and create a new one. Replacing your finger can probably be done, but it will involve a bit of pain. If you lose your phone and a hacker gets in, or if they are able to remotely access your fingerprint data, the personal costs may be rather high. We also we have no information about know how cleanly (if at all) the data is erased when you sell your phone or recycle it; can the data be extracted afterwards?
2. The fingerprint encryption scheme will be hacked.
This is not a possibility but a certainty. The only questions are how long before it happens and whether you will get to hear about it. People are worried that the NSA is helping Apple keep a backup copy of the master encryption key (i.e., can you trust them to keep it secret, since they lost thousands of documents to some junior guy without knowing it?). But the problem is more fundamental than that: in order to make use of that encrypted data, your phone must contain the key. This is unlike the case where a password is kept separate from your encrypted fingerprint data, or a design in which a password (or some other security token) is needed in addition to your fingerprint data. Keeping the decryption key on the device makes it vulnerable, since with enough effort the key will be recovered, or some weakness in the encryption software can be found. If you think you have heard this story before, it’s because the same thing happened with DVDs. Any DVD player must contain the decryption key and mechanism for doing so, otherwise you won’t be able to view the movie contained on the disc. When DVDs were launched, manufacturers thought their encryption was sufficient, but were quickly proven wrong. Same thing with BluRay.
3. A magnet for attack
Some are worried about the NSA, but they probably already have your fingerprints. The real threat is elsewhere: encryption is broken and various encryption standards have been compromised (including at an atomic level involving encryption libraries used to build software). Thus, storing the data in encrypted format is just a deterrent. Apart from the NSA, you should worry about the other, possibly more nefarious organizations and governments out there. The fact that we know it is possible implies that others will try to get in, either through the same means or by creating new methods. Nathan Rosenberg calls these “inducement mechanisms” that focus the efforts of others; I have observed it in my own fieldwork on semiconductors. All over the world next week, communities of hackers and spy organisations will probably be posting “do not disturb” signs on their doors and begin working on this new challenge.
4. Large attack surface
The data on the fingerprint chip itself might be fairly secure but IOS, like all operating systems, is complex and has been compromised. Every year we hear of interesting exploits at events like Black Hat. There is no such things as a completely safe program, especially one as elaborate as a modern operating system. Your phone or mobile device is not locked down, unlike the scanning device at your neighborhood immigration counter. You bring it everywhere: to airports, cafes, public places, friends’ homes and to pubs). It is exposed to many angles of attack: physical hacking, software backdoors, security holes, hidden code in apps, and compromised websites that you might visit on the phone’s web browser. Another way in is through your computer that syncs to the phone via iTunes because your phone treats it as a trusted connection. Apple claims that the operating system has no access to the fingerprint data on the chip itself, but you’ll have to go on trust with that one as it is not verifiable (Apple also said it did not store your GPS data!). The question remains of how separate the fingerprint system really is, since iTunes and the App Store will be able to authenticate using the fingerprint sensor, suggesting there may be some indirect paths available to hijack the authentication process, even if one does not touch the data itself.
While these risks are real, they do not necessarily imply that you will be hacked. That depends on whether you are a high enough value target. It also depends upon your personal habits and whether these practices expose you to a larger or smaller attack surface. And it depends upon your luck. Even with a regular old password, you could still end up being hacked, but at least you won’t risk losing your fingerprint data along with your other stuff. It is just a question of being aware of the risks. By no means am I dissuading you from buying that shiny new iPhone.
Bottom line: if you care about security you should avoid activating fingerprint authentication. Use an alphanumeric password in place of the 4-digit PIN and deal with the inconvenience. If you don’t care much about security but are careless about where you leave your phone or which networks you connect to, you should also probably skip it. For everyone else, it depends on your risk appetite. Good luck.