The iPhone 5s’s Fingerprint Scanner Was Hacked, but I’m Not Worried

Photo: The fingerprint recognition feature on the new iPhone 5S. Credit: Jason Lee/Reuters

Well, that didn’t take long. Only a couple of days after Apple’s iPhone 5s went on sale, somebody managed to fool its fingerprint sensor.

The headlines and blog comments were predictable and instantaneous: “Oooooh, Apple blew it! The star feature of its new phone is worthless!”

I’ll admit it: I love that darned sensor. You unlock your phone dozens of times a day. Each time is a few seconds of tedium and looking down at it, over and over and over, to enter your password. It’s a drag.

And then there are the 50 percent of iPhone users who don’t even bother with a password. If you’re among them, then your phone and your life are susceptible to snooping should you lose your phone, find it stolen or leave it on your desk while you get coffee.

On the iPhone 5s, you wake the phone by pressing the Home button — and then just leave your finger on it for half a second, and boom: it unlocks.

But should we be concerned, then, that the hacker’s exploits render the fingerprint reader useless?

Not at all. For three giant reasons.

First of all, Apple doesn’t let you create a fingerprint “password” without also creating a regular password. Every so often, you’re required to enter the regular password as a security precaution — including every time you restart the phone and every time 48 hours have elapsed since you last used it. If someone managed to bypass the fingerprint scanner, the joyride wouldn’t last long.

Second, the fact that the fingerprint scanner was fooled is important, but so is how it was fooled.

Marc Rogers, who works at Lookout, a mobile security company, and is the guy who “hacked” the Touch ID fingerprint system (or, more properly, fooled it), wrote a blog post about his experiment. It’s “Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.”

He writes: “Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints, requiring a PIN code to unlock it.”

The steps are ridiculously difficult and expensive.

The first hard part is just getting the fingerprint. “A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone.” To get your fingerprint, “a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.”

Describing one technique, he goes on: “You take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called ‘etching’ which washes away all of the exposed copper leaving behind a fingerprint mold.”

Seriously?

His conclusion: “The reality is these flaws are not something that the average consumer should worry about.”

Why? Because exploiting them was anything but trivial. Hacking Touch ID “relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.”

If you really think somebody wants to get into your phone that badly — “a dedicated attacker with time and resources to observe his victim and collect data” — well, spoofing your fingerprint is not the method he’d take.

He’d save a lot of time and effort by learning your password instead. Maybe by holding a knife to your neck and asking for it.

It’s just not a real-world concern, if you ask me.

But there’s a third reason that I still plan to use the fingerprint scanner. It’s very simple: If someone gets your iPhone, either because you lost it or it was stolen, you can erase it or lock it by remote control at iCloud.com.

(Better yet, the new iOS 7 Activation Lock means that a stolen phone can never be erased without your Apple ID, even if it’s force-restored or jailbroken. It’s essentially a worthless brick.)

I’m guessing that if you’re in an industry where your phone is so important to espionage agents that they’d mount a “targeted attack,” you’ll have realized that you’re missing your phone and locked it by remote control long before the bad guy has had time to put it through “a lengthy process that takes several hours and uses over a thousand dollars worth of equipment,” as Mr. Rogers said.

Of course, we all know that some people won’t get past the phrase “hacked the fingerprint reader.” And that’s fine. The fingerprint reader is optional. If you feel safer using a password, you’re welcome to!

But as Mr. Rogers himself concludes: “Fingerprint security will help protect you against the three biggest threats facing smartphone users today:

  • Fingerprint security will protect your data from a street thief that grabs your phone.
  • Fingerprint security will protect you in the event you drop/forget/misplace your phone.
  • Fingerprint security could protect you against phishing attacks (if Apple allows it).”

Let’s be vigilant about security threats. But let’s also be rational.