Why the iPhone fingerprint hack is nothing to worry about

My review of the iPhone 5s begins, somewhat prematurely, with a look at the fingerprint unlock feature. My timetable here has been pushed up a bit by some bad news that hit the Web on Sunday night.

The bad news: proactive security enthusiasts (most would say “hackers,” but that word conjures all kinds of malevolent and usually inapplicable images) have figured out how to circumvent the Touch ID fingerprint reader on the new iPhone 5s less than 72 hours after its release.

The takeaway from the bad news: this doesn’t affect the intended purpose of the feature much. Probably not at all, even.

The color commentary on the bad news: well, duh.

I will elaborate, for those of you who are curious enough to continue.

Apple’s Touch ID system is simple where it needs to be (the stuff that the user sees) and complicated where it counts (keeping your fingerprint data secure). The “home” button, present on every iPhone since the beginning, conceals an ultra-high-resolution flatbed image scanner. Once you’ve registered some of your favorite fingers for recognition, it’s possible to unlock your iPhone 5s without entering a passcode. Just click the Home button as usual and then rest that finger on the button for a moment more. The iPhone takes a high-resolution scan of your fingerprint, compares it against the prints it has on file, and dismisses the lock screen if it gets a thumbs-up from the CPU.

It’s been designed to foil casual and obvious hacks. A photo of a fingerprint won’t work; the print needs to be in three dimensions. And the classic Rubber Thumb Gag (I don’t know that there is such a thing, but it amuses me to type “the classic Rubber Thumb Gag” and I dare my editor to delete it) won’t work because the print needs to be attached to a warm, living digit.

The Chaos Computer Club — authors of a video demonstrating the hack — got past those two problems via a couple of methods well-known to folks who don’t trust fingerprint readers. They printed a scan of the target finger using extra-heavy ink and then treated the print to further enhance the differences between the hills of ink and the valleys. Then they affixed the flexible print to a substitute finger to satisfy the “living digit” requirement.

Bingo.

We mustn’t rush to take the #FAIL hashtag out of its velvet-lined box prematurely, however. Yup, it’s been quickly proven that an iPhone 5s can be unlocked by a finger that isn’t technically attached to its owner. But this doesn’t change my opinion of the integrity of Touch ID.

First: the video is more of a “proof that it’s possible” than a proof that Touch ID is insecure. Search YouTube for how-to videos demonstrating how to open a cheap padlock with a soda can or a bike lock with a disposable pen and you’ll see the difference. When you see how quickly someone pops open a lock, you want to cut apart a soda can and give it a try. When you look at the CCC video, you’re amazed that anybody would go to such extremes when “beat the information out of the subject” is such a time-proven tactic.

The CCC was working with a willing mark and they could get a clean print without any difficulty. The print was then scanned at greater than 2000 dpi resolution in order to beat the super-high-res scan element in the iPhone 5s. Translating this image into a 1:1 3D print of sufficiently high clarity to beat the system was another nontrivial exercise.

Another piece of the video was telling: before unlocking the phone, the owner had to key in his passcode. You might think that Touch ID is an alternative to a conventional passcode. It isn’t. It’s just a convenience that you get to use, temporarily, after you’ve already unlocked your phone recently with a passcode. If your phone is restarted or has been idle for a while, the iPhone disables fingerprint scanning until it sees your passcode again and re-authenticates you.

Finally, using the fingerprint scanner to get access to your phone requires, obviously, physical access to the device. It’s easy to imagine someone getting access to one of your prints (let’s set aside the problem of getting a good, clear, high-resolution image), keeping your print in their wallet, and then awaiting an opportunity. But it’s not something that can be done easily or quietly. If someone has put in this much effort to steal your fingerprint, the fact that they have your phone in their hands already raises the Game Over flag.

Guessing a passcode is less difficult than the math would indicate. Many people use grid patterns or predictable numbers instead of something truly random…and you’re leaving telltale grease spots behind on the touchscreen every time you authenticate yourself.

Finally: if you don’t trust Touch ID, you don’t have to activate it. It’s just an enhancement to the passcode authentication system that the iPhone has had forever.

So despite the instinctive “that shouldn’t happen” reaction to the video, and its potential as a headline-grabber, this isn’t something I’m all that concerned about. I’m glad it was posted because it helps to put the iPhone 5s Touch ID feature in its proper context.

Touch ID isn’t about security. It’s about convenience. Touch ID does for the lock screen what Time Machine did for backups. It’s not the strongest solution available, but almost all consumers will see it as a more livable solution. The whole point is to get people to perform regular backups of their data, dammit, and to secure their phones with pass codes, ditto. Many people don’t bother securing their phones at all. They wake their phones dozens of times a day for trivial functions that take all of ten seconds, and punching in a code before the magic happens harshes their iPhone buzz.

But a fingerprint reader is coooolllll. And authentication happens in just a fraction of a second, with an operation that doesn’t require conscious thought. They’ll turn on Touch ID and in doing so, they’ll set a formal passcode … which will protect their phone’s data even better than the fingerprint reader.

Touch ID is better than no security. It’s also “better than ‘better than no security’.” It’s a mature system that allows a consumer to erect a reasonable level of protection around the data inside an easy-to-lose device, without making that device harder to use.

I’ve been using the iPhone 5s for a couple of days now and I can vouch for the inherent ginchiness of Touch ID. Authentication happens so quickly that you’re not consciously aware that it’s happening. It takes a little while to retrain your brain to leave your thumb on the Home button but it soon becomes instinctive.

The real win is that unlocking the phone requires none of your focus or attention. If you can feel the Home button under your thumb, you can unlock your phone. The “first task” you address with the iPhone 5s is in fact the task for which you removed it from your pocket in the first place. You’re not distracted from the thought you intended to jot down.

You can register up to five fingers and the process is gamelike. Keep tapping and holding the home button as the iPhone colors in more and more of an onscreen fingerprint. When you’re looking at a completely red fingerprint (“this is the sort of crime-scene evidence collected every week on those ‘CSI’ shows,” my brain helpfully offered) your iPhone has successfully registered that finger.

The training screen could stand some improvement. After the iPhone has learned your fingerprint, it instructs you to continue tapping, using the edges of that finger. Nonetheless, during my first weekend I often found myself using a section of my thumb that hadn’t been properly introduced to the iPhone yet. You can delete a finger and reregister it. But hey, I thought I’d trained it properly in the first place, you know?

I’m actually more concerned about those five training slots. Let’s say I’m a naughty teenage kid with an instinctive drive to prove how clever I am. Mom and Dad feel safe inside their own home (what suckers!) and leave their iPhones around unguarded all the time. If I can figure out their passcode just once (I’ll start with my own birthday; I’ll have plenty of opportunities to guess) I can register my thumb into one of the open slots on their iPhones.

And then I’ll have a backdoor into their iPhones and it’ll be there pretty much forever. They can change their passcodes but if they’ve been using the device recently, I know the iPhone will accept my thumbprint and unlock it. And despite having registered three digits, I haven’t received any sort of email notification warning me that a new finger has been added to my authentication. Apple does this when I add an email address to my iTunes account; this seems like a wise thing to extend to Touch ID.

There are broader concerns about fingerprint security that have nothing to do with the iPhone 5s, specifically. A fingerprint makes a great authentication token because we had a unique identifier installed right at the factory and we carry these keys with us wherever we go.

But it also stinks because unlike a passcode, we can’t change our fingerprints once they’ve been compromised. And we don’t just leave copies of our passcodes everywhere we go.

Imagine a near-future in which the resolution and accuracy of 3D printers increase to such a level that it’s easy to print a fingerprint mold that’s good enough to foil any fingerprint scanner. Just as high-quality desktop scanners and printers changed the scale of the counterfeiting problem by making the crime accessible to any nimrod with an OfficeMax nearby, the hack that requires a lot of tricky effort and determination today could become accessible to anybody who has $800 and an idle whim to check out what’s on their co-worker’s computer.

Another problem: at some level, a fingerprint authentication system is based on numerical digits instead of biological ones. A poorly-made fingerprint system stores an easily-reproduced and freely-accessed token representing what it expects to see from the hardware scanner. Malicious software can just hand that token to the system and win instant trusted access.

I’m inclined to trust Apple in matters of security, in so far as I trust any company. They take these things seriously. Touch ID is locked down pretty hard. As I understand it, the authentication transaction takes place inside a secure section of the iPhone 5s A7 CPU, and the only data that any software receives is a “Yea” or “Nay.” At this juncture, my understanding is that no code on the iPhone 5s could gain access to that data, and no third-party app can even use Touch ID, let alone access any stored data.

Great, but how hard do you want to work to make sure that every device you use was built with such high standards? The way things stand today, I sure wouldn’t use any system that relied on fingerprint technology. I’d take a peek behind the counter at the security desk, discover that the whole system is running on Windows XP. And then I’d need to go buy new hands on Craigslist. (I’m certain that there’s a guy there with those to sell. I’m not certain that he knows of their new relevance.)

And biometric authentication is another one of those topics that remind me there’s no scarier phrase than “I’m not a lawyer.” An interesting article in Wired (written by an actual lawyer) pointed out, for example, that Fifth Amendment protection against self-incrimination only applies to stuff that’s inside your head. If you know something and you don’t want to tell a prosecutor, the government has no business trying to beat it out of you or subject you to a creepy Vulcan Mind Meld against your consent.

So if the authorities are demanding that you tell them the password that encrypts all of your phone’s data and you don’t want to do that, Fifth Amendment protection is an option that your lawyer can pursue. But a fingerprint isn’t information inside your head … so if you’re using it to make your personal data secure from undesired eyes, your options become uncertain.

This is also a climate in which law enforcement has, on occasion, embraced new technologies that facilitate the collection of evidence while resisting new laws and guidelines that might counterbalance those technologies. GPS trackers attached to cars without a warrant, or black boxes sitting by the side of a road making a permanent record of every license plate that passes through, are simply doing the work of a conventional analog police officer, observing the freely-observable.

Can law enforcement go through your trash (which you’ve freely disowned), pull a clean fingerprint off of a beer bottle, and use it to unlock your phone or decrypt your data?

Even more simple: if you’ve been previously arrested, can they use the prints they already have on file?

I’m not even suggesting that such a thing is necessarily bad. Or good. I hate, in principle, the idea that my law-abiding car is being tracked by black boxes. I believe my local law people when they say that they think it’s a necessary tool for helping to keep communities safe despite budget cuts that leave departments sorely understaffed.

But releasing a new technology to the mass market has two components to it. There’s the making of the thing, and then there’s the ultimate effect of that thing on our society. The first is a long, deliberate, quantitative process. The second is a damn mystery. We can’t predict the ripples; we must drop the thing into the waters and see what happens.

Metaphor Alert: do not drop your iPhone 5s into water. This will void your warranty and your phone will likely become so upset that it will never speak to you again.

Photo by Justin Sullivan/Getty Images