The security lesson of Touch ID

Today’s big news is that the Chaos Computer Club has broken Apple’s Touch ID fingerprint security feature on the iPhone 5s. First, you have to define broken. They have shown that you can unlock the phone using a copy of an authorized fingerprint. How do you do it? Take a 2400 DPI image of the fingerprint, print it out at 1200 DPI, and then use glue to create a model of the fingerprint.

This reminds me of the fantastic review of bike locks that ran on The Sweethome this week. In the end, the reviewer found that any decent U-lock will deter the casual, opportunistic bike thief and that no lock will deter a professional thief who wants to steal your bike specifically.

Security is a concept with no meaning outside the context of specific threats. Touch ID is meant as a security measure for people who don’t have a passcode on their phone because it’s too much of a hassle. It may also be sufficient for some people who use passcodes. In 2011 Daniel Amitay found that 10% of iPhones are locked using the codes 0000 or 1234.

If you ride a $2,000 bike in New York, it’s eventually going to get stolen if you lock it in the same place every night, no matter which bike lock you buy. If a knowledgeable attacker with unlimited physical access to your phone wants to unlock it, they’ll succeed. Most people don’t need to worry about such attacks. They can probably get away with using Touch ID and a $40 bike lock.

Security has costs, usually in terms of both price and convenience. I already think that tapping in my four-digit passcode sucks; I can’t imagine having a longer one. I’m also too lazy to memorize a random passcode, or ever change it. That’s my security posture. Needless to say, I’m not worried about this Touch ID exploit. You probably shouldn’t be, either. If you are, be glad that it’s optional and that you can turn off Simple Passcodes and pick a really good password to unlock your iPhone.

4 thoughts on “The security lesson of Touch ID”

  1. Seems like a lot of work to get a photo of a fingerprint. (Are there many 2400dpi scanners that can be discreetly hidden somewhere to capture a thumbprint of an unsuspecting user? Any cameras that can take a picture at that resolution of a fingerprint off a glass ;-) ?)

    To paraphrase xkcd ( http://xkcd.com/538/ ), a $5 wrench is all it takes for a determined attacker to get the poor fella to unlock his iPhone. Most of the time, the fingerprint scanner should be plenty secure for most users.

  2. Seems like a lot of work to get a photo of a fingerprint. (… Any cameras that can take a picture at that resolution of a fingerprint off a glass ;-) ?)

    It is easy because your target leaves his “password” all over the place. Just grab the cup from his trash can, take it to your hideout and use superglue fumes to expose the print. Take a picture with your camera and you’re good to go.

    The flaw here is the misconception that biometrics are passwords. They’re not, because they are “usernames”.

  3. “Security is a concept with no meaning outside the context of specific threats.”

    True in a sense, but I think this is not the best way of looking at it in general. For the bike lock case it may suffice. I am thinking more in terms of security for complex systems.

    Security is about protecting things of value. There are infinite threats out there, so they can’t all be enumerated. If your defense is built upon reaction or anticipation to “specific threats” then you will be vulnerable to unanticipated threats.

    Thus, you still have to think about security, even without necessarily having a clear idea of the expected threats. Follow best practices, defense in depth, plan for failure and how to mitigate, etc.

    Thank you.
