Today’s big news is that the Chaos Computer Club has broken Apple’s Touch ID fingerprint security feature on the iPhone 5s. First, you have to define broken. They have shown that you can unlock the phone using a copy of an authorized fingerprint. How do you do it? Take a 2400 DPI image of the fingerprint, print it out at 1200 DPI, and then use glue to create a model of the fingerprint.
This reminds me of the fantastic review of bike locks that ran on The Sweethome this week. In the end, the reviewer found that any decent U-lock will deter the casual, opportunistic bike thief and that no lock will deter a professional thief who wants to steal your bike specifically.
Security is a concept with no meaning outside the context of specific threats. Touch ID is meant as a security measure for people who don’t have a passcode on their phone because it’s too much of a hassle. It may also be sufficient for some people who use passcodes. In 2011 Daniel Amitay found that 10% of iPhones are locked using the codes 0000 or 1234.
If you ride a $2,000 bike in New York, it’s eventually going to get stolen if you lock it in the same place every night, no matter which bike lock you buy. If a knowledgeable attacker with unlimited physical access to your phone wants to unlock it, they’ll succeed. Most people don’t need to worry about such attacks. They can probably get away with using Touch ID and a $40 bike lock.
Security has costs, usually in terms of both price and convenience. I already think that tapping in my four digit passcode sucks, I can’t imagine having a longer one. I’m also too lazy to memorize a random passcode, or ever change it. That’s my security posture. Needless to say, I’m not worried about this Touch ID exploit. You probably shouldn’t be, either. If you are, be glad that it’s optional and that you can turn off Simple Passcodes and pick a really good password to unlock your iPhone.