All Tech Considered
Tue September 10, 2013
Key To Unlocking Your Phone? Give It The Finger(print)
Originally published on Wed September 11, 2013 6:54 am
The first note I sent out after Apple announced it was including a fingerprint scanner in the new iPhone 5s was to Charlie Miller.
Miller, who learned how to hack at the National Security Agency and now works in security for Twitter, has hacked connected cars, wireless connections and NFC devices. But what he's best known for — what he seems to enjoy more than almost anything else — is hacking into Apple.
So I was curious. If Apple is rolling out a fingerprint scanner as a way to replace passwords, exactly how long would it be until Miller got to work trying to figure out how to exploit the system?
It is undeniable that passwords are only a half-effective form of security. They are a pain. Apple says roughly half of iPhone users don't even bother to set them up. Your password could be guessed, broken with brute force or stolen.
No one will mourn the end of the password, which no doubt is why Apple is pinning its hopes for the 5s to a fingerprint scanning system, called Touch ID, that could make passwords obsolete.
Apple spent more than $350 million to buy AuthenTec last year. AuthenTec owned a number of security patents, including some covering fingerprint scans.
But Apple isn't the first smartphone manufacturer to try this — and fingerprint scanning isn't foolproof.
In 2011 Motorola released a phone with a scanner. Joshua Topolsky, then writing for Engadget, had this to say:
"As far as truly unique hardware goes, the fingerprint scanner seems fairly novel — but in practice it's a little frustrating. It does work as advertised, but being told to re-swipe your finger if it doesn't take when you're trying to get into the phone quickly can be a little bothersome. Unless you really need the high security, a standard passcode will suffice for most people."
A key test for Apple will be whether its version of this technology just works.
But now, with a fingerprint scanner built into the iPhone 5s' home button, biometrics are taking a big step into a much bigger ecosystem. And the scan won't just be used to start the phone. Apple says you'll also be able to confirm purchases in the App Store using a print instead of your Apple ID password. But — for now at least — don't expect to pay for anything outside of Apple's ecosystem with your finger. App developers will not have access to the scan.
Apple did do its best to assure consumers that the fingerprint data it collects from users will be kept safe and private. The scanned print won't be uploaded to Apple's iCloud. Instead, it will be stored in a secure "enclave" on the iPhone, and Apple says the data will be encrypted.
"I don't think the encryption will be a big hurdle for a hacker," Miller said. "Apple is going to have to compare that encrypted data with a new scan before they unlock the phone. So they are going to have to decrypt it at that point. You could re-engineer that process."
"Of course, doing any of this is difficult," Miller added. "You have to remember you are starting with a phone that's locked and you can't get past the pass screen."
Nonetheless, Miller said, in terms of overall security, adding fingerprint scanning is only likely to make iPhones easier to break into.
"They are not going to do away with the pass code entirely," he explained. "So, really, by creating another way to unlock the phone they have created another access point for a hacker to try and exploit."
If the 5s sells as well as its predecessors, it's conceivable that 100 million people could be using fingerprint scanning within the year. And that has already raised some privacy questions.
If you are worried about someone, like the police, getting a copy of your prints, there are probably easier ways than hacking your phone. After all, if the authorities have your smartphone they could probably lift a print from the glass screen the old-fashioned way — by dusting for one.
RENEE MONTAGNE, HOST:
And if Apple was aiming to please Wall Street yesterday with new lower priced phones and big distribution deals in Asia - it failed. Apple's stock dropped sharply after it unveiled its latest update to the iPhone.
That may be because Apple's iPhone empire was not built on distribution deals - it was built on technology that enchanted consumers.
So we've asked NPR's Steve Henn in to talk about what new technological innovations Apple introduced yesterday.
STEVE HENN, BYLINE: Good morning.
MONTAGNE: What's new in the world of the iPhone?
HENN: Well, for a while now, Apple has coasted along making incremental improvements to its phones and in many ways yesterday was no different. The iPhone 5S will have a faster processor. There's a new chip that will allow it to run motion detectors in the phone all the time without running down the battery as quickly.
Apple also enhanced the camera and is making claims of better battery life - really a lot of stuff that we've seen before. The one thing that I think that has the potential to capture some people's imagination is Apple's attempt to get rid of passwords.
MONTAGNE: Right. Apple is putting a fingerprint scanner on this phone. Describe that for us.
HENN: Well, Apple calls the system Touch ID. And it works by embedding a small sensor in the little home button at the bottom of the phone. So now instead of tapping in a password to get your phone on or to buy an app, you can simply scan your finger.
But before any of this works you have to train your phone.
MONTAGNE: Oh yeah. Right.
MONTAGNE: You know, I have a hard enough time trying to train my cat Maggie not to walk across the keyboard when I'm typing. I'm not so sure I want to train my iPhone. How does it work?
HENN: Well, when you're setting up the phone, there's a little set of instructions that will tell you to scan your thumb or finger from different angles. You know, I don't know if you've ever been fingerprinted - but unlike in jail where they roll your finger across a big screen to get a full print - Apple has just a tiny little sensor to work with here. So it has to take multiple readings of your print and then piece them together. The theory is if they do this right you won't have to pick up the phone in exactly the same way every time for this to work.
You know, Apple's not the first company to have tried this. Motorola introduced a fingerprint scanner back in a phone in 2011 and it received tepid reviews. The thing is a scanner like this, if it doesn't work all the time, pretty quickly it quickly gets annoying.
MONTAGNE: Yeah. What happens if it doesn't work?
HENN: That's a really good question and honestly I'm not 100 percent sure. Apple said that it's possible to turn off the scanner if you don't want to use it. And so I think it's safe to assume that if it completely failed to work it would probably default to the old pass code. But I asked Apple that and I didn't get a clear response.
The thing about any biometric system is there are actually two ways biometrics generally fails, and they're related. The first way a system like this can fail is it might allow someone who is not me to access my phone. It could identify your finger as mine and turn it on. That might be awkward, but it's unlikely to be completely disastrous.
The second kind of failure is that I pick up my phone and it doesn't let me in - a false negative. Now, if Apple designed a system that generated millions of false negatives and customers weren't able to get into their phones, that would be a commercial disaster. So it's pretty likely that Apple has tried to build a system here that delivers more false positives than false negatives.
So when this phone hits the streets, I'm going to be really curious to see how secure it is in the real world, and whether or not people figure out how to hack it.
MONTAGNE: Well, on that thought, thanks very much.
HENN: Oh, my pleasure.
Transcript provided by NPR, Copyright NPR.