All Tech Considered
Tue September 10, 2013
Key To Unlocking Your Phone? Give It The Finger(print)
Originally published on Wed September 11, 2013 6:54 am
The first note I sent out after Apple announced it was including a fingerprint scanner in the new iPhone 5s was to Charlie Miller.
Miller, who learned how to hack at the National Security Agency and now works in security for Twitter, has hacked connected cars, wireless connections and NFC devices. But what he's best known for — what he seems to enjoy more than almost anything else — is hacking into Apple.
So I was curious. If Apple is rolling out a fingerprint scanner as a way to replace passwords, exactly how long would it be until Miller got to work trying to figure out how to exploit the system?
It is undeniable that passwords are only a half-effective form of security. They are a pain. Apple says roughly half of iPhone users don't even bother to set them up. Your password could be guessed, broken with brute force or stolen.
No one will mourn the end of the password, which no doubt is why Apple is pinning its hopes for the 5s to a fingerprint scanning system, called Touch ID, that could make passwords obsolete.
Apple spent more than $350 million to buy AuthenTec last year. AuthenTec owned a number of security patents, including some covering fingerprint scans.
But Apple isn't the first smartphone manufacturer to try this — and fingerprint scanning isn't foolproof.
In 2011 Motorola release a phone with a scanner. Joshua Topolsky, then writing for Engadget, had this to say:
"As far as truly unique hardware goes, the fingerprint scanner seems fairly novel — but in practice it's a little frustrating. It does work as advertised, but being told to re-swipe your finger if it doesn't take when you're trying to get into the phone quickly can be a little bothersome. Unless you really need the high security, a standard passcode will suffice for most people."
A key test for Apple will be whether its version of this technology just works.
But now, with a fingerprint scanner built into the iPhone 5s' home button, biometrics are taking a big step into a much bigger ecosystem. And the scan won't just be used to start the phone. Apple says you'll also be able to confirm purchases in the App Store using a print instead of your Apple ID password. But — for now at least — don't expect to pay for anything outside of Apple's ecosystem with your finger. App developers will not have access to the scan.
Apple did do its best to assure consumers that the fingerprint data it collects from users will be kept safe and private. The scanned print won't be uploaded to Apple's iCloud. Instead, it will be stored in a secure "enclave" on the iPhone, and Apple says the data will be encrypted.
"I don't think the encryption will be a big hurdle for a hacker," Miller said. "Apple is going to have to compare that encrypted data with a new scan before they unlock the phone. So they are going to have to decrypt it at that point. You could re-engineer that process."
"Of course, doing any of this is difficult," Miller added. "You have to remember you are starting with a phone that's locked and you can't get past the pass screen."
Nonetheless Miller said, in terms in terms of overall security, adding fingerprint scanning is only likely to make iPhones easier to break into.
"They are not going to do away with the pass code entirely," he explained. "So, really, by creating another way to unlock the phone they have created another access point for a hacker to try and exploit."
If the 5s sells as well as its predecessors it's conceivable that 100 million people could be using fingerprint scanning with the year. And that has already raised some privacy questions.
If you are worried about someone, like the police, getting a copy of your prints, there are probably easier ways than hacking your phone. After all, if the authorities have your smartphone they could probably lift a print from the glass screen the old-fashioned way — by dusting for one.