iPhone 5S Spoofed – Should we Give Up on Fingerprints?

Many may have seen in the press that the German hacking group Chaos Computer Club (CCC) has claimed to have spoofed (not hacked) the Touch ID fingerprint device in the new iPhone 5S.  Many may have been surprised by their success and are now questioning whether Apple’s reputation has been blemished.  In short, it hasn’t. What follows is exactly why you shouldn’t throw the baby out with the bathwater.

First, the distinction of spoofing verses hacking.  The CCC did not claim to have breached the integrity of either chipset (A7 processor or Touch ID chip); nor did they claim to have penetrated the software that operates Touch ID.  This would have been a real hack and would point to other concerns around coding, encryption and communication channels. Hacking Touch ID would suggest physical access to the phone may not be required and would be an important distinction. Spoofing is fooling the fingerprint sensor into believing the fake image presented is a live finger and physical possession of the phone is required (it cannot be done remotely).

Spoofing Touch ID so quickly after the iPhone 5S launch may be disheartening and cause us to encourage Apple to improve on their technology, but should we now abandon the use of the fingerprint sensor on the iPhone or any other device?  Does the fingerprint sensor still provide some key value?  The following outlines the argument that supports the use of Touch ID on the iPhone regardless of it being spoofed by CCC:

1. Touch ID is easier to use and should encourage more people to activate the protected lock feature on their phone.  Remember that according to Apple traditionally less than 50% of iPhone users lock their phone using a PIN code.  If more users activate a protected lock function, then the overall security of mobile devices as a whole will have been increased.  Think about how many times people unlock their phones throughout the day…this ease of use should make a difference.

2. Touch ID adds a new layer of security that delays and frustrates the thief in the case they are going to attempt to spoof the device.  Remember it takes precious time to find a decent print on the phone of the finger that is enrolled, lift the print and then create the fake finger.  The thief has no idea which fingerprint is enrolled verses what he or she finds on the phone body itself, so it may take multiple attempts before the enrolled finger is effectively copied for spoofing.  And they have no guarantee the right print or portion of the print is on the phone body itself or is not overlaid (disrupted) by other fingerprints and therefore nearly impossible to lift. So even more work and delay may be needed to follow you around to grab ALL your fingerprints (they don’t know which one is enrolled); potentially being forced to lift the prints in public (e.g. off a door knob), which is not very conspicuous.

3. After 48 hours of the phone being locked, after a certain number of attempts to use Touch ID or after rebooting the phone the PIN code is still required.  So this adds another burden on the thief and added delay, as he or she will likely need that time and many failed attempts to spoof Touch ID and therefore also need to crack the PIN code before gaining access to the device.  If the thief makes 10 or more attempts to unlock the iPhone, you can also set your iPhone to wipe itself automatically.

4. Given number 2 and 3 above, the iPhone owner should have ample time to realize their phone is missing and wipe the device remotely before the thief can spoof the fingerprint sensor and crack the PIN code.  Remember that until this happens, the cellular radio (phone network) will still be on and active in the case it was on at the time of the theft (most likely).  The thief cannot adjust any settings on the phone until it is unlocked.

5. This additional time with the phone network likely turned on and the phone locked also adds more credibility to activate and use the Find My iPhone feature.  It is much more likely that the iPhone will be on the network after its theft and while the thief is attempting to spoof Touch ID and crack the PIN. This could afford you or the police enough time to locate the iPhone via GPS or network triangulation and maybe even getting it back and arresting the perpetrator.

6. Cracking a PIN code alone is much faster than spoofing the fingerprint sensor given the freeware cracking utilities and high speed computers available today that can run through the PIN combinations very quickly.  So this added layer of delay does add value to provide more time for the iPhone owner to wipe the device and protect personal info and applications.

7. Hackers like to focus on server-based hacks because they can get a cache of passwords and other credentials from many people or to gain access to many or key applications. It is not very productive for a hacker to spend their time spoofing a single fingerprint sensor on a single phone that only rewards the hacker with only a single person’s passwords and credentials.  The only phones a hacker may have interest in are those owned by the rich and the famous…but that is not most of us!

There is no doubt that more advances in ‘liveness detection’ is much needed by the biometric industry and as (prospective) users we should demand such innovations.  For example, in July 2013 the largest biometric company in the world (by revenue), SAFRAN Morpho, achieved a key milestone for the industry as a whole.  Morpho was the first company to achieve Common Criteria Certification for Fake Finger Detection, passing a rigorous set of spoofing tests designed by a respected government laboratory.  The irony is the organization that performed the rigorous spoof testing was located in none other than Germany, the BSI (Bundesamt für Sicherheit in der Informationstechnik): the German Federal Office for Information Security, which is an independent certification body.  

So maybe the Germans are the biometric spoofing experts after all!  Let’s encourage more biometric vendors to innovate and then go and get their products tested and eventually certified from organizations like BSI. Meanwhile, iPhone 5S owners can legitimately reason that they buy themselves precious time to discover the theft, potentially locate the iPhone and more likely wipe the device (remotely or automatically) if they choose to use the fingerprint device. Not to mention the fact that it will make their life a lot easier since they are frequently unlocking and using their constant companion.  

To conclude, one final tip, if you want to be safer with Touch ID: enroll and use fingers that you very rarely touch your phone with like your little (pinky) fingers (i.e. don’t use your thumb or index finger), and either incessantly clean your iPhone (like after every single time you use it) or never clean your iPhone (so that all your prints overlay and disrupt one another all over the phone body and screen).