Darren: A lot of the concern that we've seen in the marketplace is that privacy concern and I think that this is a completely legitimate thing to worry about. Apple's making a lot of claims about how well they securely store that fingerprint and who can access it and what's actually being stored. Nobody's ever been really too deeply verify any of this yet. We do have a few hints from patent filings, from documentation of the company that makes the sensor, documentation of the trust zone technology that Apple says they're using to store. Apple really put quite a bit of engineering effort into this, so they claim a couple of things.
Darren: One, they claim that they're storing all of the fingerprint data in what they call a secure enclave. People who have analyzed this so far are fairly certain that this secure enclave is an area on the CPU that is designed for a credential storage and reviewing the design of that, it looks as if this is properly done. It's a pretty decent place to store something. They are not storing an image of the fingerprint, so even if you do get access to the clear version of this, encrypted secure enclave data store on the CPU, we know that they're not storing a complete representation of the fingerprint, so you shouldn't be able to reconstruct a complete fingerprint from what they give you.
Darren: The question is how close can we get with that data and that's an unknown. We don't know that yet. It seems pretty obvious to me that with enough engineering effort, we could use that data to make a good enough clone that would authenticate against the same kind of sensor. The other thing is that Apple's treating the touch id as an authentication gateway. There's a 48 hour window where if you don't touch the sensor within 48 hours, it reverts back to PIN storage, so there's a narrow window for fingerprint attacks. If you reboot the phone, you have to re-enter the PIN. I'd really like to see them offer an option that says hey, I want fingerprint and PIN to lock my phone, but at least they're not admitting that that's on the road map. They have no comment to that question. There's also the concern that Apple says that nothing can access this trust zone except for the fingerprint sensor itself and that word can really concerns me because of my history as a security analyst. You've heard this sort of thing too, where someone says that can't happen, but what usually happens?
Darren: Nothing can access the data. Is that a policy or is that a real control in place and what are the weaknesses of that control and what are the tradeoffs of that control? Apple's done a pretty good job of keeping malware out of the app store, but they haven't been perfect and so if we're relying on just an app store review process to keep people from accessing data, somebody's going to figure out a way to hide it well enough that it gets through the app store review process. It's just inevitable.
Darren: There's also the issue of does this stuff get stored into a backup? Apple says no, but we've seen things in the past where they have introduced bugs that have caused sensitive data to be backed up. Then I can possibly attack a backup of it on your computer or people who are copying stuff over their drop-box. Your data gets to be in a lot of places that you don't expect. Those are the kinds of attacks that I'm really looking forward to seeing what the hacker community comes up with in terms of challenging Apple's assertion that quote, nothing can access this fingerprint data.
Jared: This is a significant effort and with that comes bugs and I'm sure they'll do a much better job as it goes along, but some of those statements are going to show how much testing have you done and it is very sensitive data, certainly a lot of concerns about it.
Darren: We know that the OS has at least some access to that sub system because when you are enrolling your fingerprint, there are software prompts that are telling you, I got a valid scan, scan the next one. We know that there's some level of access. What we don't know yet is is that access control for the really important stuff? Is that hardware? Is it software? We're not sure which one is better because if it's hardware and there's a bug, good luck patching.