Did you know that 30-50% of people choose not to use any sort of passcode on their smartphones? The inconvenience that comes with typing in a long passcode means users are willing to put their mobile lives at risk. Apple has attempted to solve this problem by creating a fingerprint scanning application that allows for convenience and security without compromise. With this type of technology on the rise, users may be wondering how it works and if this type of passcode is really safer. In part 1 of our Apple fingerprint technology series, Jared Carlson and Darren Meyer, both senior security researchers at Veracode, discuss this type of technology and what it means for mobile security.
Jared: The first thing that I always want to come back with is just the ideas in terms of CSI and the layperson's perspective on fingerprints and biometrics in general. We see the Bourne Supremacy, we see all these kinds of movies where you see iris scans, fingerprinting and they use these absolutely unique identifiers and Apple claims that the fingerprint is absolutely unique.
Jared: In science, you have to say there's an error of measurements. People who work with the FBI for 15 or 20 years who have done some tremendously wonderful things for this country, they make mistakes based on a fingerprint.
Jared: There's always error of measurement when you do these things and you have to know what that is. These things are never 100 percent. When we talk about iris scans, there's a lot of cutting-edge algorithm work there and that's done around pupil dilatation because your pupils change based on the lighting and that can affect that kind of scan. Fingerprinting is the same thing. There's some science there but there's also some pseudo-science. It's somewhat hard to do with the Apple distortion reality field.
Darren: One of the problems we have in the marketing versus reality realm is exactly as you said, people believe that fingerprints are absolutely unique to the individual. But, for example, the Touch ID sensor is only scanning a tiny little fingerprint and Apple's own documentation says that will match about 1 in 50,000. There's six billion people on the planet, 300 million in the US alone. How many people are going to have a fingerprint similar enough to yours to match?
Jared: One of the other things to bring up too is people have hacked this already. We're not even a week into the release and this has been hacked twice. In terms of how valid and how easy these people are doing it, there's a lot to say about this already. The CCC, the Chaos Computer Club in Germany, put out a nice article on how they did it. They made it sound pretty trivial. I'm not that sure about how trivial it is but I did like Mike Rogers's blog over on Lookout. I thought he put out a nice reasoned argument in terms of why this is generally speaking a really good thing. We always forget, you pick up your phone many times a day to do texting, email, all kinds of stuff. If it's just one password every hour or two, I think people are more likely to use passwords, but a password every 15 minutes? I think that's where they kind of go away.
Darren: The usability advantage here is what a lot of critiques are overlooking. The most conservative surveys are showing that 30 percent of people are choosing not to have a passcode. Working for enterprises, one of the big pushbacks in securing mobile devices was not wanting to enter a passcode every time I check my email. That's ridiculous. I think the fingerprint has a lot of potential to improve the overall security of the mobile space.
Darren: Fingerprint technology has a deservedly bad reputation. There was a MythBusters episode where they effectively defeated this thing with gummy material. It's very close to being able to just press a gummy bear into a fingerprint reader and have it authenticate the last person who used it. I think that's the kind of thing people are used to seeing with fingerprint tech, but it's also come a long way. It's certainly not foolproof, as we can see from the fact that it's already been hacked a few days after release. When you come to a fingerprint lifting, that's the one that everyone seems to really focus on as the one concern. Somebody can make a copy of it and make a false finger, then they can get into my phone, maybe without me even knowing.
Darren: It's high risk as well. You typically have one shot to lift a print and if you make a mistake you have to try to get a new print. Lifting the print destroys it. The other attack that a lot of people are worried about is what if I just cut off somebody's finger? That is definitely a concern that we have, what's the increase in violence that could potentially happen here.
Jared: The one that worries me more is if you get my finger at that point, whether it's off a lift or any kind of method, I'm really in trouble and I basically have to change up the locks. There's no reset. If I have a passcode, I don't have to give it or if someone compromises an email, I can go reset it. Everyone's used to that, but biometrics stuff, fingerprints are fingerprints and my eye color isn't really going to change easily.
Jared: I'm not sure what people are going to do about this. One of the things I did like about the Mark Rogers write-up in his blog was he had some really great questions that brought up these kinds of things in biometrics. The police, if they have your fingerprints and other valuables, that's going to be a treasure trove for hackers to get if biometric picks up. I love the 5s, the convenience is great, but it kind of raises some questions.
Darren: You have protection under certain circumstances and whether you have that about something that's a readily available fact like your fingerprint or your DNA is a little muddier. People who are doing things in the edges of the legal gray area as a lot of startup founders do, as a lot of big organizations do, it might have additional cause for concern. People are interested politically and this isn't just the US either. It's a global product.
Jared: You have to respect their authority, but on the other hand, these become sensitive information that allows access and even if you're just charged and they decide to drop the charge, they have a record there that could be used to compromise you or all sorts of extortion. The possibilities are startling.
Darren: Then there's the issue that I don't see a lot of people talk about which is we focused so much on fingerprint lifting, because that's a very old attack. We've just had to make the attack better and certainly attacks never get harder over time to do, but there's also the issue of recovery and that seems to be where Apple has put most of their effort into. We're storing data about your fingerprint and right now, we don't know what that data is. We're waiting for the engineering efforts. We know it's not a picture of the fingerprint, but there's enough data there for the sensor to verify a section of your print, so some clever person is ultimately going to figure out given that data, how can I make a print that's good enough to recover. That's something I don't need to be anywhere near you to conduct that attack.