Since the release of the iPhone 5s and its built-in fingerprint scanner, Touch ID, biometric security has been a topic of discussion on social media, in the news and around the water cooler. Everyone is wondering whether Apple’s decision to bring biometric security to the smartphone could make the technology as ubiquitous as PINs for ATM transactions.
Although Apple is not the first company to use fingerprint scanning as an authentication method, it is responsible for one of the most high-profile biometric security initiatives in recent times.
Using your fingerprint may be easier than punching in a passcode, but many security professionals wonder whether the convenience is worth the security risks. Fingerprint scanning is just one type of biometric technology that can be used to verify one’s identity. Unfortunately, prints are left on pretty much any surface a person touches.
The Chaos Computer Club went to great lengths to hack the Touch ID system, and although the hackers were successful, the operation proved to be quite complex. The group outlined its process as follows:
First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material.
The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use.
Discussions about security and convenience are often directed at the user, but those features are of interest to the hacker as well. The above process might be successful, but the resources involved in securing a high-resolution copy of someone’s fingerprint (without his or her knowledge) and assembling all of the necessary material to reproduce the fingerprint make this type of breach an unattractive option for most hackers.
Some say Touch ID is “more secure than a short code” because everyone has a unique set of fingerprints. According to Apple, after five failed attempts with the wrong print, Touch ID will not work; instead, a passcode will be needed to gain access to the device. Also, despite concerns that smartphone thieves would go on a finger-snatching spree, the user must present the fingerprint from the correct live finger in order to access the device, so pictures of prints will not work on the sensor, according to a report from Mashable.
On the other hand, there is a possibility that attackers could use malicious iPhone apps to obtain the print from the chip. Little discussion of this potential breach has taken place, but the opportunity for the hack is present, according to a report from ZDNet.
If worrying about these scenarios sounds paranoid, consider the fact that our lives are increasingly becoming digital. Losing a phone is no longer about just the device; it’s also about the personal data the phone carries.
So while there’s no doubting the cool factor of fingerprint authentication, there’s also no doubting the appetite for fingerprint fiascos.