Fingerprint sensor in iPhone 5S is no silver bullet, researchers say
- 10 September, 2013 23:00
The fingerprint sensor in Apple's new iPhone 5S has the potential to enhance the security of the device, but the devil will be in the details.
Its effectiveness will depend on the strength of the implementation and whether it's used in conjunction with other security credentials, researchers said.
Apple unveiled two new iPhone models Tuesday, the iPhone 5C and iPhone 5S, the latter of which has a fingerprint sensor dubbed Touch ID built into the home button. The sensor will allow users to use their fingerprints instead of a password to unlock the device and make purchases on iTunes.
It's not clear if the feature will also be used in other scenarios that have yet to be revealed or if third-party applications will also be able to use it to authenticate users.
In presenting the technology Tuesday, Apple said the fingerprint data is encrypted and locked in the device's new A7 chip, that it's never directly accessible to software and that it's not stored on Apple's servers or backed up to iCloud.
Fingerprint scanners have historically been susceptible to errors and replay attacks that involve stealing fingerprints and using them to trick the scanners by employing a variety of techniques.
According to Apple, Touch ID scans sub-epidermal skin layers, has a 500-ppi resolution and can recognize fingerprints at any rotation. But how well it will resist attempts by security researchers to bypass it remains to be seen.
"Common attacks against fingerprint readers include using photos of fingers or creating fingerprint molds based on captured prints," said Dirk Sigurdson, director of engineering for the Mobilisafe mobile risk management technology at security firm Rapid7, via email. "Hopefully the iPhone sensor will have strong protections against using copied fingers."
Fingerprint technology is not a high-security feature, said Marc Rogers, principal security researcher at mobile security firm Lookout. That's why most military installations, for example, use hand geometry or retina scanners instead, he said.
"It is possible to copy a fingerprint and I think that as the technology sees wider usage, the techniques of copying fingerprints will only improve," the researcher said. However, a fingerprint is still better and more convenient than a four-digit PIN, he said.
The best single factor of authentication is a strong password stored only in the user's brain, but it's inherently difficult for people to create and remember strong passwords, Sigurdson said. This often results in bad passwords being used, so a good fingerprint reader and matching algorithm will likely improve the security of iOS devices, he said.
Many people probably don't even set a PIN because it's inconvenient to enter it every time, so a fingerprint gives them the opportunity to secure their device in a way that's better than nothing, Rogers said.
Research suggests as many as half of users never set up a four-digit PIN or a more complex password to lock their devices, Apple said during its presentation.
Rogers believes fingerprints could add great security if they're used in conjunction with other security credentials as part of two-factor authentication.
For example, Apple could allow users to set a strong, complex password that's used to encrypt the file system and which would need to be entered only when the device is switched on. The user's fingerprint could then be used as a medium-strength access credential to unlock the device when it's on and needs to be used. This would provide both security and convenience for users, Rogers said.
In addition, if Apple would allow other applications on the device to use the fingerprint sensor, it could increase the security of those applications. For example, a banking application could require users to authorize transactions by scanning their fingerprints, limiting what attackers can do if they steal those users' log-in passwords, he said.
Overall, the sensor has the potential to increase the security of the device, but it depends on implementation and whether consumers will actually use it, Christopher Pogue, director of security vendor Trustwave's SpiderLabs security research team, said via email. "It is key that consumers can easily understand how to use the sensor."
Like Rogers, Pogue believes that fingerprints would be most valuable if used as part of a two-factor authentication system.
"Like anything else that runs on a mobile device, the scanner itself is an application that interfaces with the underlying operating system and like other applications, regardless of function, there are vulnerabilities that exist due to a multitude of factors," Pogue said. "This application will likely be no different, and exploits will certainly be forthcoming if not already here."
Unlike a password, a fingerprint is not something a person can forget or share with someone else, so in that regard it provides stronger access control than a password, Pogue said. However, there has to be a failsafe mechanism to prevent the device owner from being locked out in case his fingerprint is modified as a result of an injury, for example, he said. "It's this 'back door' access that, if present, would likely lead to unforeseen security vulnerabilities."
Security best practices indicate that access control should always use at least two factors: "something you know," like a password or PIN; "something you have," like a physical token device; or "something you are," like a biometric feature, including fingerprints, Pogue said. Adding an additional layer of defense makes unauthorized access to the device through that mechanism exponentially more difficult, he said.
The goal should always be to raise the bar for attackers and, keeping that in mind, if the fingerprint sensor would be used as part of a two-factor authentication system, it would greatly enhance security, Rogers said.
However, Rogers and Pogue had different opinions on how useful this feature will be in enterprise environments.
Rogers thinks that if the feature will be made available to third-party developers, enterprises could use it to secure their internal mobile applications and limit the risks resulting from phishing attacks that target employee access credentials.
He also believes that it increases the physical security of devices and could, in conjunction with other technologies like remote device tracking, discourage mobile phone theft, which has become a serious problem in many countries.
Meanwhile, Pogue thinks that the sensor only marginally improves security because there will likely be bypasses for it, and he doubts that enterprises will take advantage of the technology anytime soon.
The FIDO Alliance, an industry group that wants to reduce reliance on passwords, welcomed Apple's inclusion of a fingerprint sensor, but didn't think it would result in widespread adoption of such technology, because its implementation is proprietary.
"Apple's decision to include authentication with the iPhone is a good dose of rocket fuel for the industry," said Michael Barrett, president of the FIDO Alliance. "Though any authentication technology unsupported by standards may take years, if ever, to achieve widespread market penetration. The marketplace seeks authentication capabilities that span computer, smartphone, and physical access authentication and federated identity applications. Open industry standards, such as FIDO authentication specifications, are required before we can achieve industry-wide adoption of strong authentication across all platforms."