The biometrics team of Germany's well-known Chaos Computer Club (CCC) claims it has
"cracked" Apple's Touch ID system.
Touch ID is the fingerprint sensor and the associated software that
provides a biometric lock for the brand new iPhone 5s.
Fingerprint readers have been common
add-ons to laptops for many years, but never really caught on.
Here's why.
Firstly, fingerprints aren't secret.
All of us inadvertently leave
good-quality prints on many surfaces, such as glass, metal and hard plastics.
Additionally (in many countries in
the post-9/11 world) many of us deliberately, often unavoidably, have allowed
the authorities, our employers and even businesses such as banks to take
high-quality copies of our prints, and to keep them pretty much for ever.
Secondly, you can't change fingerprints if there's a breach, like
you can an ephemeral password.
Thirdly, fingerprint sensor technology has been found wanting in
the past, with glue, gelatin and even photocopies with a very thick layer of
toner being used as copies that would pass muster as a real finger.
Fourthly, when you're logging into your laptop, being able to use
your fingerprint doesn't add an awful lot of convenience.
You've already got a perfectly
serviceable keyboard in front of you when you open up your laptop, on which you
are probably going to type your username anyway, so why not just stick with
what you know: a typed-in password?
Fifthly, there's something unappealing to many people about using
biometric data such as fingerprints, DNA or retina scans for anything but the most
serious matters of identification.
Biometric objections typically lie
somewhere between the visceral and the spiritual, which makes them hard to
quantify.
But it is perfectly understandable
(laudable, even) to be uneasy about using "something you are" as a
way of identifying yourself, especially if it's merely to use a piece of
computer hardware you already own outright.
Nevertheless, despite these
objections, Apple's Touch ID is supposed to be - may yet still be! - the
biometric implementation that will change all this.
It's built in to the new iPhone 5s,
right in the button you press to start everything up anyway; it seems to work
reliably, so it doesn't lock you out all the time; and it doesn't store digital
copies of your fingerprints centrally where they might leak to the world in a
data breach.
Better yet, it means you don't need
to type in a complicated password on the iPhone's fiddly on-screen keyboard.
Best of all, it works conveniently
even for people who would rather do without a regular passcode altogether, so
for many users, it might succeed entirely on the basis that "something's
better than nothing."
As Apple itself very proudly points out on its website:
You check
your iPhone dozens and dozens of times a day, probably more. Entering a
passcode each time just slows you down. But you do it because making sure no
one else has access to your iPhone is important. With iPhone 5s, getting into
your phone is faster, easier, and even a little futuristic. Introducing Touch
ID — a new fingerprint identity sensor.
Put your
finger on the Home button, and just like that your iPhone unlocks. It’s a
convenient and highly secure way to access your phone. Your fingerprint can
also approve purchases from iTunes Store, the App Store, and the iBooks Store,
so you don’t have to enter your password.
The only fly in the ointment now is
that it looks as though Touch ID isn't "highly secure," after all.
It's perhaps not as futuristic as
Apple thought, either: the CCC hackers say that they used a technique
documented in CCC materials back in 2004.
Greatly simplified, the fingerprint
cloning process works like this:
- Take a hi-res (2400dpi) photograph of the fingerprint.
- Digitally invert the image so that the valleys of the print are black.
- Laser print (1200dpi) the image with a very thick toner setting.
- Smear white woodglue (or latex) over the printout and allow to set.
- Carefully peel off the glue or latex sheet.
- Breathe on the surface so it's slightly moist and conductive.
- Unlock phone.
So last decade!
The really intriguing aspect of the
claim is that the CCC guys didn't start with a photograph taken directly from a
finger, which would typically require some sort of co-operation (or heavy
inebriation) on the part of the victim.
They say that they used:
...the
fingerprint of the phone user, photographed from a glass surface.
The next question is, will they, can
they, claim the crowdsourced prizes on offer for doing
what they say they did?
And the final question: should you
use Touch ID?
I'm the wrong person to ask, because
I'd probably say, "No!" on the basis of point 5 alone - a visceral
sense that I'd simply rather not do so, especially since I know how to type
perfectly well.
My advice, then, is to consider
points 1, 2 and 3 above.
If you're happy in the face of those
objections, and you aren't fussed by point 5, then...
Is it better not to have a passcode at all!