Touch ID was hacked, but no one cares

Jon Tullett
By Jon Tullett, Editor: News analysis
Johannesburg, 26 Sept 2013
Apple's Touch ID fingerprint sensor in the new iPhone 5S was hacked in short order.
Apple's Touch ID fingerprint sensor in the new iPhone 5S was hacked in short order.

It took almost two whole days for Apple's new Touch ID fingerprint security to be cracked. The iPhone 5S features a fingerprint reader (cleverly hidden behind the home button) and a security stack designed to help users lock their phones, encrypt data, and sign in to services.

Despite Apple's assurance to the contrary, security specialists predicted Touch ID would be attacked in short order, and they were right. But it doesn't matter, and here's why.

Touch ID, like any fingerprint biometric, is not all that difficult to attack. Sure, the sensor can use a number of techniques to resist attack, but in the real world, fingerprint biometrics are known to be easily defeated. In 2002, Tsutomu Matsumoto demonstrated successful attacks against several commercial fingerprint biometric systems, armed with a secret weapon: a chewy sweet. Matsumoto's results were so astoundingly comprehensive that Bruce Schneier wrote at the time: "The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing."

In context, Schneier was highlighting the tendency of security companies to talk up their products' robustness, and certainly the claims of biometric systems looked shaky after Matsumoto's paper, and others like it, appeared. But biometrics do still have a valuable role to play if deployed right, and as a convenience device in a smartphone almost certainly falls under that description.

Most users, after all, don't even use PIN protection on their mobile devices, and with the continuous consolidation of personal and corporate information in the mobile space, the risk to both individuals and employers can be enormous. If users unlock their phones frequently, typing a PIN becomes awkward, so many don't bother unless their employer's MDM policy requires it (and in any case the imprint of frequently tapped areas of the screen, never mind shoulder surfing, can render PIN protection less robust than many users might think).

A simple swipe is much more user-friendly (and the default on most devices), so evolving that basic gesture into a fingerprint scan is a great deal more secure than the swipe on its own. It may not be as bulletproof as Apple might like us to believe (and in that respect, Schneier's 10-year-old criticism still applies), but the technique to crack it is still difficult enough to deter a petty thief, and a serious attacker wouldn't be stopped by a PIN either.

So while Apple deserves the brickbats for over-hyping Touch ID's marketing, it still deserves the plaudits for putting physical two-factor authentication quite literally in the hands of its users. Schneier, in response, was softer on Apple than he was on commercial biometrics firms a decade ago: "Despite its drawbacks, I think it's a good trade-off for a lot of people."

For the suspicious, there is the lingering question of just how secure Touch ID is anyway. Can Apple retrieve keys, decrypt data, and hand info to the NSA? Apple says no (again), which quite possibly means yes, but even that doesn't matter as much as some think: Touch ID is still more secure against many attacks than no security at all. Even for corporate environments, as part of an MDM/security policy, the potential drawbacks are probably strongly outweighed by the advantages.

So Apple's claims of robust security were predictably shown to be overblown, but the claims that Touch ID is fatally flawed and without value are equally off the mark. The truth is somewhere in the middle, and right now, that adds up to an attractive security stack unique to Apple. Non-Apple users, meanwhile, can expect similar efforts within the next product generation (Samsung reportedly already has fingerprint sensors in its upcoming products). Since Apple acquired both the technology and the patents (from AuthenTec), the lawyers are presumably already limbering up in Cupertino.