The way that the industry collectively came together to offer a near $4,000 bounty for the first person to break Apple’s Touch ID fingerprint scanner shows an interest in research, and how determined we are to show fallibility.
In the story, the challenge to break Touch ID, introduced as part of iOS 7 last week, was launched by independent security researchers Robert Graham and Nick DePetrillo, who put their own money up in order to create a bounty that be awarded to the “winner”. This resulted in many others offering cash, bitcoins, books and alcohol for the first person to hack Touch ID.
However why did people come together to do this? Is it not a criminal action to break something and report it? Look at how it was actually broken by the Chaos Computer Club, by effectively creating a fake finger with an image of the user’s fingerprint. Hardly a zero-day threat or software vulnerability.
The other issue here is in regard to fingerprint authentication; yes it is unique to the user and hard to replicate, but look at your smartphone or tablet, there are fingerprints all over it. Is this the equivalent of writing your password on post-it notes and sticking it your computer? Well not really, but making a copy of something so present probably presents little challenge to the sophisticated minds out there.
How it was done by CCC is demonstrated in this video, and as you will see it is very unusual. Back in 2010, I asked if there was a flaw in biometrics if details are hacked, and it seems that this is the case here. Then LogLogic CEO Guy Churchward said that while biometric authentication is a great idea, the problem is that you cannot change your fingerprint like you can with a password.
In agreement with this was David Emm, senior security researcher at Kaspersky Labs, who said that if a passcode becomes compromised, he could replace it with a new one, but he cannot change his fingerprint.
“So if someone is able to fool a fingerprint reader by spoofing the fingerprint, you can’t just find a new fingerprint,” he said.
“If the CCC has indeed found an easy way to circumvent the Touch ID technology, then it would suggest that Apple’s ‘highly secure’ implementation may not be secure enough. Because of the nature of fingerprints, you effectively leave your password everywhere you go so unless a fingerprint reader is able to fully distinguish between a real finger and a fake one, a fingerprint scan is a poor substitute for a password.”
I have thought that the future was fingerprint authentication for some time, especially with the prevalence of shiny surfaces on mobile devices, and if I am honest I don’t see how this will go away. But the point is what Emm and I made in 2010, if the details are hacked and collected by a third party, it is not as easy as changing a password. Then again, you do have nine other fingers.
