Hacking the Digital: Fingerprint Secured Touch ID from Apple
The iPhone 5S is a revised version of its predecessor, the iPhone 5, and was unveiled to the general public last month on September 20th. Aside from various improvements and newly available features, Apple’s new fingerprint-based identity sensor, Touch ID, grabs your attention first. Yet while fingerprint scanners on laptop computers are nothing new, the iPhone’s sensor may finally mean the end of the PIN and could signal the commercial spread of biometrics. Is the latest installment of biometric security on smartphones actually secure?
Chaos Computer Club (CCC) is an elite European association of hackers that may have proven otherwise using a homemade fake rubber print. The CCC claims it was not even that hard: “it is far too easy to make fake fingers out of lifted prints.” Their recent hack into Apple’s Touch ID is a demonstration of the group’s hacker ethics and acts as a reminder of the need to “protect private data” and “mistrust authority”. The protection of private data necessitates consistent challenges to authoritative definitions. Apple says your fingerprint will protect you. Do you believe them?
Their hack demonstrated above is an example of what Gabriella Coleman and Alex Golub describe as ‘underground’ in Hacker Practice. The purpose is the action. Their transgression is “a reminder to those in power that there are individuals (…) who can and always will unsettle”. Regardless of who holds it, power is power. The Chaos Computer Club says to stay mistrustful of the hands of power.
Members of this elite group only understand the lies authorities tell because of their know-how and resources. Their fingerprint hacking article recites the instructions to crack the phone as if all of us are at home, not putting our “laser printer” and “white woodglue” to good use. Perhaps they are right. If the security of your iPhone is of concern, we might assume you can afford a laser printer.
Bruce Sterling’s advice to hackers is to “[become] a fed,” because in terms of expertise these two groups inhabit similar spaces. Coleman and Golub describe the underground community of hackers as a group that “envisages hacking as a constant arms race between those with the knowledge and power to erect barriers and those with the equal power, knowledge… to disarm them.” Sure, the CCC can break into Apple’s Touch ID. It takes a wolf to catch a wolf.
We should be wary of calling either one a hero. In the CCC’s own code of ethics they caution against the centralization of power without a hint of self-reflexiveness. To what extent are the CCC causing the insecurity by revealing the hole? By providing the instructions? Far beyond just self-fulfilling prophecy, they are acting upon the future. Though one might be tempted to romanticize their mission, Deleuze reminds us that all formats incorporate elements of control.
Regardless of issues of control, Apple believes Touch ID provides a very high level of security. Any piece of static information is far easier to compromise and puts consumers at greater risk in comparison to a unique, personal trait such as a fingerprint that is “always with you, and no two are exactly alike”.
However, let’s look at some of the negative issues that arise from this novel use of biometric technology. There are two lines of thought on how a secure authentication system can fail. As Bruce Schneier notes, it can make the mistake of allowing an unauthorized person access, or it can mistakenly deny access to an authorized person. The former has already been proven by the Chaos Computer Club as seen in the video above, and the latter could become common due to cold weather exposure, sweaty hands during a hot summer, shriveled fingers fresh out of the shower, and so on.
Does this answer our question whether Touch ID is really secure? The fact that security systems are not 100% effective is not an indictment against their use at all. Mainstream antivirus software isn’t absolute, but most business enterprises and individuals use it. The lock on your apartment can be picked, but that doesn’t stop you from securely locking your door at night. The basic point is that security can never be impenetrable. Security is an exercise in risk management and making it harder for potential intruders. You don’t need to have ‘unhackable’ security – you just need security that makes it more arduous and impractical to bypass.
Touch ID is a step towards secure smartphones, but it leads to a bigger concern about the security of information. To what extent is our biometric data stored and shared, and to what extent will it be? The hacker group Anonymous has revealed the relational ties between AuthenTec, the company Apple purchased to develop its fingerprint technology, and the US Department of Defense and Intelligence community.
It is important to understand these relationships, and while issues surrounding the social and political effects of the Touch ID system have been debated, less attention has been paid to the more practical legal questions that arise. An article in Wired raises questions surrounding the Fifth Amendment in the U.S., and whether Touch ID complicates its use and effectiveness. The Fifth Amendment, Art. 6 of the European Convention on Human Rights, and other laws guarantee a right against self-incrimination. However, this privilege only extends to “testimonials”, or information arising from the mind. These laws do not protect against your fingerprints being used in a prosecution any more than they protect against the use of DNA evidence. There is a risk that the increased use of biometric systems will erode the protections against self-incrimination. If Apple’s move leads us to abandon knowledge-based authentication altogether, we risk inadvertently undermining current legal protections.
When determining the correct security solution, it is important to take into account the purposes for which your phone will be used, and what information will be on it. With the recent increase of protests worldwide, and subsequent citizen journalism, it is extremely common for police to attempt to force people to unlock digital devices. From filming stop-and-frisks in New York City, to organizing protests in the Middle East, governments have more incentive than ever to have easy access to smartphones, and their possibly damaging content.
Fingerprint-based access systems make it much easier for the police to coerce you to unlock your phone. From touching the phone to your finger while handcuffed, to physically coercing you to unlock, fingerprint access is not as safe as a PIN number. It is far easier to resist giving out a memorized number under interrogation than to resist physically unlocking a device. While this probably is not the first concern of many iPhone 5S users, it is important to realize, especially in light of recent NSA leaks, what advantages and disadvantages each security system has.
Even the Chaos Computer Club doesn’t suggest ignoring security. They simply believe that the technology surrounding Apple’s Touch ID is less secure than using a PIN number or password. Some security is better than using no security at all and since “more than 50 percent of smartphone users don’t use a passcode”, the new fingerprint scanner technology is infinitely superior. The hack isn’t as easy as it seems.