How Much Can You Trust Your Phone’s Fingerprint Unlock?
As more consumers consider using their fingerprint to unlock their smartphones, and as the technical and legal implications of doing so begin to play out, it’s worth asking yourself: How much can you trust your phone’s fingerprint authentication system? Are these systems really as reliable and hack-proof as Apple and other smartphone manufacturers would like us to believe?
As VentureBeat reports, Chaos Computer Club, Europe’s largest association of hackers, claims that it can reproduce a person’s fingerprints using just a few photos that show his or her fingers. At the group’s 31st annual convention in Germany, a member named Jan Krissler, also known by the alias of “Starbug,” explained that he copied the thumbprint of German Defense Minister Ursula von der Leyen.
According to Krissler, fingerprints can be captured from people at public events with what he characterizes as a “standard photo camera” and then used for biometric authentication. Krissler said that he used commercially available software called VeriFinger, and used as his main source a close-up photo of von der Leyen’s thumb, supplemented with photos taken from different angles to complete the fingerprint.
VentureBeat notes that if the method can truly be replicated as easily as he describes, Krissler’s findings could deal a significant blow to the use of fingerprints for authentication and security purposes. For his part, Krissler believes that after his demonstration, “politicians will presumably wear gloves when talking in public.” However, it’s also important to note that even if hackers can break into a system by reproducing a fingerprint, that doesn’t instantly negate the utility of fingerprints in security systems. Fingerprints are more secure than PIN codes in many cases, and can also be used in conjunction with other types of authentication for added security.
CSO reported in September that researchers at mobile security vendor Lookout characterized the Touch ID system in the iPhone 6 as a “great security measure” for consumers who want to use Apple Pay. Marc Rogers, a researcher at Lookout, said at the time that the latest Touch ID sensor scans a much wider area of the fingerprint to improve reliability, and uses a higher resolution to identify a print more accurately.
However, Lookout did find that it’s possible to create a fake fingerprint — with a high level of skill and patience, plus expensive equipment — to fool the authentication system. A fake fingerprint could be created with a well-defined print of the finger that an individual uses to unlock his or her phone, though that type of print likely wouldn’t be found on a phone’s touchscreen. Rogers wrote in a blog post, called “Why I hacked TouchID (again) and still think it’s awesome”:
Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual. I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.
This summer, Apple and Samsung addressed questions from lawmakers about the privacy and security concerns involved with using fingerprint authentication on their smartphones. In a June letter to Senator Al Franken, Samsung vice president and general counsel Cindi Moreland noted that the scanner in the Samsung Galaxy S5 does not store the actual fingerprint image (PDF), but instead stores “a mathematical representation of the image (plots of endpoints and curvatures), which cannot be converted back to the fingerprint image.”
The letter went on to explain that “The mathematical representation is stored in a secure part of the semiconductor architecture and cannot be accessed by or shared with external sources. It remains inside the phone.” The representation is not transferred to a user’s computer, to the cloud, or to Samsung servers. Additionally, when an app requires authentication of the user, the app directs the scanner to prompt the user for his or her fingerprint, and the scanner returns only a “yes” or “no” response to the app — which never gains access to the user’s fingerprint or the mathematical representation of the fingerprint. Samsung itself doesn’t have the ability to extract or manipulate fingerprint data from the Galaxy S5.
As The Hill reported at the time, Apple offered similar reassurance in its response to Franken. Like Samsung’s system, Apple’s Touch ID does not store an image of the fingerprint, but instead uses a mathematical model to identify the user’s fingerprint. That model can’t be reverse-engineered into an image of the fingerprint, and is stored in a protected chip, not transferred to an external database. However, Franken wasn’t completely satisfied with the responses he received from the tech companies. He noted in a statement:
What I got was mostly good news. But both companies have not taken any further steps to prevent criminals from bypassing fingerprint readers with a spoofed print. That problem needs to be fixed, since fingerprint readers are becoming a gateway to a range of powerfully sensitive information.
There are legal as well as technical concerns involved with using fingerprint authentication to unlock your smartphone, and they are beginning to play out as the matter becomes relevant in courts of law. As Mashable reported in October, a circuit court judge ruled that a criminal defendant can be compelled to give up his fingerprint to unlock his cellphone, on the grounds that it’s equivalent to handing over a DNA sample or physical key, which citizens can already be compelled to give to police. However, police can’t force a defendant to give up a phone’s passcode, because it’s considered “knowledge” and is protected by the Fifth Amendment’s privilege against self-incrimination.