Fingerprint Folly

It was only a matter of time before somebody found a way to crack the fingerprint reader on the iPhone 5S. Coming in as the first group to publicly announce a bypass is the Chaos Computer Club (CCC), which has a habit of breaking security systems:

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as an access control method and should be avoided.

[…]

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

I’ve never been a fan of biometrics. While it’s true that features unique to a person can be used to identify that person, it’s also true that, as Frank Rieger of the CCC pointed out, a person cannot change their biometrics:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC.

If you can’t change your authorization token and somebody compromises it, things aren’t going to end well. Fingerprints are especially bad tokens because they can be lifted from many of the surfaces we touch. An authorization token isn’t very secret when you go around leaving a copy of it on everything you handle.

With that said, if Apple’s fingerprint reader is convenient enough that people actually use it, it will have served its purpose. An unchangeable security token that you leave everywhere you touch isn’t great, but it’s still better than no authorization control whatsoever.