The fingerprint sensor in Apple's new iPhone 5S has the potential to enhance the security of the device, but the devil will be in the details.
Its effectiveness will depend on the strength of the implementation and whether it's used in conjunction with other security credentials, researchers said.
Apple unveiled two new iPhone models Tuesday, the iPhone 5C and iPhone 5S, the latter of which has a fingerprint sensor dubbed Touch ID built into the home button. The sensor will allow users to use their fingerprints instead of a password to unlock the device and make purchases on iTunes.
It's not clear if the feature will be used in other scenarios that have yet to be revealed or if third-party applications will also be able to use it to authenticate users.
In presenting the technology Tuesday, Apple said the fingerprint data is encrypted and locked in the device's new A7 chip, that it's never directly accessible to software and that it's not stored on Apple's servers or backed up to iCloud.
Fingerprint scanners have historically been susceptible to errors and to replay attacks, in which fingerprints are stolen and then used to trick the scanners through a variety of techniques.
According to Apple, Touch ID scans sub-epidermal skin layers, has a 500-ppi resolution and can recognize fingerprints at any rotation. But how well it will resist attempts by security researchers to bypass it remains to be seen.
"Common attacks against fingerprint readers include using photos of fingers or creating fingerprint molds based on captured prints," said Dirk Sigurdson, director of engineering for the Mobilisafe mobile risk management technology at security firm Rapid7, via email. "Hopefully the iPhone sensor will have strong protections against using copied fingers."
Fingerprint technology is not a high-security feature, said Marc Rogers, principal security researcher at mobile security firm Lookout. That's why most military installations, for example, use hand geometry or retina scanners instead, he said.
"It is possible to copy a fingerprint and I think that as the technology sees wider usage, the techniques of copying fingerprints will only improve," the researcher said. However, a fingerprint is still better and more convenient than a four-digit PIN, he said.
The best single factor of authentication is a strong password stored only in the user's brain, but it's inherently difficult for people to create and remember strong passwords, Sigurdson said. This often results in bad passwords being used, so a good fingerprint reader and matching algorithm will likely improve the security of iOS devices, he said.
Many people probably don't even set a PIN because it's inconvenient to enter it every time, so a fingerprint gives them the opportunity to secure their device in a way that's better than nothing, Rogers said.