Tuesday, September 10, 2013

Finger tip prints are not fingerprints

You use a different part of your finger to touch the iPhone sensor than you use to touch other things. Hold a glass in one hand and your iPhone in the other, with your thumb on the sensor. You'll notice that you hold the glass with the flat of your thumb (the pad) but touch the sensor with the tip. The two prints overlap only slightly, or not at all.

That means that while hackers may be able to lift your thumbprint from objects you have held, or from other parts of the phone itself, they probably can't get the tip print needed to unlock your iPhone.

It also means the fingerprint databases held by the NSA, FBI, and border security are largely useless for unlocking your phone: they don't cover the same parts of your fingers.

I point this out regarding the latest iPhone 5S release with its "Touch ID" sensor, which reads fingerprints instead of requiring you to type in a passcode. We cybersec hackers will be discussing how to break this in the near future, so I thought I'd be the first to make this observation.

6 comments:

Anonymous said...

OK, but now there is a new data point to collect on individuals: a database of thumb tips to further confirm identities.

Anonymous said...

Didn't they mention that sub-dermal details are analyzed as well? Are those present in standard fingerprint-lifting efforts?

El Gato Parlante said...

Security through obscurity... Not a good idea.

Even if the NSA was able to break the trust in Internet security protocols, sooner or later they will have to reap the escalation of distrust they sow, by new approaches in cyber security.

It's totally unacceptable to trust a fingerprint, whether from the tip, the flat or a toe, to a crypto system whose transparency can't be audited and verified by third parties.

Unknown said...

Apple does everything through obscurity, not just security. For them, this is business as usual.

That said, I don't think that the goal of fingerprint identification was supposed to provide absolute authentication and identification of an individual, but rather to raise the bar from the common four-digit PIN typically used by the average iPhone user. If your goal is to improve things from a 1:9999 chance of cracking the code, they have done their job well. To my understanding, the A7 chip does not even store an image of your fingerprint, but rather a hash of common characteristics. Without knowing the length of this hash, even a weak 10-character hash is an order of magnitude better than a 4-digit numerical one.

Consider the common door lock. These use four or five pins that can be at one of ten elevations. This means that door locks only have 99,999 possible variations. That means the key that you have in your pocket probably opens a few thousand other doors in the country. They just count on the fact that the chance you may stumble upon one of those other doors is remote.

Unknown said...

"You use a different part of your finger to touch the iPhone sensor than what you use to touch other things..."

That's not true, Robert. The sensor is obviously designed to be touched using the tip of the thumb, which is the same exact way you would touch icons on the screen (especially the bottom part of the screen, which is only an inch or so higher than the sensor).