Monday, September 23, 2013

TouchID defeated: what does it mean?

Apple's Touch ID sensor has been defeated. What does this mean?

First of all, it means Nick Depetrillo and I were wrong. We claimed it'd be harder. We assumed that a higher-resolution sensor wouldn't be so simply defeated with just a higher-resolution camera. We bet money. We lost (and Starbug of the CCC won).

Many people claim this hack is "too much trouble". This is profoundly wrong. Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try.

At the same time, it doesn't mean Touch ID is completely useless. Half the population doesn't lock their phone at all because it's too much trouble entering a 4-digit PIN every time they want to use it. If any of them choose to use Touch ID security instead of no security, then it's a win for security.

There are also some ways around the hack. Use your ring finger or pinky finger instead. You don't use these fingers to navigate your phone, so these prints won't be on your phone. These are also the most difficult and unlikely prints to retrieve from other surfaces, like beer glasses.

So here are the four lessons:

1. security experts can be wrong
2. don't believe the security assurances from vendors
3. bad security is still better than no security
4. knowledge is your best defense: understand this hack and how to use your pinkie finger instead


Ed Hurtley said...

This worries me, too. They made it sound like it was much more than "reading the physical image of your finger print".

Oh well, marketing strikes again.

Kirsch said...

3. bad security is still better than no security

This isn't entirely true. The biggest drawback of bad security is that it can make an ill-informed person believe he's secure, thus forgoing good security.

In the Touch ID case, security is improved, because it's replacing no security at worst, or a weak four-digit PIN at best. OK, I guess there are three guys in the world who really know and carry very sensitive stuff who use a long pass phrase. Those three can keep using a pass phrase.

It's all about striking a balance and adding security while keeping hassle to a minimum. Touch ID is a huge success in this regard.

Ruud Noorhoff said...

It seems what Apple was aiming for is something as convenient as no PIN or password, but (in many cases, a bit) safer than a PIN.
They are calling it 'very secure' which could be true enough depending on what you compare it to. It's not what security experts would call 'very secure'. It would be nice if everybody knew how (in)secure it actually is, but that is just not going to happen.

I'm also wondering, if Apple is not outright lying about the sensor, it should be able to do more. Maybe Apple went for the convenience option first and will add a high security option, requiring longer scan times, later.