The news that the new iPhone 5S’s fingerprinting system has been successfully cracked by German hacker group the Chaos Computer Club should come as no surprise. As I suggested in my initial response to the announcement, hackers would be itching to get their fingers on the technology to find a way around it. It took them about a week.
This is from the Chaos Computer Club’s blog post:
“The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.”
The Chaos Computer Club are what I would call ‘white hat’ hackers: they’re the good guys, working generally to bring into the open things that are of benefit to us all. They’re very good at what they do – but they’re not the only hackers out there. What the Chaos Computer Club could do in about a week will be possible for those others – and that includes those working for the authorities, for organised crime, for the other tech companies and so forth.
The precise details of how they did it are interesting but not really that important: the key is to understand the implications. Any technology, no matter how advanced, will have vulnerabilities. Any data gathered, no matter by whom or how held, will be vulnerable. That needs to be taken on board when we look at how and whether to embrace that technology – and it needs to be understood when considering how to balance the risks and rewards of that technology. Many people – not least in the technology press when covering the launch of products like the iPhone 5S – tend to gloss over the risks. They take the assurances of the manufacturers that the technology is ‘secure’ at close to face value – and treat the concerns of the odd privacy advocate as tinfoil-hat-wearing paranoia.
Now there IS a good deal of paranoia out there – but to paraphrase Joseph Heller, just because they’re paranoid it doesn’t mean they’re not right. What we’ve learned about the activities of the NSA, GCHQ and others over the summer has gone far beyond many of the nightmares of the most rabid conspiracy theorist. That doesn’t mean that we should all be moving to small islands in the Outer Hebrides – but it should mean that we are a little more cautious, a little more open-minded, and a little less trusting of everything we’re told.
There are a lot of jokes circulating on the internet at the moment. One goes like this:
There’s a point there. By moving from a system of passwords (a deeply flawed system) to one based on biometrics we’re taking on a new level of risk. Is this a risk that we really want to take? What are the benefits? As the Chaos Computer Club have demonstrated, it’s not really for security. Fingerprinting is a deeply insecure system. If someone gets hold of your phone, it will be covered with your fingerprints – getting the data out of it won’t be a major problem for any of the people who might want to use that data.
So it’s not really about security – it’s about convenience. It’s about saving the seconds that it takes to put in a few numbers to unlock your screen. That’s not something to be ignored – we give away huge numbers of things just for a little convenience – but we should at least be aware that this is the bargain being made. For many people it may be worth it. I’m not one of them.
The other risks associated with the use of fingerprinting as an identification and authentication method – some of which I outlined here – are too much for me. Still, for me, the way that it helps establish as ‘normal’ the idea of asking for fingerprints is the worst. It’s not normal to me. It still smacks of authoritarianism – it’s worse than the image of the policeman asking ‘your papers please’, as you’ll have no choice. That’s the thing about biometrics. You become your papers…
No thank you.