
About Touch ID Security - interpol_p
http://support.apple.com/kb/HT5949?viewlocale=en_US&locale=en_US
======
madeofpalk
Apple also says internally, which I find mildly amusing:

> Not everyone will be able to use the fingerprint scanner feature. Some
> people lack the impedance necessary to activate biometric devices.

> Do not service or replace the device for issues with a specific finger(s).
> If the customer has an issue with certain fingers, explain that in some
> cases Touch ID may be unable to match those fingers consistently. This is
> usually caused by the readability of that fingerprint, and the customer can
> either try enrolling the finger at a later time, or use a different finger
> for Touch ID.

Source: [http://i.imgur.com/ku1KOUK.png](http://i.imgur.com/ku1KOUK.png)

~~~
aptwebapps
> Not everyone will be able to use the fingerprint scanner feature. Some
> people lack the impedance necessary to activate biometric devices.

That'll be a new disadvantaged minority. I think I can imagine a sci-fi short
story around this now ...

------
softbuilder
"Touch ID does not store any images of your fingerprint. It stores only a
mathematical representation of your fingerprint. It isn't possible for your
actual fingerprint image to be reverse-engineered from this mathematical
representation."

This is a tad disingenuous.

Fingerprint 101:

Fingerprint databases don't search images of your fingerprints. They search
_mathematical representations_ of your fingerprints.

To uniquely identify your fingerprint an image is scanned for unique features
called "minutia points"[1]. The spacing and orientation of those points is
what is stored and later searched for.

Fingerprint matching isn't boolean. When you do a database search you get a
list of high probability matches. There are no perfect matches, even between
two different images of the exact same finger. Everything is based on
probability. For law enforcement purposes, strong matches result in a
technician reviewing actual images and making comparisons. For biometric
security like this (which is not my area) I expect that there is a threshold
percentage match that must be met.

The reason this quote concerns me is that while the actual image can't be
reproduced, the image isn't the part that matters! The "mathematical
representation" is what counts.

Whether or not that information is actually secure onboard the phone, I don't
know.

[0] I have worked with fingerprint processing systems.

[1]
[http://en.wikipedia.org/wiki/Fingerprint_recognition#Minutia...](http://en.wikipedia.org/wiki/Fingerprint_recognition#Minutia_features)

~~~
jnardiello
Nobody knows where the model is stored. Considering the records and recent
history, very likely finger prints models will be used for further
intelligence analysis.

~~~
numbsafari
It's stored inside a portion of the A7 chip that accepts writes, but
apparently not direct reads. Further analysis will hopefully show whether this
was successfully implemented or not.

------
casca
At this point in time, the 4-digit PIN on the iPhone is protection against
someone casually looking at the phone when you've left it on your desk. It
takes 10 minutes to remove the PIN lock and keep the data intact without using
specialist tools. With specialist tools the data can just be read and the
owner will never know as the PIN lock will stay on.

Given that, the fingerprint reader will be an improvement for most people. It
keeps the same level of security and makes people feel like they're in the
future when they unlock their phones.

~~~
devx
The problem with fingerprints is that you only have so many of them, and you
really don't want them to get compromised, because you can't change them. If
your main fingerprints get stolen, that pretty much means you'll never be able
to use them in your lifetime, unless you risk having the "bad guys" using
those fingerprints in your name.

And that's besides the fact that the government could try to eventually
collect all those fingerprints in some way.

~~~
casca
This is a different problem with fingerprints and biometrics in general. You
leave them around wherever you go so they are easily collected by others for
reuse. But to provide a very basic level of protection for unimportant data,
they should be fine.

------
anonymouz
A couple of years back, the last time fingerprints and biometric
authentication became popular (mostly for notebooks, I believe), CCC managed
to beat a lot of fingerprint readers with essentially a bit of tape.

Is there any evidence so far that these readers are better armed against the
most trivial of attacks?

Another problem with all kinds of biometric authentication is of course that
you can't exactly change your fingerprint. So if your credentials ever become
compromised you have a bit of a problem.

~~~
interpol_p
There is only the claim that the Apple sensor reads a "sub-epidermal" layer of
skin. We'll have to see if people manage to fool it with standard tricks in
the coming days.

~~~
panic
Relatively low-quality gel casts don't seem to work:
[http://blog.fortinet.com/iPhone-5s--Basic-Fingerprint-Replic...](http://blog.fortinet.com/iPhone-5s--Basic-Fingerprint-Replication-Methods-Stymied-by-TouchID-Sensor/)

------
nonchalance
"... security is only as secure as its weakest point ..."

I wonder why the 4 digit password became so standardized if it is as insecure
as people think it is.

~~~
terabytest
I think the baseline thought behind putting it on the iPhone's lock screen is
that nobody in their right mind would rely on it to secure top secret
documents or the information from their bank account... or would they?

~~~
interpol_p
I actually secure my mobile banking access with a four digit pin. I make two
or three transfers per day, and it would be a pain to have to enter a long and
complicated password that often (especially while standing in line at a
store).

To actually transfer money out of any of my accounts to an unknown account
requires two-factor authentication (and transfer to unknown accounts can't be
done from a phone).

I find the balance of convenience and security fairly good in this instance.

------
gren
"It isn't possible for your actual fingerprint image to be reverse-engineered
from this mathematical representation."

I'm not really convinced, nothing is absolutely impossible in computer
science. At least, can't we bruteforce it?

I'm curious to know if they are right in saying there is no way to
reverse-engineer it. Any paper on the subject?

~~~
interpol_p
My understanding of that sentence is that it is a lossy conversion. A one-way
cryptographic hash.

Though I wonder how they update it with failure attempts. (When a failed scan
occurs, if the subsequent scan is successful then data is used from the failed
scan to update the fingerprint data.)

~~~
gren
Ok, I get it! If I understand it correctly, if it's lossless, 2 different
fingerprints could pass the test (collision)?

So by a bruteforce technique, I could be able to generate a subset of all
possible fingerprint (finite?).

Tell me if I'm wrong, but maybe by "cross checking" with another data (e.g.
another device with a second different conversion algorithm) I could finally
find out what was your fingerprint! That's quite overkill though!

~~~
interpol_p
Think of it like this. We can oversimplify what Apple is doing with Touch ID.

Let's say when you scan your fingerprint Apple breaks it down into three key
properties, A B and C. Each fingerprint has a different percentage for A B and
C. So yours might read as

A 50% B 30% C 0%

This data is then cryptographically hashed with some unique identifier inside
the phone (so the same data would store differently on every iPhone). The data
is then _irreversibly_ transformed into a different representation. _You can't
retrieve the unique properties of the fingerprint, nor can you retrieve the
fingerprint itself._

In the linked article, Apple states that the probability of two fingerprints
matching in Touch ID is 1 in 50,000. So that just means that their algorithm
for breaking fingerprints down into key features discards enough information
that it is possible to read two different human fingerprints as the same
fingerprint.
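An added toy implementation of the simplified model described above (constructed for this thread, not Apple's design, which is not public): three feature percentages are quantised into buckets and then keyed-hashed with a per-device secret. The quantisation is what discards information, so two different prints in the same buckets collide, and the per-device key is what makes the same finger store differently on each phone. `BUCKET`, the three-feature layout and the key are all assumed values.

```python
import hashlib
import hmac

# Toy parameters, not Apple's: three features (A, B, C) as percentages,
# quantised into buckets of BUCKET points before hashing. Quantisation is
# the lossy step; the HMAC under a per-device key is the one-way step.
BUCKET = 10


def quantise(features):
    """Map each feature percentage to its bucket index (lossy)."""
    return tuple(int(f) // BUCKET for f in features)


def template_space():
    """Distinct templates the toy can produce: 3 features, 11 buckets each."""
    return (100 // BUCKET + 1) ** 3


def make_template(features, device_key):
    """Device-bound, one-way representation of the quantised features."""
    msg = ",".join(str(b) for b in quantise(features)).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def matches(features, template, device_key):
    """Constant-time exact comparison of a fresh reading against the stored template."""
    return hmac.compare_digest(make_template(features, device_key), template)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed per-device secret").digest()
    enrolled = make_template((50, 30, 0), key)          # the (A 50%, B 30%, C 0%) finger
    print(matches((52, 33, 1), enrolled, key))   # same finger, same buckets: True
    print(matches((50, 30, 40), enrolled, key))  # different finger: False
    print(matches((58, 39, 9), enrolled, key))   # different print, same buckets: True (collision)
    print(matches((50, 29, 0), enrolled, key))   # straddles a bucket edge: False
    print(template_space())                      # 1331 possible templates
```

The last case is the catch with exact hashing of biometric data: a reading that lands one point across a bucket edge fails even though it is the same finger, which is why real matchers score similarity between templates rather than comparing a hash for equality.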

------
atrox
Does anyone else see the fail here? Basically they state that Touch ID is more
secure than using a passcode but then state that it falls back to passcode,
in other words it actually reduces security by now giving you two ways of
getting into the phone....

~~~
giovannibajo1
They explicitly mention that the security is as hard as the weakest link and
thus suggest to not use a simple passcode anymore but switch to a full
password.

As long as the password needs to be brute-forced with more than 50K attempts
(really, any reasonable one), your weakest link is the touch sensor, which is
still 5 times better than a 4-digit passcode used by only 50% of users.

------
beatpanda
Blah blah blah whatever. Apple has legal obligations to the NSA that they
can't talk about in public. Anybody using the fingerprint unlock feature needs
to understand that it is likely compromised by this.

~~~
tjohns
If you live in California (and probably many other states) and have a drivers
license, or if you've ever crossed a US border and aren't a US citizen, then
the government already has your fingerprints.

Frankly, if a government agent wants your fingerprints, there are much easier
ways to do it than trying to get a backdoor placed in a TPM chip. Even _if_
it's something they can do, they sure as heck aren't going to use it routinely
-- it would be visible in network traffic, would be sitting there in the
source code for anybody to come and discover it with a decompiler, and would
destroy Apple's reputation if it ever got out (and you can bet their lawyers
would push back when their reputation's on the line).

~~~
code_duck
The government has my fingerprints because the FBI came to my pre-school when I
was 5 and told us all we should give them our prints so we could be ID'd if we
were kidnapped.

------
polarix
Doesn't mention two-factor unlocking. Please let there be optional two-factor
unlocking.

~~~
aeontech
There isn't, unfortunately. I'm sure it's being considered though.

------
jnardiello
"Touch ID does not store any images of your fingerprint. It stores only a
mathematical representation of your fingerprint"

Everybody is questioning whether they can or can't rebuild your fingerprint
from the mathematical model. While this is relevant, it's just one of the many
implications that implementing fingerprint technology in mass-production
products has.

Apple here is saying that the "mathematical representation" of your
fingerprint IS stored. Where? Nobody knows. Locally? Cloud?

Very likely they will abuse this, as they are abusing social data in general.

I'll just leave it here: "So, we have your day-to-day activities and a solid
face recognition mathematical model thanks to Facebook, all your phone data
thanks to Apple and Google, now we will have your fingerprint as well"

As far as I'm concerned, at the moment the NSA reversing from the mathematical
model to the actual fingerprint image is quite irrelevant and the general
situation is becoming disturbing.

~~~
interpol_p
> _Apple here is saying that the "mathematical representation" of your
> fingerprint IS stored. Where? Nobody knows. Locally? Cloud?_

Apple explicitly says that fingerprint data is _not_ backed up to iCloud.

The data is _only_ stored in what they are calling "Secure Enclave" on the A7.
From my understanding this is an area of the SoC that is out of reach to all
processes and most of iOS itself.

From the article:

" _The Secure Enclave is walled off from the rest of A7 and as well as the
rest of iOS._ "

I think all OS processes that wish to interact with the secure enclave must do
so through a secure monitor. The idea is that the secure processes are
completely isolated from anything untrusted.

~~~
giovannibajo1
It's more likely that the fingerprint matching is made by a hardware component
that is not the main CPU. The CPU talks to it with a driver which only issues
answers like "finger matched" or "finger error". The CPU has no way to read
the actual fingerprint data and perform operations on it, because otherwise
any jailbreak would be able to access those data, and thus any "agency" with a
0-day.

~~~
interpol_p
Yes, this is the understanding I have as well.

Some are claiming that Apple's "Secure Enclave" is their branding of ARM's
TrustZone. [1]

[1]
[http://www.arm.com/products/processors/technologies/trustzon...](http://www.arm.com/products/processors/technologies/trustzone.php)

------
theboywho
Am I the only one to notice this?

"...so it is rare that...two separate fingerprints are alike enough to
register as a match for Touch ID. The probability of this happening is 1 in
50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds
of guessing a typical 4-digit passcode...the 1 in 50,000 probability means it
requires trying up to 50,000 different fingerprints until potentially finding
a random match. But Touch ID only allows five unsuccessful fingerprint match
attempts before you must enter your passcode..."

So Touch ID odds are 50,000 while passcode is only 10,000. But since you only
have five attempts for Touch ID before it switches back to passcode, the Touch
ID security only adds 5 odds to the previous passcode system and we end up
with 10,005 odds of someone successfully breaking into your phone.

A whole system to gain 5 odds of breaking into the phone. Brilliant.

~~~
code_duck
You have a certain number of tries with the passcode, too. You need to process
that number in the same way.

Also, the slick, futuristic appeal of fingerprint access goes a long way to
achieve Apple's branding goals, which surely is just as important to selling
iPhones as actual security.
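An added worked calculation (not from the thread) of the attempt-limit arithmetic argued over in this subthread and in giovannibajo1's weakest-link comment above: a guesser who knows nothing about the secret can try every unlock channel, so the channels combine, and the combined risk is dominated by whichever channel is weakest. The Touch ID figures are the ones quoted from Apple's page; the ten-attempt passcode limit and the 8-character alphanumeric comparison are assumptions made for this example.

```python
import math


def random_success_probability(p_per_try, attempts):
    """Chance a guesser with no knowledge of the secret succeeds within the attempt limit."""
    return 1.0 - (1.0 - p_per_try) ** attempts


def combined_success_probability(channels):
    """channels: list of (p_per_try, attempts). The attacker may use every channel,
    so they fail only if every channel's attempt budget is exhausted without a hit."""
    fail_all = 1.0
    for p, attempts in channels:
        fail_all *= (1.0 - p) ** attempts
    return 1.0 - fail_all


def effective_bits(prob):
    """Express a success probability as the equivalent secret length in bits."""
    return -math.log2(prob)


# From the linked Apple page: 1 in 50,000 per fingerprint try, five tries before
# passcode fallback; 1 in 10,000 per guess of a typical 4-digit passcode.
TOUCH_ID = (1 / 50_000, 5)
PIN_4 = (1 / 10_000, 10)  # assumption: ten passcode attempts before lockout


def weakest_link_report(passcode_channel):
    """Return (passcode alone, passcode plus Touch ID fallback) success probabilities."""
    alone = random_success_probability(*passcode_channel)
    with_touch = combined_success_probability([TOUCH_ID, passcode_channel])
    return alone, with_touch


if __name__ == "__main__":
    # Assumed strong-passcode comparison: 8 chars over a 62-symbol alphabet.
    for name, ch in (("4-digit PIN", PIN_4), ("8-char alphanumeric", (1 / 62 ** 8, 10))):
        alone, with_touch = weakest_link_report(ch)
        print(f"{name}: alone {alone:.2e} ({effective_bits(alone):.1f} bits), "
              f"with Touch ID {with_touch:.2e} ({effective_bits(with_touch):.1f} bits)")
```

With a strong passcode the second line shows the fallback chain collapsing to roughly the fingerprint channel's 1-in-10,000 (about 13.3 bits), which is the weakest-link point in numbers.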

------
devx
> You can also use Touch ID instead of entering your Apple ID password to
> purchase content from the iTunes Store, App Store, and iBooks Store. You
> will be asked to scan your fingerprint with each purchase.

How does this work exactly, if the fingerprint-pass is only stored locally on
your device? Is the fingerprint acting only as a "master password", which
means you still have to set up your password for iTunes first, and then it
just re-uses that iTunes password after you used the fingerprint-master
password?

Because otherwise I'd have to assume Apple stores your fingerprint on their
servers, in order to match your account with your fingerprint-as-password.

~~~
lambada
> Is the fingerprint acting only as a "master password", which means you still
> have to set up your password for iTunes first, and then it just re-uses that
> iTunes password after you used the fingerprint-master password?

That's the right answer I believe.

------
onedognight
Talking about the security of the processed Touch ID data storage is worthless
without discussing the data path from the sensor to the data store. It sounds
like the sensor provides more detail to the CPU than it ends up storing. i.e.
the real data is likely available to anyone who hacks your phone.

------
legulere
What I find interesting is that nobody criticizes the M7 motion coprocessor,
but everybody criticizes the fingerprint sensor. It's now possible to log
every movement you make and where you are 24/7. And here Apple offers a nice
API for every app developer that is interested in your data.

~~~
interpol_p
> log every movement you make and where you are 24/7

This is most definitely not the case. The GPS is not running 24/7, nor do apps
have access to historical GPS data. The location API is still _entirely_
opt-in at the time the app runs.

The data you can query from the M7 is not very sensitive, and is geared
towards fitness apps.[1]

For example, you can query the number of steps taken in a given date range
(for up to seven days). You can also query the motion type.

This in no way relates to GPS or your actual, physical location in the world.

[1] [http://www.doubleencore.com/2013/09/core-motion-activity-tra...](http://www.doubleencore.com/2013/09/core-motion-activity-tracking-in-ios-7/)

------
huhtenberg
> _0% of people found this helpful._

Surprise.

