A German group has bypassed the security in Apple’s new Touch ID. I’m not entirely surprised, but the big question is — what happens next?
It was only ever really a matter of time. A German group, CCC, has bypassed the fingerprint security of Touch ID using a high-detail picture and recreation of a user fingerprint to gain access to an iPhone 5s, as per the above video.
At the same time, and over the weekend, I was seeing a lot of calls for Apple to “open up” Touch ID, talking about how wonderful it would be for the technology to be available to third-party apps. I wasn’t so enthusiastic about that.
I’ve got to be honest here; I’d held off from authorising Touch ID to make iTunes purchases just in case. A little paranoid really, but the prospect of something connected to a financial system being tied to my fingerprint bothered me.
The fingerprint is only half the Touch ID story, which is why this counts as a bypass hack, but not a compromising situation for the whole security platform. There’s no indication that the secure enclave holding the fingerprint data on each iPhone has been compromised as yet; were that to happen in a way that made remote iTunes purchases possible, Apple would be in an entirely different — and far more troubling — situation.
With this latest bypass (it’s not really a hack; this kind of printed fingerprint malarkey has been ongoing for some time) it seems unlikely that Apple will go down the path of opening Touch ID further — at least for a while.
What will be interesting to see is what Apple does with the technology on an ongoing basis. Touch ID wasn’t sold as a matter of absolute corporate security; instead Apple sold it on the convenience of having a level of security for unlocking and purchases. It’s no accident that the blurb for Touch ID calls it “a convenient and highly secure way to access your phone.” Convenience is the key factor here; security is the secondary concern.
As noted, I was never that comfortable with purchases, but for unlocking it’s excellent. That’s really a matter of usage. I might buy a new app (or a song or movie) once a day, if that. I unlock my phone anywhere from 5-50 times per day depending on my day, so quick and secure-enough access is a highly desirable feature.
One thing that’s been drummed into me by numerous security types over the years is that if somebody’s got physical access to your hardware, it’s pretty much game over, at least at a consumer level.
That’s no different here. If you were arrested, then, yes, in theory it’s easier to force your fingerprint down on a smartphone than it is to compel you to enter a passcode. At the same time, if you’re arrested (or illegally held against your will by people with pointy sticks, or whatever), there’s already an assumed level of trouble inherent in your situation, and they’ve already got your phone.
Touch ID is by no means a compulsory feature of the iPhone 5s platform. Those folks wacky enough to hold the secrets to the Nuclear Wessels on their iPhone 5s could always just opt for a longer passphrase and delete all their fingerprint data right now. If I were in that situation, that’s probably what I’d do, were there some compelling need to have that data on my phone in the first place.