Apple’s new iPhone 5S, which comes with a fingerprint scanner, won’t store actual images of users’ fingerprints on the device, a company spokesman confirmed Wednesday, a decision that could ease concerns from privacy hawks.
Rather, Apple’s new Touch ID system only stores “fingerprint data”, which remains encrypted within the iPhone’s processor, a company representative said Wednesday. The phone then uses the digital signature to unlock itself or make purchases in Apple’s iTunes, iBooks or App stores.
In practice, this means that even if someone cracked an iPhone’s encrypted chip, they likely wouldn’t be able to reverse engineer someone’s fingerprint.
This seems relatively safe – but then again, only if you trust that government agencies don’t have some sort of backdoor access anyway. This used to be tinfoil hat stuff, but those days are long gone.
I dislike the characterisation of privacy “hawks”, though. It reminds me of how warmongering politicians in Washington are referred to as “hawks”, and at least in my view, it has a very negative connotation.
So if it doesn’t store it on the device, then where? If it’s stored on Apple’s end, that could mean some type of back-dooring is possible, since they could just tell the phone it’s the right fingerprint even when it’s not.
RTFM
So where’s the manual describing in detail the finger print subsystem, and where is the actual code so people can review it?
I don’t see any reporting that is unclear, inconsistent, or ambivalent about there being a dedicated processor on the A7 SOC that stores the data necessary to identify enrolled fingerprints — locally and encrypted. And that this data never leaves the phone.
If you are interested in Touch ID and have questions, RT the MFing metaphorical manual. Read what Thom wrote, read the source article, read Apple’s web site, watch the keynote, watch the 5S video.
The parent’s questions are answered. His speculation is baseless.
Are there any number of unanswered questions? Absolutely. Do I trust anyone? No way. But start with a little self-education then ask an interesting question.
Edited 2013-09-12 04:14 UTC
Further, I presume the parent mistook “images of your fingerprints” (a pretty ludicrous concern and lack of understanding in the first place, a good showing of how poor technology reporting is at informing the general public) for “the information necessary, likely one-way hashed and encrypted, (we don’t really learn anything from this article on the implementation beyond what was in the keynote and a general understanding of the state-of-the-art) that authenticates your fingerprint with your ID”…. so he thought your unique Touch ID is not stored locally… which would likely be less secure. But it is. And it’s only stored locally. Do I think that’s been reasonably well reported and trustable as the truth? Yes I do. RTFM.
Do I trust that it can’t be hacked? No way. Do I think it’s perfect? No, but it doesn’t sound worse than an 18-digit passphrase with at least one case variation, a number, and a special character. I want to know more. But this does sound better than most current forms of authenticating when considering all factors.
Edited 2013-09-12 04:27 UTC
TFM only exposes what the manufacturer wants 3rd party developers and users to see. It does not expose much if any details of the actual design and implementation. Especially since tons of trade secrets are present and the manufacturer does not want to share with the public for fear of releasing their IP to competitors. Which is worse in the case of a company as paranoid and secretive as Apple.
So perhaps you should apply your advice to yourself and actually understand what TFM is and isn’t.
Basically your point is that you trust Apple because they say so and that’s that. And basically proceeded to question the character or level of knowledge of those who don’t trust a corporation blindly.
Do I think Apple is going to do anything “naughty” with this sensor and the information it generates? Not necessarily. Do I trust them? No, not really. The only way they can demonstrate that they’re trustworthy is by releasing the actual code and design details. Trust is earned, not granted. Especially when it comes to very large companies, which are known to do plenty of naughty things.
Edited 2013-09-12 08:32 UTC
No, RTFComments I left. That is not my point. My point is: the first comment was idiotic and completely misread this post and clearly showed no understanding of what has been said in ANY post. I explicitly stated there is plenty more to learn and that I don’t trust anyone.
Wow, were we supposed to infer all that from a single RTFM?
Based on the general meaning of RTFM (you asked a stupid question, the answer is provided if you just read correctly), votes on my comment, my subsequent comments, and the complete idiocy of the first post: YES!
Edited 2013-09-12 18:21 UTC
The original poster could very well be wrong, and probably is. But at this point your speculation is just as good as that of the person you replied to, since neither of you has access to the official f–king manual, yet. All that is known is via non-validated documents leaked a couple of days ago (or one day ago when you wrote your response).
So if you’re going to flippantly tell other people to RTFM, you should perhaps apply that advice/standard to yourself first.
Edited 2013-09-12 19:22 UTC
Maybe you should rejoin reality. No one agrees with you. Everyone seems to unambiguously accept that Apple is being truthful in saying that the only place your fingerprint/authentication data will reside is locally on an iOS device equipped with Touch ID on a secure coprocessor of the SOC and that they will not transmit that data off of the device.
You can continue to claim that’s not verified and that Apple may be lying, but you just sound like a nutjob.
jared_wilkes,
Just calm down… there’s good reason to take security claims with a grain of salt. All companies are known to stretch the truth when it suits them.
We really don’t know if the iphone finger reader will be capable of storing finger prints directly, the sensor can probably do it even if apple doesn’t store it. The thing is this opens up devices to *targeted* attacks where hackers remotely enable such capabilities even if they aren’t enabled out of the box.
Mind you I’m not asserting such, but it’s completely plausible (if not probable) that the spokesperson is totally clueless and is just echoing what he’s been allowed to tell. Being a spokesperson, even one from apple, shouldn’t put claims above scrutiny.
Yeah, RTFM. There is ample materials — albeit marketing materials — that state that the fingerprint authentication solely resides on the dedicated coprocessor and it is not uploaded. This general sentiment is spoken by their Senior Hardware Executives. This is simple truth.
I’m not suggesting that this won’t be a target of attacks… or that it will never be cracked… or that governments don’t already have it cracked… or that there aren’t drawbacks… or that we don’t know how well it works in the real world… or if there will ever be a specification that gives us greater understanding. I’m not being a gullible noob accepting whatever the marketers want me to accept. However, I am taking it as truthful that there is a dedicated coprocessor on the SOC that keeps the fingerprint authentication relatively secure and Apple never needs to transmit that data anywhere else off of the device. I am only stating this simple fact. I do not think it’s in dispute.
RTFM.
Edited 2013-09-13 00:58 UTC
jared_wilkes,
“Yeah, RTFM. There is ample materials — albeit marketing materials — that state that the fingerprint authentication solely resides on the dedicated coprocessor and it is not uploaded. This general sentiment is spoken by their Senior Hardware Executives. This is simple truth.”
I highly doubt apple archives fingerprints in dragnet fashion, however that doesn’t answer the question of whether the fingerprint data on the phone is actually secure or not and that’s a very fair question to ask (and to expect any biometric device manufacturer to provide an answer for). What assurances do we have that fingerprint functions cannot be remotely enabled using root access on the phone?
Unless I missed it somewhere, we don’t even know the make of the biometric reader. It would be foolish to create assertions about what an unidentified component is capable of doing based on a spokesperson’s vague marketing blurb.
“I’m not suggesting that this won’t be a target of attacks… or that it will never be cracked…”
Of course, but consumers shouldn’t have to learn after the fact that the implementation wasn’t so secure after all.
“RTFM.”
You’ve misused this term several times now … if you provide me with a link to the finger reader component’s manual, then I will gladly read it and possibly change my stance if it addresses the concerns.
Edited 2013-09-13 06:20 UTC
Umm, I haven’t incorrectly used RTFM… Do you and others actually take it literally? So sad. Your post is a perfect example of RTFM. Claiming I am saying something I am not saying and completely ignoring what I actually am saying.
jared_wilkes,
“Umm, I haven’t incorrectly used RTFM… Do you and others actually take it literally? So sad. Your post is a perfect example of RTFM. Claiming I am saying something I am not saying and completely ignoring what I actually am saying.”
I’m not making claims, I’m asking questions and you’re becoming terribly offended by it. There is no reason for you to be so defensive; I would ask the same questions were it Google or someone else, simply because I am interested in security and an objective discussion around it. The article doesn’t identify the reader nor even its physical capabilities, nor the hashing properties, nor the way in which it’s been secured. If there’s something I missed (such that ‘RTFM’ would be relevant) then please let me know what it is. Otherwise, if you don’t have the answers, just admit to it instead of beating around the bush and responding this way.
Edited 2013-09-13 14:09 UTC
I don’t know why you think I’m “terribly offended”; I just think you are stupid.
I responded to an idiotic comment that he should RTFM because his questions were already answered. You and others somehow presume this means I am saying this is perfect and flawless and there is no need to ask questions and Apple is perfect.
I haven’t said that at all. I have said those questions do exist but that the stupid questions asked by the first poster were answered by the article if he ACTUALLY READ IT. This is the meaning of RTFM (whether or not there is literally a manual or man page or no). That I have to explain this over and over and over and over again to you and others is further example of RTFM!!!!
jared_wilkes,
“I don’t know why you think I’m ‘terribly offended’; I just think you are stupid.”
… said as a six year old would. Grow up and perhaps we can have an earnest discussion about security topics without resorting to childish name calling, which I hope you can agree is counterproductive. So what do you say, move on?
Alas, I don’t know that there’s much more to discuss since apparently nobody here has access to the technical information about how this finger reader works. We just have theories until someone reverse engineers the thing and publishes the details (or in an unusual twist Apple actually elects to disclose them itself).
Among other things, I am extremely interested in the device’s false positive and false negative rates during actual use and what kind of hashes are stored.
You were responding to me. My point was in response to the first poster. The first poster didn’t comprehend the difference between images of fingerprints and data that authenticates a scanned fingerprint with an ID, and didn’t understand that this was happening locally.
It was you who chose to argue this reality with me. Yes, I still think it is completely stupid. As I have said, this has been the full extent of my point in this subthread. You having specific technical questions about the implementation doesn’t have any bearing on the truth of my statement. So, yes, your comments are stupid. As stupid as the original poster’s. That may be indelicate but it’s not childish. It’s just the truth.
jared_wilkes,
“You were responding to me…”
Yes, to point out that I was in agreement with tylerdurden, especially because you said “No one agrees with you”. Note that neither he nor I said the OP was correct. The OP had a genuine question about how the fingerprint identification could work without storing the fingerprints somewhere. Instead of explaining things, you chose to mock him with a terse “RTFM”. It’s undeniable that “RTFM” was completely unhelpful in clarifying the OP’s misunderstandings; doubly so since the article doesn’t even talk about how it might work.
“So, yes, your comments are stupid. As stupid as the original posters. That may be indelicate but it’s not childish. It’s just the truth.”
Have you ever thought about becoming a writer for Law and Order?
You are still arguing about whether or not there is a separate secure coprocessor on the SOC that stores the authentication data, that this data is stored locally, and that it never leaves the device, and that the original poster was wildly wrong with his questions and all of his questions could have been answered by knowing how to read… I’ve stated this same thing about 40 times now.
Not getting that after it being stated so clearly so often is the DEFINITION OF RTFM!!!
“and that the original poster was wildly wrong with his questions”
Ok, then you should have pointed out why.
“all of his questions could have been answered by knowing how to read… I’ve stated this same thing about 40 times now.”
And it’s *still* wrong, the article doesn’t describe how it works in either technical or laymen’s terms. Someone not familiar with the concept of hashing would still not be able to understand how a print could be matched without storing a copy of it from reading the article. Even we’re forced to deduce that hashing is used because the article never states it explicitly.
Even if you were right about the article answering his question (which it does not), the response was still disrespectful. It’s likely other people would benefit from the discussion as well as the OP. A more respectful approach would be to quote the relevant portion from the article; however, in this case it’s unlikely that any quote from the article would have been helpful, so you might either try to explain it in layman’s terms or just say nothing at all instead of “RTFM” and discouraging laymen from asking questions.
“Ok, then you should have pointed out why.”
I have over and over and over again. But apparently, you can’t RTFM.
“And it’s *still* wrong, the article doesn’t describe how it works in either technical or laymen’s terms.”
And you still can’t RTFM. The original poster asked if it wasn’t stored locally, where was it stored. He presumed it would then be on Apple’s servers (presumably, his English appears to be wretched…). So, yes, we can answer that he is in fact wrong. He never asked anything about hashing. Again, please RTFM.
“Even if you were right about the article answering his question (which it does not), the response was still disrespectful.”
Yes, it does. I am not wrong. I’m starting to think I need to be a lot more disrespectful because you are still being a complete idiot about it.
“A more respectful approach would be to quote the relevant portion from the article; however, in this case it’s unlikely that any quote from the article would have been helpful, so you might either try to explain it in layman’s terms or just say nothing at all instead of ‘RTFM’ and discouraging laymen from asking questions.”
I WANT to discourage dumbasses. I want to encourage literacy. Clearly, this community could benefit from some remedial reading classes.
Blah, blah, blah, so basically what you’re trying to let us know is that you haven’t read the fucking manual you were telling others to read either.
Not surprising given how it hasn’t been publicly released yet.
BTW, arguments to popularity, besides being sad and childish, are fallacies. You could try making logical arguments, so you can save the time and effort of having to go through all those alt accounts. Just trying to help you out.
Umm, you are an idiot. RTFM does not mean: hey there is a fully detailed, technical specification and manual that you would enjoy reading. It means: your comments and/or questions are stupid because you clearly haven’t done any reading whatsoever.
When someone posts “RTFM”, it doesn’t literally translate to: hey, I should search the web for a manual… It means: what you said was stupid, look at what you said, develop a theory for why it may be stupid, then go back and actually read the story, READ the story, and you will see why you are being mocked for not having READ before posting.
Then again, even if they did give you some piece of source code and told you “this is the source of the fingerprint reader software”, how would you be sure that it’s actually this code that is used inside of the iPhone?
That’s a good point. As I said, trust is earned, so it’s Apple’s job to earn that trust; if it’s very difficult for Apple to do that, then that’s their problem. The burden is on them, not the consumer.
They have earned it. Clearly not from you, but from millions of their customers. Trying to earn it from you is pointless, since you would never be satisfied until you saw the code, and then you’d invent a different reason not to trust them.
In reality, you have to think about motivations. Let’s put aside the NSA for a moment and think about what is in Apple’s best interest. Do you think it is in their interest to upload fingerprints to their server, or not adequately protect the information? You think it is in their interest to create something that will end in a massive security scandal? No of course not. They are just as interested in making this system secure as you are. That doesn’t mean there aren’t vulnerabilities present, but the idea that they are somehow misleading people and not doing their best to make this thing secure just doesn’t pass the common sense test.
leos,
“They have earned it [trust]. Clearly not from you, but from millions of their customers.”
That’s a good point, however just because one buys an android or windows device doesn’t automatically imply trust in google or microsoft.
“In reality, you have to think about motivations. Let’s put aside the NSA for a moment and think about what is in Apple’s best interest. Do you think it is in their interest to upload fingerprints to their server, or not adequately protect the information? You think it is in their interest to create something that will end in a massive security scandal? No of course not.”
What you are saying makes logical sense. However, I think there’s a very real conflict that the public is often oblivious to. As a developer I’m sometimes privy to this conflict, and in some cases it’s scary how casually company managers are willing to brush off known issues until they are being exploited in the open. The marketing staff and clients are simply out of the loop. I’m speaking from general experience only, not related to Apple.
Cost pressures sometimes justify the unjustifiable.
I don’t care what millions of customers do or do not. Especially when it comes to a company like Apple, whose customer base at large is neither technically educated nor savvy (that’s the whole point of Apple’s products: to serve the segment of the market that can’t cope with a mouse with more than one button). So sure as hell very few of them, if any, are going to conduct any sort of due diligence on the products many of them view as fashion statements more than actual computing devices.
Following your logic; we should eat shit because if it was bad for you there is no way billions and billions of flies would eat it on a daily basis. I, however, prefer to know what’s on my diet based on the precept that I am what I eat. And make my decision based on my own context, and not rely on what’s popular. Especially in a country like the US, where the popular foodstuffs are just shit (to tie in with the fly metaphor).
The point I’m trying to make is not that Apple is using their sensors to do “naughty” things. They probably are not. But rather, since I have a sense of self respect, it’s Apple’s burden to prove to me they are not doing anything bad with the info they gather from me, so they have to earn my trust any time they want to earn my business. You obviously may have a different concept for your persona, so you perhaps simply grant trust automatically to any company on the basis that you like their shiny products. Live and let die; if that’s how you roll then good for you.
They do store some data on the device (at least according to the article), it’s just not an actual image of your fingerprint. This probably isn’t unusual for fingerprint readers: I believe only certain features are needed to repeat an identification.
Unfortunately the conclusion that “this means that even if someone cracked an iPhone’s encrypted chip, they likely wouldn’t be able to reverse engineer someone’s fingerprint” doesn’t necessarily follow. It seems like a strange claim to make anyway. What exactly is it that they think the “privacy hawks” are worried about?
Presumably, it works like this:
Since fingerprints normally aren’t compared in their entirety (there’s too much variability in data quality to match exactly), certain types of features are located, usually whorls and loops, and their locations are calculated relative to the other features in a standardized way.
This data is used to generate a one-way hash, and that hash itself is compared to an original hash. The fingerprint is never stored permanently, and ideally is erased from memory the moment the hash is generated.
In the original announcement, Apple explicitly stated that it isn’t stored in the cloud, and I’m inclined to believe them, since it would be quite trivial to discover that it isn’t true.
I don’t think they use a hash.
Because I think finger print readers use ‘probability’, it’s not exact.
So what they store (encrypted) is about-here-is-a-whatever and about-there-is-a-something and if these mostly match the device will ‘recognize’ your fingerprint.
I’m going to guess that what they use is some kind of biometric equivalent to one-way hashes.
It would however be nice if this was documented the same way industry standard hashes are, especially since these hashes can’t be changed and they uniquely identify you.
Edited 2013-09-12 05:59 UTC
In this day and age would you ever trust these guys completely?
Edited 2013-09-11 23:22 UTC
No, of course not. On the other hand, I live in the US, in a state that requires fingerprints to get a drivers license. So if they want my fingerprint, they have it already.
Yes, but they are still not *sure* that it is you using a particular phone – until now!
WorknMan,
“No, of course not. On the other hand, I live in the US, in a state that requires fingerprints to get a drivers license. So if they want my fingerprint, they have it already.”
It makes me wonder what proportion of people have their prints recorded?
As a green card holder in the US, my thumb print is displayed on my green card. I have to go to DHS to get new prints every several years, and the TSA has taken my fingerprints every time I’ve flown internationally (I’m not sure if this is routine policy?).
The local PD has a program to finger & footprint newborns but there’s no legal requirement to do so, I wonder who takes them up on it.
I’m not one to cherish the privacy of my fingerprints so much, but the prospect of being falsely implicated in a crime due to false positives is a chilling thought.
Edited 2013-09-12 17:00 UTC
I understand the worry and fuss about the NSA stuff but the simple reality is that the actual danger of a thief stealing and accessing my phone is about ten thousand times more of an actual threat than the government getting hold of a scan of my fingerprints.
Personally I couldn’t care less if the government has my fingerprints. I do care a great deal about thieves accessing the stuff on my phone, but I also find entering a pass code every time I use the phone very tedious indeed. Touch ID seems a great step forward to me, more insecurity and less intrusion, what’s not to like?
Actually, when the police start to look at your phone, you’ll be very disappointed about how much information is actually kept on your phone. And they’ll twist that information to fit their need. You think you are innocent, the police or other agency might have a different idea.
I think paranoia is a bit too rampant. Are you engaged in activities that the cops should be interested in? If so, by all means be paranoid. I on the other hand take a more relaxed view. The cops got my fingerprints 40 years ago when I was briefly a bad boy in my youth (1968 radical street fighting and all that); now I am a sedate older person and the cops are the good guys.
I don’t use a pass code lock on my phone either. What are people going to discover if they steal my phone, how many friends I have?
There is a lot of data stored on your phone:
http://www.youtube.com/watch?v=ibTjBY-_Dbc
Don’t give the police any information, it’s going to be a problem. It doesn’t matter if you are innocent:
http://www.youtube.com/watch?v=6wXkI4t7nuc
Can anyone tell me what that really means? I understand its really a System on a Chip they are talking about, but those have non volatile storage? I wouldn’t have thought they would, but I guess that’s possible.
And “encrypted” do they really mean hashed? That’s what I would assume, treat it like a password. Finger print scanner spits out some sort of number based on the positioning of various finger print features sends it to processor where that data is salted and hashed and only the hash is stored “on the chip”.
I mean, there’s no reason to actually store the finger print encrypted via symmetric encryption, that just seems silly and theoretically unsafe.
Bingo. That is pretty much exactly what they are doing.
A hash is no security in this situation. No one wants to forge fingerprints! If the NSA or some other intelligence organization knows the hashing algorithm, you can be identified. All Apple can really promise is that they aren’t transmitted anywhere.
Once they can be used to sign into your bank account, there will be plenty of people.
Knowing the hashing algorithm and having the unsalted hash of a password would allow an attacker to construct a rainbow table to discover the most common dictionary words used. This is why it is good practice to have strong password requirements, and to salt each password stored in a system differently. That should defeat rainbow tables. Also, in this case it’s not a dictionary word, but a binary representation of a fingerprint, which would make it even more difficult. Hashing done correctly would be the best approach in this situation.
you have more than one digit don’t you?
I never use my forefinger for FP systems. A different digit for different systems. Simples!
So I can only ever have ten logins, after that I’m pretty much screwed.
I’ve had a new credit card issued five times in the last ten years due to data breaches. With a finger print login, I’m essentially leaving my password in plain text on thousands of sticky notes in thousands of different places every day.
Edited 2013-09-12 15:58 UTC
I don’t see how you get from some fuzzy image for reading finger prints to the same numbers each time.
Because that is what you need when you are going to use a hash. The numbers would have to match exactly.
So they are encrypted and then compared to the image to see if they match for 90% or whatever they use.
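The disagreement above (hash vs. fuzzy comparison, and whether a noisy scan can ever produce “the same numbers”) can be shown concretely. The following is an added example, not code from the article or from Apple: it builds a constructed minutiae template, simulates a second reading of the same finger with sensor jitter and one missed feature, and shows that an exact SHA-256 of the template fails while a tolerance-based matcher accepts it (and still rejects a different finger). The feature coordinates, tolerances and the 75% threshold are all made-up assumptions.

```python
import hashlib
import json
import math
import random

# Constructed minutiae template: (x, y, angle_degrees) per ridge feature in a
# sensor-relative frame. Real extractors record ridge endings/bifurcations;
# these values are invented for the example.
ENROLLED = [(12.0, 40.0, 30.0), (55.0, 22.0, 110.0), (70.0, 68.0, 250.0),
            (33.0, 80.0, 5.0), (90.0, 15.0, 175.0), (48.0, 51.0, 320.0)]

# A second, constructed finger that shares no features with ENROLLED.
OTHER_FINGER = [(20.0, 10.0, 90.0), (60.0, 45.0, 200.0), (80.0, 85.0, 15.0),
                (15.0, 65.0, 140.0), (45.0, 30.0, 300.0), (95.0, 50.0, 60.0)]


def rescan(template, jitter=1.5, drop=1, seed=1):
    """Simulate re-reading the same finger: every position drifts by up to
    `jitter` units, every angle by up to 5 degrees, and `drop` features are
    missed entirely (dry skin, partial press). Deterministic via `seed`."""
    rng = random.Random(seed)
    pts = [(x + rng.uniform(-jitter, jitter),
            y + rng.uniform(-jitter, jitter),
            (a + rng.uniform(-5, 5)) % 360) for x, y, a in template]
    for _ in range(drop):
        pts.pop(rng.randrange(len(pts)))
    return pts


def template_hash(template):
    """The 'treat it like a password' idea: SHA-256 over a canonical
    serialization of the template. Any drift at all changes the digest."""
    canon = json.dumps([(round(x, 1), round(y, 1), round(a, 1))
                        for x, y, a in sorted(template)])
    return hashlib.sha256(canon.encode()).hexdigest()


def exact_hash_verify(stored, probe):
    """Exact-match verification: only succeeds if the probe is bit-identical."""
    return template_hash(stored) == template_hash(probe)


def match_score(stored, probe, pos_tol=4.0, ang_tol=15.0):
    """Fraction of stored features that have a probe feature within positional
    and angular tolerance. Each probe feature can satisfy at most one stored
    feature, so duplicated probe points cannot inflate the score."""
    unused = list(probe)
    hits = 0
    for sx, sy, sa in stored:
        for i, (px, py, pa) in enumerate(unused):
            dist = math.hypot(sx - px, sy - py)
            dang = abs((sa - pa + 180) % 360 - 180)   # shortest angular gap
            if dist <= pos_tol and dang <= ang_tol:
                hits += 1
                unused.pop(i)
                break
    return hits / len(stored)


def verify(stored, probe, threshold=0.75):
    """Tolerance-based verification. The threshold is the false-accept /
    false-reject trade-off: lower it and degraded scans pass more often,
    but so would partially similar foreign prints."""
    return match_score(stored, probe) >= threshold


if __name__ == "__main__":
    noisy = rescan(ENROLLED)
    print("exact hash, same finger re-scanned:", exact_hash_verify(ENROLLED, noisy))
    print("fuzzy match, same finger re-scanned:", verify(ENROLLED, noisy),
          round(match_score(ENROLLED, noisy), 3))
    print("fuzzy match, other finger:", verify(ENROLLED, OTHER_FINGER))
    degraded = rescan(ENROLLED, drop=3)
    print("fuzzy match, badly degraded scan (false reject):", verify(ENROLLED, degraded))
```

Because the matcher needs the stored feature set in the clear at comparison time, it cannot be a one-way hash; what protects it is where the comparison runs and how the template is encrypted at rest, which is the point the thread keeps circling.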
I usually play along with the tin foil hat crew, as paranoia tends to lead to innovative security solutions .. to a point. But its nice to have realistic conversations about security tradeoffs that we all must live with.
I always interpret “hawks” as keeping a keen eye out, since hawks are well known for keen eyesight.
In my mind, the idea of war hawks is the exception to that usage.
I thought the “war” hawks usage was the most common?
I agree with Thom, the word used in this context implies that “Apple would never do such a thing as compromise your privacy”. But even people who scrutinize too much should not be worried.
Hawk is applied to innumerable policies that attract a constituency of representatives who align and fight with consistency, vehemence, aggressiveness and primacy above other issues.
That its original derivation is specifically War Hawk and War Dove in respect to declaring war against Britain for American Independence leaves an odd taste in Thom’s mouth is bizarre but largely irrelevant.
I see no such context. The context here is: a privacy hawk may never be satisfied with any answers provided for an enabling technology that could be abused. If apple did this right, those privacy hawks may be somewhat more satisfied. In fact, using “hawk” specifically implies that if everyone else is blinded into believing everything is okay, you still have a hawk who is looking out for you… can that hawk even be satisfied with this design?
Thom’s point is that to him a “hawk” must be a whacko militant and someone who is “hawkish” is not inherently a whacko, conspiracist, nutjob militant. However, what Thom doesn’t realize is that War Hawks are often widely respected — even by those who oppose them — and that hawk is applied to many policies and with good regard. (Depending on your point of view.) For many, hawk is not negative. And for most, they appreciate that the “hawk” term applies to vehemence, sincerity, watchfulness, steadfastness — not anything particularly negative whether or not they agree with the perspective of the “hawk.”
Edited 2013-09-12 02:48 UTC
There are still questions.
Presumably this could be used to collect all of the fingerprints of people who touch the phone. iOS is built so that everyone has to touch the home button multiple times during a session. Is the sensor still active outside of areas that need authentication, and does it store a list of the incorrect fingerprints?
Then there is the anonymity aspect. How easy is the fingerprint signature to reverse? Now there is proof who the phone belongs to.
Then there is the question of how much tracking is Apple using this for. Do they have a log of when the phone has been used and by whom?
But they don’t actually store fingerprints… So worst case scenario they are storing a hash of your fingerprint – which (if they do it right) cannot be used to determine the actual fingerprint that was used to compute the hash.
I don’t see any reason why they would store incorrect fingerprints – it just doesn’t make any sense at all to do that (on a technical or functionality level).
Again, it should be mathematically impossible, and if it isn’t the lawsuits will start flying like bullets in a drive by…
That is an interesting one, because if they are trying to go after the enterprise market this would actually be a very valuable feature – HIPAA laws practically require it. That said, it is probably an undesirable feature in the consumer market (obviously). If they are smart there would be some way to turn such logging off and on using provisioning profiles – but I don’t know if they do anything like this or not currently.
What you define as “doing it right” is actually “doing it absolutely wrong”: If the system can’t be used to determine the actual correct fingerprint (the owner’s) then it is useless.
I think both of you may be missing the point. If a 3rd party manages to get a hold of the fingerprint signature, they already have all the information they need about said fingerprint. There is no point in “reverse engineer.”
The point of a database of fingerprints is not to reverse engineer the print, but rather to match the signature of an unknown fingerprint, probably gathered in the field, against a database of “known” signatures. If there is a positive, then you can easily figure out who that “unknown” signature belongs to, because the positive signature is associated with a specific phone/device and the owner of such is known.
Edited 2013-09-12 03:14 UTC
That’s like saying password hashes are wrong since you can’t use them to deduce the original password.
Also, he didn’t say it can’t be used to determine if a fingerprint is correct, he said it can’t be used to determine the original fingerprint.
No, that’s not what I said. In fact it’s the opposite of what I was trying to express;
There is no point for the NSA, or whatever other naughty agency, to reverse engineer the hash/digital signature/or what have you in order to reconstruct the entire fingerprint that generated it. The unique digital signature itself is all the data they need.
That’s because after isolating an unknown fingerprint in the field, all one needs to do is simply run that print through the same algorithm that generates those unique digital signatures. Once we have generated the signature for the unknown fingerprint (unknown as in we don’t know who the isolated fingerprint belongs to), all one has to do is run the signature just generated against the DB with the “known” signatures, i.e. signatures that have been extracted from devices we have IDs for, thus revealing the identity of the owner of the specific device. If there is a match in the database, then you can assume those two unique signatures come from the same fingerprint, and as such we, in turn, know who the owner of that fingerprint and device could be.
Not that I’m implying the NSA is doing such a thing. But the way people seem to be thinking about the entire fingerprint as being the actual data of interest is wrong. The unique hash that identifies a specific fingerprint is. So as long as we know the actual device that produced a specific unique hash/vector machine/digital signature, that’s all that is needed to identify a person just by their fingerprint isolated from other surfaces (as long as it matches a digital signature extracted from a specific device).
Edited 2013-09-12 09:06 UTC
What sort of level of paranoia do you have?
Edited 2013-09-13 05:39 UTC
If I had to guess a figure, I’d say about one hundredth of your level of infatuation with all things Microsoft. So very paranoid, I am afraid.
Edited 2013-09-13 20:33 UTC
I think you have got it more on the mind than I have, considering you brought them up.
TBH I find it utterly boring that you act like a complete c*nt about the fact that I like ASP.NET and Visual Studio for development. I don’t like it when people create an echo chamber of bad jokes about Microsoft that are no longer relevant, funny or constructive in the industry I work in, because it is the joke that stupid people make. Especially when there could be a more interesting discussion.
I work in corporate style environments, and I guess I kinda think that way, so I comment accordingly. A lot of things that Microsoft does works really well for corporations and me knowing the tech pays well. So yeah I do kinda love Microsoft because I get PAID!
I don’t know however how this has anything to do with iPhones and fingerprint scanners. But I suppose attacking me rather than explaining the reasons behind your paranoia is easier for you to vocalise.
Edited 2013-09-13 22:36 UTC
Let me get this straight:
You call me paranoid, then you have the balls to lecture me about personal attacks by calling me a cunt (not the first time you have done so BTW). Then you go out of your way to prove my point by spending the majority of your post defending Microsoft. To top it all off, nothing you wrote had anything to do with the topic, yet somehow you feel entitled to blame others for doing the same thing you have just done.
I’m in awe of you kid, I never thought it would be possible for a human being to operate at a negative level of self awareness. You must be the next step of human devolution. You’re so sad I can’t even be mad at you.
Now back to the topic, bye.
I didn’t call you paranoid, I asked if you were paranoid. There is a difference, that was what the question mark was indicating.
I wasn’t defending Microsoft, I was responding to your personal jab about how I feel about Microsoft. As that seems to cause you some tension.
You bring this on yourself because of the snarky statements that you make, which are designed to provoke, and then you complain when I call you names. Gimme a break.
Edited 2013-09-14 07:54 UTC
Whether it is a password, a fingerprint, a time based key (google authenticator), etc… – it doesn’t matter. The authentication system’s job is not to know your credentials, and if it does actually know your credentials it is simply not built responsibly. The authentication system only has to determine that you know your credentials, and there are very well established ways to do that without having to ever store them.
Oh, I understand your point perfectly. What you are describing is a rainbow table. I’m not arguing that using biometrics is a good idea – I was just answering the specific points brought up. There are many reasons why this is a horrible idea:
1. Fingerprints can’t be changed, so if someone figures out how to compromise the authentication system using “fake” fingerprints you are pretty much screwed.
2. You leave them everywhere. It’s kind of stupid to trust security to a piece of information that is in fact fairly trivial to acquire. It’s like writing a post-it note with your password on it, but you do it virtually every time you touch anything…
3. They are unique enough that they can serve as compelling evidence legally for identification purposes. Knowing someone logged into a system with a password of “foo” is not going to be very useful in identifying a person, because lots of people could be using that password – if you have the hash of a fingerprint and can generate that hash from the suspect’s fingerprint… well that is pretty much the opposite.
The first two points are certainly problems, but considering that this is replacing a system that uses a trivial 4 digit numeric passcode by default, well it isn’t all that much worse – and it does have some compelling advantages when it comes to simplicity for the user.
The third point (and your main concern) can be dealt with quite effectively – I just don’t know if Apple did this responsibly or not. You can make the hash less effective for identification purposes by simply making sure that it has a fair number of collisions – i.e. the odds of two fingerprints resulting in the same hash is say 1 in 10,000 or something like that – far too low to be useful for identification all on its own.
That would make it pretty much useless for the purposes of “drag netting”; having the hash would be useless without other supporting evidence, because lots of people could have the same hash. It would also make it far less secure of course. Considering the intended use case, I would argue that being less secure would actually be the right thing to do. I would really be interested to know what the collision rate actually is…
But I would add that it might also be a moot point. I mean, if the NSA has your phone, and the phone is yours… well they don’t really need the fingerprint then do they? They have the phone, if they can get the hash they have already broken its security – there is probably lots of other evidence on it identifying you…
All in all I think the privacy concerns are a red herring. The problem is its just a dumb way to do security. But seeing it is for something most people don’t bother securing effectively anyway, I don’t really see what the big deal is.
Edited 2013-09-12 14:29 UTC
Well, a fingerprint is a credential, all the sensor really does is create a digital signature for any fingerprint it reads and passes it to the OS. The authorization module in the OS then proceeds to validate that signature against a database of “known/correct” signatures and then proceeds to determine the identity of the owner of that fingerprint’s digital signature.
“Digital Credentials” refers to many things, perhaps you’re thinking of “credentials” as being the same as the user’s identity. But I think we’re thinking of the same concept and perhaps we were hung up on each other’s way of referring to it.
I wasn’t trying to make an appeal to paranoia. And yes, it’s a bad way to go about security. I was simply talking about a different thing; that a digital signature for a fingerprint is all that would be required to track somebody even if their phone is off or not with them. There is no need to “reconstruct” the fingerprint itself. Which is what other comments seemed to be concerned about.
I’m not saying it is being done, or that a 3-letter agency is interested in creating such a database. But we still need to be vigilant so that it remains so.
In a time of diminishing privacy people should have the right to know exactly what’s being collected about them. It’s only fair that the expectation of decreased privacy goes both ways. If a corporation or government agency wants to know specific details about me, then I should be able to find out what specific details about me they know.
Presumably they’re using a hash, but the article didn’t state how they are storing the fingerprint data. It said they aren’t storing an “image”, so I erred on the side of ambiguity and used “fingerprint” to refer to whatever data is generated and stored.
Of course, it can’t be used to get the actual fingerprint. Fingerprint scanners work by creating graphs of features on the finger.
The point is Apple hasn’t released any information on how this works, so it’s an unknown black box.
Reverse was the wrong word. I should have used replicate since I was contemplating how hard it would be for some law enforcement agency to tie people to a specific phone.
Evidence that people tried to access the phone without permission.
If the phone is stolen, the thieves would provide evidence that they were in possession of the phone. If the phone is a company phone, people who are trying to circumvent security policies would be logged.
You kind of agree with this at the end of your post. The negatives are just as important as the positives.
I really doubt it isn’t a hash. Fingerprint reading isn’t exact. Every read does not give you the same numbers. Not even once.
So they store the characteristics of your fingerprint, something like coordinates of where features like mountains and valleys are.
Let’s say you have a list of these features; that won’t allow you to create an image of what your fingerprint looks like.
But it would, however, be enough to make a new fake fingerprint. So it doesn’t matter.
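Added example (written for this page; it is not Apple’s algorithm and not code from any commenter): a toy minutiae-template matcher in Python. It illustrates two points made in the thread, the one just above about stored feature coordinates and noisy reads, and the earlier one about running an unknown field print against a database of “known” signatures. A template here is a list of (x, y, angle) minutiae; every simulated scan jitters and drops some of them, so an exact SHA-256 of the template never matches itself and a tolerance-based comparison is needed. The same tolerant comparison, run against a database of templates keyed by device, links a lifted print back to a device. The noise levels, tolerances and thresholds are made up for illustration.

```python
# Toy fingerprint-template model. Assumptions (not from Apple or the article):
# a template is a list of (x, y, angle_deg) minutiae on a 200x200 grid, a scan
# perturbs each minutia with Gaussian noise and drops a few, and matching is
# "fraction of enrolled minutiae with a probe minutia within tolerance".
import hashlib
import math
import random


def template_hash(template):
    """Exact-match digest of a template, shown only to demonstrate it is useless
    for noisy biometric reads (any jitter changes the digest)."""
    canon = ",".join(f"{x:.1f}:{y:.1f}:{a:.1f}" for x, y, a in sorted(template))
    return hashlib.sha256(canon.encode()).hexdigest()


def scan(true_finger, rng, pos_noise=1.5, angle_noise=4.0, drop=0.05):
    """Simulate one sensor read: jitter every minutia, lose a few entirely."""
    out = []
    for x, y, a in true_finger:
        if rng.random() < drop:
            continue
        out.append((x + rng.gauss(0, pos_noise),
                    y + rng.gauss(0, pos_noise),
                    (a + rng.gauss(0, angle_noise)) % 360.0))
    return out


def match_score(probe, enrolled, pos_tol=6.0, angle_tol=15.0):
    """Fraction of enrolled minutiae that have an unused probe minutia within
    pos_tol pixels and angle_tol degrees. 1.0 means every enrolled minutia matched."""
    if not enrolled:
        return 0.0
    used = set()
    hits = 0
    for ex, ey, ea in enrolled:
        for i, (px, py, pa) in enumerate(probe):
            if i in used:
                continue
            dist = math.hypot(ex - px, ey - py)
            dang = abs((ea - pa + 180.0) % 360.0 - 180.0)  # wrap-around angle difference
            if dist <= pos_tol and dang <= angle_tol:
                used.add(i)
                hits += 1
                break
    return hits / len(enrolled)


def verify(probe, enrolled, threshold=0.6):
    """Unlock decision: does this scan match the enrolled template well enough?"""
    return match_score(probe, enrolled) >= threshold


def identify(field_print, device_db, threshold=0.6):
    """Linkage: score an unknown print against every stored template and return
    the device ID of the best match, or None if nothing clears the threshold."""
    best_score, best_dev = max((match_score(field_print, t), dev) for dev, t in device_db.items())
    return best_dev if best_score >= threshold else None


def random_finger(rng, n=30):
    """A synthetic 'true' finger: n minutiae at random positions and angles."""
    return [(rng.uniform(0, 200), rng.uniform(0, 200), rng.uniform(0, 360)) for _ in range(n)]


def demo(seed=1):
    rng = random.Random(seed)
    fingers = {f"device-{i}": random_finger(rng) for i in range(50)}   # 50 synthetic owners
    db = {dev: scan(f, rng) for dev, f in fingers.items()}             # enrolled templates per device
    owner_finger = fingers["device-7"]
    enrolled = db["device-7"]
    probe = scan(owner_finger, rng)                                    # a later read of the same finger
    return {
        "hash_matches": template_hash(probe) == template_hash(enrolled),  # False: reads are never identical
        "verify_owner": verify(probe, enrolled),                           # True: tolerant match succeeds
        "verify_stranger": verify(scan(fingers["device-3"], rng), enrolled),  # False
        "linked_device": identify(scan(owner_finger, rng), db),           # "device-7": print -> device
    }


if __name__ == "__main__":
    print(demo())
```

The `identify` call is the part the linkage argument rests on: nothing about the stored template has to be inverted to an image, the template plus the same matcher is enough to say which device a lifted print belongs to. Real matchers also align rotation and translation before scoring; this toy assumes scans are already aligned.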
So when the thieves steal your iPhone, they’ll need to steal a finger, too, right? Don’t think it’ll happen? It already has with other items with biometric locks.
My thoughts exactly. They toughened up bank card security, which led to more intrusive ways the criminals used to get what they wanted. They toughened up car security so there was no way it could be stolen without the keys; that led to burglaries so the f*****s could get the keys, some violent ones at that. Now wait for the violence to escalate and some poor sod has their fingers removed with a penknife and stolen along with their device.
If someone is about to cut off your fingers, touch your home button and give them the phone.
Likewise, presently, if someone is going to cut off your fingers or do anything mortally harmful to you to access your phone, give them your passcode and the phone.
If your phone contains something that is worth losing your fingers — or any other part of your body — for, do not get into situations where someone will cut off your fingers to get into your phone.
If you generally don’t want to lose your phone or fingers, try to avoid or be prepared for situations where someone will cut off your fingers or steal a phone that is useless to them.
Try to be more self-aware, vigilant, and less stupid.
Edited 2013-09-12 04:40 UTC
Ha, there’s always one! Do you really think any of that is going to stop a druggy arsehole? If so you need to get out more and see what happens in certain areas. None of it affects me, I don’t have or want a smartphone and if I did I wouldn’t touch anything made by Apple with a ten foot bargepole! I just feel for the poor sods that may come across this.
Yeah, I can see why a “druggy arsehole” might want to cut off your fingers. I’ve had my fair share of experience with drug addicts and drug users and people willing to break the law or cause physical harm to get what they want… I feel confident in my ability to navigate the world without losing my fingers… without being paranoid… or a douche bag.
They don’t need to steal your finger: you are holding the phone with your hands, your fingerprints are already all over the device.
Fingerprints, biometrics, polygraphs, fibre analysis and most other forensic “techniques” (including many genetic tests) are quasi-scientific nonsense. They are not supported by any rigorous experimental data.
There are three problems with fingerprints:
– privacy
– accuracy
– replication
Fingerprint identification is not done by comparing the pictures but by identifying a number of features of the fingerprint and testing them against the fingerprint that has just been scanned.
Apple doesn’t need to store the pictures, just the features they look for in each fingerprint.
But they don’t need to store the picture to have a security risk. Any security agency that scans for fingerprints uses similar algorithms. The question is does Apple look for the same features as those agencies. If it is possible to make Apple’s fingerprint database compatible with, let’s say, the FBI database, we can assume it will be done if it isn’t already.
Even if Apple uses only some of the characteristics the agency uses, they might integrate it and use it… or simply add a new comparison program to test the prints against Apple’s database.
Even if Apple doesn’t store the pictures of the fingerprints, we can be sure these databases will be available to US security agencies.
Accuracy is another problem. There are 2 kinds of accuracy problems.
The first is when the computer doesn’t recognize you (false negative). This is the lesser problem, you just rescan your finger.
The other is when the computer recognizes you as someone else (false positive).
Experts at a tribunal do make many errors: 0.1% false positives and 7.5% false negatives (http://content.usatoday.com/communities/sciencefair/post/2011/04/fi…)
I remember that a few years ago I read that laptops that had fingerprints as passwords had around 1% false positives and 1% false negatives.
Even if Apple’s system is good enough to have 0.01% there is still a risk that it will recognize you as someone else. How does Apple ensure that you are not paying for someone else?
The last problem is that fingerprints are a password you leave on every item you touch. The fact that most people cannot read it doesn’t mean that no one can. In fact the methods to reproduce a fingerprint are easy (just look at MythBusters). If you lose your iPhone, you need to assume that in the next couple of hours people will have duplicated your fingerprint and got into your iPhone.
My point is that using fingerprints to unlock a door, a computer or a smartphone is a bad bad idea.
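Added example (written for this page, not Apple’s scheme and not from any commenter): the arithmetic behind two points raised in the thread, the earlier suggestion of a deliberately lossy identifier with a collision rate of roughly 1 in 10,000 so that a stored value is useless for drag-netting, and the question just above of how a system with a non-zero false-accept rate avoids accepting the wrong person. The toy below treats each person as a short feature vector: the “strong” identifier is SHA-256 of the exact vector (effectively unique), the “weak” one keeps only the top bits of each feature so many people share a bucket. The analytic helpers give expected sharers per bucket, the chance a bucket is unique in a population, and the false-accept probability over a number of attempts; the feature count, levels and population size are assumptions.

```python
# Toy lossy-identifier model. Assumptions (not Apple's): a template is FEATURES
# bytes, the weak identifier keeps bits_per_feature top bits of each byte, and an
# impostor's feature vector is uniformly random, so the per-attempt false accept
# rate of a bucketed scheme is 1 / number_of_buckets.
import hashlib
import random

FEATURES = 8      # features per template (assumed)
LEVELS = 256      # each feature quantised to one byte (assumed)


def strong_id(vec):
    """Collision-free in practice: SHA-256 of the exact feature bytes."""
    return hashlib.sha256(bytes(vec)).hexdigest()


def weak_id(vec, bits_per_feature):
    """Deliberately lossy: keep only the top bits of each feature."""
    shift = 8 - bits_per_feature
    return tuple(v >> shift for v in vec)


def bucket_count(bits_per_feature):
    """Number of distinct weak identifiers."""
    return 2 ** (FEATURES * bits_per_feature)


def expected_sharers(population, buckets):
    """Other people expected to share the target's bucket (drag-net usefulness)."""
    return (population - 1) / buckets


def p_unique(population, buckets):
    """Probability that nobody else in the population shares the bucket."""
    return (1 - 1 / buckets) ** (population - 1)


def far_per_attempt(buckets):
    """False accept rate for one random impostor under the uniform assumption."""
    return 1 / buckets


def p_false_accept(buckets, attempts):
    """Probability that at least one of `attempts` impostor tries is accepted."""
    return 1 - (1 - 1 / buckets) ** attempts


def simulate(population=20000, bits=1, seed=7):
    """Constructed population: count how many strangers collide with person 0
    under the strong and the weak identifier."""
    rng = random.Random(seed)
    people = [[rng.randrange(LEVELS) for _ in range(FEATURES)] for _ in range(population)]
    target = people[0]
    strong_sharers = sum(1 for p in people[1:] if strong_id(p) == strong_id(target))
    weak_sharers = sum(1 for p in people[1:] if weak_id(p, bits) == weak_id(target, bits))
    return {
        "strong_sharers": strong_sharers,                               # 0
        "weak_sharers": weak_sharers,                                   # about population/256
        "expected_weak": expected_sharers(population, bucket_count(bits)),
    }


if __name__ == "__main__":
    print(simulate())
    B = 10_000                                     # the "1 in 10,000" suggestion
    print("people per bucket, world:", expected_sharers(7_000_000_000, B))
    print("FAR per attempt:", far_per_attempt(B), "over 5 tries:", p_false_accept(B, 5))
```

With 10,000 buckets a stored value is shared by hundreds of thousands of people worldwide, so on its own it identifies nobody, but the per-attempt false accept rate becomes 1 in 10,000, the same order as guessing a 4-digit passcode, and a handful of tries before lockout adds up linearly. That is the tradeoff the earlier comment describes, made explicit.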
I’d change your last point to
My point is that ONLY using fingerprints to unlock a door, a computer or a smartphone is a bad bad idea
You do know what the problem is with biometrics?
When your identity is stolen, it becomes really hard to change it.
to look stupid.
“I dislike the characterisation of privacy “hawks”, though. It reminds me of how warmongering politicians in Washington are referred to as ‘hawks”, and at least in my view, it has a very negative connotation.”
The easiest way is to spot a glass you have been drinking from, take a strip of adhesive foil and you’re done “reverse engineering” the fingerprint. Once you have it, it’s trivial to create a “model” of this fingerprint, that you can just stick to your finger to spoof a fingerprint reader. The German CCC actually demonstrated this with the then current minister Schäuble.
And the problem is: Once you know a fingerprint has been compromised, you only have 9 fingers left. You cannot change them unlimited times like a password.
Edited 2013-09-12 07:41 UTC
The process is far more straightforward: capture the fingerprint from a surface with an adhesive device. Use the adhesive now imprinted with the fingerprint directly on the biometric sensor. That seems to work remarkably well with some systems. Although I presume that only works with sensors that are very simple and only have a 2D model.
With 3D printers becoming affordable, if fingerprints as ID method becomes mainstream enough I’d bet you’d soon see specialized software to create 3D finger models out of a fingerprint scan, ready to be 3D-printed and used anywhere.
Trust me, as someone who is building a 3D printer, that problem is still quite far away! The current methods are not at the level of detail required for that. Give it a decade or so, then maybe.
…what a Privacy Hawk is?
Some sort of large scary noble raptor that goes for the eyes of anyone that messes with my privacy.
Possibly with a cape. And a badge or medal.
I’m nitpicking the claim about not storing the fingerprints on the device. It may be literally true, and yet it will lead consumers to draw completely false and/or naive conclusions about the safety of their fingerprints. Biometric one way hashing is not really backed by the same mathematical challenges that are the foundation for genuinely strong crypto. A one way biometric fingerprint hash will never be cryptographically strong.
Firstly, there are the implicit tradeoffs with security and reliability due to the fact that, unlike computer data, biometric data isn’t *exactly* reproducible between reads. Therefore a considerable amount of fault tolerance has to be built in to decrease false negatives, which has the side effect of opening up false positives[1].
Secondly, fingerprints are not unique within the margins of error[2]. While the odds of encountering seemingly identical prints are low, with billions of people on earth the odds are very high that many or most of us will have fingers which match within margins of error (similar to a birthday attack where there’s a ~60% chance that two students will share a birthday in a class of just 30). Even the FBI has been proven to have made mistakes in claiming an exact fingerprint match[3]. Algorithmically the biometric fingerprint hash could be vulnerable to generating arbitrarily numerous fingerprints at random (which will with very high probability “match” everyone on earth’s within undetectable margins of error) and then building a reverse hash index to obtain fingerprint images from everyone’s “one way hash” suitable for impersonation.
Thirdly, there’s so much redundancy in a natural fingerprint that one can reconstruct it in its entirety from a few minute samples [4]. This property makes fingerprint hashing fairly effective (it eliminates the need to store the entire fingerprint to identify it), but at the same time it makes reversing the hash nearly trivial due to the fact that a fingerprint doesn’t contain enough entropy.
This isn’t just a problem for biometrics, ALL mathematical crypto algorithms can be exploited when the input lacks entropy. Consider how even cryptographic hashes like sha1 and Windows password hashes can be reversed using personal computers depending on how predictable the hashed inputs were [5,6].
Of course, when put in perspective, a finger scanner is probably good enough for the vast majority of us whose data is worth less than the phone itself. Regarding vulnerabilities of one way hashes, common thieves will probably resort to less technical hacks anyways[7]. The real issue arises when biometrics become commonplace for banking and commerce; that’s when a lost iPhone containing fingerprint hashes (and possibly cached bank details) could come back to harm the victim in a very big way.
Biometrics should only be used for casual or supplemental security. Today biometrics offers a bit of “security by obscurity”, but mark my words, as we transition to widespread biometric identification in the future, biometric data will show up on the black markets just like the credit card information sold there today.
1. http://lockstep.com.au/blog/2012/05/06/biometrics-must-be-fallible
2. http://lockstep.com.au/blog/2011/10/25/false-advertising-biometrics
3. http://math-blog.com/2011/09/20/are-fingerprints-unique/
4. http://www.cse.msu.edu/~rossarun/pubs/RossReconstruct_SPIE05.pdf
5. https://isc.sans.edu/tools/reversehash.html
6. http://www.openwall.com/john/
7. http://www2.washjeff.edu/users/ahollandminkley/Biometric/index.html
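Added example (written for this page; not code from the linked tools or from the commenter): the low-entropy point in the post above, shown concretely in Python. A “one way” hash over an input space small enough to enumerate is inverted by building the index once and looking digests up; it makes no difference that SHA-1 itself is not broken here. The two constructed input spaces are a 4-digit PIN and a toy quantised template of four 16-level features (65,536 possibilities, an assumption chosen so the whole space fits in a dictionary). The keyed variant at the end uses an HMAC under a secret the attacker does not hold, which is what makes the precomputed index worthless; the key, the sample PIN and the sample template are all made up.

```python
# Reverse-index attack on hashes of low-entropy inputs. Constructed sample data
# throughout; the "template" space is a toy, not any real sensor's encoding.
import hashlib
import hmac
import itertools
import os


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_reverse_index(candidates):
    """Precompute digest -> plaintext for every candidate. A rainbow table is the
    space-optimised version of this; with a small space the plain dict suffices."""
    return {sha1_hex(c): c for c in candidates}


def pin_space():
    """All 10,000 four-digit PINs as bytes."""
    return (f"{i:04d}".encode() for i in range(10000))


def toy_template_space(n_features=4, levels=16):
    """Every possible quantised template: n_features values each in range(levels)."""
    for combo in itertools.product(range(levels), repeat=n_features):
        yield bytes(combo)


def invert(index, digest):
    """Instant inversion if the digest came from the enumerated space, else None."""
    return index.get(digest)


def keyed_digest(key: bytes, data: bytes) -> str:
    """HMAC-SHA1 under a secret key. The attacker must rebuild the index per key,
    which is impossible without the key, so precomputation no longer helps."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def demo():
    pin_index = build_reverse_index(pin_space())
    tmpl_index = build_reverse_index(toy_template_space())
    leaked_pin_hash = sha1_hex(b"2468")                       # constructed "leaked" values
    leaked_tmpl_hash = sha1_hex(bytes([3, 14, 1, 5]))
    device_key = os.urandom(16)                               # secret the attacker lacks
    keyed = keyed_digest(device_key, b"2468")
    return {
        "pin": invert(pin_index, leaked_pin_hash),            # b"2468"
        "template": invert(tmpl_index, leaked_tmpl_hash),     # b"\x03\x0e\x01\x05"
        "keyed_lookup": invert(pin_index, keyed),             # None: index does not apply
        "index_sizes": (len(pin_index), len(tmpl_index)),     # (10000, 65536)
    }


if __name__ == "__main__":
    print(demo())
```

The size of the index is the whole story: 10,000 or 65,536 entries are built in well under a second, so the entropy of the input, not the strength of the hash, decides whether the stored value is reversible. A per-device secret (or a salt the attacker does not know) forces the work to be redone for each target, which is the property a stored biometric value needs if it is ever exposed.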
TSA claimed their xray machines couldn’t even store images, they were immediately discarded, yet somehow they ended up on the internet.
To give the new iPhone the finger.
This is an interesting video of fingerprint training on an iPhone 5s
http://youtu.be/GM2sZLLWHeI
Looks impressive.
I’ve read that it appears (not tested yet) that Apple’s scanning system defeats the re-created prints used in the German protest, where hackers found, recreated, then distributed a politician’s print that actually allowed some other people to get through his biometric security.
I hope this is the case. I’m sure hackers will start attacking the 5s in the next few weeks. We will read those reports and make judgement then. Personally my 32gb 4 is still perfect for me so I’m not in the market. My gfriend is getting a 5c asap though, her 3s is finally breaking down after 4 years.
I do find it amazing how some of you continually believe Apple has no engineering sense to solve (or at least address) these problems.
Some of you truly believe that Apple does nothing more than package and market existing technologies. Ever. You have no idea of the number of large and small comp-sci problems that Apple engineers have attacked over the years.
You’d probably all still be using dumb phones with 2×2 screens and text control if it wasn’t for Apple’s engineers. For that matter you might still be plugging wires into your motherboard, storing data on magnetic discs in paper envelopes, and flipping switches to load a program if it wasn’t for apple’s engineers. No one company has pushed personal computing farther along than Apple in the last 37 years, but according to some of you they have the engineering prowess of Coca Cola Inc.
Haters hate. Bury your head in the sand and wait to buy the 2 knockoffs currently being developed by Samsung and HTC, you know they are coming. Start the copy machines! But no one can match Apple’s hardware/software integration; for instance, the new camera on the 5s looks pretty bad azz. Only Nokia’s camera is coming close to Apple’s. The 1000-tone flash, the 120fps slow-mo, the burst and re-assemble on the fly (replacing out of focus areas with the same area from another shot in the burst) – that’s engineering folks, not marketing.
Edited 2013-09-13 15:11 UTC
You’ll believe anything.
The next headline is going to read, “Apple keeps fingerprints but doesn’t use them”. After that it will be “NSA keeps Apple fingerprints but doesn’t use them without cause”.
And so on, and so on…. Like peeling an onion.