Biometric on iPhone worse than Snakes on a Plane?

Apple has recently stirred up some controversy with the introduction of a biometric sensor on its latest flagship product, the iPhone. When it comes to this topic (governments stealing fingerprints... anyone?), I think that most people are overlooking some other interesting issues.
To my knowledge, available and affordable biometric sensors are known to be quite easy to bypass. Even those that check skin humidity can be bypassed, and this vulnerability has been known since 2002, so it comes as no surprise that Apple's Touch ID was broken a few hours after its launch by the CCC.
So, if all of this was already known, why did manufacturers decide to insert a biometric sensor anyway? There may be different reasons, some understandable, some outside the scope of this article.
– PIN and passphrase authentication schemes are showing their weakness, and the market required a suitable answer.
– a biometric sensor is a great way to tie the device to the user. In a not-so-distant future, 'for security reasons', it may be handy for manufacturers to tie the biometric credential to the device in an irreversible way, to 'burn it in', thus killing the second-hand market (and the black market as well).
Update (27.09.2013): I feel that this will come up sooner or later.
– Plausible deniability: in this not-so-distant future, once the biometric credential is 'burned in' to the device during initial setup, it can be difficult for the user to repudiate the device by claiming he does not own it.
As far as I know, the link between the biometric credential and the device is not so strong at the moment, and I suppose that the phone can be reset and sold without particular issues in this regard.

For normal people, the ones who fear a violent assault by petty thieves more than a government coming after them for espionage, there are a few reasons why a biometric sensor on a phone is a good thing:

  • PINs, unlock patterns and passphrases may be awkward to enter in an emergency. While it's true that the emergency dialer is always accessible, an emergency may include a scenario where one has to call a number other than the standard one, and PINs and passphrases are difficult to remember under stress.
  • an authentication scheme based on a biometric sensor is better in a hands-free situation, because it does not require the user to focus on entering the credential.
  • a biometric sensor is great for elderly and impaired people.
  • you cannot forget a biometric credential (*hopefully*).

On the other hand, there are plenty of cons regarding a credential system based solely on a biometric sensor.

  • a biometric credential cannot be easily changed.
  • a biometric credential, like a fingerprint, is comparatively cumbersome to protect, while in normal situations protecting a PIN or a passphrase is relatively easy.
  • fingerprints, in particular, are mostly exposed: unless the user is wearing gloves, fingertips are always in contact with the surrounding environment. The claim that Touch ID also works with other parts of the body may be fun, but fingertips have a very special characteristic: they differ from person to person. I would love to see people unlocking their device with their forehead, but it would be interesting to see whether other people's foreheads work as well. Moreover, no more pressing your forehead against the window on a cold day as Keanu Reeves might do, unless you want to risk compromising your main credential.

The use of fingerprints as a biometric credential, while practical, has some real issues that people should consider. First of all, there is a greater chance of violent crimes in which the thieves forcibly unlock the device or cut off the fingertip to obtain the biometric credential. And living without thumbs can be uncomfortable, to say the least.
Then there is the aspect of privacy and data security. Anyone may find themselves in a situation where a third party forcibly tries to obtain access to the device.
While a little interrogation, or trying to gain access through forensic methods, is a viable alternative any law enforcement agency can consider, bypassing a biometric credential is as easy as forcing the user to swipe a finger on the sensor. You don't even have to spend $5 on a wrench.
A few points worth mentioning:

  • biometric authentication means that the device is vulnerable in any situation where the user is unconscious or 'unavailable', while for classical credentials like PINs and passphrases this scenario conveniently works the opposite way.
  • it is difficult to envisage a plausible-deniability scheme where one can provide the adversary with a different, fake credential that reveals only uninteresting data, because the user can be observed acting in normal life (so it may, for example, be difficult to swipe a different finger under duress, as the adversary may, and probably already does, know which finger is the valid one).

So, are we ready for biometrics? Probably not. But probably, like many innovations Apple has endorsed, this one will bring some good, spurring manufacturers into developing safer biometric systems.

Update (24.09.2013): a really good article on the subject (with some first-hand experience of the Touch ID hack) can be found here.

Further reading

– Importance of Open Discussion on Adversarial Analyses for Mobile Security Technologies
– Chaos Computer Club breaks Apple TouchID
– Why I Hacked Apple's TouchID, And Still Think It Is Awesome

Security firm SySS reports what seems to me like yet another XOR story, speaking of a false sense of security.

An article from H-Security reports a serious weakness in some 'secure' USB flash drives certified under FIPS 140-2 Level 2:

During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.

The response from the affected vendors was mixed: some recalled the affected products, some issued a security bulletin.
I wonder how many end users will ever hear about that bulletin. What's worse is that the weakness didn't involve any cryptography at all, which put these super-secure drives within reach of a trivial attack.
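To make the flaw concrete, here is a constructed simulation, added here and not code from the article or from any of the affected products: a drive that opens on a fixed string which the host program sends after doing the password check itself, beside a design where the drive verifies a key derived from the password and a per-unit salt (PBKDF2 and the hashed verifier are my assumptions, not any vendor's scheme).

```python
import hashlib
import hmac
import os

# Constructed placeholder: in the flawed design every unit accepts this same string.
FIXED_UNLOCK_TOKEN = b"constructed-fixed-unlock-token"


class FlawedDrive:
    # The password check lives in the host program; the drive only ever sees a fixed token.
    def __init__(self, password: str):
        # Host software keeps a password hash; the drive stores nothing password-related.
        self._host_pw_hash = hashlib.sha256(password.encode()).digest()

    def host_unlock(self, password: str) -> bool:
        # The password only gates whether the host program sends the token.
        ok = hashlib.sha256(password.encode()).digest() == self._host_pw_hash
        return ok and self.device_unlock(FIXED_UNLOCK_TOKEN)

    def device_unlock(self, token: bytes) -> bool:
        # What the drive itself enforces: whoever presents the token gets in, no password needed.
        return hmac.compare_digest(token, FIXED_UNLOCK_TOKEN)


class HardenedDrive:
    # Unlock material is derived from the password and a per-unit salt stored on the drive.
    def __init__(self, password: str):
        self.salt = os.urandom(16)  # unique per unit, so no universal unlock string exists
        self._verifier = hashlib.sha256(self.derive(password)).digest()

    def derive(self, password: str) -> bytes:
        # PBKDF2 ties the unlock key to both the password and this unit's salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def device_unlock(self, unlock_key: bytes) -> bool:
        # The drive verifies the password-derived key itself instead of trusting the host.
        return hmac.compare_digest(hashlib.sha256(unlock_key).digest(), self._verifier)

    def host_unlock(self, password: str) -> bool:
        return self.device_unlock(self.derive(password))


def compare_designs() -> dict:
    flawed = FlawedDrive("correct horse")
    hard = HardenedDrive("correct horse")
    other = HardenedDrive("correct horse")  # a second unit set up with the same password
    return {
        "flawed_opens_without_password": flawed.device_unlock(FIXED_UNLOCK_TOKEN),
        "hardened_accepts_right_password": hard.host_unlock("correct horse"),
        "hardened_rejects_wrong_password": not hard.host_unlock("wrong"),
        "hardened_rejects_other_units_key": not hard.device_unlock(other.derive("correct horse")),
    }
```

The first entry is the whole story: with the flawed design the drive opens for anyone who talks to it the way the host program does, and the password never enters the picture.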

I also wonder how long this will go on: hurrying a product to market with a security scheme that is poorly designed (or already known to be weak), boasting about super-secure powers and super-secure algorithms (which the poor design will eventually render useless), hoping that no one will notice, responding quietly when someone discovers the flaw, and, as a last measure, threatening legal action against whoever discovered the flaw in the first place.

That is, as I have repeated many times: security through obscurity DOES NOT work. It does not help anyone except the vendor, who can get away for a while with a poorly designed product.

‘unhackable’ netbook network

“The appearance of safety was mistaken for safety itself.” (Walter Lord)

It seems reasonable to me that the prefix UN- should be banned from the world of computing and technology in general.
We have several examples of UN-thingies:
– RMS Titanic
– Enigma machine
So why not go on with the 'unhackable' netbook network?
“There was no way we could do any of this on XP,” he said. “Windows 7 nailed it for us.”

a GNOME/KDE virus in 5 steps…

Speaking of a false sense of security... an interesting point of view.

False sense of security strikes again

It is 2008, and cheap encryption can still bring a false sense of security.
./ has a story on cracking (not literally) an encrypted hard disk open.

You may think you paid less and still got AES, when what you actually got was the good old and safe (pun intended) XOR.
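A check of the kind that would have exposed such a product, added here as a constructed example and not code from the linked story: feed the "cipher" an all-zero buffer and look for a short period in the output. Repeating-key XOR leaks its key verbatim and repeats it, a proper cipher does not; since the standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the real cipher (my assumption, purely to show the contrast).

```python
import hashlib
import hmac
from typing import Callable, Optional


def xor_repeating_key(key: bytes, data: bytes) -> bytes:
    # The "cheap encryption" design: each byte XORed with a short key that repeats.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def stream_cipher_stand_in(key: bytes, data: bytes) -> bytes:
    # Stand-in for a real cipher (no AES in the standard library): HMAC-SHA256 in
    # counter mode yields a keystream with no short period, the property the check needs.
    stream = b"".join(
        hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        for n in range((len(data) + 31) // 32)
    )
    return bytes(b ^ k for b, k in zip(data, stream))


def smallest_period(ct: bytes, max_period: int = 64) -> Optional[int]:
    # Smallest p such that ct[i] == ct[i + p] for every i, or None if there is none.
    for p in range(1, max_period + 1):
        if all(ct[i] == ct[i + p] for i in range(len(ct) - p)):
            return p
    return None


def looks_like_repeating_xor(encrypt: Callable[[bytes, bytes], bytes],
                             key: bytes, sample_len: int = 512) -> bool:
    # Encrypt an all-zero buffer: repeating-key XOR then emits the key over and over,
    # so the output is periodic. A proper cipher's output shows no short period.
    return smallest_period(encrypt(key, bytes(sample_len))) is not None
```

The same periodicity test works on any black box that lets you choose the plaintext, which is exactly the situation a buyer of a "hardware encrypted" disk is in.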

It reminds me so much of another XOR story that I'm starting to collect them.
If you know more, please send them.