1:31 p.m. September 23, 2013

Apple Gives Security The Finger

Only days after the launch of a crowd-funded contest, with a pot of roughly $13,000, to successfully hack Apple's new iPhone fingerprint scanner, the Chaos Computer Club declared itself the winner. In a video and blog post, the European hacker collective said it had tricked the scanner with a fake finger molded from a high-resolution photograph of a fingerprint.

Though the club's victory is still not verified, the news seems to buttress Sen. Al Franken's (D-Minn.) new letter to Apple executives that raises serious questions about iPhone technology and the use of biometrics as a substitute for passwords.

Before we go on, let me pause and personalize this with a germane confession. I'll just come out and admit it: this weekend I followed the screaming throngs and bought the new iPhone. No, I didn't purchase the device for the fingerprint scanner - my old phone was starting to shit itself every few hours, so I was merely looking to take advantage of a decent trade-in deal. But yeah, I initially used the fingerprint scanner without hesitation and with the giddiness of a kid brought up on sci-fi schlock.

Before you write me off as the typical technology-wowed rube who mindlessly ignores serious security questions, let me explain myself. It wasn't that I didn't think about any privacy and security questions when I let my new gadget map my thumb. No, it was a considered risk. With the NSA reportedly building skeleton keyholes into encryption protocols - holes that hackers are probably able to exploit too - I figured that the question of which particular way I happen to unlock my iPhone is probably the least of my security concerns.

Now sure, you can proceed to pulverize me with the requisite epithets for my continued use of Apple stuff (wanna-be hipster, yuppie, asshole, etc.), but on the specific security issue, I felt like I was on firm ground. I just calculated that if someone smart enough and motivated enough wants to hack my phone, I'm probably screwed - whether I use my thumbprint or a four-digit passcode.

Then, of course, I happened upon the news of the fingerprint hack, bumped into Franken's letter and fell down the rabbit hole of academic research into biometrics. That's left me sufficiently spooked - not necessarily about the iPhone in specific, but by what the new iPhone's biometrics may portend for the future of security protocols in general.

Look, biometric technology has an obvious appeal; it’s user-friendly and reads traits that are apparently unique. Simply put, your biometrics are part of your body, so a biometric security system means you no longer have to remember a password or worry about someone accidentally finding the key to your digital life scrawled on a discarded piece of paper. Likewise, because we assume that our fingerprints, retinas and facial structures are unique, we assume biometric technology is more secure than a password - which can be replicated.

Sounds great, right? Sounds like Apple was right to bill its biometric system as "one of the best passwords in the world," right? Sounds like the coming of what's been billed as "a new era of supersecure gadgets," right?

Hells yeah, it does... except for one thing. Even if you ignore serious questions about whether fingerprints actually are unique, there's the whole problem that Franken outlines in his letter:

Passwords are secret and dynamic; fingerprints are public and permanent. If you don't tell anyone your password, no one will know what it is. If someone hacks your password, you can change it - as many times as you want. You can't change your fingerprints. You have only ten of them. And you leave them on everything you touch; they are definitely not a secret. What's more, a password doesn't uniquely identify its owner - a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.

Franken is alluding to the fact that up until now, security has, in part, been built on the ability of password systems to change the locks at will: a password is one of a practically unlimited number of possible secrets, and if it leaks you simply pick another (which is why your office IT staff periodically ask you to change your login info). By contrast, a biometric lock accepts only a small, fixed set of keys, which are fused to your body, which leave public traces everywhere, and which you cannot ever change in the event that those keys get stolen.

Of course, the allure of biometric technology is its use of a particular set of keys. Their (alleged) uniqueness and their physical connection to your body makes them seem far harder to steal, replicate or codebreak in Joshua-esque fashion than anything else. And, indeed, they may truly end up being more difficult to steal than traditional passwords.

But a perusal of studies reveals a frightening truth: biometric keys are not impossible to steal - not even close.

As Franken implies, the most straightforward way to pilfer someone's biometric identifier is to simply capture the image of a fingerprint left in a public place, and then use that image to physically trick a scanner. That's what security expert Bruce Schneier says is the simplest hack of the new iPhone and it is what the Chaos Computer Club purports to have done. And what's troubling is that there seems to be little that can be done to prevent such a hack. Scanner makers do try to counter it with "liveness" checks that look for a pulse, sweat or the conductivity of real skin, but those checks have repeatedly been fooled, and Michigan State University researchers explain why the problem is structural: "Since (fake biometrics) operate in the analog domain, outside the digital limits of the biometric system, the digital protection mechanisms such as encryption, digital signature, hashing etc. are not applicable."

On top of this physical vulnerability, there is the possible digital-security hole in biometric systems.

Remember, these systems (like Apple's) typically do not store an actual image of your fingerprint. Instead, they extract distinctive features from the image - for fingerprints, mostly the positions and orientations of ridge endings and splits, called minutiae - and store that compact description as a "template." Every later scan is reduced to a template the same way, and a matching algorithm scores how closely the two sets of features line up; if the score clears a threshold, the lock opens. Note that this is a similarity check, not the exact comparison a password gets, because no two scans of the same finger are identical. The design is sold as a security measure - the idea being that while it may be easy to replicate an image from an image, it is supposed to be nearly impossible to reverse engineer a passable fingerprint from the template alone.

But, again, that's not necessarily the case.

A 2004 report from Michigan State University found that hackers can "break into accounts protected with templates" and "synthesize templates that guarantee positive identification." Similarly, University of Bologna researchers in 2007 reconstructed fingerprint images from templates with a level of accuracy that gave them "a high chance to deceive state-of-the-art commercial fingerprint recognition systems." By 2011, CNNMoney reported that those researchers' template-to-image techniques "were so successful that they were able to build gummy finger versions of the prints that could be pressed up against a reader and used to fool the computer into letting them into someone else's account." And before you insist that this can all be fixed by simply switching body parts, remember that at the 2012 Black Hat conference, researchers from Universidad Autonoma de Madrid and West Virginia University revealed their success in cracking iris-scanning technology.
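To make the difference between the two kinds of check concrete, here is an added example in Python. It is not code from this article, from Apple, or from any of the studies cited above; it is a toy matcher that treats a template the way real systems do, as a small set of minutiae points compared against a probe with some tolerance, set beside an ordinary salted password hash. The enrolled print, the spoof and the "other finger" are constructed sample data, the tolerances and the 0.7 threshold are arbitrary, and the matcher assumes both scans are already aligned, which real matchers have to work out for themselves. It shows two things the text only asserts: a slightly-off reproduction of the print (what a lifted latent gives you) still passes, because matching has to tolerate scan-to-scan noise, and a password verified by exact hash comparison can be rotated so the leaked one stops working, while the leaked template never stops.

```python
import hashlib
import hmac
import math
import os

# ---- Password side: secret, exact-match, rotatable ----------------------------

def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, attempt):
    """Exact match only: a single wrong character fails. compare_digest avoids timing leaks."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# ---- Biometric side: public, fuzzy-match, permanent ---------------------------

# A template is data, not an algorithm: here, minutiae as (x, y, ridge angle in degrees).
# Constructed sample values, not taken from any real fingerprint.
ENROLLED_TEMPLATE = [(12, 40, 30), (55, 21, 95), (78, 66, 210),
                     (33, 88, 150), (90, 12, 45), (20, 70, 300)]


def match_score(template, probe, pos_tol=4.0, angle_tol=15.0):
    """Fraction of enrolled minutiae that have a probe minutia within position and
    angle tolerance. Toy matcher: assumes the probe is already aligned with the
    template (real matchers estimate rotation/translation first)."""
    matched = 0
    for x, y, angle in template:
        for px, py, pangle in probe:
            close = math.hypot(x - px, y - py) <= pos_tol
            # Smallest difference between two angles, handling the 360/0 wrap.
            same_dir = abs((angle - pangle + 180) % 360 - 180) <= angle_tol
            if close and same_dir:
                matched += 1
                break
    return matched / len(template)


def verify_fingerprint(template, probe, threshold=0.7):
    """Accept if enough minutiae line up. A threshold below 1.0 is unavoidable: two
    scans of the same finger never produce identical minutiae."""
    return match_score(template, probe) >= threshold


def demo():
    """Run both checks against a correct credential, a near copy, and a rotation."""
    results = {}

    record = hash_password("correct horse battery staple")
    results["password_ok"] = verify_password(record, "correct horse battery staple")
    # One character off: rejected. Exact matching is what makes a near-copy useless.
    results["password_near_copy_rejected"] = not verify_password(
        record, "correct horse battery staplE")
    # After a breach the user picks a new password; the leaked one is now worthless.
    record = hash_password("pick something new after the breach")
    results["leaked_password_dead_after_rotation"] = not verify_password(
        record, "correct horse battery staple")

    # A fake finger built from a lifted print reproduces the minutiae only roughly:
    # constructed here as a small shift and rotation of every enrolled point.
    spoof = [(x + 2, y - 1, angle + 8) for x, y, angle in ENROLLED_TEMPLATE]
    results["spoof_accepted"] = verify_fingerprint(ENROLLED_TEMPLATE, spoof)
    # A different finger (constructed) shares no minutiae and is rejected.
    other_finger = [(70, 5, 10), (5, 60, 180), (45, 45, 270),
                    (95, 90, 60), (60, 80, 120), (25, 15, 240)]
    results["other_finger_rejected"] = not verify_fingerprint(ENROLLED_TEMPLATE, other_finger)
    # There is no "rotate" step for the template: the same spoof keeps working.
    results["spoof_still_accepted_later"] = verify_fingerprint(ENROLLED_TEMPLATE, spoof)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and every entry comes back True. The password side fails on a one-character difference and, after rotation, on the original password; the fingerprint side accepts the shifted copy both times and rejects only the unrelated finger. That tolerance is not a bug to be fixed: tighten the threshold enough to reject the spoof and you also reject the owner's own finger on a cold morning, which is exactly why the analog attack in the previous section is hard to close off.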

For its part, Apple has tried to reassure consumers by saying that the fingerprint templates are encrypted, kept in a separate "Secure Enclave" on the phone's A7 chip, and never uploaded to Apple's servers. But that's hardly comforting when the NSA is making the whole concept of secure encryption look like an oxymoron, and further, when Apple is refusing to disclose whether it is providing encryption skeleton keys to government officials.

Put it all together, and you see a harrowing picture in a country where identity theft is already increasing at an alarming rate. From that picture, you can easily imagine the same identity thieves who clone credit cards now also employing simple MacGyver-like techniques to lift individuals' fingerprints off touch screens or hotel room furniture or door knobs and then using those prints to access whatever devices are biometrically locked. Worse, if companies end up storing biometric templates on their central servers (Apple says that, for now, it isn't), the template-to-image techniques could turn a single database breach into a mass compromise of credentials nobody can replace.

OK, OK - let's stop again because even though I haven't hacked the microphone of the device on which you are reading this article, I can hear what you are muttering under your breath. If you love Apple, you are a bit worried, but you are saying at least this is only an issue for people fortunate enough to possess an iPhone. If you hate Apple, you are laughing at iPhone owners, you are rejoicing that all this makes your clunky Android superior, and you are reassuring yourself that you have nothing to worry about.

Well, here's some inconvenient truth: no matter which side of the Mac-PC war you are on and no matter if you own an iPhone or would never own an iPhone, this should concern you. Why? Because as Franken pointed out in his letter: "Regardless of how carefully Apple implements fingerprint technology, this decision (to use biometrics) will surely pave the way for its peers and smaller competitors to adopt biometric technology, with varying protections for privacy."

Translation: Apple is a technology trendsetter, and its use of biometric technology could set standards throughout the economy. We're talking fingerprints replacing passwords for everything from ATMs to office-building security systems to car doors to debit card transactions. After all, if the world's leading computer company is normalizing this technology for the sake of saving people the minimal effort of typing in a four-digit code, other companies will almost certainly embrace this technology for more arduous security tasks. As the president of eBay's PayPal told USA Today, "Within the next two years the vast majority of high-end smartphones will have biometrics and mainly fingerprint logins. It's going to be very useful for payments."

This is where permanence and scale can become enormously destructive.

Sure, it might be no big deal to accept the vulnerabilities of a fingerprint scan if it gave you access to your iPhone and nothing else. In that situation, only your phone would be susceptible to biometric hacks - and your information would be no less secure than it would be had you used a hackable password for that phone. So sure, right now, you can probably use your new iPhone's fingerprint scanner without much worry.

However, when the success of the iPhone inevitably leads to a future in which lots of different technologies in your life are locked and unlocked by a finite number of biometrics, then far more than your phone is at risk. The scale of such biometric security systems would mean your whole life could be held hostage because the locks and keys have been fundamentally changed.

Think about it in practical terms. Whereas in today's password-based system you can protect yourself after a security breach with a simple password change, in tomorrow's biometric-based system, you have far fewer - if any - ways to protect yourself after a security breach. That's because you cannot so easily change your fingers, your eyes or your face. They are basically permanent. Yes, it's true - security-wise, those biological characteristics may (and I stress "may") be less vulnerable to a hack than a password. But if and when they are hacked in a society reorganized around biometric security systems, those systems allow for far less damage control than does a password-based system. In effect, your physical identity is stolen - and you can't get it back.

In light of this, there's a simple question: is the time it takes to punch in a code really a hassle worth avoiding? I'd say two seconds and some finger flicks isn't actually a hassle, whether it's punching in an iPhone code, typing in a login password or entering an ATM PIN. More importantly, it sure isn't a very high price to prevent your body from becoming someone else's permanent skeleton key to your whole life.