Slashdot Mirror


Can the iPhone Popularize Fingerprint Readers?

Nerval's Lobster writes "Apple's iPhone 5S features a fingerprint scanner embedded in the home button. Of course, fingerprint-scanning technology isn't new: Bloomberg Terminals feature a built-in fingerprint reader to authenticate users, for example, and various manufacturers have experimented with laptops and smartphones that require a thumb to log in. But the technology has thus far failed to become ubiquitous in the consumer realm, and it remains to be seen whether the new iPhone — which is all but guaranteed to sell millions of units — can popularize something that consumers don't seem to want. Security experts seem to be adopting a wait-and-see attitude with regard to Apple's newest trick. 'I'd caution right away, let's see how it tests and what people come up with to break it,' Brent Kennedy, an analyst with the U.S. Computer Emergency and Readiness Team, told Forbes. 'I wouldn't rely on it solely, just as I wouldn't with any new technology right off the bat.' And over at Wired, technologist Bruce Schneier is suggesting that biometric authentication could be hacked like anything else. 'I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone,' he wrote. 'But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about.'"

35 of 356 comments

  1. i can always wipe my phone remotely by alen · · Score: 3

    Very easy to remote wipe iPhones.

    But if you have some super secret corporate info on your iPhone, you should be relying on a lot more than a consumer-level fingerprint scanner for security.

    1. Re:i can always wipe my phone remotely by Joce640k · · Score: 4, Insightful

      If you have some super secret corporate info on your iPhone, you should be relying on a lot more than a consumer-level fingerprint scanner for security.

      Especially when it's on a glass device that's covered with your fingerprints....

      --
      No sig today...
  2. if someone has your iPhone..... by phantomfive · · Score: 3, Funny

    If someone has your iPhone, they have your fingerprint.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:if someone has your iPhone..... by macsimcon · · Score: 5, Informative

      The iPhone 5s doesn't store the fingerprint itself, it just stores specific data points. Apple states that the fingerprint data is stored in a secure portion of the A7, and it is never uploaded to iCloud, or stored on Apple's servers, and never leaves the iPhone itself.

      Also, I'd be very surprised if the stored data isn't hashed.

    2. Re:if someone has your iPhone..... by Anonymous Coward · · Score: 5, Insightful

      The iPhone 5s doesn't store the fingerprint itself, it just stores specific data points. Apple states that the fingerprint data is stored in a secure portion of the A7, and it is never uploaded to iCloud, or stored on Apple's servers, and never leaves the iPhone itself.

      Also, I'd be very surprised if the stored data isn't hashed.

      It does tend to store the fingerprints of everyone who's touched it recently on the surface of the device.

    3. Re:if someone has your iPhone..... by daem0n1x · · Score: 3

      Try wiping your hands between eating a donut and using your phone.

      Take it easy, just kidding...

    4. Re:if someone has your iPhone..... by daem0n1x · · Score: 4, Funny

      I eat two donuts at a time, you insensitive clod!

  3. iPhone + fingerprint? by jonbryce · · Score: 3, Funny

    "But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."

    Surely if they have your iPhone, they already have lots of copies of your fingerprints smeared all over it?

    1. Re:iPhone + fingerprint? by the+computer+guy+nex · · Score: 4, Informative

      "But, honestly, if some bad guy has your iPhone and your fingerprint, you've probably got bigger problems to worry about."

      Surely if they have your iPhone, they already have lots of copies of your fingerprints smeared all over it?

      This technology doesn't use a fingerprint, it actually reads living tissue under the skin. The technology seems very similar because of how you use it (put your thumb here), however it is drastically different.

      So no, your fingerprints on the screen won't work. They don't match the living tissue this reads.

  4. Re:I'm gonna strike it rich by Nidi62 · · Score: 4, Funny

    I want to be the first to show how you can use the same old fingerprint reader defeating techniques on an iPhone.

    Better make sure there's not already a patent on that

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  5. Not so fast... by macsimcon · · Score: 5, Informative

    The fingerprint reader in the iPhone 5s uses a capacitive sensor, not an optical one, so Schneier's proposed hack wouldn't work.

    Also, Apple requires you to create a PIN code when you enable the fingerprint sensor. If it's been 48 hours since you used the fingerprint sensor to authenticate, you have to use the PIN instead. Likewise, if you've just restarted the iPhone, you have to use the PIN for your first authentication, you can't use the fingerprint sensor.

    1. Re:Not so fast... by the+computer+guy+nex · · Score: 3, Informative

      Capacitive sensors can be hacked if you just have heat and a tiny bit of moisture. AKA, wax fingerprint copy, and you just lick it once.

      Yes, but not this one. This doesn't read your fingerprint, but rather tissue underneath the skin. Your wax copy of the outer skin won't work.

    2. Re:Not so fast... by tlhIngan · · Score: 4, Insightful

      Also, Apple requires you to create a PIN code when you enable the fingerprint sensor. If it's been 48 hours since you used the fingerprint sensor to authenticate, you have to use the PIN instead. Likewise, if you've just restarted the iPhone, you have to use the PIN for your first authentication, you can't use the fingerprint sensor.

      And that's really the point of the fingerprint sensor. Because if you look at statistics, most users do not use a PIN or other locking mechanism on their phone. They use the default keylock. That's it. No PIN, no swipe, no face recognition, no password (both iOS and Android support "complex" authentication that goes beyond a PIN). And it's understandable because a user interacts with their phone hundreds of times a day and it gets old quick.

      So basically to amp up security, the 5S lets you replace the PIN with a fingerprint, because it's better if most users enable a PIN than half of them (or less!) do. Hell, I might want to use a complex password if it means I don't have to enter it every 5 minutes because I look something up, then re-lock the phone only to need it a few minutes later to look up something else (or answer a phone call, or text, or whatever).

      And yes, until it broke, I loved the fingerprint sensor on my laptop.

  6. Re:Laptop fingerprint fad by ModernGeek · · Score: 5, Insightful

    I know it isn't always cool to support Apple, but I have to say that there are a lot of things that were just fads before they came in and did it right. Even if they didn't get it right, they normally did something to do it better, or to make it popular.

    Look at how many mp3 players there were before the iPod...

    --
    Sig: I stole this sig.
  7. "sub-epidermal skin layers" by Quila · · Score: 4, Insightful

    We'll have to wait to find out exactly what they're referring to, but if implemented well this should be resistant to fingerprint lifting. Only the outer layers of your finger's skin touch objects. You'd have to have somebody else touch a sensor like this one and then try to recreate the capacitive map.

  8. Wrong Question by lazarus · · Score: 3, Insightful

    "But the technology has thus far failed to become ubiquitous in the consumer realm, and it remains to be seen whether the new iPhone — which is all but guaranteed to sell millions of units — can popularize something that consumers don't seem to want."

    This is not how Apple thinks of design. Instead of asking people "Do you want a fingerprint scanner?" the question they ask themselves is "How do we make security easier if not completely transparent to the end user?" If you asked people if they wanted to be secure without having to do anything at all, your answer would be different. The fingerprint scanner just happens to be the right solution to the problem (in Apple's opinion).

    --
    I am not interested in articles about life extension advancements.
  9. Fingerprints? I don't think so by Russ1642 · · Score: 3, Funny

    Best Animaniacs adult humour: www.youtube.com/watch?v=1xmAC9Qu908

  10. Re:NSA by ColdWetDog · · Score: 4, Insightful

    And now the NSA will have a finger print database for all iphone users with minimum effort.

    Stop this. Stop it this very instant. The NSA (or any other nefarious creature / corporation / government entity / evil deity) is not interested in a user's fingerprint.

    First, as has been mentioned ad nauseam, you don't get a fingerprint - you get a hash of an output off a sensor that relates to a fingerprint.

    Second, even if you could reconstruct the loops and whorls of the fingerprint then so what? You leave a veritable trail of fingerprints (and DNA and a host of other things we don't want to talk about here) everywhere you haul your ugly bit of meatspace around to. Nobody cares about a single fingerprint. The only valid concern is whether or not someone can take an existing copy of your fingerprint and gain access to the device. We shall see.

    IF it works (big if) then it's a fine bit of biometrics to allow you to play Angry Birds. If you are carrying more sensitive information on your iPhone and you don't have it encrypted separately from phone access, sucks to be you.

    Not every bit of security has to be able to foil three letter government agencies.

    --
    Faster! Faster! Faster would be better!
  11. Re:To be honest by TWiTfan · · Score: 3, Insightful

    Well, it should come in handy when the Feds are investigating "terrorists."

    --
    The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
  12. Re:How do you change your fingerprints by Jarik+C-Bol · · Score: 3, Insightful

    This is why you use a print from your non-dominant hand, non-active finger (say, your non-dominant hand pinky or ring finger). Those are the least likely to be damaged in day to day activities, and also the least likely to be expected for use, should someone be lifting your prints and making fake fingers to scan in (most people would expect dominant hand index or thumb, just out of ease of use). Security through obscurity always helps.

    --
    I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
  13. Re:To be honest by Anubis+IV · · Score: 5, Informative

    That was actually one of my first thoughts when I heard they were adding this, but I watched the keynote address, and Apple made it clear during the initial announcement that they're not uploading any fingerprint data to their servers. They further clarified afterwards that they aren't even storing the fingerprints on the local device at all. Just as good practice dictates that you store a hash of the user's password rather than the password itself, Apple is doing the same here with the fingerprint data. They store a local hash of the fingerprint rather than the fingerprint itself, then simply verify against the hash when authenticating the user.

    Which isn't to say that they couldn't backdoor something in later and renege on what they've said if some secret court order came down that gagged them and compelled them to collect the data, but at least they had the decency to try and secure the data properly.

  14. Re:NSA by aaaaaaargh! · · Score: 4, Informative

    Why do you think so? Having a quick and easy way of remotely obtaining the unique hash of the fingerprint of any iPhone user could become very useful for the NSA and other agencies - law enforcement in particular. Say you lift off a fingerprint from some object and want to know whom it belongs to. You compute a hash by the same method as in the iPhone and obtain cell phone data of people who were in the vicinity of the crime scene (that's probably standard procedure by now anyway). Now wouldn't it be nice if you could quickly match your hash with those of the phone owners? The more phones have fingerprint readers, the more obviously useful would it be to have a database of fingerprint hashes or access them remotely on the phones.

  15. Why sapphire by goombah99 · · Score: 3, Interesting

    Apple used a sapphire cover for the lens cover. Why? One possibility was they needed a material that is transparent in the IR to do the subdermal imaging. But there are other choices. Another possibility is that it's just cool. But what I'm thinking is that perhaps this cannot tolerate too much scratching so they had to use something super hard. I suppose there's also the requirement for mechanical stresses. I don't know. But if it's scratching I wonder if this will be robust.

    In any case, getting back to the post I'm replying to, there's no reason to store the fingerprint, just a hash of it, as is done for passwords. You would not want to hash the image of it either. You would want to distill it down to a set of rotationally and translationally invariant feature vectors. Of course that's still an ID of you from your fingerprint, but given the features they could not recreate your fingerprint itself.

    Personally I'm very excited about this because I'm very concerned about my phone being the world's worst 2-factor identification. Since password resets from nearly all websites are sent to the address that you get all your other correspondence from them, you have to use the same e-mail address for both. Your phone knows this address since you have to be able to get your e-mail. And if you also use your phone for a 2nd factor, then that doesn't really help. Anyone with your phone can just request a password reset and then they have your password and the 2nd factor. Bye bye PayPal and Google Pay and your bank accounts.

    So if the phone is to be that important having a biometric filter running transparently, regardless of whether it is 100%, is really welcome.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  16. Re:To be honest by TWiTfan · · Score: 4, Insightful

    Yes, they did *claim* that.

    --
    The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
  17. Re:The real concern .. the real fear .. by TheSkepticalOptimist · · Score: 3, Insightful

    Um, so I have to comment on this.

    Again, Apple has stated this information is not stored on a cloud or server. It also doesn't send your fingerprint scan to a server; your fingerprint generates a data key that is compared against data stored in an encrypted section of the CPU. So there is no centralized "data" to send to the NSA, court approved or otherwise. Apple is not consolidating a list of user profiles with fingerprint scans that the NSA or any policing agency could then demand access to.

    Leaving a fingerprint on a cup at Starbucks is not going to lead to the NSA hacking into your iTunes account to profile your taste in music and movies to find out if you are a suspect terrorist.

    You have the audacity to ask people to learn by the news, but when the news is spreading FUD and garbage all you are asking, and contributing to, is an increase in social ignorance.

    The only thing I fear these days is a growing lack of common sense and outright stupidity of the Idiot Elite that would rather believe in Hollywood fictitious level of government conspiracy, and "report" on it, rather than actually trying to understand the science of the technology they are using.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
  18. Re:uhmmm by Quila · · Score: 4, Insightful

    A ballet dancer's movements are elegant; putting modern tech in modern devices is par-for-the-course.

    It's how you apply the tech, and what you do with it. The ATRIX 4G had a fingerprint sensor, but it was definitely a less elegant implementation, having to swipe your finger down across a sensor on the back of the phone. Apple puts it right where you always touch to activate the phone anyway, and doesn't even make you change your behavior -- just touch. It also allows touch from any orientation and tilt of your finger so you don't have to worry about getting the touch perfect.

    Fingerprint scanning while allowing the user to not do anything special to scan the fingerprint. That's the elegance. That's what's going to get it used in large numbers as opposed to the ATRIX, where it ended up being a rarely used gimmick.

  19. Re: To be honest by dingen · · Score: 3, Insightful

    People will absolutely find out if their prints are indeed uploaded or stored on their device. Apple knows this, they've learned it the hard way when someone found out about the storing of geo-data and made an app to show the travel log of any iPhone user a few years ago.

    I don't think Apple would make these claims (without anyone asking no less) if they weren't true. If they were storing this data, they would have been quiet about it, don't you think?

    --
    Pretty good is actually pretty bad.
  20. Families? by CohibaVancouver · · Score: 3, Interesting

    I know Slashdot is mostly single guys, but I'd be curious to know if this feature supports multiple fingerprints for family situations. I unlock my phone, my wife will unlock it to look something up, my kids will unlock it to play a game or watch a video - How will this work in these scenarios? I'd also expect customization - I'm fine with my kid using a fingerprint to unlock the phone, but I don't want them to be able to make iTunes purchases at all. I own that right.

  21. Re: To be honest by amicusNYCL · · Score: 5, Insightful

    I don't think Apple would make these claims (without anyone asking no less) if they weren't true. If they were storing this data, they would have been quiet about it, don't you think?

    No, I don't think so. I don't have any reason to trust Apple, and you shouldn't either. You have to realize that you don't have the whole story when an agency like the NSA refers to Apple as "Big Brother". If the NSA thinks Apple is Big Brother and its customers are zombies, then why would you put any level of trust into Apple to not use your personal data however they please? Both Apple and the NSA know that Apple's customers don't care about things like that, what they care about is owning the newest Apple device, regardless of what that entails. Apple can quietly push out any update they want and people won't care once it leaves the news cycle.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  22. Re:To be honest by matfud · · Score: 3, Interesting

    Calculate invariant properties of the image and hash those. This is not new technology; it has been around for many decades.
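
The idea raised in comments 15 and 22 (hash rotation- and translation-invariant features rather than the image), as an added example that is not part of the thread and not Apple's implementation. The point coordinates are constructed, the choice of squared pairwise distances as the invariant is an assumption, and all function names are hypothetical; the last function also shows that an exact digest changes when a single point moves by one unit.

```python
import hashlib
from itertools import combinations

# Constructed sample: minutiae-like points on an integer grid. Coordinates are
# multiples of 5 so the 3-4-5 rotation below stays exact. Not real print data.
ENROLLED = [(10, 15), (40, 5), (25, 60), (70, 35), (55, 80)]


def rigid_move(points, dx, dy):
    """Rotate by the angle with cos=3/5, sin=4/5, then translate (exact integers)."""
    return [((3 * x - 4 * y) // 5 + dx, (4 * x + 3 * y) // 5 + dy)
            for x, y in points]


def invariant_features(points):
    """Sorted squared pairwise distances.

    Unchanged by rotation, translation and the order the points are listed in.
    """
    return sorted((ax - bx) ** 2 + (ay - by) ** 2
                  for (ax, ay), (bx, by) in combinations(points, 2))


def _sha256_of(values):
    return hashlib.sha256(",".join(map(str, values)).encode()).hexdigest()


def raw_digest(points):
    """Hash of the coordinates as captured: depends on finger placement."""
    return _sha256_of([c for p in points for c in p])


def template_digest(points):
    """Hash of the invariant features: independent of finger placement."""
    return _sha256_of(invariant_features(points))


def compare_captures():
    """Compare the enrolled capture with a moved one and a slightly noisy one."""
    # Same finger, placed rotated and shifted, points reported in another order.
    moved = list(reversed(rigid_move(ENROLLED, 7, -12)))
    # Same placement, but one point read one unit off (constructed sensor noise).
    noisy = [(ENROLLED[0][0] + 1, ENROLLED[0][1])] + ENROLLED[1:]
    return {
        "raw_matches_after_move": raw_digest(moved) == raw_digest(ENROLLED),
        "template_matches_after_move":
            template_digest(moved) == template_digest(ENROLLED),
        "template_matches_with_noise":
            template_digest(noisy) == template_digest(ENROLLED),
    }


if __name__ == "__main__":
    for name, value in compare_captures().items():
        print(f"{name}: {value}")
```

An exact digest compares equal only when the extracted features are bit-identical, so the invariance handles placement but not measurement noise.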

  23. Re: To be honest by Applekid · · Score: 3

    People will absolutely find out if their prints are indeed uploaded or stored on their device. Apple knows this, they've learned it the hard way when someone found out about the storing of geo-data and made an app to show the travel log of any iPhone user a few years ago.

    Did anything change as a result? Did iPhone users suddenly wake up and not use their iPhones? Or switch to Android (ha ha, same privacy concerns, different companies)?

    They got caught, took a few licks from the press, but ultimately the future refused to change.

    --
    More Twoson than Cupertino
  24. Re:Simple hack - use a 3D printer by Jason+Levine · · Score: 3, Informative

    And fingerprint scanners that check for a pulse are unbeatable, right? What say you, Adam and Jamie?

    Mythbusters: Busted!

    http://dsc.discovery.com/tv-shows/mythbusters/mythbusters-database/fingerprint-scanners-unbeatable.htm

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  25. Re: To be honest by dingen · · Score: 3, Informative

    Apple changed the way this data was stored, only stored current information (instead of a complete history), made it possible to encrypt the data and also added an option to disable it altogether. So yeah, a lot did change after this was exposed.

    --
    Pretty good is actually pretty bad.
  26. Re: To be honest by Anubis+IV · · Score: 5, Informative

    Did anything change as a result?

    Yes.

    Just to refresh everyone's memory, the issue was one with the geodata cache being kept on iOS devices. The cache was in place to allow the device to more quickly determine its location by recognizing hotspots and cell towers that it had previously seen, rather than having to engage in a battery-draining GPS check. Due to not thinking through things as much as they should have, Apple designed the cache to clear out old data only when the cache exceeded a certain size (IIRC it was 2MB), but the result was that it could potentially have a few years' worth of geodata cached away that a malicious person could use.

    Apple modified the cache's behavior in response to the incident, changing it to delete items after a few months (I believe 3).

  27. Re:Other Privacy issues by knight24k · · Score: 4, Interesting

    Here is an article that explains this better than I did, written by an attorney that specializes in computer security, electronic privacy etc.

    http://www.wired.com/opinion/2013/09/the-unexpected-result-of-fingerprint-authentication-that-you-cant-take-the-fifth/