Slashdot Mirror


German Data Protection Expert Warns Against Using iPhone5S Fingerprint Function

dryriver writes "Translated from Der Spiegel: Hamburg Data-Protection Specialist Johannes Caspar warns against using iPhone 5S's new Fingerprint ID function. 'The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone. This is especially true if a biometric ID, like your fingerprint, is stored in a data file on the electronic device you are using.' Caspar finds Apple's argument that 'your fingerprint is only stored on the iPhone, never transmitted over the network' weak and misleading. 'The average iPhone user is not capable of checking, on a technical level, what happens to his or her fingerprint once it is on the iPhone. He or she cannot tell with any certainty or ease what kind of private data applications downloaded onto the iPhone can or cannot access. The recent disclosure of spying programs like Prism makes it riskier than ever before to share important personal data with electronic devices.' Caspar adds: 'As a matter of principle, one should never hand over any biometric data when it isn't strictly needed. Handing over a non-changeable biometric feature like a fingerprint for no better reason than that it provides 'some convenience' in everyday use, is ill advised and foolish. One must always be extremely cautious where and for what reasons one hands over biometric features.'"


  1. Also it stands to reason by rolfwind · · Score: 4, Interesting

    That your fingerprints are all over your phones.

    I believe mythbusters showed how trivial it was to bypass fingerprint protections by making your own "finger" from said prints? (This time on an electronic door lock).

    1. Re:Also it stands to reason by Hentes · · Score: 4, Insightful

      But because of that the privacy concerns raised are pointless. Casual use is exactly where biometrics are useful, they are very convenient but don't provide any real security.

    2. Re:Also it stands to reason by Anonymous Coward · · Score: 1

      Yes. However, your greasy fingerprint on the phone can't be stolen remotely from the other side of the planet like the biometric one can.

      That said, it's not terribly useful to steal the identifier string stored on the phone since it won't allow you to reconstruct the print any more than a MD5 checksum will permit you to reconstruct the file it is from. What it would do, though, is allow a third party to steal the checksum and then use it with other biometric devices to identify when that same user has come in contact with a different device under the third-party's control. I can't think of a good scenario right now, where that's likely to be an issue. HOWEVER, that doesn't mean that systems won't evolve in the future that could make it a problem.

    3. Re:Also it stands to reason by ColdWetDog · · Score: 5, Interesting

      Yes. However, your greasy fingerprint on the phone can't be stolen remotely from the other side of the planet like the biometric one can.

      That said, it's not terribly useful to steal the identifier string stored on the phone since it won't allow you to reconstruct the print any more than a MD5 checksum will permit you to reconstruct the file it is from. What it would do, though, is allow a third party to steal the checksum and then use it with other biometric devices to identify when that same user has come in contact with a different device under the third-party's control. I can't think of a good scenario right now, where that's likely to be an issue. HOWEVER, that doesn't mean that systems won't evolve in the future that could make it a problem.

      There are ALWAYS downsides to security issues. It's how security consultants make money.

      But unless Apple opens up the internals of how it processes and stores the data, I don't think it will have any generic utility. It's NOT a fingerprint copier. It uses (presumably) unique biometric information to create a (presumably) unique electronic signal to allow access to a device. You can (presumably) erase / clear the memory so the information is nowhere else, thus bypassing another problem with biometrics - you can't easily change your fingerprints.

      I'm not sure it will work well, I've used a number of fingerprint scanners before ranging from the frankly stupid (on a number of laptops) to pretty good implementations on spendy locks. Presumably Apple will Do It Right(TM), but who knows?

      --
      Faster! Faster! Faster would be better!
    4. Re:Also it stands to reason by Nemyst · · Score: 4, Insightful

      Apple's fingerprint reader doesn't read the fingerprint, it reads the tissue under the skin. This makes it much harder to fake and very constant over time. They're much more secure than "traditional" fingerprinting.

    5. Re:Also it stands to reason by Bing+Tsher+E · · Score: 2, Insightful

      'Under the skin' is the magic dust the Apple marketing people came up with this time.

      It's the Altivec Unit of 2013.

    6. Re:Also it stands to reason by Hentes · · Score: 2

      I admit that it will make the job of the common thief hard, that's why I said that it's a good idea. Just don't trust unencrypted sensitive data on your phone.

    7. Re:Also it stands to reason by runenfool · · Score: 2

      If you Google you may have found this as the top result as I did:

      http://www.redmondpie.com/iphone-5s-touch-id-requires-a-live-finger-to-unlock-wont-work-with-one-thats-severed-from-body/

      The attack you describe doesn't work - you can't use a severed finger either. It's not so trivial to bypass.

    8. Re:Also it stands to reason by wvmarle · · Score: 2

      And even if so. Your fingerprints may be all over the phone - incomplete, streaked out, overlapping: most likely totally useless to harvest. It will work great against the casual thief, or the one who finds the phone you just lost. They won't be able to get in that way, so it's working pretty well.

      The key of the issue is that more and more governments are demanding biometrics to be included in one's passport, including fingerprints (I'm using my thumb print to clear immigration - very convenient now they finally got a good reading of my thumb, the previous one didn't really work well). That makes my thumb print also rather valuable: everyone who has my thumb print and knows how to thwart Hong Kong's scanners can enter and leave the country pretending to be me. And that accounts for the other 6 mln or so Hong Kong permanent residents that use this system as well (it's mandatory for all adults).

      Now a casual device like the iPhone wants your fingerprint. That means that if I were to use my thumb for that and lose my phone, the person who finds it could theoretically extract my thumb print data (even if Apple says you can't: they got the actual device so I will assume it is possible, even if hard), and use that to clear immigration.

      Even if it is not possible now, those scanners get better over time and will likely store more and more detailed fingerprint details, making it more and more likely that it becomes possible. And the fear is that by that time everyone is so used to using their fingerprints for anything, that it's going to be the perfect avenue for identity theft.

    9. Re:Also it stands to reason by interval1066 · · Score: 3

      ...it reads the tissue under the skin.

      And you know this how? What does that mean exactly? How does it do that non-intrusively? Fingerprints are by definition "on the skin", not under it, aren't they?

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    10. Re:Also it stands to reason by mlts · · Score: 1

      IMHO, the best way to have a fingerprint done is to hash the data with the hash algo of choice, then use that hash to encrypt a salt. Then, store the salt and the encrypted part.

      This way, there is no way to recover any usable fingerprint data. Even if the hashed fingerprint data is obtained, trying to find the original data is like trying to run a meat grinder in reverse in hopes to get the pig back.

    11. Re:Also it stands to reason by slick7 · · Score: 2

      That your fingerprints are all over your phones.

      I believe mythbusters showed how trivial it was to bypass fingerprint protections by making your own "finger" from said prints? (This time on an electronic door lock).

      You can pry my fingerprints from my cold dead hands you filthy apes.

      --
      The mind conceives, the body achieves, the spirit manifests.
    12. Re:Also it stands to reason by Anonymous Coward · · Score: 1

      So has Toshiba since at least Portege M500, many years ago.

      Doubt this makes much more secure finger print scanning for a determined intruder. All it takes is two layers with similar optical and capacitive characteristics to the real thing in most cases.

    13. Re:Also it stands to reason by allo · · Score: 2

      yeah. So what? Other security features may copy this method. And then your "tissue under the skin" will be stored on a phone, maybe stolen by apps, and used on other security systems, maybe to identify as you on an ATM.

    14. Re:Also it stands to reason by greenbird · · Score: 4, Insightful

      But because of that the privacy concerns raised are pointless. Casual use is exactly where biometrics are useful, they are very convenient but don't provide any real security.

      Yeah, because having your fingerprint physically on something is exactly the same as having it digitally stored where it can be transmitted in seconds to anywhere in the world. It's just as easy to follow someone around until you can physically steal their phone and pull the fingerprints off as it is to plant some malware on it and have it transmit the info.

      --
      Who is John Galt?
    15. Re:Also it stands to reason by greenbird · · Score: 1

      This way, there is no way to recover any usable fingerprint data.

      Ummm...except reading the actual output from the scanning device.

      --
      Who is John Galt?
    16. Re:Also it stands to reason by ceoyoyo · · Score: 4, Informative

      No, actually. What you think of as your "fingerprint" is a pattern in the layer of dead skin, the epidermis. That pattern is created by patterns in the dermis, the living cells underneath the epidermis. That's why if you wear away your fingerprints, unless you do serious damage to your finger pads, they'll grow back the same as they were.

      The sensor in the 5s uses a low frequency RF signal to read the fingerprint from the dermis, not the surface. That kind of sensor is much more reliable and easier to use than older ones, and can't be fooled by masks or dead fingers. Fujitsu has some notebooks in Asia that already have them, and Microsoft has demonstrated them as well.

    17. Re:Also it stands to reason by Anonymous Coward · · Score: 1

      Casual use is exactly where biometrics are useful, they are very convenient but don't provide any real security.

      The government has another idea about what 'security' means. They want to make sure they have identifiers about you, such as your iris scan or finger print that you yourself can't tamper with to create a duplicate or new persona. Hence the big push to embed such data in RFID identity documents and passports, which in turn creates demand and a black market for such data that can be used by identity thieves, spies and even terrorists (yes, I used the T word... bear with me). God forbid your biometric data be blacklisted for whatever reason: you then become an unperson, a pariah, you are officially fucked and can be denied your rights at the whim of the enforcers.

      So the full chain of thought that is not explained in the summary is: the governments are pushing biometrics down our throats, the least we can do is keep it secure and not easily accessible in an electronic format on the cloud-flavor-du-jour. Biometrics is still a bad idea for anything. Fingerprints especially - since I leak that information on everything that I touch. I refuse to be fingerprinted and treated like a criminal to get a US visa for example.

    18. Re:Also it stands to reason by quacking+duck · · Score: 1

      Now a casual device like the iPhone wants your fingerprint. That means that if I were to use my thumb for that and lose my phone, the person who finds it could theoretically extract my thumb print data (even if Apple says you can't: they got the actual device so I will assume it is possible, even if hard), and use that to clear immigration.

      There's theory and there's practice. In theory, if a hacker managed to access /.'s database, they can obtain your password. But, assuming /. follows the latest security best practices, your actual password isn't stored at all... it'll be a value obtained by bcrypt-ing your password (salt + hashing used to be okay, but the advent of powerful GPUs seems to be this method's Achilles' heel). In practice this makes it very difficult to discover your original password.

      The analogy doesn't quite hold because fingerprint matching has to be a slightly fuzzy or inexact method, but if done right (remember Apple didn't come up with this themselves, they bought a company that did nothing but security solutions), it would take more resources than even most organized crime have to reconstruct the original digital representation.

      And even then, what would they do with it? They can't graft it onto the fingerprint system of another device, possibly not even another iPhone if each A7 chip's security module has their own unique ID and encryption/decryption keys. And as others have said, there's far easier ways to get just the surface fingerprint details.

      Time will tell though. The gauntlet has been thrown down, and there'll be no shortage of attempts to hack it and gain notoriety as the group that cracked Apple's much-vaunted security.

    19. Re:Also it stands to reason by Anonymous Coward · · Score: 3, Informative

      Here's the relevant patent. It's measuring your fingerprint by capacitance. It's only "subdermal" in that the epidermis doesn't register on a capacitance sensor, but the dermis does.

      The "subdermal patterns" are the same patterns as your ordinary fingerprint. I'm pretty sure that part is just thrown in to make the whole thing sound magical or futuristic.

      I don't know what your "low frequency RF" stuff has to do with anything, though. More magic, I suppose.

    20. Re:Also it stands to reason by Trax3001BBS · · Score: 3, Informative

      But because of that the privacy concerns raised are pointless. Casual use is exactly where biometrics are useful, they are very convenient but don't provide any real security.

      In the USA the privacy concerns are very real.

      * The Patriot Act allows for the use of backdoors for counter-terrorist investigations.

      * Vendors are legally and commercially prevented from acknowledging their backdoors.
      Defense will not be able to prove their existence.

      * Users of Mobile devices and cloud storage sign off on their rights to data scanning. There is no opt-out option.

      a few lines from http://www.techarp.com/article/LEA/Encryption_Backdoor/Computer_Forensics_for_Prosecutors_(2013)_Part_1.pdf

      Showing that in the USA, Apple can't make the claim that biometric data is 'never transmitted over the network'

    21. Re: Also it stands to reason by the_B0fh · · Score: 1

      You really have a hardon for Apple don't you? They've never claimed to be the first, hell, they bought a company that *SOLD* fingerprint readers to other companies.

      They do claim they made it the best possible for users. The sapphire cover, for example. We won't know how well it actually works until it has been out for a while. But just as we won't know how well it will or will not work, *NEITHER WOULD YOU* so to see you slamming them - just how big of a hardon do you have for Apple?

    22. Re:Also it stands to reason by ahabswhale · · Score: 1

      source?

      --
      Are agnostics skeptical of unicorns too?
    23. Re:Also it stands to reason by Xicor · · Score: 1

      they don't actually scan fingerprints, they scan the differences in electrostatic charge between the ridges on your finger. copying the oil fingerprint won't do you much good as far as breaking this scan.

    24. Re:Also it stands to reason by Anubis+IV · · Score: 4, Insightful

      Except that they've already confirmed that they're not storing your actual fingerprint. They're storing hashes of the fingerprints that they use to verify your fingerprint when you attempt to login, just the same as how a well-designed, traditional login system stores password hashes instead of the passwords themselves.

      So, for all intents and purposes, a malicious individual actually would have an easier time getting your fingerprint by lifting it from the smooth, glass surface on the front of the device than by hacking your phone and extracting it, given that it doesn't actually exist in the phone.

    25. Re:Also it stands to reason by neuroklinik · · Score: 2

      'Under the skin' is the magic dust the Apple marketing people came up with this time.

      It's the Altivec Unit of 2013.

      AltiVec is a Freescale Semiconductor trademark. Apple calls it Velocity Engine, IBM and P.A. Semi call it VMX.

      And, it's SIMD vector processing tech... hardly merely a marketing buzzword.

    26. Re:Also it stands to reason by AmiMoJo · · Score: 1

      Fujitsu has some notebooks in Asia that already have them, and Microsoft has demonstrated them as well.

      I smell a patent lawsuit brewing.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    27. Re:Also it stands to reason by AmiMoJo · · Score: 1, Interesting

      Apple is part of the PRISM programme and you can be sure as soon as the NSA heard that they bought a fingerprint scanning company they were on the phone requiring access to it. Of course, the same thing applies to pattern locks, PIN codes, passwords etc, and to all companies that are part of the programme. For example, if your iOS/Android/WP device is connected to a wifi network, they have the password.

      Even if the hash isn't reversible it's possible that there is enough information to use it to access other fingerprint scanners.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    28. Re:Also it stands to reason by Anubis+IV · · Score: 4, Interesting

      Absolutely. When this topic came up previously on Slashdot, I mentioned that even without storing or sending the fingerprint itself, they could still send fingerprint hashes to the devices and ask the devices to verify whether or not they recognize those hashes, effectively allowing them to do a dragnet for a particular set of prints. And they can do that without even storing the fingerprint. Obviously, if they were gagged and under court order, they could be creating a massive database of fingerprints.

    29. Re:Also it stands to reason by Yaztromo · · Score: 2

      I admit that it will make the job of the common thief hard, that's why I said that it's a good idea. Just don't trust unencrypted sensitive data on your phone.

      All data on every iPhone since the 3GS has been fully encrypted, so long as you have a passcode/passphrase set up.

      In the iPhone 5s presentation, it was mentioned that one of the main drivers for the fingerprint scanning technology is because in their research, a large percentage of users never bother to set up a passcode/passphrase, making all of the hardware encryption in the iPhone completely useless.

      Yaz

    30. Re:Also it stands to reason by Kielistic · · Score: 1

      Except if the point of getting the fingerprint is to tie a person to a print all you really need is the hash. How exactly do you think fingerprint databases work? (It's not like they show on CSI.)

      To continue your traditional login system example if I had a database of user,hash pairs I could query the database and say "What user uses this password".

    31. Re:Also it stands to reason by Yaztromo · · Score: 1

      But unless Apple opens up the internals of how it processes and stores the data, I don't think it will have any generic utility.

      According to the 5s release presentation, Apple claims that the fingerprint hash is stored in secure memory inside the CPU, in such a way that it isn't available for read outside the CPU itself. Applications have no access to it -- all you can do is a) write to it, and b) presumably run a CPU instruction to compare against it (whether this is tied directly to the scanner or not I have no idea). The claim as I understand it is that the data can never be read by anything anywhere other than the internal comparison circuits.

      I suppose the truth of this will be tested in the coming months by every hacker who would like to take Apple down a peg or two.

      Yaz

    32. Re:Also it stands to reason by AmiMoJo · · Score: 2

      Of course, there may also be a backdoor in iOS that makes it save and transmit the actual fingerprint on demand.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    33. Re:Also it stands to reason by Anubis+IV · · Score: 1

      Completely correct. In fact, I already brought that exact situation up in another response. I wasn't trying to suggest that it's foolproof security, merely that a malicious person wouldn't be able to pull the fingerprint from the device for use with other scanners elsewhere. Instead, they would have to settle for verifying a fingerprint they provide against the hashes stored on the device.

    34. Re:Also it stands to reason by Anubis+IV · · Score: 1

      Yup. I even acknowledged that in my last comment. ;)

    35. Re:Also it stands to reason by VortexCortex · · Score: 2

      Except that they've already confirmed that they're not storing your actual fingerprint.

      Bullshit. Haven't confirmed shit. Talk is cheap, show me the code.

    36. Re:Also it stands to reason by dmesg0 · · Score: 2

      For the last 12 years US Custom and Border services take the fingerprints of any non-American entering the USA, and share them with NSA. Now it's time to get the fingerprints of all the Americans as well.

    37. Re:Also it stands to reason by cbiltcliffe · · Score: 1

      For example, if your iOS/Android/WP device is connected to a wifi network, they have the password.

      Well, I put one over on them, then. My wireless isn't encrypted!!!!

      Figure out that password, Clapper!!!

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    38. Re:Also it stands to reason by mjwx · · Score: 2

      In the iPhone 5s presentation, it was mentioned that one of the main drivers for the fingerprint scanning technology is because in their research, a large percentage of users never bother to set up a passcode/passphrase, making all of the hardware encryption in the iPhone completely useless.

      And nothing of value was gained.

      I'll put good money on the fact that people didn't set up passcodes/phrases on their devices because they thought "I've got nothing worth stealing" or "I don't really care" or the perennial favourite "It'll never happen to me". Adding a new method of authentication won't make these attitudes automagically change.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    39. Re:Also it stands to reason by fox171171 · · Score: 1

      Except that they've already confirmed that they're not storing your actual fingerprint.

      Yes, and we also know the NSA isn't spying on anyone, and certainly not gathering any information on American citizens... blah blah blah... they told us so.

    40. Re:Also it stands to reason by sl149q · · Score: 1

      The best someone who has your phone would be able to do is : 1) jailbreak it and 2) feed hashes to the CPU to check against the internal securely stored hashes.

      That might be possible. They might find a match in some useful (less than a century) timespan. And they might actually then be able to figure out what actual fingerprint which would be useful in some other finger print match actually generated the hash.

      Might. But probably not.

      If the NSA wants your finger print they will visit the local DMV (e.g. if you live in California) or just covertly visit your apartment when you are not at home (with a warrant of course.)

    41. Re:Also it stands to reason by sl149q · · Score: 1

      The only way that this could happen would be for Apple to have a backdoor in the original scanning procedure. Send the hashes to the NSA before or at the same time as they write them into the CPU.

      The hashes cannot be (easily) recovered by any simple process (electron scanning microscope probably required) after they are written to the CPU.

    42. Re:Also it stands to reason by Trax3001BBS · · Score: 1

      Showing that in the USA, Apple can't make the claim that biometric data is 'never transmitted over the network'

      Who gives a flying phantasm about the transmission of data? In the U.S. this is a step backwards for privacy.

      Your fingerprints are something you have, not something you know. You can be compelled to produce them, and they are not considered protected 'testimonial', just like blood, urine, or DNA samples. Your 5th amendment rights, on shaky ground as it is regarding pass-phrases, will not apply to this security model.

      From the first or second "The People's Almanac" http://en.wikipedia.org/wiki/The_People's_Almanac and http://www.amazon.com/The-Peoples-Almanac-David-Wallechinsky/dp/0385040601 (November 1975 and October 1978 respectively).

      It was mentioned in Russia one can't just up and move or go somewhere. You must first get permission and be supplied with the proper papers. Showing papers at every border crossing or when asked for them. To be arrested or penalized in some manner if your papers weren't in order or being carried.

      It went on to say there's no real difference in the United States.

      At any time you can be asked for your drivers license or an ID; if you don't have one, you can be arrested for not having a proper ID. If you don't have a place to live or less than so many dollars at the time, you can also be arrested for vagrancy.

      The situation isn't new; just the ways of running afoul of the legal system have increased.

    43. Re:Also it stands to reason by Xest · · Score: 1

      I think this is probably the biggest concern. Right now you have a certain degree of anonymity on the internet. If you get hauled through the courts over something that's been posted online for political reasons you can deny you ever posted it because it's impossible to prove it was you that used a particular system even if they trace back to a specific system via cookies, IP address etc.

      If you start authenticating via biometrics like fingerprints then you'll have a lot tougher time arguing it wasn't your doing.

      Effectively as I see it the real risk here is the erosion of anonymity, there's a danger given the points you make that it will be much easier to suggest in court someone was tied to some specific thing on the internet.

      If someone is aware of corruption by some official, but doesn't have any solid proof even though they know it's true but feels it's important to whistleblow then they can do that right now and that person can attack them with libel cases and so forth but it'll be hard to tie that individual to it and win such a case. If somehow a fingerprint hash is getting tied back to that whistleblowing then you've lost all hope of getting away with it in court and being silenced by that sort of legal assault even if what you did was morally the right thing to do.

      Depending on what you do, sometimes more secure authentication and security can be detrimental to your goals. If you're a political activist highlighting real issues in the face of oppression then you're probably better off having no login on your PC and unsecured wireless because you have all the plausible deniability you need at that point.

    44. Re:Also it stands to reason by alexgieg · · Score: 1

      yeah. So what? Other security features may copy this method. And then your "tissue under the skin" will be stored on a phone, maybe stolen by apps, and used on other security systems, maybe to identify as you on an ATM.

      Not necessarily. Here in Brazil my bank uses some kind of camera-based palm scanning instead of fingerprints. This is an easy way to keep things independent: fingerprints for non-important stuff, whole hand for stuff that requires more security, maybe whole hand plus retina plus voice plus ... for very important stuff etc. Sure it all comes down to a limited set of passwords, but considering the alternative are usually 4-digit pins (reused everywhere) it's an improvement nonetheless.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    45. Re:Also it stands to reason by Quila · · Score: 1

      No, it's something AuthenTec came up with, which made that company worth $390 million to Apple.

    46. Re:Also it stands to reason by Quila · · Score: 1

      It would depend on the implementation, and I'd like to see how Apple is doing it.

      If it is on the chip in a crypto module as they say, a well designed one would only have a few functions. One would be to store (when you teach the system your print). Another would be authenticate (send fingerprint data to see if it matches anything stored). It would be pretty stupid (or required by a three-letter-agency) to include a function to read the fingerprint data. If that function isn't built into the chip hardware, it's not going to happen without some very expensive equipment.

    47. Re:Also it stands to reason by Dan541 · · Score: 1

      If you start authenticating via biometrics like fingerprints then you'll have a lot tougher time arguing it wasn't your doing.

      Effectively as I see it the real risk here is the erosion of anonymity, there's a danger given the points you make that it will be much easier to suggest in court someone was tied to some specific thing on the internet.

      Your fingerprint can be stolen just like any other password, and since it's unchangeable and you leave it behind on any glass surface you touch (hello touchscreens) you have a much better Plausible Deniability than you would with a normal password.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    48. Re:Also it stands to reason by Dan541 · · Score: 1

      This way, there is no way to recover any usable fingerprint data.

      Ummm...except reading the actual output from the scanning device.

      Personally I just cut their fingers off.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    49. Re:Also it stands to reason by Anubis+IV · · Score: 1

      The "blah blah blah" is "but we already know that this is a given, so there's really no point in stating the obvious every single time that anything related comes up". Basically, yes, of course, that could be happening, but I don't feel like adding a disclaimer about the NSA and PRISM being a threat to every single post I make about a technology company and/or security concerns. We all know it's still there and still a problem, obviously.

    50. Re:Also it stands to reason by Xest · · Score: 1

      Other comments seem to suggest this depends on the quality of the fingerprint scanner in question.

    51. Re:Also it stands to reason by Anubis+IV · · Score: 1

      Yes and no. Salting is designed to thwart the use of rainbow tables. To gloss over almost all of the details, the problem that salting is addressing is "how do you make it harder for an attacker to figure out the passwords that correspond to hashes if they've already stolen the hashes?" It's designed to limit the amount of damage that can occur after someone compromises you. By uniquely salting each password, you can force the attacker to have to create rainbow tables for each and every single account, rather than being able to use one set of rainbow tables for all of the accounts in your system.

      So, salting could indeed help prevent the creation of a massive database of fingerprints...assuming the attacker wasn't someone who owned the system like how Apple does. It wouldn't be very effective if the attacker is Apple itself under a court order from the NSA, since they could just rewrite the login system to send a copy of your print to them before the device hashed the fingerprint and stored it securely. It'd make them liars, since it's contrary to how they've explained the way that it works, but it is a possibility that we can't deny.

      The dragnet problem I described here is roughly analogous to "if you're a person who uses the same login info at every site, how do you prevent someone who has your login info from finding out if you have an account at X site?", except that instead of sites, we're talking about devices. It's a different problem, in other words, since the attacker isn't trying to create a database of everyone's fingerprints; they're just trying to find out where a fingerprint they already have is being used, presumably so that they can track that person down (e.g. a fugitive, a fingerprint at the scene of a crime, a "terrorist" they want to keep tabs on). And they're able to do all of that without ever needing access to the fingerprint hash that your device created from you, since they can just ask the device whether or not the fingerprint that they're providing it matches one it recognizes. As such, salting wouldn't be effective, since the attacker never needs the hash in the first place.
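The distinction drawn in the comment above, as an added example that is not part of any comment or of Apple's implementation: a per-device salt stops a list of stored hashes from identifying other devices, but a match query with a print already in hand is answered the same either way. `Device`, `extract_template`, `SHARED_SALT` and the scan values are hypothetical, and the exact-hash model (every scan of a finger yields identical bytes) is assumed from the comment.

```python
import hashlib
import hmac
import os

SHARED_SALT = b"same-on-every-device"   # models the weak design: no per-device salt


def extract_template(scan: bytes) -> bytes:
    """Stand-in feature extractor. Assumption: every scan of one finger yields
    the same bytes, which is the exact-hash model the comment argues within."""
    return hashlib.sha256(b"template:" + scan).digest()


class Device:
    """Hypothetical phone that keeps only a salted hash of the enrolled template."""

    def __init__(self, salt=None):
        # Default: a device-unique random salt. Pass SHARED_SALT for the weak design.
        self.salt = os.urandom(16) if salt is None else salt
        self.stored = None

    def _digest(self, template: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", template, self.salt, 10_000)

    def enroll(self, scan: bytes) -> None:
        self.stored = self._digest(extract_template(scan))

    def authenticate(self, scan: bytes) -> bool:
        if self.stored is None:
            return False
        return hmac.compare_digest(self._digest(extract_template(scan)), self.stored)


def find_by_hash_list(devices, wanted):
    """Devices whose stored value appears in a supplied list of hashes."""
    return [i for i, d in enumerate(devices) if d.stored in wanted]


def find_by_match_query(devices, scan):
    """Devices that answer yes when asked to match a print already in hand."""
    return [i for i, d in enumerate(devices) if d.authenticate(scan)]


def demo():
    alice, bob = b"constructed-scan-alice", b"constructed-scan-bob"
    results = {}
    for label, salt in (("unsalted", SHARED_SALT), ("salted", None)):
        fleet = [Device(salt), Device(salt), Device(salt)]
        fleet[0].enroll(alice)
        fleet[1].enroll(bob)
        fleet[2].enroll(alice)          # same finger on a second device
        wanted = {fleet[0].stored}      # hash list built from device 0's record
        results[label] = (find_by_hash_list(fleet, wanted),
                          find_by_match_query(fleet, alice))
    return results


if __name__ == "__main__":
    for label, (by_hash, by_query) in demo().items():
        print(f"{label:9s} hash-list lookup: {by_hash}  match query: {by_query}")
```

With the salt in place the hash-list lookup finds only the device the hash came from, while the match query still finds both devices the finger is enrolled on; what limits the second case is who is able to submit a match query, not how the template is stored.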

    52. Re:Also it stands to reason by Anubis+IV · · Score: 1

      To summarize, they don't actually hash your fingerprint (in fact, they're not even technically taking a picture of it since they're using a 500 dpi capacitive sensor for this stuff). Rather, they capture a set of unique identifiers for your fingerprint that are independent of its rotation (e.g. which one of the three primary types of patterns your print is, where the breaks occur in the lines, etc.) and then create the hash based on that stored representation. This problem has actually been a solved one for decades.

    53. Re:Also it stands to reason by greenbird · · Score: 1

      Except that they've already confirmed that they're not storing your actual fingerprint. They're storing hashes of the fingerprints that they use to verify your fingerprint when you attempt to login

      Guessing you're not a software type? Whether they store it on a form of permanent storage or not, in order to calculate the hash they HAVE TO feed in the raw data to the hash function. If the hash is of your digitized fingerprint then the digitized fingerprint data is there. You can't just magically create a hash value. While it's there it is vulnerable. The malicious software simply has to intercept the raw data before it's fed into the hash function. The most likely place to do this is to read the raw data feed from the sensor.

      --
      Who is John Galt?
    54. Re:Also it stands to reason by Anonymous Coward · · Score: 1

      Yep. All the "subdermal" crap in Apple's marketing just means that they're using a capacitive sensor to measure the difference in the conductivity of the finger's dermal layers.

      Which is EXACTLY the type of sensor that Mythbusters was able to beat with a licked printed scan on the end of a real finger.

    55. Re:Also it stands to reason by Anubis+IV · · Score: 1

      I actually am the software type. I'm a software developer (mostly C# development for desktop apps used by engineering clients, though I mostly use Apple stuff at home) and even did my grad work in computer science.

      The reason I didn't address that concern in response to you (though I actually have already addressed it in other responses, as well as outlined a few other types of attacks that are easier to implement and more likely to occur), is because I didn't see a point in mentioning it, given that the attack you described was supposed to be simpler than lifting prints off the surface of the device itself. At least for now though, the hack you've described would likely involve needing to jailbreak the device, and for that you currently need to have physical access to the device, then you'd need to return it to the target's custody and wait for them to use it after that. At that point, lifting prints really would have been significantly simpler, so I assumed, quite naturally I believe, that you were talking about the more obvious threat posed by the data stored on the device. I've seen a number of people wrongly assume that they're storing actual fingerprints and/or are backing that information up to a place where it can be accessed offline (a la the geolocation data issue from last year), which WOULD be a simpler attack than lifting prints from the device, and I assumed incorrectly that you fell into that crowd, hence why I addressed that problem.

      Anyway, yes, that is a possibility. And the possibility always exists that we could see the return of jailbreaking that doesn't involve having physical access to the device, in which case this threat would become much more pressing. Though, honestly, I'd be more worried about Apple itself implementing something like that than a random hacker doing so, since I find the former to be far more likely, as I've said elsewhere in some of these responses.

    56. Re:Also it stands to reason by david_thornley · · Score: 1

      I'm going to suggest that people didn't password-protect their iPhones because it would be a pain in the ass to continually enter said password. Fingerprint matching means that I can have my data protected and still have easy access.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    57. Re:Also it stands to reason by david_thornley · · Score: 1

      It's not possible to keep my fingerprints secure from somebody who is after me in particular, since I leave my prints all over. The question is whether having my prints on file somewhere is going to cause me problems later, and I'm not clear that it's likely to. Lots of people already have their fingerprints on file with some government agency or other, and it doesn't seem to be a major problem.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    58. Re:Also it stands to reason by mjwx · · Score: 1

      I'm going to suggest that people didn't password-protect their iPhones because it would be a pain in the ass to continually enter said password. Fingerprint matching means that I can have my data protected and still have easy access.

      I highly doubt it.

      The fact is most people don't care about security. Most wouldn't even bother locking their car if it didn't void their insurance.

      If you think that people aren't putting passwords on the phones because it's inconvenient, you seriously need to get out and talk to people.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    59. Re:Also it stands to reason by Wovel · · Score: 1

      Yeah no. It is real. Good try though.

    60. Re:Also it stands to reason by rthille · · Score: 1

      I recently went from a 4-digit PIN to a password that takes about 11 keystrokes to enter. I do notice that it's more of a pain when driving, but other than that, not so much... Now if my iPhone had NFC and I could unlock it with my Yubikey Neo, that'd be cool as I'm unlikely to lose my phone and keys at the same time, unless I also lose my pants. And if that's happened, I've got bigger problems...

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    61. Re:Also it stands to reason by rthille · · Score: 1

      Heh, I adopted a kid, so I'm already in the FBI database, all 10 fingers.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    62. Re:Also it stands to reason by smaddox · · Score: 1

      Ahh. I misunderstood the claim. They're using an oscillating field and detector array to measure the local conductivity in the near field - thereby making my complaint based on diffraction theory irrelevant.

    63. Re:Also it stands to reason by ceoyoyo · · Score: 1

      As you pointed out, unless you're trying to scan fingerprints across a room you're necessarily working in the near field.

    64. Re:Also it stands to reason by Trax3001BBS · · Score: 1

      Strangely enough, nobody seems to be calling attention to the fact that this slideshow confirms TrueCrypt has been backdoored (second slide, page 15). Is it possible to get a degree in applied mathematics without meeting the NSA's recruiting arm?

      I didn't read it as there being a backdoor for TrueCrypt -but one being available, and there is if you don't use it correctly.

      I started using TrueCrypt and back doored it myself without knowing.

      I encrypted one data partition to test it out; but if the OS partition isn't encrypted you're not hiding anything,
      especially Windows where everything you do is listed in multiple places. That's just one of many precautions.

      I found this after I dug a bit deeper into TrueCrypt (Read TFM). IMPORTANT: If you want to use TrueCrypt, you must follow the
      security requirements and security precautions listed in this chapter. http://www.truecrypt.org/docs/security-requirements-and-precautions

      The TrueCrypt FAQ http://www.truecrypt.org/faq links to Operation Satyagraha

      http://yro.slashdot.org/story/10/06/26/1825204/fbi-failed-to-break-encryption-of-hard-drives
      "the FBI has failed to decrypt files of a Brazilian banker accused of financial crimes by Brazilian law enforcement,
      after a year of attempts" "Truecrypt and the other unnamed. 256-bit AES was used"

      http://en.wikipedia.org/wiki/TrueCrypt#Operation_Satyagraha claims "They enlisted the help of the FBI, who used dictionary attacks"
      -real high tech stuff.

  2. He is not an expert... by ImdatS · · Score: 5, Insightful

    Basically, he is the guy legally overseeing German Privacy Laws in the State of Hamburg. He is not a privacy expert. The only two guys in Germany I would listen to (maybe three guys) are the Privacy Commissioner of the State of Schleswig-Holstein, the Federal Privacy Commissioner and someone from Chaos Computer Club.

    That being said, the question rather should be how the fingerprint scanner is implemented. If it generates a hash that is stored on the device and never stores the finger-print itself outside of RAM, I wouldn't have a problem with that.

    The devil usually is in the detail - and in this case in the details of implementation. I would assume that Apple generates a hash code, stores it on the device and compares only hashes and never has a finger-print picture stored on the device (which would be better in any case). One might even consider storing up to 3, 5 or 10 hashes in order to have some heuristics.

    Also, one wouldn't generate a hash of the picture but rather the relationship of certain finger-print lines in order to not rely on a picture that might be different every time. But the line-relation is not so much different. I'm not an expert in biometrics, but I believe this is the same approach for face-recognition (certain specific face-points and their relationship to each other is analyzed, a hash generated and stored and next time compared against a new hash).

    Being myself a German, I sometimes worry about German "alarmism". As Sigmund Freud said: "sometimes, a cigar is only really a cigar..."

    1. Re:He is not an expert... by ImdatS · · Score: 1

      Oh, one more thing: if I was Apple, I would also salt the hash with a device-specific (device-unique) random code in order to make sure that the Government cannot send me a list of hashes asking: "We want data from users with these hashes..." - and the device salt could be generated anew every time the device is restored...

    2. Re:He is not an expert... by Nerdfest · · Score: 1

      There are people working on 'revocable' biometrics for exactly the reason he's citing here. IBM and a few others have been working on it for some of their fingerprint, face, and iris devices. You can probably dig up some details with a few searches. It is a valid concern, although if the hashes truly do not leave the device, I'm not sure it's a concern here.

    3. Re:He is not an expert... by jonbryce · · Score: 2

      Hash values work for passwords where you enter exactly the same password every time. However, you don't enter exactly the same fingerprint every time you scan it, so the device has to decide whether it is close enough to the one you entered previously. For that, I think you would need the un-hashed fingerprint.

    4. Re:He is not an expert... by ImdatS · · Score: 4, Interesting

      This is going nuts (replying to own reply to own message):
      If I was Apple, I would generate a completely new hash every time I recognize the finger print with a completely new salt. This way, the system could get better over time as well as protect the user's privacy because the hash and the salt keep changing every time...

    5. Re:He is not an expert... by ImdatS · · Score: 1

      Couldn't it work like a smart card chip? Meaning: The chip that does the authentication is connected directly to the reader. The reader can communicate only with this specific chip. The chip itself receives the pictures, calculates the hash and stores the hash in its own non-volatile memory. The chip has only two API calls: "Train" and "Authenticate".

      With "Train", it would train on a user's finger-print and return "DONE" or "NOT SUCCESSFUL". With "Authenticate", it would only return "ACK", or "NACK". I know, I know, the company building the chip would still be able to put in back-doors, etc, but at least this way the finger-print picture or hash would never leave the chip.

      Also, best would be to open-source the chip code so that it can be verified. I know, it still doesn't GUARANTEE that the verified source is what is in the chip that is shipped but at least SOME security/privacy check would be in there..
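A sketch of the two-call chip described above, added here as an example and not taken from any comment or from Apple's design. It also shows the point raised earlier in the thread that two scans of one finger never hash identically, so the match has to be a tolerance comparison done inside the chip. `MatcherChip`, the minutiae coordinates, the tolerance and the threshold are all constructed assumptions.

```python
import hashlib
import math

# Constructed minutiae coordinates (x, y) for two different fingers.
FINGER_A = [(10 + 37 * i % 180, 15 + 53 * i % 170) for i in range(12)]
FINGER_B = [(25 + 61 * i % 170, 5 + 29 * i % 190) for i in range(12)]


def rescan(points):
    """Same finger placed slightly differently: each point moves about 1.1 units."""
    return [(x + 0.7 * (-1) ** i, y - 0.9 * (-1) ** i)
            for i, (x, y) in enumerate(points)]


def exact_hash(scan):
    """Password-style check: SHA-256 over the serialized minutiae."""
    return hashlib.sha256(repr(sorted(scan)).encode()).hexdigest()


def match_score(template, scan, tolerance=3.0):
    """Fraction of template minutiae with an unused scan point within `tolerance`."""
    unused = list(scan)
    hits = 0
    for point in template:
        best = min(unused, key=lambda p: math.dist(point, p), default=None)
        if best is not None and math.dist(point, best) <= tolerance:
            hits += 1
            unused.remove(best)     # each scan point may satisfy one minutia only
    return hits / len(template)


class MatcherChip:
    """Models the chip boundary: two calls, and neither returns template data."""

    MIN_POINTS = 8      # refuse to enroll from too little data
    THRESHOLD = 0.8     # share of minutiae that must line up

    def __init__(self):
        self.__template = None      # stays inside the chip in this model

    def train(self, scan):
        if len(scan) < self.MIN_POINTS:
            return "NOT SUCCESSFUL"
        self.__template = list(scan)
        return "DONE"

    def authenticate(self, scan):
        if self.__template is None:
            return "NACK"
        ok = match_score(self.__template, scan) >= self.THRESHOLD
        return "ACK" if ok else "NACK"


def public_calls(chip):
    """Names of the callable operations the chip object exposes."""
    return [n for n in dir(chip)
            if not n.startswith("_") and callable(getattr(chip, n))]


if __name__ == "__main__":
    chip = MatcherChip()
    print("train:", chip.train(FINGER_A))
    second = rescan(FINGER_A)
    print("hashes equal:", exact_hash(FINGER_A) == exact_hash(second))
    print("same finger:", chip.authenticate(second))
    print("other finger:", chip.authenticate(FINGER_B))
    print("interface:", public_calls(chip))
```

The chip has to keep something it can compare against with a tolerance, so what it stores is a feature template rather than a one-way password-style hash; the privacy property comes from the template never crossing the interface.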

    6. Re:He is not an expert... by Glock27 · · Score: 4, Informative

      It highlights the need for Apple to tell us exactly how the fingerprint security works, which was a part of the point of the original article.

      Apple has revealed enough detail:

      According to an unnamed spokesman at Apple, the fingerprint detector won't actually record images of your fingerprints.

      and...

      This is in line with what Apple said during the actual announcement, specifically that the information was stored "in the Secure Enclave inside the A7 chip on the iPhone 5s." The information would not be stored on Apple's servers or in the iCloud.

      From the WSJ.

      --
      Galileo: "The Earth revolves around the Sun!"
      Score: -1 100% Flamebait
    7. Re:He is not an expert... by ImdatS · · Score: 3, Interesting

      Thanks, I'd wish it wouldn't even leave the finger-print scanner chip as that might allow for even higher security. But this is probably "good enough". Now the next question would be how it gets transferred from the finger-print scanner to the "Secure Enclave inside the A7 chip". If there is a direct connection from the reader to the A7 chip, it's probably ok. If it goes through main memory, there could be possible attack vectors...

      I don't mean to say I'm a better security expert than Apple has - but, even though I'm an Apple fan/user, I don't think Apple's security track-record is as clean as one might want it...

    8. Re:He is not an expert... by lesincompetent · · Score: 1

      After James Clapper I don't trust words anymore. I want facts.

    9. Re: He is not an expert... by iamhassi · · Score: 1

      Do you have more information on Apple's security track-record? Seems to me to be much better than Microsoft or Android. As to biometrics not being safe, where has this guy been for 10 years? Biometrics is everywhere, my laptop and desktop both have biometric scanners. Passwords don't seem much better with cameras being everywhere nowadays, I remember a story of some thieves stealing debit cards by hiding a card reader and tiny camera that watched the keypad at gas stations. Nothing seems to be secure if a thief is determined enough, although I would feel more comfortable if the biometric scanners also checked for a heat signature so a simple photocopy of a fingerprint could not work.

      --
      my karma will be here long after I'm gone
    10. Re:He is not an expert... by Bing+Tsher+E · · Score: 1

      he is the guy legally overseeing German Privacy Laws in the State of Hamburg.

      That makes him an authoritative Hamburger, correct?

    11. Re:He is not an expert... by Bing+Tsher+E · · Score: 1

      "ACK" or "NACK"

      Acknowledge, or Acknowledge-Inverted? So it approves in all instances?

    12. Re:He is not an expert... by ImdatS · · Score: 1

      Either you are very young or you are just pulling my leg:
      ACK - ACKnowledge
      NACK - Not ACKnowledged (old school computer stuff, back from the 1960s-1990s)

    13. Re: He is not an expert... by ImdatS · · Score: 1

      Indeed, if I compare Apple's track record to Microsoft's, it seems a lot better. I have no idea on Android, but from anecdotal evidence (read: stuff I read on the Internet), it seems better than Android, too - but I can't judge it as I haven't done an analysis myself.

      But "better" doesn't, at least for me, mean "good". Apple could do better. I've seen too many security issues in Safari and some in OS X as well. I don't mean that there are more than Windows or Android, but sometimes Apple's reaction was not optimal. So, going from, let's say, 100 security vulnerabilities per year to 50 might sound better than going (e.g., no real numbers) from 300 (e.g. Windows) to 200, or even 150 (though in latter case, both would be 50% reduction). But Apple could do a lot more. They have been making some great strides but I wish they would do even more.

      One thing with security, where Apple has a lot to do, is transparency: sometimes I feel Apple is not being transparent enough on what they do with regards to security. But again, it might be perception bias as I'm a lot closer to Apple and might be criticizing them a lot more than Microsoft or even Android.

      TL;DR - Apple could do more just in absolute terms, and be more transparent. Comparing to Microsoft/Android, they seem "better", but not necessarily "good" - in my world only.

    14. Re:He is not an expert... by fustakrakich · · Score: 1

      I sometimes worry about German "alarmism".

      There's nothing alarmist about it. All our worst fears have been confirmed. And despite that we still have the hopelessly naive who believe the propaganda. Sniff your network. Trust no one.

      --
      “He’s not deformed, he’s just drunk!”
    15. Re:He is not an expert... by mean+pun · · Score: 1

      After James Clapper i don't trust words anymore. I want facts.

      Because facts are not words?

    16. Re:He is not an expert... by allo · · Score: 1

      Yeah. Because having multiple hashes of the same data (and multiple stolen) increases security.

    17. Re:He is not an expert... by lesincompetent · · Score: 1

      I hate slashdotters like you who try to look smart exploiting the ambiguity of natural language.

    18. Re: He is not an expert... by Trolan · · Score: 1

      Uhm, the OS doesn't crash when the rendering engine sees that. The app, if it's using the system libraries to render it, may. App-level crash, no obvious vector to leverage the issue to do anything further. It's really more in the realm of annoyance, since apps crash for plenty of other reasons too.

      Here's everything fixed up in the 10.8.5 update release last week: http://support.apple.com/kb/HT5880

    19. Re: He is not an expert... by DrEldarion · · Score: 1

      Do you have more information on Apple's security track-record? Seems to me to be much better than Microsoft or Android.

      No, this is not true. Two main notes:

      1) The only reason people hear about Android "malware" is because antivirus companies are allowed to provide antivirus software for Android. Rarely do they mention that it's people downloading pirated apps from shady third party app stores after they've disabled all the security features.

      2) All those "jailbreaks" for iPhones? Those are ALL security exploits. If they can be used to jailbreak the phone, they can be (and have been) used to completely pwn the phone.

    20. Re:He is not an expert... by Eythian · · Score: 1

      There are types of hashes where the difference between two hash values is proportional to the difference between the source material. They can be used to identify spam that is mostly-the-same-but-a-bit-different, for example.

    21. Re:He is not an expert... by MCSEBear · · Score: 3, Interesting

      There is a standard feature made available by ARM called TrustZone which enables hardware based separation of a device's OS and apps from a trusted environment, including trusted peripherals such as biometric devices or storage devices.

      It's been around for a while now and has also been adopted by AMD for their upcoming X86 chips.

      Details here:

      The security of the system is achieved by partitioning all of the SoC hardware and software resources so that they exist in one of two worlds - the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXI bus fabric ensures that Normal world components do not access Secure world resources, enabling construction of a strong perimeter boundary between the two. A design that places the sensitive resources in the Secure world, and implements robust software running on the secure processor cores, can protect assets against many possible attacks, including those which are normally difficult to secure, such as passwords entered using a keyboard or touch-screen. By separating security sensitive peripherals through hardware, a designer can limit the number of sub-systems that need to go through security evaluation and therefore save costs when submitting a device for security certification.

      http://www.arm.com/products/processors/technologies/trustzone.php?tab=Hardware+Architecture

      So yes. ARM enables Apple to physically separate the operation of the biometric device and storage of encrypted biometric information in what Apple calls "secure enclave" storage where it is not available to the OS or to apps.

    22. Re:He is not an expert... by Xest · · Score: 1

      "Being myself a German, I sometimes worry about German "alarmism"."

      Trust me, given your history I'd argue it's better to have German alarmism over issues like privacy than British complacency. Your country learnt the lessons of its past. Unfortunately we didn't learn the lessons of your past despite the impact it had on us, hence why we're becoming an ever more xenophobic insular state with an unhealthy amount of nationalism and surveillance.

      Better to have alarmism that tends towards personal freedom and liberty, than the type of alarmism we have that goes against personal freedom and liberty such as comments like "Allowing gay marriage will destroy people's existing marriages!" from the Church, a number of politicians, and even whole parties like UKIP.

      There's a reason why your country is so strong economically, and so respected politically and as frustrating as some things may seem sometimes you should be cautious not to wish away the things that make your country great.

    23. Re:He is not an expert... by Quila · · Score: 1

      You're assuming the mapping algorithm produces a 1:1 hash. Possibly the numerical map of the fingerprint (the "hash") includes some fuzziness.

    24. Re:He is not an expert... by ai4px · · Score: 1

      ....and this would work because no one would ever get in between the smart card and the phone/pc and falsely inject an ACK? Weren't the el-cheap-o encrypted USB drives vulnerable to this sort of attack? If I recall correctly they all used AES encryption, but all used the same key and the PC's glue program determined if the key could be used or not.

    25. Re:He is not an expert... by mean+pun · · Score: 1

      I hate slashdotters like you who try to look smart exploiting the ambiguity of natural language.

      I'm not playing language games here. Exactly how do you propose to distinguish between a fact and someone just saying something? At some point you will have to trust the word of somebody or something; you cannot verify everything down to its fundamentals.

    26. Re:He is not an expert... by lesincompetent · · Score: 1

      At a certain degree of 'verifiedness' something becomes a fact. It is very subjective, of course.

    27. Re:He is not an expert... by cundare · · Score: 1

      Better stick to something you have a clue about. Maybe cigars? This issue has long been a real concern re:biometric identification on inherently insecure platforms. The point of vulnerability is actually the encoded data, not an image of a fingerprint, stored or not. This is one reason why you don't see biometrics used casually in consumer applications. When implemented, a real-world biometric scanner is usually part of a system that incorporates significant physical means of isolation. Using a biometric marker in a device as ubiquitous and insecure as a cell phone is idiotic. And it doesn't take a "privacy expert" (wtf that is) to understand that.

  3. Usable Fingerprint data? by Rosyna · · Score: 4, Interesting

    Aside from the fact the government and many institutions (like Banking in the US) already have your fingerprint...

    Is there any evidence at all that the fingerprint data stored in the A7 is even usable outside of iOS? There's no reason at all to store a raw image of the fingerprint. How would you recreate the fingerprint to make it usable to someone?

    1. Re:Usable Fingerprint data? by EvanED · · Score: 1

      Aside from the fact the government and many institutions (like Banking in the US) already have your fingerprint...

      Errr... what? I've never had to give my fingerprint to my bank or the government, aside from the fact that I've handed them papers that I've touched.

    2. Re:Usable Fingerprint data? by Plumpaquatsch · · Score: 1

      Aside from the fact the government and many institutions (like Banking in the US) already have your fingerprint...

      Errr... what? I've never had to give my fingerprint to my bank or the government, aside from the fact that I've handed them papers that I've touched.

      So they have your fingerprints.

      --
      Of course news about a fake are Fake News.
    3. Re:Usable Fingerprint data? by lxs · · Score: 4, Interesting

      There is no evidence either way. Better err on the side of caution. There wasn't any evidence of iPhones logging GPS data either, until somebody found it.

    4. Re:Usable Fingerprint data? by fustakrakich · · Score: 1

      Better err on the side of caution.

      That's right. A 'privacy policy' is not worth the paper it's printed on (hell, even a constitution isn't), and at these prices, certainly not worth the ink. Trust is absent now. Always assume the worst until you can confirm otherwise.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Usable Fingerprint data? by larkost · · Score: 2

      Except there was no GPS logging ever. What they actually found was iOS caching observed WiFi and Cell tower locations that had been near where you were in order to more quickly locate you when an application you ran requested that information. Your actual location was never recorded, but since much of the data was timestamped with when it was last verified some rough guesses on where you had been on what days was possible from the information.

      So there never was "GPS logging" and the best accuracy you could have gotten from the data was that someone had probably been within 5-10 miles of a location within 3-4 days of a specific time.

    6. Re:Usable Fingerprint data? by Anubis+IV · · Score: 1

      It's becoming more common. The state of Texas requires anyone getting a driver's license to provide a thumbprint, and has for quite a few years now, for instance. I'm willing to bet they're not alone.

    7. Re:Usable Fingerprint data? by MrNiCeGUi · · Score: 1

      From the Apple press release regarding this incident:

      " iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements)."

      So, using triangulation, just using cell phone towers they can locate users with way greater precision than just 5 to 10 miles.

      Also, this data was crowdsourced. Which means that, for those users that have their GPS turned on, both the GPS location and the visible cell towers and WiFi access points were logged, in order to build said database.

      The NSA documents that Snowden made available specifically say that the NSA was using a location bug to track apple users.

      From the Spiegel article:

      "The NSA analysts are especially enthusiastic about the geolocation data stored in smartphones and many of their apps, data that enables them to determine a user's whereabouts at a given time.

      According to one presentation, it was even possible to track a person's whereabouts over extended periods of time, until Apple eliminated this "error" with version 4.3.3 of its mobile operating system and restricted the memory to seven days."

      4.3.3 was the version in which this particular bug was fixed. Highly unlikely that it was just a coincidence and the NSA were speaking of another bug entirely.

    8. Re:Usable Fingerprint data? by Xest · · Score: 1

      There's two issues:

      1) Having your fingerprint replicated to be used elsewhere against your will.

      2) Having your biometrics used to track and trace you

      You're right there's probably no threat here of 1) happening because the fingerprint itself is apparently not stored, but the danger is 2). For 2) you don't need the full fingerprint, all you need is a hash that can be calculated from it. This means that if say that hash is leaked onto the web and associated with something you post there for example, then if the government also has your fingerprint and can also hence generate the same hash they can link you with a strong degree of certainty to that thing online.

      I'm not saying the hash does, or even can be leaked but if, and that's a big if, if it can be leaked or does get leaked from the device then this allows for ever more intrusive tracking. If websites were able to access it then you'd get a whole extra degree of tracking well beyond what you see now which relies on much more flakey identifiers like cookies and IP addresses.

      That's the privacy issue.

    9. Re:Usable Fingerprint data? by gerardrj · · Score: 1

      And the iPhones weren't logging GPS data, they were caching the locations of cell towers and wifi stations in the immediate area.

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
  4. The real issue. by Karmashock · · Score: 1

    No one is going to trust these companies until they make it clear that they're standing up to the NSA and various governments around the world that want our data.

    Till then... no trust. And this stuff really just puts a spike in the eye for the whole cloud notion.

    If the centralized systems are not to be trusted then we'll just use centralized systems. Which means the walled garden is unacceptable.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:The real issue. by Bing+Tsher+E · · Score: 1

      The Cloud has been spiked for months. The thing is, organizations like Google don't make The Cloud for storage optional. They produce attractive devices with no removable storage. Then a bunch of people chime in on forums 'why would you need that?' when the lack of removable storage is mentioned as a major negative feature. Google-worship and the cult of the Nexus takes over.

  5. just FUD IMHO by kencurry · · Score: 5, Interesting

    Some recent uses of my fingerprints in which I had no real say:

    1. Passport check at CDG airport
    2. Applying for a Speedpass for CA toll roads
    3. Getting some papers notarized

    So, there are many current uses of fingerprinting in routine life that one has to comply with, and who can say how secure any of it is? But, trust Apple? This is a worthy debate and I trust my fellow slashdotters will post good comments on both sides. Me? I want better security on my phone, as I use it for purchases and banking. I think biometrics is a move in the right direction, what do you think?

    --
    sigs are for losers (except to point out that sigs are for losers)
    1. Re:just FUD IMHO by CaymanIslandCarpedie · · Score: 1

      Certainly not FUD. A valid concern even if you personally don't think it is an issue. I personally am not worried about it != FUD.

      If you want better security on your phone your best bet is to stop using a 4 digit numerical passcode or incredibly simple swipe gestures and choose a properly strong/long password. My knowledge of biometrics is limited to an enterprise system we had years ago which was horribly unreliable (often wouldn't allow the proper person access and would allow unauthorized people access on what seemed a random basis). I'm sure things have improved a lot since then, but still most studies you read on such systems don't leave you with much confidence.

      Their best use seems to be in a 2 factor authentication scheme, but certainly not a replacement for a proper strong password.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    2. Re:just FUD IMHO by alostpacket · · Score: 1

      Speedpass? Wow that seems invasive. Not sure how I feel about iPhone fingerprinting, but for a Speedpass that seems excessive.

      --
      PocketPermissions Android Permission Guide
    3. Re:just FUD IMHO by Anonymous Coward · · Score: 1

      A thought experiment: Replace 'Apple' with 'Chinese phone manufacturer' and 'NSA spying scandal' with 'Chinese spy scandal'. Would you still trust them?

      That is how foreign governments see the US and US companies.

    4. Re:just FUD IMHO by Andreas+Mayer · · Score: 2

      A thought experiment: Replace 'Apple' with 'Chinese phone manufacturer' and 'NSA spying scandal' with 'Chinese spy scandal'. Would you still trust them?

      Actually, that would worry me less, since I can't think of anything the Chinese would want to do with that information. The US on the other hand has already proven, that they think they are the world police.

    5. Re:just FUD IMHO by nightcats · · Score: 1

      agreed insofar as this is a horse that's already out of the barn. It's very often required to be printed to be employed -- I remember having to be printed when starting a gig for American Express in NYC; to get into the building we had to put a finger over a scanner. This was post-9/11 at the WFC (a block west of the WTC site); but I hear it's become fairly widespread over a decade.

      --
      Development is programmable; Discovery is not programmable. (Fuller)
    6. Re:just FUD IMHO by TrekkieGod · · Score: 1

      Some recent uses of my fingerprints in which I had no real say: 1. Passport check at CDG airport 2. Applying for a Speedpass for CA toll roads 3. Getting some papers notarized

      What the hell? I have a passport, and didn't submit any fingerprints to get it. I didn't submit my fingerprints to get an identification document such as a driver's license and California would expect me to submit them to get through toll roads?? Why the hell did you need fingerprints to get a document notarized? Usually you show up at a bank, hand them an ID, and sign the paper in front of the notary.

      So, there are many current uses of fingerprinting in routine life that one has to comply with,

      No, there are not! The only people I've ever personally met in the US who were fingerprinted were either arrested at some point or were applying for a security clearance. Routine life here doesn't and shouldn't require such a thing. I haven't heard of this nonsense in California until you mentioned it in your post.

      Me? I want better security on my phone, as I use it for purchases and banking. I think biometrics is a move in the right direction, what do you think?

      The 4-digit pin is way more secure than your fingerprint. As pointed out elsewhere in this thread, your fingerprints are all over your phone.

      --

      Warning: Opinions known to be heavily biased.

    7. Re:just FUD IMHO by timmyf2371 · · Score: 1

      What the hell? I have a passport, and didn't submit any fingerprints to get it.

      I think the point here is that you have to submit fingerprints sometimes when entering a foreign country/continent.

      Whenever I visit the US, I have to give my fingerprints and have my photo taken at the port of entry, meanwhile as a European, I can travel throughout the EU without even showing my passport. I suspect the parent was a US citizen visiting France as similar entry requirements would apply for non-Europeans at their port of entry.

      --

      Backup not found: (A)bort (R)etry (P)anic
    8. Re:just FUD IMHO by wvmarle · · Score: 1

      Steal one's fingerprints, steal their identity. That's the issue.

      Everything about a person can be changed - names, IDs such as social security numbers, etc. Lots of bureaucracy to deal with maybe, but it can be changed. Your fingerprints, not so much. They're yours until after you die.

    9. Re:just FUD IMHO by TrekkieGod · · Score: 1

      I think the point here is that you have to submit fingerprints sometimes when entering a foreign country/continent.

      Fair enough point. I completely forgot this is the case, as I have dual citizenship and generally enter the US and EU countries without submitting fingerprints. That said, when did France start copying the US nonsense? I entered France using my US passport instead of my Italian one back in 2007, and wasn't fingerprinted.

      --

      Warning: Opinions known to be heavily biased.

    10. Re:just FUD IMHO by immaterial · · Score: 1

      What the hell? I have a passport, and didn't submit any fingerprints to get it. I didn't submit my fingerprints to get an identification document such as a driver's license and California would expect me to submit them to get through toll roads??

      I don't know about toll roads, but California definitely requires you to mash your thumb on the fingerprint scanner at the DMV every time you renew your drivers license.

    11. Re:just FUD IMHO by ACorrosionOfDeviants · · Score: 1

      > Some recent uses of my fingerprints in which I
      > had no real say...

      Disneyland requires a biometric fingertip scan at the park entrances, ostensibly to deter fraudulent passes. Here's a 2008 blog post from Cory Doctorow:
      http://boingboing.net/2008/03/15/fingertip-biometrics.html.

      I was surprised to encounter this on a recent family vacation, and even more surprised to learn that it had been happening for years with no backlash from park visitors.

      Biometric scanning for a theme park? Really?

    12. Re:just FUD IMHO by TrekkieGod · · Score: 1

      I don't know about toll roads, but California definitely requires you to mash your thumb on the fingerprint scanner at the DMV every time you renew your drivers license.

      Interesting. I live in South Carolina. People here would throw a fit if somebody tried to implement that.

      --

      Warning: Opinions known to be heavily biased.

  6. Paranoia by countach · · Score: 4, Insightful

    While there are good reasons for paranoia when it comes to the NSA, I think this paranoia is over the top. Firstly, if Apple is lying, and the fingerprint information is not stuck inside the chip like they say, hackers WILL discover it. Then Apple will have bad publicity from here to eternity. So I don't think Apple would lie. Secondly the government has lots of better and easier ways to harvest fingerprints if they really want to. Thirdly, I don't think fingerprints will really do the government much good, except in crime investigations. If you're worried about that, then you've probably got bigger problems.

    1. Re:Paranoia by Anonymous Coward · · Score: 1

      So I don't think Apple would lie.

      You poor, ignorant, naive little bunny.

      You're either 11 years old, or an older fool.

    2. Re:Paranoia by zAPPzAPP · · Score: 1

      I don't see how this is paranoia.
      I wouldn't use the same password for my phone and my banking account. But the fact you can't change your fingerprints pretty much forces you to.
      Worse, you will use the same print in the future, forever.

      So how long is that password going to last, with all the regular leaks, phone-malware and whatnot? How many years?
      If any single application you gave the fingerprint to has a security hole, just one of them, then all others are immediately compromised. And there is no way you can change that, even if you knew it happened.

      And the best part is, because the 'password' is so strongly linked to your person, everyone who got it can easily figure out which other locks it might open for them, other than your phone.

      Lastly, the argument of 'the xyz could do it if they really wanted' is just a bad one and I'm sick of hearing it.
      This is still a question of economics.
      Sure there could be agents following everyone around, grabbing fingerprints from the used glasses in restaurants and so on... would only cost like a trillion dollars until we have all the data.
      Or we have them all upload their prints to their phones, which we already have backdoors into anyway, so it costs one of our IT people 10 minutes to issue the download command.
      One thing will never happen, the other is more than likely.

    3. Re:Paranoia by am+2k · · Score: 1

      Even when you're not involved in crime, somebody in the police force who doesn't like you might plant your fingerprint in a convenient place when available.

    4. Re:Paranoia by maccodemonkey · · Score: 1

      Firstly, if Apple is lying, and the fingerprint information is not stuck inside the chip like they say, hackers WILL discover it.

      This is the absurd part. People are screaming that Apple could send the fingerprint to the NSA, and we'd have no idea. I'm sorry, I didn't know I was on the "My First Computer Forum" and not Slashdot. You guys know how to use packet sniffers, right? And I'm sure a few people here can read a decompiled Mach-O/Arm binary, right?

      The idea that if Apple was sending around fingerprints they'd get away with it is really laughable. Remember the time they were storing GPS data on the phone and they got discovered real quick? That data didn't even leave the device. There are no secrets on the device or on the network. Sure, Apple may not put the source in a public place, but they put the binaries on every device, which is the next best thing.

      People are playing dumb and putting up straw men arguments on purpose. I'm not saying we should blindly trust whatever Apple says. I'm saying that it somehow being unverifiable is a false claim.

  7. Never transmitted... until the next update by Chemisor · · Score: 5, Interesting

    Android used to store your wi-fi password locally and never transmit it anywhere. Then came Gingerbread, and all your local data got helpfully "backed up" to google servers. Setting turned on by default, probably before you had a chance to learn it's there. They say they delete your stuff when you turn off the setting, but, naturally, there is no way to really know. Suddenly, google has all your wi-fi passwords, whether you like it or not. It would be naive to assume Apple would behave differently.

    1. Re:Never transmitted... until the next update by ColdWetDog · · Score: 1

      If you're that paranoid, don't use a cell phone. Madre de Dios folks, cell phones ARE NOT SECURE. They never will be.

      --
      Faster! Faster! Faster would be better!
    2. Re:Never transmitted... until the next update by KiloByte · · Score: 1

      Correction: don't use a cell phone with a proprietary OS. This means iOS and Google's and carriers' builds of Android, but not necessarily the rest.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Never transmitted... until the next update by mean+pun · · Score: 1

      Correction: don't use a cell phone with a proprietary OS. This means iOS and Google's and carriers' builds of Android, but not necessarily the rest.

      No, it means: don't use a cell phone, period. The phone radio software will be proprietary in the foreseeable future, there are plenty of opportunities to place backdoors on a cell phone no matter what OS is running on it, cell phones can be tracked no matter what OS is running on it, and even a fully open OS is so large and specialised you cannot possibly check it unless you have nothing else to do in life.

    4. Re:Never transmitted... until the next update by ceoyoyo · · Score: 1

      I'm not aware of a cell phone that has a completely open OS, including the baseband.

    5. Re:Never transmitted... until the next update by Anubis+IV · · Score: 1

      Except that even if they did transmit it, they've already confirmed that the phone doesn't store actual fingerprint images. It stores hashes of the prints taken via the capacitive sensor.

    6. Re:Never transmitted... until the next update by KiloByte · · Score: 1

      The radio part has no access to any data the phone company can't already get off the wire/air. Everything that the spooks and other criminals are interested in resides in the computer part.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Never transmitted... until the next update by mjwx · · Score: 1

      Android used to store your wi-fi password locally and never transmit it anywhere. Then came Gingerbread, and all your local data got helpfully "backed up" to google servers. Setting turned on by default, probably before you had a chance to learn it's there. They say they delete your stuff when you turn off the setting, but, naturally, there is no way to really know. Suddenly, google has all your wi-fi passwords, whether you like it or not. It would be naive to assume Apple would behave differently.

      WiFi passwords I don't really care about. Same with my Bluetooth settings.

      In fact I'm glad my WiFi password gets backed up. Saves me having to put it back in when I re-image my phone (my WiFi password is a 63 character, complex, randomly generated string). Beyond that I've got passwords for the Majestic Grande in Bangkok and a bunch of other hotels around Asia as well as Linksys (the world's largest free ISP).

      If you're storing personal or dangerous data in a WiFi password you're doing something wrong. If you're so paranoid that someone potentially knowing your WiFi password makes you nervous... Why the fuck are you even running WiFi? Don't you know that shit can be cracked?

      Backing up WiFi details is nothing compared to backing up your contacts (which has been happening since Android 1.5) which contains a shitload more personal data than your WiFi passwords should. But if you don't want any of this backed up either don't log in with your Google account or when you do, un-tick the option that asks if you want all of this backed up. If you just clicked "next, next, next" without reading anything you've only got yourself to blame.

      But I don't really care about my contacts either, I like having that synced across all my Android devices. Google are at least pretty open as to what they do with your data (yes I know it's being used to target ads at me, but that's what AdBlock is for).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  8. Your Fingerprint isn't ever stored in flash by rabtech · · Score: 5, Interesting

    If you check the design, the fingerprint image itself is never stored anywhere. The fingerprint profile is only stored on silicon in the A7 chip. There is no API to access that data, only flags to tell you that it exists (so the OS can discover there are four stored prints and their names, but nothing about the actual fingerprints themselves).

    Apple touts the fact that the fingerprint is never sent over the network as a feature but in reality it can't send it over the network even if it wants to, nor can any application access it.

    If you think Apple is lying... well... There must be some level of trust somewhere or we may as well give up. I tend to draw the line at the CPU because if that is compromised or includes back doors, we are all screwed anyway.

    --
    Natural != (nontoxic || beneficial)
    1. Re:Your Fingerprint isn't ever stored in flash by CaymanIslandCarpedie · · Score: 5, Insightful

      Apple touts the fact that the fingerprint is never sent over the network as a feature but in reality it can't send it over the network even if it wants to

      So the data exists on the phone. The phone is connected to a network. But it is physically impossible for that data to be sent over the network? Not sure how that would work.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    2. Re:Your Fingerprint isn't ever stored in flash by CaymanIslandCarpedie · · Score: 1

      To be clear, I don't think Apple sharing my fingerprint is the biggest problem here. I'd never use it simply because my finger print is already known or easily knowable by so many people/entities. My properly strong passwords are not.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    3. Re:Your Fingerprint isn't ever stored in flash by Necronomicode · · Score: 1

      I don't know the design of the fingerprint device so my comment here may not apply to this device specifically but it's still a thing worth thinking about.

      The security of the device is not that of the final destination of the data (the fingerprint data and the A7 in this case) but of the data path from the reception of the data to its final destination (and in this case I don't know what that is). You get a weakest link level of security. If any processing of the finger print data goes through a snoopable interface or storage area then your security is shot.

      You would hope that the design is such that the fingerprint device itself is attached to the A7 directly with a completely separate bus, but I wouldn't put money on it. I'd need some hardware schematics and data sheets to know for sure.

      And comments from some users like "Is there any evidence at all that the fingerprint data store in the A7 is even usable outside of iOS?". That's backwards security thinking, you want evidence and assurances that it isn't usable/accessible before you start. Otherwise, you might want to pay top dollar for my new crypto routines that I've just knocked up as there's no evidence that they're a steaming pile of junk (yet).

    4. Re:Your Fingerprint isn't ever stored in flash by Wraithlyn · · Score: 4, Interesting

      In theory, yes.

      From what I understand, the secure region of the A7 chip that the fingerprint profile is stored on has a WRITE function, and an AUTHENTICATE function. There is no READ function.

      So yeah... because it is protected like this at the hardware level, you're not getting that information out again, period (short of physically breaking into the NVRAM with some sort of forensics tech).

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
    5. Re:Your Fingerprint isn't ever stored in flash by jsepeta · · Score: 2

      Technically, Apple never stores your fingerprint. When you train the device, it recognizes signature parts of your fingerprint, such as the location of whorls etc, and then saves that not as a photograph of your finger, but as an abstract number that corresponds to where that whorl exists on your finger. So your fingerprint is never stored, just a series of numbers that represent aspects of your fingerprint. Big difference.

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
    6. Re:Your Fingerprint isn't ever stored in flash by wvmarle · · Score: 1

      I tend to draw the line at the CPU because if that is compromised or includes back doors, we are all screwed anyway.

      The CPU will have bugs, for sure. Pushed hard enough people will be able to get to do things with it they're not supposed to be able to do. Whether those bugs allow for your finger print data to be revealed, we don't know yet. But intentional backdoors certainly are not needed for that.

      And good luck changing your fingerprint after it's out in the open, and people start using it to impersonate you.

    7. Re:Your Fingerprint isn't ever stored in flash by Anonymous Coward · · Score: 1

      Trust is weakness. Usually, trust is broken sooner or later. If not now, then soon.
      It must be nice to be suspect of a crime in a country you never visited, just because fingerprints matched.

      Captcha: pruned

    8. Re:Your Fingerprint isn't ever stored in flash by quacking+duck · · Score: 1

      It would be far easier to obtain your fingerprints from systems that already have it stored as much simpler data, i.e. any number of government databases.

      1) more people/connected systems have access to it, compared to a single component on a single device
      2) since lifted prints are only surface-level images, that's all they've bothered to store in those systems

    9. Re:Your Fingerprint isn't ever stored in flash by jpatters · · Score: 1

      Oh, I don't know, maybe with a hash function, like with every other password implementation ever?

      --
      "Remember, there never were pineapple-almond cookies here."
    10. Re:Your Fingerprint isn't ever stored in flash by coolsnowmen · · Score: 1

      Let's pretend the fingerprint hash takes up 1KB of space.
      So, on the WRITE_NEW_PASSWORD function, the API sets a 0 on the multiplex line that addresses the first KB of space, and then it saves it.
      Now you need to authenticate.
      So, you write a 1 on the multiplex line, that addresses the second KB of space, and then a hardware comparator writes a 0 for == and 1 for != on the output line.

    11. Re:Your Fingerprint isn't ever stored in flash by Agent0013 · · Score: 1

      And we can believe that the NSA didn't backdoor the A7 chip. You are aware of all the encryption hardware that has come out as being backdoor'd by the NSA, right?

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    12. Re:Your Fingerprint isn't ever stored in flash by Wraithlyn · · Score: 1

      That's why I started my post with "In theory".

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
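
The WRITE/AUTHENTICATE-only store discussed in the sub-thread above (no READ, slot names visible, a one-bit comparator output), modelled as an added example that is not part of any poster's comment and is not Apple's design. The feature-number tuples, the tolerances, the failure limit and the `make_store` interface are assumptions; the idle fallback to the passcode follows a comment elsewhere in the thread, with an assumed period.

```python
import hmac

# All limits below are assumptions chosen for the model, not values from the thread.
MAX_SLOTS = 4            # enrolled prints the store will hold
FEATURE_TOLERANCE = 1    # per-feature difference still treated as equal
MAX_MISMATCHED = 1       # features allowed to differ in a "substantially the same" scan
MAX_FAILURES = 5         # consecutive rejections before the passcode is demanded
IDLE_LIMIT = 48 * 3600   # seconds without an unlock before the passcode is demanded


def make_store(passcode: bytes, now: float = 0.0):
    """Build a store whose only operations are enroll, names, authenticate, unlock.

    Templates live in this closure and no returned function hands them back.
    Python cannot enforce that the way silicon can; the point is the interface.
    """
    templates = {}  # slot name -> tuple of feature numbers
    state = {"failures": 0, "last_unlock": now, "passcode_required": False}

    def _substantially_same(stored, sample):
        if len(stored) != len(sample):
            return False
        mismatched = sum(1 for a, b in zip(stored, sample)
                         if abs(a - b) > FEATURE_TOLERANCE)
        return mismatched <= MAX_MISMATCHED

    def enroll(name, template, supplied_passcode):
        """WRITE: store or overwrite a slot. Requires the passcode."""
        if not hmac.compare_digest(supplied_passcode, passcode):
            return False
        if name not in templates and len(templates) >= MAX_SLOTS:
            return False
        templates[name] = tuple(template)
        return True

    def names():
        """Metadata only: which slots exist, nothing about their contents."""
        return sorted(templates)

    def authenticate(sample, now):
        """AUTHENTICATE: one bit out. Never reveals which slot or how close."""
        if now - state["last_unlock"] > IDLE_LIMIT:
            state["passcode_required"] = True
        if state["passcode_required"]:
            return False
        matched = False
        for stored in templates.values():  # check every slot, no early exit
            matched = _substantially_same(stored, tuple(sample)) or matched
        if matched:
            state["failures"] = 0
            state["last_unlock"] = now
            return True
        state["failures"] += 1
        if state["failures"] >= MAX_FAILURES:
            # A yes/no oracle with unlimited tries can be probed; cap the tries.
            state["passcode_required"] = True
        return False

    def unlock_with_passcode(supplied_passcode, now):
        """Passcode fallback: clears the lockout and restarts the idle timer."""
        if not hmac.compare_digest(supplied_passcode, passcode):
            return False
        state.update(failures=0, last_unlock=now, passcode_required=False)
        return True

    return {"enroll": enroll, "names": names, "authenticate": authenticate,
            "unlock_with_passcode": unlock_with_passcode}


# Constructed sample data: feature numbers standing in for a template.
ENROLLED = (12, 40, 7, 33, 91, 5)
NOISY_RESCAN = (12, 41, 7, 33, 90, 9)    # same finger, sensor noise
OTHER_FINGER = (50, 2, 60, 9, 14, 77)


def demo():
    store = make_store(b"2580", now=0)
    store["enroll"]("right thumb", ENROLLED, b"2580")
    results = [store["authenticate"](NOISY_RESCAN, now=10)]
    results += [store["authenticate"](OTHER_FINGER, now=20 + i)
                for i in range(MAX_FAILURES)]
    results.append(store["authenticate"](ENROLLED, now=30))  # locked out
    return results


if __name__ == "__main__":
    print(demo())
```
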
  9. Re:Disney... by ImdatS · · Score: 1

    Oh, now I understand why everybody in Duckburg uses gloves (Mickey Mouse, Donald Duck, etc...)

  10. Elementary error by Beryllium+Sphere(tm) · · Score: 1

    Biometric data does not have to be secret.

    Your photograph on your driver's license is a biometric in effect. It works even if you don't keep your face a secret. It works because if someone holds a copy of your face up to a traffic officer, the traffic officer won't be fooled.

    Password security is all about secrecy because anyone can use a password. The only way for it to be secure is if nobody else knows it. Biometric security is about having an adequately intelligent verification system which reacts like the traffic cop would if someone brings in a duplicate, a hostage, or a severed body part. Doing that right is Not Cheap, which is the real objection to biometrics when security counts.

  11. Who will be first by lars_boegild_thomsen · · Score: 3, Interesting

    Back in 2005 some car thieves in Malaysia tried to steal a Merc S Class with some kind of biometric immobilizer. When they realized they couldn't get the darn thing running without a finger print, they merely chopped the owner's finger off with a machete (I swear it's true: BBC Article).

    I wonder who will be the first to lose an iPhone along with a finger.

    1. Re:Who will be first by Anonymous Coward · · Score: 2, Insightful

      Appropriate : http://xkcd.com/538/

      However : there is a vital difference : a Merc S class costs 100k and there is no reset button. An iPhone 700 bucks.
      Chopping off a finger for 700 bucks isn't worth it. Just restore it with iTunes. Much easier. :-)

      In other words : no. It won't happen. It's just FUD. Fear mongering.

    2. Re:Who will be first by wvmarle · · Score: 2

      So rude! They could have politely asked the owner to start the vehicle for them - and change the registered fingerprint(s) in the process.

    3. Re:Who will be first by Anubis+IV · · Score: 1

      Apple has quietly mentioned to the press the fact that because they're relying on a capacitive sensor that reads what's underneath the top layer of skin, it wouldn't work on a dismembered finger. Someone else can doubtless explain the science behind it, but if a thief is savvy enough to know that they need your fingerprint to work your phone, there's at least a good chance that they'll also know it won't work with a dead finger.

    4. Re:Who will be first by c · · Score: 1

      Back in 2005 some car thieves in Malaysia tried to steal a Merc S Class with some kind of biometric immobilizer. When they realized they couldn't get the darn thing running without a finger print, they merely chopped the owner's finger off with a machete (I swear it's true: BBC Article).

      What makes this sort of thing particularly nasty is that it doesn't have to actually work. The bad guys just have to think it might work, and goodbye finger. Or fingers, since they wouldn't necessarily know which finger was magic. Or eyes, if they get confused about what "Retina Display" is all about.

      --
      Log in or piss off.
    5. Re:Who will be first by maccodemonkey · · Score: 1

      Back in 2005 some car thieves in Malaysia tried to steal a Merc S Class with some kind of biometric immobilizer. When they realized they couldn't get the darn thing running without a finger print, they merely chopped the owner's finger off with a machete (I swear it's true: BBC Article).

      I wonder who will be the first to lose an iPhone along with a finger.

      If the phone goes long enough without being unlocked it reverts back to a passcode. So a chopped off finger won't get you in. Neither will law enforcement forcing you to touch the home button.

      I'm also pretty sure the type of sensor in the 5S won't work with a "dead" finger anyway.

  12. fingerprint useless as a secret. by gl4ss · · Score: 1

    My own government/EU has it on file.
    and the USA government has it on file already too, since when I visited they took it.

    so uh, what the fuck, it's not very useful. it's not that useful even for tracking me. opening a phone with it is just for ease of use. in fact, I would argue that something like opening the phone with it is the only fucking thing it's good for as an authentication as it gets around the problem of inputting a pin in public 100 times a day...

    but you wouldn't want your banking for example just behind it. that would be stupid, especially if you might pass out somewhere..

    --
    world was created 5 seconds before this post as it is.
  13. Try this next time. by Anonymous Coward · · Score: 1

    Instead of rushing to get your comment out there as quickly as possible, take a few minutes to think about what you want to say. I'm not suggesting that you need to spend an hour on it. Just take 5 or 6 minutes, think through what you want to say, and then write it out in a single comment. Then you can submit that single comment, without replying to yourself again and again and again.

    1. Re:Try this next time. by ImdatS · · Score: 1

      Thanks, I was actually in a different forum on a different website. Unfortunately, the discussion there was quite unfocused and what happened was that the first posting I did here was the result of my thoughts there ... and, as you suggest, I thought a little bit more about it, I came to other insights. Being an author, it is sometimes weird to notice that my ideas are generated while I'm writing and not always while I'm thinking. In a book, it's no problem: I can just re-edit. Here, on slashdot, as there is no EDIT possibility, I can't do that. But the additional insights were, IMHO, interesting enough (I thought) to write down here.

      I know it is really more than stupid to respond to yourself and I will definitely follow your suggestion to take more time before posting next time.

      Thanks again - especially as your tone was really quite nice and positive, so it helps to think about your recommendation...

    2. Re:Try this next time. by Anonymous Coward · · Score: 1

      You're welcome, son. Your humbleness is a testament to your honest nature.

      Just keep in mind that Slashdot is a harsh place. When you're commenting here, you need to be on the top of your game. This isn't the schoolyard where children play baseball and tag; this is where real men battle it out to the digital death over topics that are extremely critical to all of humanity. If you don't have your arguments in order before you comment, then you'll very likely get trampled, and it will be excruciatingly painful.

      You've learned a valuable lesson here today. I know you'll be better prepared in the future. You're a good kid, and you've got a lot going for you. I look forward to reading your future comments.

    3. Re:Try this next time. by brantondaveperson · · Score: 1

      this is where real men battle it out to the digital death over topics that are extremely critical to all of humanity.

      Hilarious.

  14. Re: Disney... by Anonymous Coward · · Score: 1

    They use capillary scanners and not finger print readers, at least. You don't leave your capillary patterns everywhere you touch, like with your prints, and it works better with wet dirty fingers and shallow ridged finger prints.

  15. Implied innovation by Plumpaquatsch · · Score: 1

    Apple has found a way that an iPhone can tell whether somebody will intercept communications and will not send anything incriminating like a fingerprint

    And since the NSA will intercept any communications, the fingerprint will never be sent. Crisis averted.

    --
    Of course news about a fake are Fake News.
  16. Bollocks by kanweg · · Score: 1

    The US government has my fingerprints because in my country we're obliged to give such biometric data when we get a passport.
    As the first poster said: You leave your fingerprints everywhere.
    On the iPhone, the fingerprint is analysed (in the case of Apple, in quite a sophisticated way), the algorithm resulting in some string. This string is only meaningful to the phone. In the next scan, the question is whether the string is substantially the same or not. The string itself does not convey information as it is useless without the algorithm.
    IF there is an algorithm that can work the opposite way to generate the fingerprint, then what? BTW, I doubt that this is possible because Apple uses interrupts in lines (where pores are) and while a particular interrupt in a line of my fingerprint is a datapoint, it doesn't say anything about the direction in which the line runs.

    If you have my string, and you manage to put it on your iPhone, then you've managed to make your iPhone suitable for use by me. Now that is a great hack! Thanks!

    Bert

  17. Finger prints everywhere by Annorax · · Score: 1

    This guy makes one huge mistake in his reasoning. He assumes that we aren't constantly littering the world with our finger prints for anyone to retrieve. Dude. Finger prints are as easily obtained as taking out the garbage.

    Finger prints are not something that we need to protect from being proliferated, because we proliferate them ALL THE TIME.

    Idiocy.

  18. Legal Ramifications by webdog314 · · Score: 1

    More important to me are my legal protections from the authorities if they wish to use my fingerprint to unlock my phone. I don't have to give them my pin code to unlock my device (at least in most states in the U.S.) but my fingerprints are on almost anything I touch. Would it be legal for the police to hand me a glass of water, take prints from the glass, and then use those prints to unlock my phone without my consent?

  19. Fingerprints for a Speedpass? Seriously? by sjbe · · Score: 1

    Some recent uses of my fingerprints in which I had no real say:

    1. Passport check at CDG airport
    2. Applying for a Speedpass for CA toll roads
    3. Getting some papers notarized

    You have quite a lot of say over all those things.
    1) There is nothing forcing you to travel to Paris or if there is something actually that important forcing you to travel there, it is probably more important than your fingerprints. (like something relating to your family's well being etc)
    2) You don't have to have a Speedpass and I certainly wouldn't give anyone my fingerprints to save a few bucks on toll roads.
    3) I happen to be a Notary Public and there is no requirement whatsoever that you give a fingerprint to have a document notarized in most jurisdictions. (It is required for certain property transactions in some places like California) There certainly is no requirement in the state I live in so if you don't want to give up the fingerprint you do have the option of moving.

  20. More than one kind of fingerprint reader by danaris · · Score: 2

    That your fingerprints are all over your phones.

    I believe mythbusters showed how trivial it was to bypass fingerprint protections by making your own "finger" from said prints? (This time on an electronic door lock).

    Except that various people have already been investigating the fingerprint reading technology Apple is using, and they seem to think that it's really not that easy, because they're using a more robust technique than the classic scan-the-surface-optically method.

    Dan Aris

    --
    Fun. Free. Online. RPG. BattleMaster.
  21. Simply Wrong by Bill+Dimm · · Score: 1

    The recent disclosure of spying programs like Prism makes it riskier than ever before to share important personal data with electronic devices.

    This may seem like nitpicking, but it is not the disclosure of spying programs that makes it risky, it is the existence of spying programs that makes it risky. Disclosure just highlights the risk that was already there. If anything, disclosure makes it less risky because people are less likely to pull such shit when users are more aware of the possibility (i.e. more likely to notice).

  22. Biometric data does require privacy by sjbe · · Score: 1

    Biometric data does not have to be secret.

    For some uses it does need to be secret or at least reasonably private. For others it does not. Part of what makes my fingerprint a reasonably secure means of identifying me is that very few people have access to it. It is NOT hard to copy fingerprint data and use it for purposes which the owner of that fingerprint does not approve.

    It works because if someone holds a copy of your face up to a traffic officer, the traffic officer won't be fooled.

    Unless the name used to match with that photo is not your name. People make fake IDs all the time. Furthermore it is quite possible for someone to use biometric data of yours for identity theft. You could even be framed for some crime using such data. My Social Security Number technically is publicly available but only a fool would believe that distributing it more widely than absolutely necessary would be a good idea. While you are correct that the secrecy requirements for biometric data are not the same as those for passwords it does not follow that there is no need for privacy for biometric data.

  23. "cannot be changed" by spiderwebby · · Score: 1

    Tell that to the biometric clocking machines I used to have to use. They work brilliantly until you get dirt on your finger, or water (having just scrubbed said dirt off) or cuts. Then there was that belt sander incident...

  24. True with caveats by pev · · Score: 1

    So Apple say that they won't transmit the biometric ID. That they can control. However, I'd bet that within months if not weeks someone will find a way to abuse and hijack this on jailbroken devices. The same protection doesn't apply to them...

    Also eventually I'm sure the normal iPhone will be abused too. Look at the debacle over the ease of extracting the user's location history from iPhones...

    1. Re:True with caveats by mysidia · · Score: 2

      So Apple say that they won't transmit the biometric ID. That they can control.

      It doesn't matter so much if they do transmit the biometric ID; it could be useful, to "authorize someone else to use your iPhone" in advance --- or authorize someone to use a feature; such as the fingerprint-based ability to unlock your front door's biometric lock, by just picking an option on their ID in your contact list.

      A biometric ID doesn't capture your fingerprint; the bio ID is specific to a kind of fingerprint reader, and it's more like a hash than a password.

      For example: there is a chance that 300 or 400 people in the world may have the exact same or very similar biometric ID key, but totally different fingerprints.

      That's because all the bits of data the fingerprint reader manufacturer has selected to authenticate a fingerprint have to be boiled down into a very short string of numeric values forming an ID key.

      It's not like the reader will be storing a high-resolution capture of your fingerprint, that could be used to manufacture fake fingerprints -- or be capable of being used with other readers.

  25. FP readers don't capture your fingerprints by mysidia · · Score: 4, Informative

    They capture metrics based on your fingerprints

    These are not cameras, that take an optical image; or collect data that can be used to reproduce your fingerprints.

    The readers provide only enough data to authenticate the ridge pattern, by taking some simplified metrics that represent your pattern with a relatively high fraction of uniqueness.

    See the citeworld article for more information about the iPhone's reader; apparently, this reader will be harder to trick than most laptop readers from Authentec have been in the past.

    If they were worthwhile; then this seems worthwhile.

    It's certainly a better idea to have fingerprint + 4-digit passphrase than a 4-digit passphrase.

    Long passphrases are inconvenient; more convenient security means the bar is raised: people's risk will go down.

    Also, since the reader requires live skin, it cannot be faked easily ---- it may reduce thefts of these devices by pickpockets and the like.
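
The comments above describe the stored biometric ID as a short, hash-like key that is checked for being "substantially the same" rather than identical, with some unrelated people ending up with the same or a very similar key. As an added example (not from the thread, and not Apple's or any vendor's algorithm), this toy Python model treats a template as a bit string matched by Hamming distance and shows how template length and match tolerance set the number of unrelated people who would also be accepted; the 32-bit length, the thresholds and the population figure are assumptions chosen for illustration.

```python
import math
import random


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def matches(stored: int, probe: int, threshold: int) -> bool:
    """Accept the probe if it is 'substantially the same' as the stored template."""
    return hamming(stored, probe) <= threshold


def noisy_rescan(template: int, bits: int, flips: int, rng: random.Random) -> int:
    """Simulate a later scan of the same finger: exactly `flips` distinct bits differ."""
    for pos in rng.sample(range(bits), flips):
        template ^= 1 << pos
    return template


def false_accept_probability(bits: int, threshold: int) -> float:
    """Chance that an unrelated template is accepted.

    Assumes (toy model) that unrelated templates are uniformly random bit
    strings, so the accepted set is every string within `threshold` bit flips.
    """
    accepted = sum(math.comb(bits, k) for k in range(threshold + 1))
    return accepted / 2 ** bits


def expected_lookalikes(population: int, bits: int, threshold: int) -> float:
    """Expected number of people in `population` whose template would match."""
    return population * false_accept_probability(bits, threshold)


if __name__ == "__main__":
    BITS = 32                      # assumed template length (constructed)
    POPULATION = 7_000_000_000     # assumed world population (constructed)
    rng = random.Random(2013)

    enrolled = rng.getrandbits(BITS)                 # constructed sample template
    rescan = noisy_rescan(enrolled, BITS, 2, rng)    # same finger, 2 noisy bits
    stranger = enrolled ^ (2 ** BITS - 1)            # every bit differs

    print("threshold  owner_rescan  stranger  expected_lookalikes")
    for threshold in (0, 2, 4):
        print(
            f"{threshold:9d}  "
            f"{str(matches(enrolled, rescan, threshold)):>12}  "
            f"{str(matches(enrolled, stranger, threshold)):>8}  "
            f"{expected_lookalikes(POPULATION, BITS, threshold):19.1f}"
        )
    # An exact-match rule (threshold 0) rejects the owner's own noisy rescan;
    # loosening it to tolerate sensor noise multiplies the number of unrelated
    # people who are accepted. A longer template shrinks that number again.
```

The trade-off is the point: the tolerance that lets the owner's noisy rescans through is the same one that lets lookalikes in, which is why a short template cannot serve as a strong secret on its own.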

  26. Two touchscreen phones by Cyfun · · Score: 1

    This could be easily foiled if you had two touchscreen phones. Just hold the iPhone 5s's fingerprint scanner up to the other's touchscreen, which will no doubt be covered in smudgy fingerprints, and be warm enough to simulate body temperature if need be.

    --
    In Soviet Russia, dot slashes YOU!
    1. Re:Two touchscreen phones by wonkey_monkey · · Score: 1

      Just in case you're serious (you can never tell) - no, you couldn't do that.

      --
      systemd is Roko's Basilisk.
  27. Forgery with gelatin remains as problem by Antique+Geekmeister · · Score: 1

    Fingerprint forgery is now a well established technology, with numerous articles such as http://www.stdot.com/pub/ffs_article_asten_akaseva.pdf explaining the basic technology. That publication is 10 years old, and I've seen no evidence of any real improvement in the scanners themselves since then.

    Commonplace scanning with the inevitable consumer applications storing it locally, and badly, will unfortunately contribute to the forgery problem by making the replicable fingerprints even more available to thieves and fraudsters. That sidesteps the "digital hash" storage problems, but takes more work to get complete fingerprint scans, such as those stored by the police or military databases for reference matching.

    1. Re:Forgery with gelatin remains as problem by bensyverson · · Score: 1

      Gelatin won't work—the technology in the Touch ID sensor requires a live finger.

    2. Re:Forgery with gelatin remains as problem by Antique+Geekmeister · · Score: 1

      According to the original paper at http://cryptome.org/gummy.htm, the gelatin fakes worked quite well as a thin layer over a live finger to defeat the thermal sensors or capacitive sensors designed to detect live fingers. So it's better than older phone apps which did not try to detect "live fingers", but it's vulnerable to precisely the same technology that beat the world's best fingerprint sensors better than 80% of the time, using photocopies of police fingerprint records laid on gelatin, in 2002.

  28. Keep to yourself by markdavis · · Score: 1

    >"Handing over a non-changeable biometric feature like a fingerprint for no better reason than that it provides 'some convenience' in everyday use, is ill advised and foolish. One must always be extremely cautious where and for what reasons one hands over biometric features.'"

    This is much more important for biometric features that are "left behind" or can be remotely monitored. Those include:

    * Fingerprints
    * DNA
    * Facial recognition
    * Voice recognition

    Other biometrics are far safer for the owner because they [theoretically] can't be collected or used to track the owner without knowledge and consent each time:

    * Retinal scan
    * Vein pattern

    For example, without my permission, my fingerprints can be collected. Without my permission my latent prints can be analyzed and used for searches. And because they (and DNA) are left all over the place, it is far easier for someone to make copies, too- then use those for tracking, breaking into things, or framing the owner for a crime.

  29. subdermal imaging by goombah99 · · Score: 4, Insightful

    I don't have special knowledge about how the Apple print scanner works but what I've read makes me believe it uses infrared sub dermal imaging. That is, it sees below the surface. If so it's seeing more than just your finger surface print. That should make it harder to forge from lifted surface prints. It also will mean that it will work for people who have worn their finger prints off (apparently some types of labor do this--they grow back)

    Moreover I would say this so called "expert" has it backwards. If your fingerprints really are a one-shot biometric that can't be unspoiled then we want to use them for casual things not critical things.

    This finger print scanner is not eliminating passwords, it's just a second factor. It's a great idea used well.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  30. How about a DNA sensor by spitting at the phone? by JoeyRox · · Score: 4, Funny

    I predict a day in the not-too-distant future where lazy consumers will tire of having to touch their devices to unlock them and will demand a DNA sensor that lets you unlock phones by spitting at them. I wouldn't want to be sitting in the front row of that Apple media event.

  31. stop driving cars by jsepeta · · Score: 1

    one should stop driving cars because most people are unable to independently explain how the internal combustion engine works.

    me, i pour gas into the gas tank, and the thing just fucking works. it's a goddamned miracle i tell you!

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
  32. Biometric Features are Constant by ZeldorBlat · · Score: 1

    Biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed.

    Perhaps, but the passwords of your average user stay with them until the end of their life and are constant -- so what's the difference?

  33. I got finger printed in 2nd grade by millertym · · Score: 1

    Is there anyone in the USA that doesn't have their fingerprints already stored in some FBI controlled database? It's nearly universal as far as I can tell to have children's finger prints taken officially at school "to protect against kidnapping" type mentality. It has been happening at least since the early 80s when I was that age and was prodded into sticking my small child fingers into the ink and rolled onto an official paper - with a spot for each finger.

  34. Border control by dindi · · Score: 1

    Does that appear to you, that every time you enter *certain* countries they ask for your full fingerprint? Then as we know they swap this data with other governments for no good reason.

    You cannot use your fingerprint for anything.... it is almost like tattooing a QR code on your forehead and using that for authentication purposes...
    OK, maybe not that bad, but pretty close. Did I just watch too much Mission Impossible and think that they can take my fingerprint, then 3D print it to a condom and use it to unlock my whatever they want to unlock?

  35. Re:As a german myself. by gnupun · · Score: 1

    Apologize for what? Everything they say is true. Fingerprint systems should not be used by casual consumers. It's only when the general public discovers illegal use of these fingerprints will they do something about it. By then, it will be too late.

    They may not be storing the passwords in a database today, but if a certain terrible incident were to happen, and thereafter it would be legal to store fingerprints, all it would require would be an update to iOS to now store fingerprints. I don't think commercial companies should have access to fingerprints.

  36. The biggest problem by dnaumov · · Score: 1

    Is that you can't KNOW for sure what actually happens. Essentially, vendors that utilize closed-source firmware/software (basically almost everyone), like Apple, are asking their users to "just trust us that we aren't doing anything really stupid or malicious". After all the Snowden revelations, I find it pretty hard to trust ANYBODY with ANYTHING. Reassurances are not good enough, I want actual tangible PROOF.

    1. Re:The biggest problem by the_B0fh · · Score: 1

      then don't use it. it's not mandatory you know

  37. This is very entertaining by roc97007 · · Score: 1

    Taking the 10,000 foot view for a moment, Apple has, sadly, lost their leadership, and appears to be starting to make the same kind of mistakes that a leaderless Microsoft has been making for some time. The backlash has been very entertaining. I may make popcorn.

    I guess the real question becomes, what company is positioned to take advantage when the big two falter? (And has the intelligence to capitalize on it?)

    No, don't say Linux on the Desktop. Just don't.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:This is very entertaining by iggymanz · · Score: 1

      Android adoption is growing, that's Linux in a pocket or on a desktop. Deal with it.

    2. Re:This is very entertaining by iggymanz · · Score: 1

      From a financial point of view, what mistakes has Microsoft made? They have growth, and projected growth even with a stagnant PC market outlook.

    3. Re:This is very entertaining by roc97007 · · Score: 1

      Android adoption is growing, that's Linux in a pocket or on a desktop. Deal with it.

      Well, sort-of. Android is Linux in much the same way that OSX is BSD. (Neither of which are bad things.) And although I've heard rumors of Desktop Android, I've not seen a lot of adoption yet.

      Don't get me wrong, I like Android. I think it's a very well thought out OS for touch devices. Wife, daughter and I all carry Android phones. Daughter wants a Samsung Note tablet. We own an ASUS convertible (currently running Win8) that might actually be usable with Android.

      I'm just not convinced Android is appropriate on the desktop. In general, I'm not certain at all that there can be a paradigm that works effectively both on desktop and tablet. Microsoft certainly succeeded in proving that their vision doesn't work well in either environment.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  38. Mythbusters busted, by westlake · · Score: 1

    I believe mythbusters showed how trivial it was to bypass fingerprint protections by making your own "finger" from said prints?

    It is not an image scanner, it is an RF scanner.

    With the new sensors you don't have to move your finger, just press it against the reader. And like the sensor in the iPhone 5S, the sensors that will be in laptops and keyboards and other phones can detect the ridge and valley pattern of your fingerprint not from the layer of dead skin on the outside of your finger (which a fake finger can easily replicate), but from the living layer of skin under the surface of your finger, using an RF signal. That only works on a live finger; not one that's been severed from your body.

    This will protect you from thieves trying to chop off your finger when they mug you for your phone (assuming they're tech-literate thieves, of course), as well as from people with fake fingers using the fingerprint they lifted from your phone screen.

    Why the iPhone's fingerprint sensor is better than the ones on older laptops

    1. Re:Mythbusters busted, by MisterMidi · · Score: 1

      If thieves have access to your finger, they don't even need to chop it off, they just have to press it against your iPhone to unlock it and then register their own fingerprint. So no, it will not protect you from thieves, it will just let you keep your fingers.

    2. Re:Mythbusters busted, by MrKaos · · Score: 2

      If thieves have access to your finger, they don't even need to chop it off, they just have to press it against your iPhone to unlock it and then register their own fingerprint. So no, it will not protect you from thieves, it will just let you keep your fingers.

      I'm sure anyone who is prepared to steal a phone is educated enough to know this.

      --
      My ism, it's full of beliefs.
    3. Re:Mythbusters busted, by bmo · · Score: 1

      And further down in the article you cited:

      but as Validity CTO Sebastian Taveau points out, that's like saying your ATM PIN doesn't protect you from thieves at the ATM threatening to break your kneecaps with a crowbar if you don't withdraw money and hand it over. "How many people do you see limping away from cashpoints?" he asks.

      Too many.

      http://www.bostonglobe.com/metro/2013/07/24/southie/T3pRIehmw8M271WbFDEThI/story.html

      During the last moments of her life, Amy E. Lord was led on a terrifying journey, from the South Boston street where the 24-year-old was kidnapped to a series of ATMs where she was forced to withdraw money, to Stony Brook Reservation where her brutally stabbed body was discovered by a passing cyclist early Tuesday morning.

      --
      BMO

    4. Re:Mythbusters busted, by mark-t · · Score: 1

      FWIW, that sort of situation is precisely why I would *NOT* give any would-be robbers access to my banking information.... they can just up and murder you anyways, so why would I want to give my potential would-be killers any money?

      People who are willing to rob you are almost certainly no less likely to also be willing to lie to you about not hurting you if you cooperate.

    5. Re:Mythbusters busted, by MrKaos · · Score: 1

      Nope. So they'll end up cutting off your finger, and still not being able to get into your phone.

      But you'll still be missing a finger.

      Thank you for explaining that, Captain Obvious.

      --
      My ism, it's full of beliefs.
  39. Why Fear? by Ed+The+Meek · · Score: 1

    The Feds already have my prints. I gave them up voluntarily. The Feds have my SSN. What could Apple or any other company do with my prints that could hurt me? What's next? Wear rubber gloves to WalMart?

  40. What could go wrong? by MarkvW · · Score: 1

    Give Apple, Inc. and the commercial world a database of all our fingerprints!

    What could go wrong?

  41. was Ned Ludd German? by peter303 · · Score: 1

    You'd think the Luddites originated on the continent instead of England from the anti-technology whines of some Europeans.

  42. lenovo by ncohafmuta · · Score: 1

    Lenovo has been doing fingerprint auth for years on their laptops.
    News outlets are making it sound like this is some new-fangled tech.
    Yes, I know in light of recent NSA developments.. but I still feel this is a non-story.

  43. Re:Disney... by fazig · · Score: 1

    Actually, most of the Disney 'Birds' have no use for gloves at all, and pants.

  44. common sense? by zyzzyxx · · Score: 1

    Any sensible security person will not rely on just finger print (alone) for security purposes. Especially, after the Snowden leak!

  45. NSA already has his fingerprints by farenka · · Score: 1

    He's European and if he's a security expert probably he already travelled to the United States for a convention or something like that. Well every time we (Europeans) travel to the US they take a picture of us and all our fingerprints at the border... so where's the point in the Apple Touch ID?

  46. Re:Fingerprints for a Speedpass? Seriously? by Carewolf · · Score: 1

    Traveling to Paris is not what requires a finger-print. The only country that requires finger-prints is the US, as long as you stay out of the US you do not need fingerprints for traveling.

  47. More fingerprints in the Real World... by mpaque · · Score: 1

    Just yesterday, I picked up a water glass in a restaurant. I also used the silverware.

    5 bucks to a busboy, and someone could have gotten a pretty clear set of my prints. Oops.

    Worried about someone getting YOUR fingerprints? Wear gloves everywhere. Bring along a handkerchief to wipe everything down if you momentarily have the gloves off.

    Low tech doesn't mean no tech.

  48. Re:How about a DNA sensor by spitting at the phone by Fear+the+Clam · · Score: 1

    I predict a day in the not-too-distant future where lazy consumers will tire of having to touch their devices to unlock them and will demand a DNA sensor that lets you unlock phones by spitting at them.

    Even better, a DNA analyzer that requires a semen sample. Just to make things more secure, an image of the owner's choice will be displayed on the access screen to "inspire" them to produce the sample. If it's not your cup of tea, then it will just be an extra security feature, making things more difficult to produce a sample.

  49. Only bad when Apple does it by radarskiy · · Score: 1

    Fingerprint unlock on my ThinkPad: Good.
    Fingerprint unlock on my iPhone: Bad.

  50. Camera by Smiddi · · Score: 1

    Why all the fear around the fingerprint reader? Geez, the phone will simply take a pic of the user's face with the front facing camera and send it off to the NSA with the person's details, wifi passwords, etc.

  51. Re:Fingerprints for a Speedpass? Seriously? by pangloss · · Score: 1

    The only country that requires finger-prints is the US, as long as you stay out of the US you do not need fingerprints for traveling.

    Many countries require fingerprints for entry. See, for example: http://www.cic.gc.ca/english/department/biometrics-international.asp

    And the above list is certainly not exhaustive. Malaysia fingerprints everyone. China has evidently recently started. etc. etc.

  52. wrong tree by Tom · · Score: 1

    While I share the basic sentiment, I must also say that our (I live in Hamburg) former office holder knew more about what he was talking about. The current guy is a lawyer by profession.

    If you are worried about your fingerprints making the rounds, there are several hundred other things more dangerous than your mobile phone, because frankly, you leave your fingerprint everywhere.

    What is worrying about the digital thing is that theoretically a hacker in China could get it without travelling to your location and lifting your fingerprints off something you touched.

    But - that would only work if the device actually stored a fingerprint, and not just what is essentially the hash sum of one.

    My advice would be the exact opposite (and contrary to Caspar, I am a security expert). Do use your fingerprint for casual stuff like unlocking your phone. Do not use it for important things like your car, house or bank account.

    --
    Assorted stuff I do sometimes: Lemuria.org
  53. High security requires multi-factor authentication by GuB-42 · · Score: 1

    Getting fingerprint data is easy for a determined attacker, you are leaving them all over the place, and yes, obviously, you can't change them. That's the inherent weakness of biometrics.
    That's why, for high security, you have to combine it with another factor, which might be a physical key and/or a password.

  54. Re:Fingerprints for a Speedpass? Seriously? by Carewolf · · Score: 1

    Those are for visas not for visa free travel. Holiday traveling between EU and USA is usually visa free. From your list only the US and Japan seem to require it for visa free travel.

  55. When the government wants your fingerprint by Quila · · Score: 1

    All they have to do is make a fingerprint mandatory for an essential service. If they require it for drivers licenses and public transportation passes, they have over 99% of the population covered.

  56. Don't worry, I got this. by Polo · · Score: 1

    I've been secretly using Jude Law's biometrics. Eventually I'll be on that ship to outer space.

  57. Re:Vital uses by david_thornley · · Score: 1

    This.

    (I normally hate that, but this comment will at least start as more visible than its parent.)

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes