Yesterday we heard two pieces of news about Apple; the Chaos Computer Club had ‘hacked’ Apple’s clever ‘Touch ID’ fingerprint scanner for the new iPhone 5s, and having read numerous negatively themed articles over the preceding few days that 6 million iPhones or less last weekend would be bad news for Apple, it transpired they sold 9 million iPhones – the Apple doom stories stopped – well for a few days at least. Apple shares were up 5% on the sales news – $23 on the day showing us it’s easy to see what Wall Street was focussed on – 9 million thumbs up, beats a latex copy of just one of those thumbs, any day.
I’ve been aware of the Chaos Computer Club for twenty years and the Hollywood and television portrayals of hackers over those two decades owed much to the CCC, fixing them with a steely cold-war meets capitalist opportunist aura so useful for the action film-makers of the time. From early displays of political activism to security exposés the CCC remain the most credible of what we would now call ‘hacking coalitions’, so when Apple announced its iPhone 5s with Touch ID, a fingerprint sensor built in to the Home button that would unlock your iPhone and allow you to validate tasks like purchases on the iTunes store, it appears it piqued the interest of the Chaos Computer Club, and their jaundiced view of what’s deemed secure. Over the last few days it emerged that the CCC have hacked the Touch ID fingerprint sensor, using a reconstructed fingerprint. On their website the Chaos Computer Club issued a statement, illustrating the technique and making the point that, ‘the public should no longer be fooled by the biometrics industry…’. Good advice; I haven’t trusted biometrics since 2007.
“The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.”
In 2007 I was managing a project for a large corporate with tens of thousands of employees, who were being given the option of ‘clocking-in’ using a biometric clock that had a fingerprint sensor. It would read your print, associate that with your employee ID number and record your attendance at work. A large but straightforward project and one we’d done before many times. When automating the recording of employee attendance some companies use a desktop-sign in, some use an SMS message from an employee’s phone, some use an ID badge at the door and some like this one, use a biometric scanner. Occasionally during biometric projects concerned workers, privacy advocates within the company or unions question the security of biometrics but they’re generally assured or perhaps nudged in the direction of topics like security, fire-safety and the payment of overtime and the projects move on.
In 2007 just as this large installation was being completed I was reading Ben Goldacre’s Bad Science column in The Guardian and he raised the issue of fingerprints, biometrics and how secure they were. It appeared that scientists at the Biometric Systems Lab at the University of Bologna had reconstructed a fingerprint from the digital record of that print. When a fingerprint is recorded in the sort of biometric scanners I was using, it’s stored, not as an image but as a digital record, using a defined format and on my project the format was the ISO/IEC 19794-2:2005 Fingerprint Minutiae Record Format. This record format takes a number of ‘key points’ or minutiae of the fingerprint, not all of the data associated with a print, but enough to be unique on a company’s system and enough to be recognised the next time the same human print is scanned and compared against the one on record. It’s reliable, I’ve watched three hundred people in a morning place their finger on these biometric scanners, with unclean hands, a little oil here and there, perspiration, and even so every single fingerprint was validated with 100% accuracy. Yes it’s reliable as a method of recognition, but we know now that if someone has access to the digital records of those prints they can be ‘reverse engineered’ back to an image of a fingerprint, and that’s the real concern in this technology.
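To make the point about the record format concrete, here is an added example (not code from the project described above or from any of the researchers mentioned) that parses a finger minutiae record. It assumes the 2005 layout of a 24-byte header, a 4-byte finger view header and 6-byte minutiae; the sample record and all of its values are constructed.

```python
import struct

HEADER = ">IHHHHHBB"   # length, device, width, height, x-res, y-res, views, reserved

def build_sample_record():
    """Constructed sample: one finger view holding three made-up minutiae."""
    minutiae = [(1, 100, 120, 32, 80), (2, 150, 200, 128, 90), (1, 60, 240, 200, 70)]
    body = bytes([1, 0, 85, len(minutiae)])  # finger position, view/impression, quality, count
    for mtype, x, y, angle, quality in minutiae:
        # 2-bit type + 14-bit X, 2 reserved bits + 14-bit Y, angle byte, quality byte
        body += struct.pack(">HHBB", (mtype << 14) | x, y, angle, quality)
    body += struct.pack(">H", 0)             # no extended data
    total = 24 + len(body)
    return b"FMR\x00 20\x00" + struct.pack(HEADER, total, 0, 256, 360, 197, 197, 1, 0) + body

def parse_fmr(record):
    """Return image size and, per finger view, every stored minutia."""
    if len(record) < 24 or record[:4] != b"FMR\x00":
        raise ValueError("not a finger minutiae record")
    total, _dev, width, height, _xres, _yres, views, _rsv = struct.unpack(HEADER, record[8:24])
    if total != len(record):
        raise ValueError("declared length does not match the data")
    offset, out = 24, []
    try:
        for _ in range(views):
            position, _view, _quality, count = struct.unpack_from(">BBBB", record, offset)
            offset += 4
            points = []
            for _ in range(count):
                tx, ry, angle, quality = struct.unpack_from(">HHBB", record, offset)
                offset += 6
                points.append({"type": tx >> 14, "x": tx & 0x3FFF, "y": ry & 0x3FFF,
                               "angle_deg": angle * 360 / 256, "quality": quality})
            (ext_len,) = struct.unpack_from(">H", record, offset)
            offset += 2 + ext_len
            out.append({"finger_position": position, "minutiae": points})
    except struct.error:
        raise ValueError("record is truncated") from None
    return {"width": width, "height": height, "views": out}

if __name__ == "__main__":
    for m in parse_fmr(build_sample_record())["views"][0]["minutiae"]:
        print(m)
```

Everything the scanner needs for matching sits in the record as plain coordinates and angles rather than as a one-way hash, which is why the template database needs the same protection as any other credential store.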
Following Ben Goldacre’s column on the subject in 2007 I did my own reading and fact-finding; researchers and scientists from Italy to Japan, and particularly the work of the Biometric Systems Laboratory at the University of Bologna, illustrated to me unquestionably that, as the Chaos Computer Club said yesterday, we shouldn’t trust biometrics. The CCC iPhone hack was really a social hack; get someone to leave a print, photograph it and use some latex to replicate the print and gain access to an iPhone. The starting point for the CCC was a print they photographed, but we know that if you have the digital record of a print in the standardised ‘minutiae’ format, that can be the starting point, eliminating the need to photograph a legitimate print and start a hack or impersonation without ever meeting the owner of a fingerprint.
There’s almost a decade of evidence, evidence that’s mounting and convincing; biometrics are not the way to reliably secure a company front door, an iPhone or indeed a country’s border.
External links & references
- Chaos Computer Club : statement on Touch ID hack
- Fingerprint Image Reconstruction from Standard Templates : PDF : Cappelli, Alessandra Lumini, Dario Maio
- A Study on Accuracy and Problems in using ISO/IEC 19794-2 Finger Minutiae Formats : PDF : Takahiro Yoshida, Seiichiro Hangai, Tokyo University of Science
- Senator Al Franken expressed concern over Apple fingerprint scanner security
- Biometrics : Electronic Frontier Foundation
- Ben Goldacre : Bad Science : November, 2007