A week and a bit after Apple released the iPhone 5S with its much vaunted “TouchID” biometric, the fingerprint detector has been subverted by the Chaos Computer Club (CCC). So what are we to make of this?
Security is about economics. The CCC attack is not a trivial exercise. It entailed a high resolution photograph, high res printing, and a fair bit of phaffing about with glue and plastics. Plus of course the attacker needs to have taken possession of the victim’s phone because one good thing about Apple’s biometric implementation is that the match is done on the device. So one question is, Does the effort required to beat the system outweigh the gains to be made by a successful attacker? For a smartphone with a smart user (who takes care not to load up their device with real valuables) the answer is probably no.
But security is also about transparency and verification, and TouchID is the latest example of the biometrics industry falling short of security norms. Apple has released its new “security” feature with no security specs. No stated figures on False Accept Rate, False Reject Rate or Failure to Enroll Rate, and no independent test results. All we have is anecdotes that the False Reject Rate is very very low (in keeping with legendary Apple human factors engineering), and odd claims that a dead finger won’t activate the Authentec technology. It’s held out to be a security measure but the manufacturer feels no need to predict how well the device will withstand criminal attack.
There is no shortage of people lining up to say the CCC attack is not a practical threat. Which only begs the question, ok, just how “secure” do we want biometrics to be? Crucially, that’s actually impossible to answer, because there are still no agreed real life test protocols for any biometric, and no liveness detection standards. Vendors can make any marketing claim they like for a biometric solution without being held to account. Contrast this Wild West situation with the rigor applied to any other branch of security like cryptographic algorithms, key lengths, Trusted Platform Modules, smartcards and Secure Elements.
You can imagine Bart Simpson defending the iPhone 5S fingerprint scanner:
“It won’t be spoofed!
I never said it couldn’t be spoofed!
It doesn’t really matter if it is spoofed!!!”
Demonstrations of biometric failings need to be taken more seriously – not because they surprise hardened security professionals (they don’t) but because the demos lay bare the laziness of many biometrics vendors and advocates, and their willful disregard for security professionalism. People really need to be encouraged to think more critically about biometrics. For one thing, they need to understand subtleties like the difference between the One-to-One authentication of the iPhone 5S and One-to-Many authentication of fanciful fingerprint payment propositions like PayTango.
The truth is that consumer biometrics are all about convenience, not security. And that would be ok, if only manufacturers were honest about it.