Thursday, February 11, 2016

Fingerprint sensor in iPhone 5s is no silver bullet, researchers say

The fingerprint sensor in Apple's new iPhone 5s has the potential to enhance the security of the device, but the devil will be in the details. Its effectiveness will depend on the strength of the implementation and whether it's used in conjunction with other security credentials, researchers said.

Apple unveiled two new iPhone models Tuesday, the iPhone 5c and iPhone 5s, the latter of which has a fingerprint sensor dubbed Touch ID built into the home button. The sensor will allow users to use their fingerprints instead of a password to unlock the device and make purchases on iTunes. It's not clear if the feature will also be used in other scenarios that have yet to be revealed or if third-party applications will also be able to use it to authenticate users.

In presenting the technology Tuesday, Apple said the fingerprint data is encrypted and locked in the device's new A7 chip, that it's never directly accessible to software and that it's not stored on Apple's servers or backed up to iCloud.

Fingerprint scanners have historically been susceptible to errors and replay attacks that involve stealing fingerprints and using them to trick the scanners by employing a variety of techniques. According to Apple, Touch ID scans sub-epidermal skin layers, has a 500-ppi resolution and can recognize fingerprints at any rotation. But how well it will resist attempts by security researchers to bypass it remains to be seen.

"Common attacks against fingerprint readers include using photos of fingers or creating fingerprint molds based on captured prints," said Dirk Sigurdson, director of engineering for the Mobilisafe mobile risk management technology at security firm Rapid7, via email. "Hopefully the iPhone sensor will have strong protections against using copied fingers."

Fingerprint technology is not a high-security feature, said Marc Rogers, principal security researcher at mobile security firm Lookout.
That's why most military installations, for example, use hand geometry or retina scanners instead, he said. "It is possible to copy a fingerprint and I think that as the technology sees wider usage, the techniques of copying fingerprints will only improve," the researcher said. However, a fingerprint is still better and more convenient than a four-digit PIN, he said.

The best single factor of authentication is a strong password stored only in the user's brain, but it's inherently difficult for people to create and remember strong passwords, Sigurdson said. This often results in bad passwords being used, so a good fingerprint reader and matching algorithm will likely improve the security of iOS devices, he said.

Many people probably don't even set a PIN because it's inconvenient to enter it every time, so a fingerprint gives them the opportunity to secure their device in a way that's better than nothing, Rogers said. Research suggests as many as half of users never set up a four-digit PIN or a more complex password to lock their devices, Apple said during its presentation.

Rogers believes fingerprints could add great security if they're used in conjunction with other security credentials as part of two-factor authentication. For example, Apple could allow users to set a strong, complex password that's used to encrypt the file system and which would need to be entered only when the device is switched on. The user's fingerprint could then be used as a medium-strength access credential to unlock the device when it's on and needs to be used. This would provide both security and convenience for users, Rogers said.

In addition, if Apple would allow other applications on the device to use the fingerprint sensor, it could increase the security of those applications. For example, a banking application could require users to authorize transactions by scanning their fingerprints, limiting what attackers can do if they steal those users' log-in passwords, he said.

Overall, the sensor has the potential to increase the security of the device, but it depends on implementation and whether consumers will actually use it, Christopher Pogue, director of security vendor Trustwave's SpiderLabs security research team, said via email. "It is key that consumers can easily understand how to use the sensor." Like Rogers, Pogue believes that fingerprints would be most valuable if used as part of a two-factor authentication system.

"Like anything else that runs on a mobile device, the scanner itself is an application that interfaces with the underlying operating system and like other applications, regardless of function, there are vulnerabilities that exist due to a multitude of factors," Pogue said. "This application will likely be no different, and exploits will certainly be forthcoming if not already here."

Unlike a password, a fingerprint is not something a person can forget or share with someone else, so in that regard it provides stronger access control than a password, Pogue said. However, there has to be a failsafe mechanism to prevent the device owner from being locked out in case his fingerprint is modified as a result of an injury, for example, he said. "It's this 'back door' access that, if present, would likely lead to unforeseen security vulnerabilities."
