July 21st, 2015
Last week’s announcement that the new iPhone 5 will include a fancy new fingerprint scanning security system was met with a chorus of protests. What if someone lifts my prints and makes a fake finger and unlocks my phone? What if the government snoops on my phone (more than it already does) and steals my fingerprints?? Oh God, what if muggers cut off my thumbs to unlock my phone when they steal it?!? Relax. None of that’s going to happen. Here’s why.
First, a quick rundown of how the tech actually works. When you set up your new iPhone 5, its TouchID fingerprint scanner registers one of your prints and stores that data locally in the phone’s secure A7 chip. From that moment onward, if you have TouchID enabled, every time you press your finger against the home button/capacitance scanner the phone matches the current print with the registered version and, if they match, unlocks the phone. What’s more, the new iPhone 5 will also reportedly employ RF signals to “see” through the uppermost, dead layers of finger skin and image the living tissue immediately below.
There are a couple of key points there that are worth a little more detail.
First, if your finger is not alive, the scan won’t work. That means that cutting off a thumb won’t do anything but earn you the nickname “One Thumb Bill” (assuming your name is indeed Bill). Using Silly Putty to steal prints won’t work either, since last we checked Silly Putty can’t replicate living tissue. In addition, latent prints an evildoer picks up from that mug you just put down might not even contain the correct portion of the print, since the iPhone’s scanner only images the very tip of the digit, a part of the finger you don’t often use for gripping.
“You use a different part of your finger to touch the iPhone sensor than what you use to touch other things,” writes Robert Graham on the Errata Security blog. “That means while hackers may be able to lift your thumbprint from you holding other objects, or from other parts of the phone itself, they probably can’t get the tip print needed to do bad things on your iPhone.”
Second, the government can’t get at your fingerprint. That’s partly because the iPhone stores all fingerprint data on its secure chip and only sends a message to websites or apps stating that the two prints match, not actual proof that they do, so there’s no outgoing sensitive information (unless you can intercept and spoof the confirmation token sent by the phone). And also partly because if the government really needed your fingerprints, it simply wouldn’t be worth the trouble of cracking into your phone. DMVs, passport offices; there are plenty of government agencies that have your thumbprint on file already. And if they don’t, they could get it just by following you around town for 10 minutes.
And as Philip Bump explains in The Atlantic:
Your fingerprint…isn’t traveling anywhere. Is it possible that the NSA could ask Apple to upload a user’s fingerprint from the phone so that it can be transmitted to the agency? Sure. But that likely wouldn’t be a request that comes through PRISM; it would probably require a separate warrant. Not impossible, but, given the burden of demonstrating need for a warrant, not as easy as a few keystrokes.
If anything, you should be worried that the scanner’s not effective enough security for all of the information that is vulnerable in your phone. “There should always be some concern with new technologies or functionality that has such a large base of users,” Joe Schumacher, a consultant for security firm Neohapsis, told CNN. “The fingerprint reader is more of a sales tactic than a strong security enhancement.”
A mugger could try to cut off your thumb, sure. But wouldn’t it be easier—and less messy—just to force that thumb down on your phone? And honestly, if you’re really that worried, why not just disable TouchID altogether? The PIN is still a viable option.
So no, you shouldn’t worry about Apple’s new fingerprint scanner being a boon to muggers or government spooks. The former’s not going to get anywhere cutting thumbs, and the latter’s too busy reading your emails to bother with your prints.