iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

Apple’s decision to bundle a fingerprint scanner with its newly unveiled iPhone 5s has the potential to become a game-changer for personal device authentication. But the success of "Touch ID" fingerprint authentication will depend on security as well as reliability, according to market-watchers. The fruits of Apple's …

COMMENTS

This topic is closed for new posts.

  1. Ambivalous Crowboard

    This article reads a bit like

    a "here's what everyone else has to say about the iPhone fingerprint scanner"

    I particularly liked the bit from the bloke who sells SMS authentication who says that, when talking about authentication methods, if it isn't SMS authentication then it's crap.

    Why, how objective of you!

    1. Chad H.

      Re: This article reads a bit like

      Yes, I thought that was an odd voice as SMS authentication, whilst a nice hacked-up token method is nice and convenient, is about as useful as tits on a bull for the purposes the iPhone sensor will be used for.

    2. ItsNotMe

      Re: This article reads a bit like

      Only one slight problem with Apple's description of this.

      "The authentication system features a redesigned home button and a metal sensor ring around it. Apple's promotional blurb explains: "[The sensor] uses advanced capacitive touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin."

      Your fingerprints are a part of the epidermal layer of your skin. Try consulting a medical dictionary next time Apple.

  2. thesykes

    "a new fingerprint reader for iPhone smartphone is likely to spur widespread use of fingerprint readers as authenticators"

    Really? I would've thought this appearing on an iPhone signals the death knell for it. Apple will no doubt have lodged an "on a mobile device" patent already (ignoring the Motorola phone with fingerprint scanning as prior art). Therefore, any use by other manufacturers will result in court cases and import bans.

    1. Anonymous Coward

      Here we go again

      You can't patent an idea, no one can patent "fingerprint reader on a phone". They could, however, patent a particular way of doing it. If the way they managed to integrate the sensor into the home button was an invention in itself, they'd be able to patent that, and someone else who wanted to put a sensor in a button would have to find a different way to do it.

      Of course, if Apple has filed some sort of patent on this the headlines will all read "Apple patents fingerprint reader on phone" and people will say "how can they get away with this, Atrix is prior art!" and not read the list of claims in the actual patent (assuming the article even bothers to link the patent)

      1. Anonymous Coward

        Re: Here we go again

        Apple bought the basic technology with a company - they own any patents without lifting a finger.

  3. J P

    So does this mean muggers will now have a second use for the bolt-croppers they use on bike locks - taking the finger along with the phone? (Presumably there's scope to change the print that the phone recognises, so you wouldn't have to actually sell it with the original owner's digit once you'd reset the authentication)

    IIRC there were some unpleasant incidents in Hong Kong when Mercedes brought out a fingerprint authenticated car, so while I'd hope things wouldn't go that far just for a phone, it does raise fears for how lowlifes might try to get around the tech...

    1. chr0m4t1c

      I thought most phones were stolen for the hardware, not the data on them.

      In addition to that, the police say that the majority of thefts are "snatches" - phones taken out of open handbags, pockets, off tables in public places or even just directly from someone's hand as they're using it.

      I can't see this technology changing that at all.

      BTW, your unpleasant incidents in Hong Kong appear to be one incident in Malaysia in 2005, at least that's all that's turning up on a Google search.

      1. J P
        Pint

        @ chr0m4t1c

        I'm sure you're right about the hardware/data motivation for thefts - outside of Hollywood, I can't really see thefts being based on the contents of the phone; it's going to be the resale value of an unlocked handset that motivates the average junkie. So if the means of unlocking changes, the pattern/method of thefts may change.

        The worry of course is how they go about unlocking the handset, and that's what got me thinking. It may be that the gummi-bear solution works, but if that's the case then (as other commenters have pointed out) the NSA is going to be the least of any fanbois' worries once the shell of the phone is covered in their prints. However things turn out, the 5s is bound to sell at a premium, and that will in turn enhance the incentives to get hold of a saleable example, by hook or by crook.

        Thanks also for taking the time to check on the Mercs story; glad to know I was only vaguely divorced from reality in my memories; I hadn't realised it was as long as 8 years ago... I'm slightly less thankful for you reminding me just how old I am :-)

    2. jubtastic1
      Thumb Up

      iphone 5S for sale

      Comes with free gift: unlucky human finger keyfob.

  4. Ralph B

    Of course they would say that

    If Apple were being required by the NSA to pass on all finger prints collected to the NSA, then, of course, the NSA would also require that Apple must deny that they are doing so. Just like with FISA gag orders.

    iPhone 5S can enjoy the convenience of fingerprint identification for unlock and app-purchase, but they should not be surprised if the authorities unexpectedly identify them from crime scene evidence, or if the authorities can unexpectedly unlock their iPhone using an official (skeleton) finger.

    If you're worried about this in connection with anything you're doing, then maybe you shouldn’t be doing it in the first place. (Different company, same mentality.)

    1. Dan 55 Silver badge
      Black Helicopters

      Re: Of course they would say that

      Could the law as it stands force Apple to push out a software update if demanded by the NSA which, as well as storing the fingerprint on the A7, also uploads it to Utah (or iCloud)?

      1. Anonymous Coward

        Re: Of course they would say that

        Could the law as it stands force Apple to push out a software update if demanded by the NSA which, as well as storing the fingerprint on the A7, also uploads it to Utah (or iCloud)?

        Honestly.. The iPhone doesn't store an image or a loop pattern for a finger, but a hash. If Apple has had any sense, that hashing sits in the hardware sector surrounding the sensor, so they couldn't change that if they wanted to, or were forced to.

        What COULD happen is that the hash is exported, but if the hash incorporates, for instance, parts of the hardware it will be useless outside the device.

        On the flip side, it is indeed possible for any mobile provider with a US HQ to be forced to silently collaborate with intercept. That is, after all, the law in the US (people hollering at the NSA are wrong - they should yell at those that task it because the orders are illegal - the NSA simply does what it was set up to do). However, that is not limited to Apple. If anything, Apple sells hardware, with some software sauce to facilitate that. Android's architect, however, IS in the data gathering business and has already repeatedly appeared in court for being a tad too enthusiastic in ignoring the laws that surround ownership of that data and privacy. Microsoft also has had a tad casual approach to other people's intellectual property, but I'm not sure how deep they were into data gathering.

        Take your pick who you trust least. "Neither" is probably the correct answer (still have my trusty Nokia 6310)..

        1. Dan 55 Silver badge

          Re: Of course they would say that

          Who knows what the fingerprint reader driver will do, I very much doubt the hash will go straight from the reader to the CPU without touching anything in the middle.

          Which means everyone's favourite beardy weirdy was right.

      2. Anonymous Coward

        Re: Of course they would say that

        "Could the law as it stands force Apple to push out a software update if demanded by the NSA which, as well as storing the fingerprint on the A7, also uploads it to Utah (or iCloud)?"

        Probably already are! It'll be another "oops sorry, it's a bug. We didn't know, honest!" scenario.

      3. DB 2

        Re: Of course they would say that

        Probably find the iphone backup software for pc stores the fingerprint and some cloud backup options will be offered. The NSA leaks show they love iphone backups.

    2. sabroni Silver badge
      FAIL

      Re: Eric Schmidt quotes?

      Did he really say "Error establishing a database connection"?

      1. Ralph B
        Black Helicopters

        Re: Eric Schmidt quotes?

        Did he really say "Error establishing a database connection"?

        He obviously called in the black helicopters to silence that site. Let's see if he will take down The Register too.

    3. Rob Crawford

      Re: Of course they would say that

      Today the fingerprints are NOT passed onto the NSA (et al) and are stored securely

      Couple of updates later the fingerprints ARE uploaded to the NSA for secure storage.

      Wonder if every iOS future update will be checked by the security types for what happens to the data

  5. Anonymous Coward

    Liar's paradox

    So, let's see for a second what is the possibility of:

    1. The aforementioned expert is not telling the truth and the biometrics are harvested and stored.

    2. He is subject to a FISA court letter not to tell the truth.

    Plausible? Hell yes...

    Don't you just love laws that mandate that _ANY_ recipient of any capricious request issued by Комитет Государственной Безопасности lie about anything said agency prescribes them to. Constitution? Rights? Laws? Yeah... we heard about them... they are in another reality for now. Not in this one.

    As long as there is a law which effectively puts every citizen and every corporation under higher level security clearance requirements it does not matter what Apple says. The law explicitly and in writing specifies that there is _NO_ reason for us to believe them.

    Gotta love the results this will have long term on public (both American and abroad) trust.

    1. Chad H.

      Re: Liar's paradox

      I don't think it is plausible.

      Whilst they can compel you not to speak, the national security letters can't compel someone to lie and say the opposite situation definitively exists.

      1. Dan 55 Silver badge

        Re: Liar's paradox

        Why is it not plausible? It's already happened with several big tech companies in the US.

  6. edge_e
    Big Brother

    <rant>

    integrated capacitive fingerprint sensor will build legitimacy for the technology in mainstream consumer electronics, although privacy concerns are bound to raise their heads in these newly paranoid times

    The first half of that sentence translates as

    Look into my eyes, not around my eyes, into my eyes. You're under. Giving your finger prints is a good thing, look how secure it makes your phone. Wouldn't it be wonderful if you could do everything by touching your finger against a little pad. What could possibly go wrong?

    The second part is both understatement of the year, yet also subtly phrased to make you think that those concerns are ludicrously paranoid.

    </rant>

  7. Mr C

    rules (and promises and claims) are meant to be broken

    "Why is a fingerprint sensor on an iPhone such a violation of privacy when laptops have featured them for years and no one even blinked? Giving our fingerprints to Wintel PCs and various border control for years but Apple = NSA? This is crazy."

    uhm idunno maybe because

    1. i don't carry my laptop in my pocket and take it with me wherever i go?

    2. i never actually used the fingerprint thingy on my laptop? nice gadget, but no thanks

    Actually, aside from this, i rules are meant to be broken. So now they might claim that fingerprints don't ever go to the cloud, but who's to say they won't go back on their word later?

    I've heard plenty of times claims being made which were then brushed aside the first opportunity there was profit in it for someone.

    1. Anonymous Coward

      Re: rules (and promises and claims) are meant to be broken

      Unbelievable. The first time you can genuinely give the NSA the finger and you all whinge.

      /me shakes head

  8. Anonymous Coward

    Spooks delight, fanbois in fright!

    What a time to release fingerprint harvesting technology like this during the current perfect storm! Genius!

    How can anyone, post Snowden, be under any illusions of digital privacy anymore? If you are reasonably intelligent, and can think of a plausible way of exploiting this, then you can guarantee that someone with a billion dollar budget has already thought of the same thing.

  9. Maharg

    So, has anyone had a look at the specs for this, is it going to check pulse and count the pores, or can I get into it with some talcum powder and a bit of sticky tape?

  10. JDX Gold badge

    Boring

    As it says, this has been on laptops for ages.

    More relevant is the point about airport security - surely anyone travelling on an international flight in the last few years has been fingerprinted in some way. It's been a while but don't they routinely check fingerprints and retina scans?

    I remember I got taken into a small room because my prints didn't match - due to playing guitar I think.

    1. J P

      Re: Boring

      Bricklayers often have problems with fingerprint recognition too - so no point them queuing up for the new iShiny then.

      1. Anonymous Coward

        Re: Boring

        "Bricklayers often have problems with fingerprint recognition too - so no point them queuing up for the new iShiny then." ......and those who handle acidic products (fruit, such as), guitar players, etc...

        Like to see the pleb at the "genius bar" explain that the user must change career!

        1. Darryl
          Joke

          Re: Boring

          You mean like:

          "Just change careers. Not a big deal

          Sent from my iPhone"

    2. Triggerfish

      Re: Boring

      Nope I was never fingerprinted or retinal scanned when I went on holiday at the beginning of this year.

    3. Neil Porter

      Re: Boring

      It depends on what queue you go in at passport control. Not everyone has the new fangled biometric passports.

    4. Mr C

      Re: Boring

      "surely anyone travelling on an international flight in the last few years has been fingerprinted in some way."

      Well at an airport they're not hiding what they're doing, you just *know* that info is going to go into a government database, 'for your own safety'.

      But it's different on a mobile device, where, besides the manufacturer's word, you can't effectively control who gets that information, when, how often, how it will be used and most importantly you might never know about it.

  11. Wang N Staines

    It stays on the A7 until the NSL arrives, ask the Lava dude.

  12. Piro Silver badge

    Time Warp

    Woah, we're back in 2003? iPaqs are all the rage, and some models have fingerprint scanners.

    Flash forward to 2013, nobody wants to waste good area that could be used as screen on a bloody fingerprint scanner.

    Other than Apple, with their mighty bezels.

  13. fishman

    It's not new.

    Motorola sold an Android phone (Atrix) a few years ago with a fingerprint reader on it.

    1. Mike Bell

      Re: It's not new.

      The Atrix had a swipe sensor. Temperamental and inconvenient.

      Is that the 'new' that you're talking about?

      1. Anonymous Coward

        Re: It's not new.

        "The Atrix had a swipe sensor. Temperamental and inconvenient.

        Is that the 'new' that you're talking about?"

        Now now Mike, let's not split hairs, swipe sensor or full image, fingerprint scanning is fingerprint scanning. The end result being authentication from finger print. And it's been done before!

  14. Anonymous Coward

    and on el Reg

    Apple = Bad

    Google = Good

    Microsoft = Evil

    Can all Reg readers just conform to this? Sure makes commentarding easier.

    1. Anonymous Coward

      and to post anonymously

      Butt hurt anonymous apple fan, strangely blind to all the butt hurt anonymous google fans on here. The Register HATES YOU ALL!!!!! GOT IT?

  15. Wanda Lust

    Pinky

    Bruce Schneier got it about right with the point of it being a good compromise between security and convenience, typing PINs is such a pain in the ass.

    Worrying about NSA, etc, is a bit moot because everything on the iPhone (except the fingerprint, of course) is in the clouds and accessible by them plus whoever has your iTunes credentials.

    I suggest using a 'pinky' finger on an iPhone5S: thumb and forefinger much more likely to be impressed elsewhere! Now, there's the start of something.

    1. sabroni Silver badge
      Happy

      Re: typing PINs is such a pain in the ass.

      Drawing an unlock pattern on an android phone is surprisingly loads better (imo). Was playing with an ios7 device yesterday and its PIN style unlock seems positively clunky in comparison.

      Oh no! I must be a massive Google fan and member of the Borg, I like a single feature on Android!!! (just getting in before the AC haters!)

      1. Anonymous Coward

        Re: typing PINs is such a pain in the ass.

        "Oh no! I must be a massive Google fan and member of the Borg"

        Let's not mix analogies. Being Borged is definitely being Apple brain washed. Our yoof have been borged in huge swathes.

    2. Frumious Bandersnatch

      Re: Pinky

      Bruce Schneier got it about right ...

      Don't forget that this is the same Bruce Schneier that thought it was fine to start displaying passwords on screens. Also the same man that never complained about Phorm, despite working for BT. Sure, the guy's a legend, but he's not always right.

    3. Anonymous Coward

      Re: Pinky

      "Bruce Schneier got it about right with the point of it being a good compromise between security and convenience, typing PINs is such a pain in the ass."

      Sorry, but that is just so Girl. WTF???

      I can unlock my phone in 1 second. W O W. That's such a PITA!

    4. Scott Wheeler

      Re: Pinky

      > everything on the iPhone (except the fingerprint, of course) is in the clouds

      Speak for yourself. I don't use cloud storage, and I don't use Siri (because it would upload my contacts). You may be happy living in the panopticon, but you don't speak for everyone.

  16. Alexander Hanff 1

    Believe Apple? Erm no.

    All this crap about the fingerprint data being secure is exactly that, crap. There is absolutely no way Apple can assure people that the data is not shared with anyone given the revelations about the NSA and their buddies at GCHQ etc.

    We simply cannot trust that the NSA don't already have access to the fingerprints and that Apple are under a Gag Order - in fact you have to assume that Apple have already provided access to the phone through a backdoor because of CALEA which requires manufacturers to backdoor -all- telecommunications hardware - last I checked a cell phone was a piece of telecommunications hardware (as are android and windows phones). So before you even begin to think about National Security Letters, PATRIOT, FISA & FISC you have CALEA.

    Furthermore, if you have an iPhone 5S and you travel to the US, can we now assume that if your device is taken at the border accessing the contents is now a trivial matter since all people entering the US have to give their fingerprints - which presumably can be used to unlock the device.

    Your fingerprints are not safe on this device - there is nothing Apple can do to guarantee their security and that security is probably already compromised as a matter of law. Don't drink the Kool-Aid.

    1. Mike Bell

      Re: Believe Apple? Erm no.

      Personally, I recommend always wearing gloves whilst outdoors in order to protect one's precious fingerprints.

    2. Grant Mitchell

      Re: Believe Apple? Erm no.

      Your fingerprints are as safe on the device as any other thing you're carrying.. You're missing the obvious point about fingerprints now, aren't you? I don't have a fingerprint scanner on my laptop, or my phone... but my laptop and phone have my fingerprints. It's not even a new problem, the O'Reilly book (old analogue tech in front of me on my desk even has my fingerprints!). Your fingerprints are not safe, BECAUSE YOU LEAVE THEM EVERYWHERE DUMMY!! If you have been stopped at a border crossing, handing over your passport is giving them your fingerprints! Yes, you hand it to them! SHOCK!

      Now sit back, breathe and think about what your fingerprints are used for. Consider for a moment does this technology give anyone the cool pictures that appear on CSI when you watch this? Does it read that oily print you left at the crime scene... from several fingers? THINK (PLEASE!) if I wanted to get your fingerprints off your phone... take 2 seconds to consider how I could do that even if you don't have a scanner on your phone.
