back to article iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

Apple’s decision to bundle a fingerprint scanner with its newly unveiled iPhone 5s has the potential to become a game-changer for personal device authentication. But the success of "Touch ID" fingerprint authentication will depend on security as well as reliability, according to market-watchers. The fruits of Apple's acquisition …

COMMENTS

This topic is closed for new posts.

This article reads a bit like

a "here's what everyone else has to say about the iPhone fingerprint scanner"

I particularly liked the bit from the bloke who sells SMS authentication who says that, when talking about authentication methods, if it isn't SMS authentication then it's crap.

Why, how objective of you!

6
0
Silver badge

Re: This article reads a bit like

Yes, I thought that was an odd voice as SMS authentication, whilst a nice hacked-up token method is nice and convenient, is about as useful as tits on a bull for the purposes the iPhone sensor will be used for.

0
0
Bronze badge

Re: This article reads a bit like

Only one slight problem with Apple's description of this.

"The authentication system features a redesigned home button and a metal sensor ring around it. Apple's promotional blurb explains: '[The sensor] uses advanced capacitive touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin.'"

Your fingerprints are a part of the epidermal layer of your skin. Try consulting a medical dictionary next time Apple.

2
0

"a new fingerprint reader for iPhone smartphone is likely to spur widespread use of fingerprint readers as authenticators"

Really? I would've thought this appearing on an iPhone signals the death knell for it. Apple will no doubt have lodged an "on a mobile device" patent already (ignoring the Motorola phone with fingerprint scanning as prior art). Therefore, any use by other manufacturers will result in court cases and import bans.

10
4
Silver badge

Here we go again

You can't patent an idea, no one can patent "fingerprint reader on a phone". They could, however, patent a particular way of doing it. If the way they managed to integrate the sensor into the home button was an invention in itself, they'd be able to patent that, and someone else who wanted to put a sensor in a button would have to find a different way to do it.

Of course, if Apple has filed some sort of patent on this the headlines will all read "Apple patents fingerprint reader on phone" and people will say "how can they get away with this, Atrix is prior art!" and not read the list of claims in the actual patent (assuming the article even bothers to link the patent)

1
1
Anonymous Coward

Re: Here we go again

Apple bought the basic technology with a company - they own any patents without lifting a finger.

0
0
J P

So does this mean muggers will now have a second use for the bolt-croppers they use on bike locks - taking the finger along with the phone? (Presumably there's scope to change the print that the phone recognises, so you wouldn't have to actually sell it with the original owner's digit once you'd reset the authentication)

IIRC there were some unpleasant incidents in Hong Kong when Mercedes brought out a fingerprint authenticated car, so while I'd hope things wouldn't go that far just for a phone, it does raise fears for how lowlifes might try to get around the tech...

4
0

I thought most phones were stolen for the hardware, not the data on them.

In addition to that, the police say that the majority of thefts are "snatches" - phones taken out of open handbags, pockets, off tables in public places or even just directly from someone's hand as they're using it.

I can't see this technology changing that at all.

BTW, your unpleasant incidents in Hong Kong appear to be one incident in Malaysia in 2005, at least that's all that's turning up on a Google search.

1
0
Thumb Up

iphone 5S for sale

Comes with free gift: unlucky human finger keyfob.

0
0
J P
Pint

@ chr0m4t1c

I'm sure you're right about the hardware/data motivation for thefts - outside of Hollywood, I can't really see thefts being based on the contents of the phone; it's going to be the resale value of an unlocked handset that motivates the average junkie. So if the means of unlocking changes, the pattern/method of thefts may change.

The worry of course is how they go about unlocking the handset, and that's what got me thinking. It may be that the gummi-bear solution works, but if that's the case then (as other commenters have pointed out) the NSA is going to be the least of any fanbois' worries once the shell of the phone is covered in their prints. However things turn out, the 5s is bound to sell at a premium, and that will in turn enhance the incentives to get hold of a saleable example, by hook or by crook.

Thanks also for taking the time to check on the Mercs story; glad to know I was only vaguely divorced from reality in my memories; I hadn't realised it was as long as 8 years ago... I'm slightly less thankful for you reminding me just how old I am :-)

0
0
Silver badge

Of course they would say that

If Apple were being required by the NSA to pass on all finger prints collected to the NSA, then, of course, the NSA would also require that Apple must deny that they are doing so. Just like with FISA gag orders.

iPhone 5S users can enjoy the convenience of fingerprint identification for unlock and app-purchase, but they should not be surprised if the authorities unexpectedly identify them from crime scene evidence, or if the authorities can unexpectedly unlock their iPhone using an official (skeleton) finger.

If you're worried about this in connection with anything you're doing, then maybe you shouldn’t be doing it in the first place. (Different company, same mentality.)

8
1
Silver badge
Black Helicopters

Re: Of course they would say that

Could the law as it stands force Apple to push out a software update if demanded by the NSA which, as well as storing the fingerprint on the A7, also uploads it to Utah (or iCloud)?

1
0
Silver badge
FAIL

Re: Eric Schmidt quotes?

Did he really say "Error establishing a database connection"?

0
0
Anonymous Coward

Re: Of course they would say that

> Could the law as it stands force Apple to push out a software update if demanded by the NSA which, as well as storing the fingerprint on the A7, also uploads it to Utah (or iCloud)?

Honestly.. The iPhone doesn't store an image or a loop pattern for a finger, but a hash. If Apple has had any sense, that hashing sits in the hardware sector surrounding the sensor, so they couldn't change that if they wanted to, or were forced to.

What COULD happen is that the hash is exported, but if the hash incorporates, for instance, parts of the hardware it will be useless outside the device.

On the flip side, it is indeed possible for any mobile provider with a US HQ to be forced to silently collaborate with intercept. That is, after all, the law in the US (people hollering at the NSA are wrong - they should yell at those that task it because the orders are illegal - the NSA simply does what it was set up to do). However, that is not limited to Apple. If anything, Apple sells hardware, with some software sauce to facilitate that. Android's architect, however, IS in the data gathering business and has already repeatedly appeared in court for being a tad too enthusiastic in ignoring the laws that surround ownership of that data and privacy. Microsoft also has had a tad casual approach to other people's intellectual property, but I'm not sure how deep they were into data gathering.

Take your pick who you trust least. "Neither" is probably the correct answer (still have my trusty Nokia 6310)..

0
0
Anonymous Coward

Re: Of course they would say that

"Could the law as it stands force Apple to push out a software update if demanded by the NSA which, as well as storing the fingerprint on the A7, also uploads it to Utah (or iCloud)?"

Probably already are! It'll be another "oops sorry, it's a bug. We didn't know, honest!" scenario.

0
1
Silver badge
Black Helicopters

Re: Eric Schmidt quotes?

> Did he really say "Error establishing a database connection"?

He obviously called in the black helicopters to silence that site. Let's see if he will take down The Register too.

0
0
Silver badge

Re: Of course they would say that

Who knows what the fingerprint reader driver will do, I very much doubt the hash will go straight from the reader to the CPU without touching anything in the middle.

Which means everyone's favourite beardy weirdy was right.

0
0

Re: Of course they would say that

Probably find the iphone backup software for pc stores the fingerprint and some cloud backup options will be offered. The NSA leaks show they love iphone backups.

0
0

Re: Of course they would say that

Today the fingerprints are NOT passed onto the NSA (et al) and are stored securely

Couple of updates later the fingerprints ARE uploaded to the NSA for secure storage.

Wonder if every ios future update will be checked by the security types for what happens to the data

0
0
Anonymous Coward

Liar's paradox

So, let's see for a second what is the possibility of:

1. The aforementioned expert is not telling the truth and the biometrics are harvested and stored.

2. He is subject to a FISA court letter not to tell the truth.

Plausible? Hell yes...

Don't you just love laws that mandate that _ANY_ recipient of any capricious request issued by Комитет Государственной Безопасности lie about anything said agency prescribes them to. Constitution? Rights? Laws? Yeah... we heard about them... they are in another reality for now. Not in this one.

As long as there is a law which effectively puts every citizen and every corporation under higher level security clearance requirements it does not matter what Apple says. The law explicitly and in writing specifies that there is _NO_ reason for us to believe them.

Gotta love the results this will have long term on public (both American and abroad) trust.

8
1
Silver badge

Re: Liar's paradox

I don't think it is plausible.

Whilst they can compel you not to speak, the national security letters can't compel someone to lie and say the opposite situation definitively exists.

0
3
Silver badge

Re: Liar's paradox

Why is it not plausible? It's already happened with several big tech companies in the US.

1
0
Big Brother

<rant>

> integrated capacitive fingerprint sensor will build legitimacy for the technology in mainstream consumer electronics, although privacy concerns are bound to raise their heads in these newly paranoid times

The first half of that sentence translates as

Look into my eyes, not around my eyes, into my eyes. You're under. Giving your finger prints is a good thing, look how secure it makes your phone. Wouldn't it be wonderful if you could do everything by touching your finger against a little pad. What could possibly go wrong?

The second part is both understatement of the year, yet also subtly phrased to make you think that those concerns are ludicrously paranoid.

</rant>

9
1

rules (and promises and claims) are meant to be broken

"Why is a fingerprint sensor on an iPhone such a violation of privacy when laptops have featured them for years and no one even blinked? Giving our fingerprints to Wintel PCs and various border control for years but Apple = NSA? This is crazy."

uhm idunno maybe because

1. i don't carry my laptop in my pocket and take it with me wherever i go?

2. i never actually used the fingerprint thingy on my laptop? nice gadget, but no thanks

Actually, aside from this, rules are meant to be broken. So now they might claim that fingerprints don't ever go to the cloud, but who's to say they won't go back on their word later?

I've heard plenty of times claims being made which were then brushed aside the first opportunity there was profit in it for someone.

7
1
Anonymous Coward

Re: rules (and promises and claims) are meant to be broken

Unbelievable. The first time you can genuinely give the NSA the finger and you all whinge.

/me shakes head

0
0
Anonymous Coward

Spooks delight, fanbois in fright!

What a time to release fingerprint harvesting technology like this during the current perfect storm! Genius!

How can anyone, post Snowden, be under any illusions of digital privacy anymore? If you are reasonably intelligent, and can think of a plausible way of exploiting this, then you can guarantee that someone with a billion dollar budget has already thought of the same thing.

3
0

So, has anyone had a look at the specs for this, is it going to check pulse and count the pores, or can I get into it with some talcum powder and a bit of sticky tape?

0
0
JDX
Gold badge

Boring

As it says, this has been on laptops for ages.

More relevant is the point about airport security - surely anyone travelling on an international flight in the last few years has been fingerprinted in some way. It's been a while but don't they routinely check fingerprints and retina scans?

I remember I got taken into a small room because my prints didn't match - due to playing guitar I think.

2
1
J P

Re: Boring

Bricklayers often have problems with fingerprint recognition too - so no point them queuing up for the new iShiny then.

1
0
Bronze badge

Re: Boring

Nope I was never fingerprinted or retinal scanned when I went on holiday at the beginning of this year.

0
0

Re: Boring

It depends on what queue you go in at passport control. Not everyone has the new fangled biometric passports.

0
0

Re: Boring

"surely anyone travelling on an international flight in the last few years has been fingerprinted in some way."

Well at an airport they're not hiding what they're doing, you just *know* that info is going to go into a government database, 'for your own safety'.

But it's different on a mobile device, where, besides the manufacturer's word, you can't effectively control who gets that information, when, how often, how it will be used and most importantly you might never know about it.

0
0
Anonymous Coward

Re: Boring

"Bricklayers often have problems with fingerprint recognition too - so no point them queuing up for the new iShiny then." ......and those who handle acidic products (fruit, such as), guitar players, etc...

Like to see the pleb at the "genius bar" explain that the user must change career!

0
1
Silver badge
Joke

Re: Boring

You mean like:

"Just change careers. Not a big deal

Sent from my iPhone"

0
0

It stays on the A7 until the NSL arrives, ask the Lava dude.

0
0
Silver badge

Time Warp

Woah, we're back in 2003? iPaqs are all the rage, and some models have fingerprint scanners.

Flash forward to 2013, nobody wants to waste good area that could be used as screen on a bloody fingerprint scanner.

Other than Apple, with their mighty bezels.

1
1

It's not new.

Motorola sold an Android phone (Atrix) a few years ago with a fingerprint reader on it.

1
1
Bronze badge

Re: It's not new.

The Atrix had a swipe sensor. Temperamental and inconvenient.

Is that the 'new' that you're talking about?

0
1
Anonymous Coward

Re: It's not new.

"The Atrix had a swipe sensor. Temperamental and inconvenient.

Is that the 'new' that you're talking about?"

Now now Mike, let's not split hairs, swipe sensor or full image, fingerprint scanning is fingerprint scanning. The end result being authentication from finger print. And it's been done before!

0
1
Anonymous Coward

and on el Reg

Apple = Bad

Google = Good

Microsoft = Evil

Can all Reg readers just conform to this? Sure makes commentarding easier.

2
3
Anonymous Coward

and to post anonymously

Butt hurt anonymous apple fan, strangely blind to all the butt hurt anonymous google fans on here. The Register HATES YOU ALL!!!!! GOT IT?

3
0

Pinky

Bruce Schneier got it about right with the point of it being a good compromise between security and convenience, typing PINs is such a pain in the ass.

Worrying about NSA, etc, is a bit moot because everything on the iPhone (except the fingerprint, of course) is in the clouds and accessible by them plus whoever has your iTunes credentials.

I suggest using a 'pinky' finger on an iPhone5S: thumb and forefinger much more likely to be impressed elsewhere! Now, there's the start of something.

0
1
Silver badge
Happy

Re: typing PINs is such a pain in the ass.

Drawing an unlock pattern on an android phone is surprisingly loads better (imo). Was playing with an ios7 device yesterday and its PIN style unlock seems positively clunky in comparison.

Oh no! I must be a massive Google fan and member of the Borg, I like a single feature on Android!!! (just getting in before the AC haters!)

0
0
Bronze badge

Re: Pinky

> Bruce Schneier got it about right ...

Don't forget that this is the same Bruce Schneier that thought it was fine to start displaying passwords on screens. Also the same man that never complained about Phorm, despite working for BT. Sure, the guy's a legend, but he's not always right.

1
0
Anonymous Coward

Re: Pinky

"Bruce Schneier got it about right with the point of it being a good compromise between security and convenience, typing PINs is such a pain in the ass."

Sorry, but that is just so Girl. WTF???

I can unlock my phone in 1 second. W O W. That's such a PITA!

0
0
Anonymous Coward

Re: typing PINs is such a pain in the ass.

"Oh no! I must be a massive Google fan and member of the Borg"

Let's not mix analogies. Being Borged is definitely being Apple brain washed. Our yoof have been borged in huge swathes.

0
0

Re: Pinky

> everything on the iPhone (except the fingerprint, of course) is in the clouds

Speak for yourself. I don't use cloud storage, and I don't use Siri (because it would upload my contacts). You may be happy living in the panopticon, but you don't speak for everyone.

1
0

Believe Apple? Erm no.

All this crap about the fingerprint data being secure is exactly that, crap. There is absolutely no way Apple can assure people that the data is not shared with anyone given the revelations about the NSA and their buddies at GCHQ etc.

We simply cannot trust that the NSA don't already have access to the fingerprints and that Apple are under a Gag Order - in fact you have to assume that Apple have already provided access to the phone through a backdoor because of CALEA which requires manufacturers to backdoor -all- telecommunications hardware - last I checked a cell phone was a piece of telecommunications hardware (as are android and windows phones). So before you even begin to think about National Security Letters, PATRIOT, FISA & FISC you have CALEA.

Furthermore, if you have an iPhone 5S and you travel to the US, can we now assume that if your device is taken at the border accessing the contents is now a trivial matter since all people entering the US have to give their fingerprints - which presumably can be used to unlock the device.

Your fingerprints are not safe on this device - there is nothing Apple can do to guarantee their security and that security is probably already compromised as a matter of law. Don't drink the cool-aid.

5
0
Bronze badge

Re: Believe Apple? Erm no.

Personally, I recommend always wearing gloves whilst outdoors in order to protect one's precious fingerprints.

1
0

Re: Believe Apple? Erm no.

Your fingerprints are as safe on the device as any other thing you're carrying.. You're missing the obvious point about fingerprints now, aren't you? I don't have a fingerprint scanner on my laptop, or my phone... but my laptop and phone have my fingerprints. It's not even a new problem, the O'Reilly book (old analogue tech) in front of me on my desk even has my fingerprints! Your fingerprints are not safe, BECAUSE YOU LEAVE THEM EVERYWHERE DUMMY!! If you have been stopped at a border crossing, handing over your passport is giving them your fingerprints! Yes, you hand it to them! SHOCK!

Now sit back, breathe and think about what your fingerprints are used for. Consider for a moment does this technology give anyone the cool pictures that appear on CSI when you watch this? Does it read that oily print you left at the crime scene... from several fingers? THINK (PLEASE!) if I wanted to get your fingerprints off your phone... take 2 seconds to consider how I could do that even if you don't have a scanner on your phone.

0
3
