Wednesday, September 18, 2013

The itty bitty fingerprint sensor

tl;dr: The fingerprint reader of the new Jesus phone is a bad idea, but not because of security or espionage problems.

Apple has shown exceptionally poor judgement with its choice of headline feature of its new iPhone 5s. If I had Apple stock, this would be to be a good time to be embarrassed about it. Not just because I believe that the screen is too small, the flash memory too stingy, the UI too flat, or because a fingerprint reader is a disastrous choice in itself, but because Apple seems to have lost its sense for taste and timing. You do not keep ahead of the game by making phones thinner and longer or blingy. And adding a feature that screams "privacy violation" in the middle of a mass surveillance affair outs you as a nutcase.
For quite a few years now, I am subjected to the considerable indignity of having to leave my fingerprints whenever I cross the border into the US. It is hard to say why I feel so uneasy about this. Maybe it has to do with the fact that I grew up in East Germany, and surveillance was a real issue back then. The contents of my book case, the conversations with my math teacher, the phone call to a family friend, or the occasional remark overheard by the over-eager snoopy daughter of the head-master all made it into my file and could decide about my academic, social and professional future.
To say that I am irked by the careless lies of our politicians (Friedrich, Pofalla and others) when it comes to the collaboration between the secret services of the US, Germany, UK, Sweden, France and so on, would be a grave understatement. I am deeply uneasy that the top echelon of German politics are apparently in cahoots with and puppeteered by a deep state that has spun wildly out of control.

We have known for quite a few years now that the US reads our diaries. Gmail, Dropbox, Skype, phone call metadata, bank transactions and even the iPhone's location data have all been known to be available to the whims of American secret services, courtesy of the patriot act and willing collaboration. The fact that Ed Snowden has brought this to the attention of some of the mainstream press does not create a new situation: if you do not want the American or German government in your communications, buy at least a Cryptophone. The only news is: our politicians are indeed aware of the problem and not willing or powerless to do anything about it.

How does the fingerprint reader of the new iPhone change the equation? I think it does not. First of all, the NSA and the German government already fingerprinted me. The phone will probably not even store a useful photograph of my paws, but a hash over an abstraction of some of the minutiae. Even if the NSA could whisk a scan of my thumb off my home button, it does not learn anything new about me. The NSA, the GCHQ, even the police can already bypass all standard security measures on my phone.

But what about all the obvious security problems? Are we not going to see thieves running around with stolen phones and a necklace of severed fingers to unlock them? (No.) Will kids pwn my phone with sticky tape and a glass I touched last week? (Unlikely.) Is someone going to find a serious flaw in the scanner or the unlock procedure? (Probably.) Update: someone just did; the classic tricks of the CCC seem to work with little modification.

So Apple has turned my finger into a password. If I loose this password, I cannot change or reset it. This sounds like a terrible idea, no? Actually, I do not think this to be an issue! Should someone steal my iPhone and somehow manage to read out its memory, they won't be able to do much with it. Even for casually unlocking my next iPhone, pressing a string of bits to the home-button won't help them much. Neither will they be able to go for a splurge in the iTunes store, because, well: the fingerprint is not a password. The fingerprint is simply a very specific way of pressing a button on a very specific phone. It won't work on another phone or device, and it won't work well for anybody else.

It is very easy for me to press the phone this way, and very awkward (although probably not impossible, given enough time and resources) for someone else. My co-worker or spouse is not going to read my SMS. A thief won't be able to use the banking app within the time it takes me to remote-disable the phone. The fingerprint reader will not make any application less secure than the flimsy passwords that I have chosen to be entered comfortably on the iPhone's shitty onscreen keyboard.

And no, the fingerprint won't make things easier for the NSA. The NSA has already got all my data on a platter, courtesy of Apple's willingness to comply with crazy American surveillance laws. The fingerprint won't make things easier for the police, because the police already bypasses my phone's security.

You may choose not to get another iPhone because Apple has shown very bad taste and timing in its choice for the headline feature. But you should not concerned about privacy issues that you did not have yesterday already.

One more update: Dustin Kirkland just points out that fingerprints should not be treated as passwords, but as user names. This is a very smart observation. Unlike a password, you cannot change it, and it is easy to obtain and probably already compromised. Like your user name, it is pretty unique. As an advantage to a conventional user name, it is quite difficult to enter for someone who is not you. If you see it as a means of authentication or a key to protect your data and identity, you are in trouble. The fingerprint is a convenient way of telling a device that you mean to use it, and it might keep your four-year old out of your appstore account. But it is not going to protect your sensitive data from a smart or physically threatening attacker.


  1. "First of all, the NSA and the German government already fingerprinted me." isn't a good argument in favor of adding all those whose fingerprints aren't in either database yet.

    Regarding "The phone will probably not even store a useful photograph of my paws, but a hash over an abstraction of some of the minutiae.": I don't know about Apple's implementation, but there are some efficient algorithms out there that capture good level of detail on fairly small storage space, so a hash is not the only option I'd say; s. e.g. The FBI Fingerprint Image Compression Standard

    "The fingerprint reader will not make any application less secure than the flimsy passwords that I have chosen to be entered comfortably on the iPhone's shitty onscreen keyboard." – that's a choice you made though, trading security for convenience, and I wouldn't want that choice taken away from me.

    As a friend pointed out, there's also the aspect that if you get stopped by the police in Germany, you have the right not to tell your password when asked, not though the right to refuse your fingerprint. With the additional effect that if the fingerprint matches the phone, the data on it are then verified as yours rather than only assumed to be yours.

    In the end, obviously, Apple shall do as it likes, I just won't buy their product, but I think you're downplaying the risk.

    1. 1. You are right, there are some people, especially US citizens, who are possibly not fingerprinted yet. However, Europeans have biometric passports now, so the virginity of my fingerprints has been raped into every hole by now.

      2. Indeed, if Apple wants to steal our fingerprints, they can easily do so now. But for recommendation, Apple won't need the images at all, and the abstraction will be mandatory, so I would tend to believe their statements in this regard.

      3. The choice is still yours. You can stick with the 4 digit code for unlock, and choose not to trigger the authentication of your random 32 character Apple ID password by the combination of your specific phone and something that looks like your finger on its home-button.

      My issue with passwords on the phone is that they are snake oil if an attacker can easily subvert the phone or run a man in the middle attack on SSL. Application passwords are now mostly an inconvenience to a serious attacker, not a security device. "Casual" attackers will likely be deterred by the fingerprint reader.

      4. Yes, they can fingerprint you, but they cannot force you to unlock your phone with your fingerprint. Matching a scanned fingerprint to the unlock data in the iPhone is probably possible, but non-trivial. Given that police can already unlock my phone, and phone contracts are not anonymous in Germany, I do not see how a court will accept my denial that the data on the phone is mine.

      5. I am very uncomfortable with the state of affairs wrt privacy of my communication, wheraabouts and stored data. I just do not think that the fingerprint reader will make it worse in any respect.