Although yet to be confirmed, the Chaos Computer Club have been able to circumvent the fingerprint reader on an iPhone.
Big Deal. Big Hoopy Doo Deal. Golf Claps for the Kleva Kids.
Let me explain. The idea of retina or fingerprint scanning for any serious security application has long been discredited, but not for the reasons that most people expect.
The single biggest problem is repudiation. In security, you must assume that any security measure will be circumvented in time. Therefore the security must be able to be replaced or upgraded with a new technique that moves ahead of current security.
Biometric security like fingerprint or retinal scanners relies on something that CANNOT BE CHANGED and therefore is not suitable for any real security application.
All this movie-style stuff about cutting off fingers or removing makes great comic book stories but in the real world biometric scanning can only be used for low security applications. It can also be useful in combination with other authentication methods to achieve an acceptable level of validation for an individual.
Example: Biometric locks on doors inside a building can be practical for tracking and access control if the user is already validated at entrance with a stronger technique like ID card swipe, password and photo (as is commonly used in data centres).
Real Security Benefits
There are practical security benefits from a fingerprint scanner in a phone. Most people don’t like using PINs, and thumbprints are a significant security improvement compared to PINs. The screen picks up marks that show the pattern, and a toy robot can be programmed to press PINs until it eventually gets the number right.
And with a universal authentication method, Apple can now enforce PIN locking as a default and can make it much less desirable to steal iPhones on the street.
To lock or erase your phone or tablet, go to iCloud.com on your computer and sign in with your Apple ID and password. Once logged in, select Find My iPhone, then select Devices and select your device. Find My iPhone will track down your device’s location, and it will give you the option to play a sound (useful if you lost your phone in the couch cushions), put your phone into “lost mode” (which lets you protect your phone with a PIN and put a message on the lock screen), or to erase your device completely, which puts it in Activation Lock mode. Techhive.com
Once your iOS device is locked it is much harder to clear it for resale:
The second — and most important — strike is that the device cannot be erased without entering the owner’s Apple ID password, preventing a thief from resetting a stolen iPhone to factory defaults before reselling it. Of course, if your iPhone lacks a passcode, it would still be somewhat usable, which isn’t ideal, but as long as it can reach a network, it continues to update its location. And, of course, you can opt to wipe it remotely. Even if the iPhone was off when the erase feature was invoked, the iPhone erases itself the instant it establishes any sort of network connection.
Compared to alternatives, a thumbprint scanner is a practical step forward in increasing security. It’s not perfect but it is perfect (for the time being) for mass market use where millions of devices are deployed to an audience that has very limited security training or expertise.
If you are delivering security to “my grandma” you have to keep it simple. So don’t take the CCC claims too seriously either.
So the CCC have done the obvious security breach but the world doesn’t need a media-induced panic attack. Security is better today than it was yesterday and that is the important point here.