Much has been written already about the new iPhones and the iOS 7 operating system. Some people are underwhelmed by the OS ("Apple is just stealing ideas from Android now!") and disappointed by the iPhone 5C ("Apple still isn't making cheap phones!"). For us security geeks, though, the big news is in the iPhone 5S's fingerprint scanner. It has also drawn its share of negative reactions, with privacy folks screaming bloody murder ("Big Brother is here!"). I am not insensitive to privacy concerns, but I think that is an overreaction, and there's a lot about this fingerprint scanner that I really like.
The fact is, I've been hoping for a fingerprint-based passcode mechanism on the iPhone for a long time now, so I'm ecstatic that it's finally arrived. Not that there aren't some potential pitfalls. But let's start with the basics.
The home button of the iPhone 5S is a fingerprint sensor, called Touch ID, that reads the user's fingerprint and uses that to unlock the device. We're told that Apple will also use Touch ID for verifying iTunes purchases, but that's just scratching the surface of what's possible.
All older iPhones, and the new 5C, can be locked with a passcode, with the default being a four-digit PIN. (Those individuals and companies that are more conscious of security matters can opt for a complex passcode and go well beyond four digits.)
Now, even a four-digit passcode is better than nothing, but there is a problem with the way Apple implements the passcode system: For several iOS versions now, the user's passcode, along with a device's unique hardware identifier, is used as a base when generating certain encryption keys. These keys include the ones that Apple uses for its DataProtection API and for protecting data in the device's keychain. Someone who gains physical possession of your device could compromise it quite easily if you use no passcode or only a four-digit passcode. And if your simple passcode is compromised, the bad guy gets more than just an unlocked phone; he has access to your encrypted files. So, yeah, a security geek like me is going to be excited by Touch ID. It's a big deal that the default passcode has gone form a four-digit PIN to the user's own fingerprint.
Ah, but what about the privacy implications? An iPhone that unlocks to your fingerprint has to store your fingerprint so it can make a match, right? True enough, and I'm not privy to how Apple is implementing the technology. I want to dive into that and find out more about it, but what I know about how Apple operates in other areas tells me that it is not about to store fingerprint images on Touch ID-protected devices without applying a strong hashing algorithm. I don't think it would do that any more than it would store a passcode in plain text. So my best guess is that hashed data is used to authenticate a scanned finger as a one-way function. An attacker could not derive a fingerprint from the hashed data.
But I do have a concern, brought to my attention by people in law enforcement. A passcode is something you know, and an argument can be made that law enforcement can't compel you to reveal that. But consider a situation where officers have a warrant to search your home. If a room is locked, they can conceivably compel you to provide the key, which is something that you have. Well, a fingerprint is really something that you are. Can you be compelled to present your finger to unlock your phone? It's possible, and I'm sure the question will be heading to a court sometime not too far down the road.
The best thing to do if you are worried about anything like that happening is to use both a fingerprint and a passcode, and I hope Apple will enable that. Not everyone is going to want to do that, since it pretty much kills the simplicity of using a fingerprint. It should be an option, nonetheless.
Another complaint about Touch ID is that Apple hasn't opened up a general purpose API for external software developers to use in their own apps. That's a valid criticism, but these are early days. I hope that this is just the first step toward great things to come, and I would not be surprised to see Apple make a Touch ID API available in future releases.
But just because Touch ID has shortcomings does not lessen its importance. I believe that this first fingerprint scanner for a smartphone could herald a big leap forward in data security for mobile devices. I'd like to think that Touch ID will be the catalyst for highly trustworthy data storage on mobile devices, making them safer for things like mobile banking, payments and medical records.
I will be doing more evaluation of Touch ID, but at this point, it looks as if I may be able for the first time to recommend Apple's data protection mechanisms to my business clients. Until now, serious business applications have needed more security than Apple could provide. Here's hoping that we're about to see that change.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.