Useable Security tales, part the 23rd: TouchID spoof still smells in the realm of the fantastic

Saw the latest video proof of the possibility of spoofing the iPhone 5S TouchID sensor with a fingerprint replica ‘recovered’ from the iPhone.  Yes, the “proof” is in the video, and congrats to the CCC, who have demonstrated their mastery of fingerprint recovery over the decades.  But I think we should remember to think critically about this laboratory demonstration, and what it does and doesn’t demonstrate.  I’m going to focus simply on the first step, the capture of a viable fingerprint from the phone itself.

In a word, trivial – under what real-world (not Hollywood) scenario will you be finding such a (a) clean phone, (b) just logged in via passcode, and (c) captured in a state where that fingerprint hasn’t been smudged?

I don’t know about you, but in my experience this is quite a unique usage model:

(a) Take a clean iPhone screen (no previous smudges, swipes or smears on the screen to muddy up the about-to-be-captured fingerprint)

(b) Login via passcode on a 5S where TouchID has already been enrolled (i.e. this phone hasn’t been unlocked in 48 hours, or it’s only *just* been rebooted and not yet unlocked)

(c) Grab the phone *immediately* afterwards (before the user has a chance to touch, swipe and pinch the crap out of that “perfect” fingerprint image)

(d) Make sure you don’t touch the screen before you capture a hi-res scan of the fingerprint image (i.e. don’t grab it too heavily as a running thief might, and definitely don’t throw it in a bag or pocket as you run away)

When will I be unlocking my 5S with a passcode?  Statistically speaking, most likely in one of the two locations where I use it most: at home, or at work.  Is it likely a thief is waiting behind the credenza for me there?  With an adult diaper and a bag of snacks (as he waits for that perfect moment to bonk me on the head)?

I’m also pretty likely to continue to use the phone – I don’t know too many people who unlock the phone and then leave it aside.  So I’m very likely to pinch, swipe and tap all over that screen, given all the apps, locations and usage models I and many users have.

Finally, are we relying on a threat scenario where the thief happens to have a forensic evidence-quality bag to drop the phone into…and is he wearing rubber gloves?  If Benson, Stabler or Grissom wanted to grab my phone, I’m pretty sure they’ve got other ways to get at the secrets that I happen to have stored on my phone.

Are we really accepting that this is a realistic enough scenario to warrant all the fear against a significant advancement in consumer security technologies?  Yes the industry can do better, but I hope we’re not letting perfect be the enemy of good – I’d hate to see anyone’s next business ventures all be judged on that model (and still derive the massive profits we’re all in search of).
