Touch ID: Net Benefit or Net Loss?

min read

Guest Blogger: Joshua Wright, @joswr1ght

Figure 1: Touch ID in Action. Source: Apple

With the introduction of the iPhone 5S, Apple debuted Touch ID, an integrated fingerprint authentication system used for unlocking the iPhone, and for authorizing purchases in iTunes and the App Store. While Apple is not the first vendor to introduce fingerprint recognition in a smartphone, it is very likely that the iPhone will be many users' first exposure to biometric authentication.

Shortly after the introduction of Touch ID, the Chaos Computing Club (CCC) publicly demonstrated that the system can be tricked through the use of spoofed fingerprints using latex or wood glue, processed from latent prints. This attack requires some sophistication, but is easily accessible to anyone familiar with watching YouTube videos carefully, with access to commodity electronics and less than $100 to spend on specialty equipment.

Recognizing that Touch ID can be bypassed, it's reasonable to wonder about the benefit overall: should we use Touch ID for protecting our iOS devices?

The answer is complex: it depends.

Phil Schiller: Statistician

At the Apple Special Event on September 10, 2013, Apple Senior VP of Worldwide Marketing Phil Schiller revealed some interesting information about smartphone use:

"In fact, in our research, about half of smartphone customers do not set up a passcode on the device. And they really, really should." Phil Schiller, Apple.

Schiller doesn't elaborate on this statistic any further, including whether Apple's research includes passcode use on Android phones, but it remains a valuable statistic.

If you are one of the 50% of users who do not use a passcode…you really, really should.

Is Touch ID a net benefit for those users who do not have a passcode on their device? Yes, most definitely. Touch ID is simple and reliable enough for even the toughest hold-outs who have long refused to delay their smartphone use by the 3 seconds needed to enter a 4-digit passcode. With Touch ID turned on, the same holdouts even have an opportunity to make iOS purchases even faster by authorizing with their fingerprint instead of their Apple ID.

Device and Apple ID Authentication Integration

For the first time, Apple has integrated device authentication (traditionally a 4-digit PIN, or a longer passcode) with the Apple ID credentials used for iTunes, the App Store, and in-app purchases. From an attacker perspective, one credential (your fingerprint) is now enough to unlock the device, and make purchases against the credit card information associated with the victim's Apple ID. It's not hard to envision future revisions to iOS where the Touch ID credential is sufficient to access iCloud data as well, potentially exposing more than just the data on the lost device.

Yes, this is a potential detriment to security compared to the 2nd authentication password needed for Apple ID (which Apple requires to be at least 8 characters long, with a mix of lower case, upper case, and numeric characters). Anytime you remove an authentication layer from the system, and rely on previous credentials for access to subsequent systems, we reduce the effective security of the system.

Practically however, the Touch ID attack demonstrated by CCC is more complex to pull off than the typical motivation of a criminal looking to download the latest Lady Gaga album for free. Using Touch ID to simplify purchases on iOS enhances the platform usability while removing a complexity obstacle that helps Apple's bottom line ("What is my Apple ID password again? Bah, I didn't want that episode of Keeping Up With the Kardashians anyway"). It is unlikely that everyday muggers are going to use forensic fingerprint gathering techniques for iTunes theft. Also, at least in the US, consumers are not liable for purchases made by stolen credit card numbers (whether the legal system considers Touch ID bypass as a "stolen credit card" remains to be seen), adding another countermeasure to defend against malicious use of fingerprint data.

Enterprise Use and Hard Questions

Most Apple iOS users will benefit from Touch ID without significant negative detriment to the security of the platform over a standard 4-digit passcode. However, when we consider the iOS use cases for enterprise users (read: people who have valuable data on their iOS devices), the situation becomes murky.

Before Touch ID, enterprise users would use a 4-digit or more complex passcode to protect the iOS device. With Touch ID, enterprise users have the choice of using a passcode, or a passcode and Touch ID. Apple does not allow for the use of Touch ID without a backup passcode (a wise choice), thereby increasing the potential attack surface for an adversary who wants to gain access to the stolen iPhone.

When we acknowledge that the introduction of Apple ID increases the attack surface opportunity for an attacker, it automatically becomes a detriment to security. In information security defense, we want to reduce the attack surface exposure, and Touch ID increases the exposure by introducing a 2nd device authentication method. Leveraging the technique described by CCC, it's reasonable that a motivated attacker who steals an iOS device will be able to lift a print, reproduce it, and use it to unlock a device within the 48-hour window imposed by Apple. With a matching fingerprint, the attacker will have sufficient access to backup the iOS device, access data within application sandbox directories using iExplorer or iFunBox, and extract sensitive content from the device, potentially gaining access to other stored passwords on the device as well (while we wait for an iOS 7 jailbreak to become available).

For enterprise organizations that rely on iOS device authentication to protect against data loss following a lost or stolen device, Touch ID may introduce an unnecessary risk. Organizations will need to evaluate their risk to data exposure (taking into consideration other security controls on the platform, such as container-based security applications, or remote-access mechanisms such as Citrix XenMobile), the ability to enforce policy on devices, and the overall risk and exposure of Touch ID.

Final Words

If you are worried about the confidentiality of data that you access from your iOS device, then Touch ID probably isn't for you. However, for a potentially significant number of iOS users, Touch ID is a considerable improvement over poorly-selected passcodes ("0000") and over no passcode at all. When my iPhone 5S finally arrives, I plan on configuring Touch ID in a variety of ways, while resisting the urge to store credit cards, social security numbers, electronic patient healthcare records, and customer data on my phone. In the meantime, I'll keep using my iPhone 5 secured with my 4-digit passcode ("1111"). 

Joshua Wright is a senior instructor for the SANS Institute, the author of the SANS Institute SEC575: Mobile Device Security and Ethical Hacking course, and an information security consultant with Counter Hack Challenges. He hopes to someday have 1/100th the number of Twitter followers as Ryan Seacrest (@joswr1ght).