On The Vulnerability Of TouchID

There has been a lot of media attention given to the teams of researchers who claim to have "hacked" the TouchID fingerprint system that can be used to secure access to an Apple iPhone 5S.    However, these researchers had two unfair advantages:  They knew which finger to use, and they had a perfect fingerprint to use.  In other words, it was a controlled test under controlled conditions that wouldn't be present in the real world.   Here, I examine the actual impact of their discoveries in real-world circumstances.

WHICH FINGER?

Phones are generally stolen while they are being held or used by someone, or left unattended. A study of phone theft in San Francisco bears this out; most are snatch-and-run type robberies, holdups, or thefts of unattended devices.   By reading the descriptions of the crimes, it seems clear that the suspects cannot study how the owner unlocks the phone, either because the owner is not using the phone at the time of the robbery, is using an already-unlocked phone, or is simply not present.   This deprives the thief of the knowledge of which finger must be replicated to successfully bypass TouchID.   The problem, therefore, is expressed as a 1 in 10 chance that a single fingerprint reproduction will be of the correct finger.

LIFTING THE PRINT

The next problem is that a pristine fingerprint must be obtained.  Marc Rogers sums up the difficulties in an article:

First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself. Hold an iPhone in your hand and try the various positions that you would use the phone in. You will notice that the thumb doesn’t often come into full contact with the phone and when it does it’s usually in motion. This means they tend to be smudged. So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.

Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.

And again, this presumes a number of things that are uncertain:

  1. The thief knows which finger to target

  2. That fingerprint exists on the phone

  3. That fingerprint is not smudged

  4. The thief can identify that fingerprint on the iPhone

If any of these points are untrue, the thief either cannot perform the hack, or faces a much more complex problem ("Which fingerprint is it?").

However, let’s assume that in addition to the above, the thief also has the proper skills and equipment (which Rogers states is a “thousand dollars worth of equipment including a high resolution camera and laser printer”).   The thief has only 5 chances to unlock the phone with a correct finger, after which the user’s passcode must be entered - game over.

Further, if the replicated fingerprint fails, it can be for one of two reasons: an unregistered fingerprint (wrong finger), or a reproduction of the right finger that simply did not read.  The thief is not told which case is true, and has wasted one of the five chances.

Next, we must consider that if the iPhone has been stolen, the user can simply go to icloud.com and use "Find My iPhone" to force it to be locked with the passcode, rendering any TouchID hack attempts moot.   Of course, Find My iPhone can no longer be disabled without the iTunes account password, so the only recourse the thief has is to turn on Airplane Mode - essentially meaning that the phone can never connect to the Internet again; because when it does, it will contact Apple and lock itself.   Of course, if Airplane Mode is not enabled, the phone’s location can be tracked by law enforcement.

IS IT FEASIBLE?

Therefore, to steal an iPhone 5s and bypass TouchID in the real world, the thief must overcome the following obstacles:

  1. Steal the phone and not get caught (easy!)

  2. Determine which finger is used to unlock TouchID (not so easy!)

  3. Obtain the fingerprint from the iPhone:

    1. The print must be present

    2. The print must not be smudged (this can happen during the theft!)

    3. The print must be identifiable.  Lifting the ring finger when the pointer is your target is worthless.

  4. The fingerprint must be reproduced and used:

    1. Requires special equipment and skills

    2. Only 5 attempts are possible:

      1. If you try a print, is it an unregistered finger or a failed attempt at a registered one?

      2. If you have 6 or more viable prints to replicate, which do you try?

  5. The owner must not be allowed to lock the phone with the passcode or have law enforcement track the iPhone’s location via Find My iPhone:

    1. The only way to prevent it is to enable airplane mode; but the device cannot connect to the Internet again, even if TouchID is bypassed, since it will passcode lock on connection.

    2. Turn off the phone -- but the passcode is required on bootup

It is very unreasonable to assume that any thief will be lucky enough to surmount all of these obstacles; and the chances of doing this more than once - let alone on a regular basis -  approach zero.

Now, let’s throw in some potential variables:

  1. The phone is in the hands of a friend of the owner.  The friend’s use of the device obliterates all previously viable fingerprints.

  2. The owner is wearing gloves, and is not only not creating prints, but is actually destroying previously created ones.   TouchID works through gloves (and other materials; at least one person read a print through a banana peel).

  3. The owner periodically cleans the screen (on a shirt, perhaps).

Each of these further reduces the chance of obtaining a viable print.

TARGETED ATTACK

The only scenario in which an attack that successfully compromises TouchID could possibly be achieved with any reasonable chance of success is in a targeted attack by someone who:

  1. Watched the victim long enough to establish which finger unlocks the iPhone

  2. Has the ability to stay around the victim long enough to both do so and to steal the device.

One such possibility that immediately springs to mind is in a bar.   Imagine an environment where:

  1. Everyone is consuming alcohol, relaxing, and generally enjoying themselves and is therefore not as on guard against theft as they might be at a bus stop or street corner

  2. Lots of strangers are expected to be around and to hang around

  3. The room is darkened, helping the thief to mask the theft and escape

  4. The victim is holding bottles, cans, or cups that they will willingly surrender when they are finished with them - fingerprints and all

  5. People commonly place their phones on the bar, and perhaps even turn their back on them from time to time

In such circumstances, the thief could reasonably observe the victim unlocking the iPhone with TouchID, note the finger used, and pretty easily obtain an object that the victim doesn’t want and that almost assuredly has good prints.   There are still some considerations:

  1. The surface of the cup/can/bottle must be capable of having viable fingerprints deposited.  Dry, clean surfaces make for more readily lifted fingerprints.  Wet or dirty surfaces, not so much.  Glasses with condensation would be less than ideal.  Note that this does not equal “impossible” or “highly unlikely”.  However, given that you have one chance to lift the print and only 5 chances to test the reproduction, the odds of success, again, drop dramatically.

  2. The thief must transport the fingerprinted object without damaging the prints, which would be difficult to do in an inconspicuous manner.   Anything that rubs the print will smudge it, making the act of surreptitiously concealing it quite difficult.

  3. The owner (and anyone nearby) must remain ignorant of the theft and not use Find My iPhone to lock the phone.

This is a higher-risk scenario for the victim, but not a guarantee of success for the thief.

MITIGATION

So, what can the iPhone 5s owner do to decrease the likelihood of theft, TouchID compromise, or passcode recovery and increase the chances that the phone can be recovered?

  1. Enable Find My iPhone.   Anyone who doesn’t have this enabled is asking for trouble.

  2. Be situationally aware.  Don’t let anyone watch you unlock your phone if you can avoid it, or use the passcode unlock in a manner where no one can see the screen.

  3. Clean the screen often, even if this means simply rubbing it on your shirt to smear existing fingerprints.

  4. Set your phone to require your passcode immediately.  If you are in a higher theft risk environment, lock your iPhone by pressing the power switch on the top.

  5. If you discover that your phone is missing, immediately go to icloud.com and enable "Lost Mode" under Find My iPhone, locking it with your passcode.  Enable the sound alert, which may help you discover where the phone is if it is within earshot.  If it appears to have been stolen, track the location and provide it to the authorities.

Remember that a thief can still steal your phone, turn it off, and sell it to an unsuspecting buyer, which still represents a potential reason to steal it.   Hopefully once those potential buyers become aware of the anti-theft protections in iOS 7, they will require proof that the phone can be activated again.

WHAT APPLE CAN DO

One very simple change to TouchID that Apple could make easily in software to dramatically increase the chances that a real-world attack would fail would be to require two fingerprints to be presented in a specific order.    This would yield 90 possible combinations (10^2-10) of two-finger ordered combinations - far greater than the 5 chances permitted to unlock the device - and dramatically decrease the chances of success with both finger identification and fingerprint recovery.   The added time to unlock the iPhone is likely still less than that required to enter the passcode, yet offers much more inherent security.

Alternatively, Apple could display a matrix of small icons, one of which is the user’s chosen icon, and which changes position every time it is displayed.  The fingerprint plus the correctly selected image would unlock the phone, and each incorrect fingerprint OR selected image would count towards the five possible incorrect guesses.   Having an unfixed pattern of icon placement would ensure that each position was selected periodically, eliminating the possibility of observing the placement of fingerprints and determining the correct icon.
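To make the arithmetic concrete, here is an added example (not from the original post) that models the thief's odds under the five-attempt limit discussed earlier and under the two-finger ordered scheme proposed above. The model is my assumption: the thief tries each lifted print once in random order, a reproduction of the right finger reads correctly with some `read_rate`, and a failed read is indistinguishable from a wrong finger, so that attempt is wasted.

```python
from math import comb, perm

ATTEMPTS = 5  # five failed TouchID attempts and the passcode is required (the limit the article describes)


def hypergeom(population, successes, draws, k):
    """P(exactly k enrolled prints among `draws` distinct candidate prints tried)."""
    return comb(successes, k) * comb(population - successes, draws - k) / comb(population, draws)


def single_finger_odds(candidates, enrolled=1, read_rate=1.0, attempts=ATTEMPTS):
    """Chance of unlocking single-finger TouchID within the attempt limit.

    candidates: distinct usable prints the thief has lifted (10 = every finger
                lifted perfectly but the correct one unknown; 1 = finger known)
    enrolled:   how many of those candidates are actually registered
    read_rate:  assumed probability that a reproduction of a registered finger
                reads as that finger; a failed read looks exactly like a wrong
                finger, so the thief moves on and the attempt is wasted
    """
    if candidates == 0:
        return 0.0
    draws = min(attempts, candidates)  # each candidate print gets one try
    # the thief fails only if every enrolled print that gets tried fails to read
    return 1.0 - sum(
        hypergeom(candidates, enrolled, draws, k) * (1.0 - read_rate) ** k
        for k in range(min(enrolled, draws) + 1)
    )


def ordered_sequence_odds(candidates, length=2, read_rate=1.0, attempts=ATTEMPTS):
    """Chance of unlocking if TouchID required `length` fingers in a fixed order
    (the two-finger proposal is length=2). Assumes exactly one enrolled sequence
    whose fingers are all among the thief's candidate prints."""
    if candidates < length:
        return 0.0
    sequences = perm(candidates, length)  # 10 fingers, length 2 -> 90 orderings
    draws = min(attempts, sequences)
    # every print in the sequence must read correctly on its single try
    return draws / sequences * read_rate ** length


if __name__ == "__main__":
    for cands, rate in ((10, 1.0), (10, 0.5), (3, 0.5), (1, 0.5)):
        print(f"{cands:2d} candidate prints, read rate {rate:.1f}: "
              f"single finger {single_finger_odds(cands, read_rate=rate):.3f}, "
              f"two fingers ordered {ordered_sequence_odds(cands, read_rate=rate):.3f}")
```

Lowering `read_rate` or the number of usable candidate prints is what moves the single-finger figure towards the article's "essentially zero"; the ordered two-finger variant caps the odds at 5/90 even for a thief holding perfect prints of all ten fingers.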

CONCLUSION

The chances of a thief successfully bypassing TouchID on an iPhone 5s stolen at random in a snatch-and-run type theft are essentially zero.   There are simply too many obstacles to overcome to make it even remotely possible; and that small chance of success requires a certain degree of luck, all of which must be weighed against the odds of being caught.   It’s simply not worth it.

A targeted attack has a greater chance of success, but requires both the right environment, a victim who is not protecting the phone, and the ability to recover the right fingerprint.   This is far from a certainty, and again, entails risk and an investment of time for potentially no reward.

For these reasons, I believe that TouchID is secure enough for the real world, and is nowhere near easily defeated outside of a controlled experimental environment such as those that have been demonstrated thus far.  Further, Apple can augment the security of TouchID in easily achievable ways to bring the level of security high enough to make even a controlled-environment attack infeasible.