10 Sep

New iPhone May Have Fingerprint Authentication—Could It Be Hacked?

Biometric identification has been “just around the corner” for years. But today, that really might be the case. Apple is holding a press event at 1 PM Eastern where it’s expected to release a new iPhone. One of the notable features, confirmed by the Wall Street Journal, a historically accurate predictor, is likely to be a fingerprint sensor in the device’s iconic home button. Pressing a finger to the round receptor could trigger a sensor that would verify your print, granting you access to your secured iPhone without requiring a PIN.

It’s a type of biometric identification called verification. In verification, the owner would submit their fingerprint on their iPhone, and the record would be stored on the device. It’s a pretty secure system—no need to send the print over the internet for verification—but like any security system, digital or physical, it’s vulnerable to hacking. Just how hackable is it?

Any system can be hacked, but would an iPhone with fingerprint authentication be particularly vulnerable?

Here’s security expert Bruce Schneier, writing for Wired:

I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone. But, honestly, if some bad guy has your iPhone and your fingerprint, you’ve probably got bigger problems to worry about.

The final problem with biometric systems is the database. If the system is centralized, there will be a large database of biometric information that’s vulnerable to hacking. A system by Apple will almost certainly be local — you authenticate yourself to the phone, not to any network — so there’s no requirement for a centralized fingerprint database.

As I discovered in my reporting on biometrics for NOVA Next, databases are often the weakest point in a biometric identification system. Verification systems like the one rumored in the new iPhone are among the most secure precisely because they have no centralized database:

The technique simply compares a submitted biometric with a reference copy stored on a device like a credit card, which is carried by its owner, [Anil] Jain says. To use it, you would insert your card into a reader and then present your biometric. The reader would compare your submitted biometric with the record on the card. If the two match, the transaction would be approved. It’s just like the signature on the back of your credit card, but less easily faked.

It’s likely that Apple has big plans for fingerprint authentication with the new iPhone, well beyond simply unlocking your phone. For a hint at what’s possible, reread that last sentence quoted above. By adding a fingerprint sensor, Apple just made electronic payments via iPhone a whole lot more secure.

Biometric identification systems have been restricted to specialized niches for years. With the new iPhone, that’s about to change.