Despite touting security, iPhone 5S scanner raises concerns

Another year, another iPhone – well, two. The build up to Apple’s flagship launch o’ the year was typical in its pre-event hype, but as the expected fingerprint scanner in the 5S was made official, some eyebrows were raised from usually enthusiastic corners of the Apple-rabid press. With privacy such a hot topic at the moment, what are the experts saying about the iPhone 5S?

Apple promises its fingerprint identification system is basically uncrackable and that the peaks and contours of your index finger will remain yours. But criticisms have been launched from every angle – with one pundit claiming thieves may even mutilate their victims to gain access to their phones.

Carrying around a victim’s finger in your pocket probably isn’t appealing to the most vicious of muggers, but it alarmed Marc Rogers from mobile security company Lookout.

“Thieves in some regions have worked out that you can force a victim to unlock a secured device, and in some extreme cases have also mutilated victims in order to steal their equipment,” Rogers said. “Fingerprints can be a useful addition to security but their value depends highly on the type of fingerprint reader and how it is being used – for example, the best use of a fingerprint is to provide a convenient way to unlock something in a medium to low security scenario”.

The Free Software Foundation, meanwhile, flagged Apple’s familiar walled garden of delights as a threat to digital freedoms.

Executive director John Sullivan said Apple has provided new hardware with the “same old restrictions”, letting customers use only Apple approved software. This will put user data, privacy, and freedom of expression in the hands of Cupertino, where operations “are secret and demonstrably untrustworthy”.

“We can’t imagine a more hostile reaction to the wave of privacy concerns sweeping the world right now than debuting a proprietary, network-accessible fingerprint scanner as your new ‘feature’”, Sullivan said.

Perhaps it’s not surprising the FSF took such a hostile view of the latest of Apple’s trademark gimmicks. For some time, Apple has been trying to win over its fanbase with this or that ‘feature’ – first with the iPhone 4’s charming rubber band that promised to fix its reception problems, then with Siri, then with a mapping system that told users to drive into lakes, for example.

With the Snowden revelations reverberating around the planet, the tinfoil-hatted conspiracy folk will be joined by reasonably privacy-concerned citizens in wondering just what could be done with data gleaned from biometric scanning.

After all, what we know is that security agencies in the United States had actively been leaning on American tech companies to install back doors and even had a significant say in encryption standards.

Privacy speculation notwithstanding, vulnerability management company Rapid7 said that, overall, the built-in fingerprint sensor should improve security for iOS devices.

But Rapid7’s Dirk Sigurdson warns: “Apple has on a number of occasions released flawed versions of its passcode lock implementation which allows attackers to bypass lock screen protections”.

“With the added complexity of biometric authentication it’s likely that we will continue to see vulnerabilities related to these features,” Sigurdson said. “It will remain important for companies to monitor iOS vulnerabilities”.

Speaking with TechEye, Sigurdson said Apple has gone to great lengths to publicly tout the device’s security, with the fingerprint data cryptographically stored internal to the A7 chip, with only the Touch ID module able to access it. “Apple’s reputation would be greatly harmed if it intentionally gained access to and shared this information,” Sigurdson said.

Arxan Technologies’ Vince Arneja, vice president of product management, said the fingerprint scanner certainly can represent an advance in personal device security. But users should understand security does not begin and end on the device itself, and there are serious concerns about application layer protections from reverse engineering or other intrusive attacks.

“We analysed the top banking applications on both Android and iPhone and found that all of them are vulnerable to these emerging hacker attacks and insertion of malware exploits,” Arneja said, “meaning cyber criminals can take a legitimate app, crack it open and insert malicious code, then repackage and redistribute”.

Like it or lump it, Apple could well be a driving force behind the fingerprint as a payment method, according to analyst house CCS Insight.

Ben Woods, chief of research, CCS, expects Apple to open its touch APIs to partners like banks and PayPal, as an alternative authentication method, provided the take-up is far-reaching enough.

“Apple has over 575 million iTunes accounts with associated credit cards,” Woods said.

“Touch ID could easily be used as a way of facilitating micropayments for online and physical retailing,” Woods said. Better watch those fingers.