Feeds

iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

But is it a decent authentication method? The jury's out...

High performance access to file storage

Apple’s decision to bundle a fingerprint scanner with its newly unveiled iPhone 5s has the potential to become a game-changer for personal device authentication.

But the success of "Touch ID" fingerprint authentication will depend on security as well as reliability, according to market-watchers. The fruits of Apple's acquisition of fingerprint tech firm AuthenTec for $356m last summer are the long awaited arrival of a fingerprint-based authentication system, that only comes in the top-of-the-line iPhone 5S.

The authentication system features a redesigned home button and a metal sensor ring around it. Apple's promotional blurb explains: "[The sensor] uses advanced capacitive touch to take, in essence, a high-resolution image of your fingerprint from the sub-epidermal layers of your skin. It then intelligently analyses this information with a remarkable degree of detail and precision."

The technology will be used to authorise purchases through the Apple store as well as the obvious application of unlocking the device.

Fingerprint authentication has been bundled with laptops for years and has been a feature of handheld computers (such as Pocket PCs) for almost as long. External readers are also readily available. Nonetheless, a new fingerprint reader for iPhone smartphone is likely to spur widespread use of fingerprint readers as authenticators, the argument goes.

Tony Cripps, principal device analyst at market watchers Ovum, noted that "integrated capacitive fingerprint sensor will build legitimacy for the technology in mainstream consumer electronics, although privacy concerns are bound to raise their heads in these newly paranoid times."

Apple's previous security missteps have made security experts cautious about whether it's got its fingerprint recognition technology right at the first attempt.

Dirk Sigurdson, a mobile risk management specialist at vulnerability management and pen testing firm Rapid7, commented: "Apple has on a number of occasions released flawed versions of its passcode lock implementation which allows attackers to bypass lock screen protections.

"With the added complexity of biometric authentication it’s likely that we’ll continue to see vulnerabilities related to these features. It will remain important for companies to monitor iOS vulnerabilities and to implement a method for updating devices when fixes are available."

Biometrics: What's stored on the A7 stays on the A7

Apple is storing biometric information locally on the iPhone in a "secure enclave" on the new A7 chip that, says Cupertino, can only be accessed by the fingerprint sensor itself.

"Fingerprint stays only on the A7, never goes to iCloud, and is encrypted," noted Rik Ferguson, veep of security research at Trend Micro in one of a series of tweets playing down fears over the iPhone 5S's privacy features (examples here and here).

Ferguson slapped down accusations that Apple is somehow fulfilling an NSA request by introducing fingerprint recognition tech on its high-end smartphones.

He said: "Why is a fingerprint sensor on an iPhone such a violation of privacy when laptops have featured them for years and no one even blinked? Giving our fingerprints to Wintel PCs and various border control for years but Apple = NSA? This is crazy."

Paul Henry, security and forensic analyst at security software house Lumension, said that testing is needed to verify Apple's claims that the device offers locked down security for biometric data.

"What we need to know is how good a job did Apple actually do securing the biometric data. They say it’s encrypted and not shared with other applications, but we’ll have to wait and see how it works in practice. We also need to know if it’s a single sign on approach. If a single fingerprint grants access to other services (particularly iCloud), that’s a frightening prospect if Apple hasn’t done a truly expert job at securing that local credential."

High performance access to file storage

More from The Register

next story
Report: Apple seeking to raise iPhone 6 price by a HUNDRED BUCKS
'Well, that 5c experiment didn't go so well – let's try the other direction'
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Nvidia gamers hit trifecta with driver, optimizer, and mobile upgrades
Li'l Shield moves up to Android 4.4.2 KitKat, GameStream comes to notebooks
AMD unveils Godzilla's graphics card – 'the world's fastest, period'
The Radeon R9 295X2: Water-cooled, 5,632 stream processors, 11.5TFLOPS
Sony battery recall as VAIO goes out with a bang, not a whimper
The perils of having Panasonic as a partner
NORKS' own smartmobe pegged as Chinese landfill Android
Fake kit in the hermit kingdom? That's just Kim Jong-un-believable!
Gimme a high S5: Samsung Galaxy S5 puts substance over style
Biometrics and kid-friendly mode in back-to-basics blockbuster
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.