Posted by Grant Bowen at 11:00 AM
The iPhone 5S, released to the public this past Friday, September 20th, ushers in a new era of smart phone security – it can be unlocked using just a fingerprint. By pressing a finger to the home button, iPhone 5S users will be able to access their phone without having to swipe an unlock button, or set up, remember and enter a password as previously required. Furthermore, users will be able to log into their personal Apple iCloud and iTunes accounts in order to purchase apps, music, and videos.
However, this innovation, dubbed “Touch ID”, brings not only opportunities for convenience but also questions of security. Unlike passwords that are memorized and frequently changed, biometric data, which connects people at the most intimate level to their information, never changes. If a hacker were to get hold of biometric data (a fingerprint, retina scan, or facial recognition information), the results could be devastating. These are key markers used in surveillance, passports, and now smart phones and laptops across the world. And because they cannot be altered like a traditional password, once compromised, there is no chance for a user to recover. Essentially, hackers may have the opportunity to steal a user’s actual personage – not just the numbers, codes and passwords that currently make up a person’s “identity”.
Apple claims to have an answer to this, though: storing the information solely on the device itself in mathematical algorithms, rather than in a centralized server or cloud. When a user presses their finger to the circular glass pane embedded in the home button, tiny plates contact and close a circuit, generating current. The software then reads the energy of each cell and stores it in the phone’s encrypted microprocessor. Additionally, because Apple currently allows the fingerprint to unlock only the phone and access a user’s iTunes account, security risks at launch are minimal.
However, IT experts are not convinced this evades the threat of cyber-attackers. The issue at the core of the security threat is simple: users do not control what their applications do with the information put into them. So, as Apple begins to open the fingerprint scanner to app developers, it is simultaneously opening the door to millions of security threats for every iPhone 5S owner. Once users start to log into these apps with their fingerprints, they could be allowing developers to access the fingerprint information stored on the device. And what these developers do with the biometric data they collect is out of the users’ hands – it could be collected and sold to marketing agencies, social networking sites, or even the National Security Administration.
Additionally, there is a threat of fingerprints being lifted off of any surface, reproduced and then used to unlock the phone, allowing access to private user data stored on the phone. In fact, there is already a $2200 bounty for the first person to post uncontroverted evidence of a successful Touch ID security breach using this method.
It is inevitable that someone will figure out a way to either collect biometric data through app use, or hack past the fingerprint scanner on the iPhone 5S. And the unfortunate truth is that there are many companies and individuals across the world that would invest large amounts of time and money in order to do so. By controlling what could be the “ultimate” password, companies may be able to create databases of individuals using their services, link fingerprints to IP addresses, or intimately track their clients and employees. Worse, identity thieves could potentially hack personages, rather than just the numbers and codes we rely on to define our “identities” now. If there is one certainty with the release of Apple’s iPhone 5S, it’s this: starting on September 20th, millions of people across the globe will confront new biometric security threats.