If my iPhone 5s fingerprint data is walled off from the rest of A7 chip and the rest of iOS 7 in a 'Secure Enclave' and is never accessed by iOS or other apps, as Apple claims, then how come it all vanished when my iPhone crashed and I had to go through the entire fingerprint scan registration process again? Apple is remaining very quiet about it...
As regular readers will be aware, I was quite impressed with the new iPhone 5s which has set new speed records in the smartphone sector. I was, however, less impressed with how quickly it ate my fingerprint data and cast it aside never to be seen again.
Here's the thing, I cover IT security for a living. I've been writing about it, and consulting with companies regarding it, for the past twenty years. I am also a confirmed gadget nut, so when Apple announced it was going to release an iPhone with integrated fingerprint scanner there was no way one wouldn't be in my greasy palm as soon as possible. Sure, I know that fingerprints as a biometric isn't the authentication panacea that some of the more hype-struck media, along with the Apple marketing department itself, might lead us to believe. Some 'threats' to the integrity of fingerprint access technology are more credible than others, but even the likes of the Chaos Computer Club fingerprint cloning demo are in the realm of James Bond rather than posing any real threat to ordinary users. And it is ordinary users for whom the addition of the fingerprint scanner is such a security boost. Many of them, you see, simply don't bother with a PIN to unlock the iPhone as it takes too long to enter. They certainly don't bother, as I do, to change the default PIN entry to a much more secure passphrase. But they are much more likely to use the fingerprint scanner as once set up it adds nothing to the start up time of the handset; the simple act of your thumb being on the home button (which doubles up as the fingerprint scanner) is all that is required to authenticate identity, seamlessly and speedily. That, my friends, is what is known in security circles as A Good Thing.
What is not a good thing is when all of a sudden that fingerprint scanner appears to stop working. Which is what happened to me recently. My iPhone 5s was running the latest patched iOS 7 install, and was also running a large number of apps in the background as I had forgotten to dismiss them all. The primary app running in the foreground, however, was the BBC iPlayer which was happily streaming a radio show when it froze. Not only did the app stop working, but the iPhone refused to respond to any touch input. The home button became unresponsive and the device would not switch off. I resorted to the 'long hold' of the power button and eventually, but without the usual 'slide to power down' message, it shut off. Equally eventually, it let me power back on. After a power down, as a security measure, you have to enter your PIN or passcode rather than let your fingerprint do the work. So it was only when I went into standby mode and then tried to use the iPhone again that I discovered the fingerprint reader wasn't working, I had to enter my passcode every time.
A little bit of investigation of the device configuration options soon revealed that the scanner was actually OK, what was missing was my previously scanned and stored fingerprint data. I had registered both thumbs and the index finger I primarily use to poke at the screen with. All had vanished and were no longer recognised. I had to go through the fingerprint registration process again to get things working properly.
You might put this down to one of those things, and just a minor inconvenience. However, as this fingerprint data is used for authentication purposes and has a security impact, I am unable to simply write it off as anything of the sort. I imagine that there was a memory usage issue which caused iOS 7 to barf in the first place, but as Apple has been at pains to point out that the mathematical representation of your fingerprint is encrypted and stored in a 'secure enclave' of the A7 chip which is "walled off from the rest of A7 and as well as the rest of iOS" and "Therefore, your fingerprint data is never accessed by iOS or other apps" it worries me that a crash could corrupt it or delete it at all. If that's the case, then how come the fingerprint data could be impacted by a crash? This sounds like a bug with some security implications to me, something that someone might be able to exploit for nefarious purposes perhaps?
I have, of course, contacted Apple to ask for an explanation as to what could have caused this to happen and if it has happened to others, and whether it might reflect a security risk. Unfortunately, as any journalist who isn't on the select list of those few that Apple will talk to will confirm, getting any response from Apple is akin to a blood and stone situation. Such has been the case here, a deadly silence and nothing else.
If Apple does bother to get back to me, I will be sure to pass on the response. In the meantime, I would be interested to know if any other iPhone 5s users have experienced a similar total deletion of fingerprint data and under what circumstances.
