Does missing iPhone 5s fingerprint data pose security threat?

happygeek 0 Tallied Votes 411 Views Share

If my iPhone 5s fingerprint data is walled off from the rest of A7 chip and the rest of iOS 7 in a 'Secure Enclave' and is never accessed by iOS or other apps, as Apple claims, then how come it all vanished when my iPhone crashed and I had to go through the entire fingerprint scan registration process again? Apple is remaining very quiet about it...

As regular readers will be aware, I was quite impressed with the new iPhone 5s which has set new speed records in the smartphone sector. I was, however, less impressed with how quickly it ate my fingerprint data and cast it aside never to be seen again.

Here's the thing, I cover IT security for a living. I've been writing about it, and consulting with companies regarding it, for the past twenty years. I am also a confirmed gadget nut, so when Apple announced it was going to release an iPhone with integrated fingerprint scanner there was no way one wouldn't be in my greasy palm as soon as possible. Sure, I know that fingerprints as a biometric isn't the authentication panacea that some of the more hype-struck media, along with the Apple marketing department itself, might lead us to believe. Some 'threats' to the integrity of fingerprint access technology are more credible than others, but even the likes of the Chaos Computer Club fingerprint cloning demo are in the realm of James Bond rather than posing any real threat to ordinary users. And it is ordinary users for whom the addition of the fingerprint scanner is such a security boost. Many of them, you see, simply don't bother with a PIN to unlock the iPhone as it takes too long to enter. They certainly don't bother, as I do, to change the default PIN entry to a much more secure passphrase. But they are much more likely to use the fingerprint scanner as once set up it adds nothing to the start up time of the handset; the simple act of your thumb being on the home button (which doubles up as the fingerprint scanner) is all that is required to authenticate identity, seamlessly and speedily. That, my friends, is what is known in security circles as A Good Thing.

What is not a good thing is when all of a sudden that fingerprint scanner appears to stop working. Which is what happened to me recently. My iPhone 5s was running the latest patched iOS 7 install, and was also running a large number of apps in the background as I had forgotten to dismiss them all. The primary app running in the foreground, however, was the BBC iPlayer which was happily streaming a radio show when it froze. Not only did the app stop working, but the iPhone refused to respond to any touch input. The home button became unresponsive and the device would not switch off. I resorted to the 'long hold' of the power button and eventually, but without the usual 'slide to power down' message, it shut off. Equally eventually, it let me power back on. After a power down, as a security measure, you have to enter your PIN or passcode rather than let your fingerprint do the work. So it was only when I went into standby mode and then tried to use the iPhone again that I discovered the fingerprint reader wasn't working, I had to enter my passcode every time.

A little bit of investigation of the device configuration options soon revealed that the scanner was actually OK, what was missing was my previously scanned and stored fingerprint data. I had registered both thumbs and the index finger I primarily use to poke at the screen with. All had vanished and were no longer recognised. I had to go through the fingerprint registration process again to get things working properly.

You might put this down to one of those things, and just a minor inconvenience. However, as this fingerprint data is used for authentication purposes and has a security impact, I am unable to simply write it off as anything of the sort. I imagine that there was a memory usage issue which caused iOS 7 to barf in the first place, but as Apple has been at pains to point out that the mathematical representation of your fingerprint is encrypted and stored in a 'secure enclave' of the A7 chip which is "walled off from the rest of A7 and as well as the rest of iOS" and "Therefore, your fingerprint data is never accessed by iOS or other apps" it worries me that a crash could corrupt it or delete it at all. If that's the case, then how come the fingerprint data could be impacted by a crash? This sounds like a bug with some security implications to me, something that someone might be able to exploit for nefarious purposes perhaps?

I have, of course, contacted Apple to ask for an explanation as to what could have caused this to happen and if it has happened to others, and whether it might reflect a security risk. Unfortunately, as any journalist who isn't on the select list of those few that Apple will talk to will confirm, getting any response from Apple is akin to a blood and stone situation. Such has been the case here, a deadly silence and nothing else.

If Apple does bother to get back to me, I will be sure to pass on the response. In the meantime, I would be interested to know if any other iPhone 5s users have experienced a similar total deletion of fingerprint data and under what circumstances.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Just to clarify, as I have been asked already how deleted data can be a security threat (it can, it's the method of deletion that it is the weakness) I am concerned that in this case the data was lost when the device crashed, yet it is meant to be totally isolated from the system for security reasons - if it is not totally isolated, and this event appears to suggest that might be the case, then it opens the door to the possibility of other access...

BigPaw 17 Master Poster

Finger print recognition is generally more of a convenience than an increased security feature. You can't forget your finger(s) and you can't lose your finger(s) in the same way you could lose a swipe card. But, at the end of the day, it's all just software, digital data. It would be naive to assume that any of this is impenetrable.

The good thing about the above report is that the data identifying your fingerprint was lost. I would rather have someone capture my password over something I cannot change, a piece of me.

Computer security is a contradiction in terms, a myth.

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

The worrying thing remains, that the secure enclave on the A7 chip may not be as secure as Apple has made out...

Chris_17 0 Newbie Poster

Very interesting. I've been thinking about the potential for Apple to introduce Touch ID as a means for login authentication for websites or apps, in the vein of Google and Facebook Connect. I definitely see the aforementioned scenario with the lost data being a major issue if Apple attempted to implement such a service.

Kelly Burby 44 Posting Pro

well as far as i am concerned i tried to use it and found it not very accurate so i am switching back password lock !

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

I am actually not buying a new iPad until Apple adds TouchID, that's how much I like it. I actually find myself trying to access my iPad 2 using my left thumb on the home button :)

Seriously though, I'm surprised it's inaccurate for you; I've scanned both thumbs and a an index finger and all three were registered OK and are recognised under all circumstances in a flash.

Kelly Burby 44 Posting Pro

I don't know !! i think there is a problem with my device or something ???

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Maybe there is something wrong with your fingers? ;-)

sebastianedu -2 Light Poster

As you have told your fingur print reconization failed , it may be your data has been loosed by the memory whihc is stored in the recored , you have need to contact your iphone custmer care .
Thanks .

Kelly Burby 44 Posting Pro

@happygeek now that is very funny !!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.