Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Offers Additional Details on Touch ID, iPhone 5s Won't Store Fingerprint Images

vastoholic said:
Same for me. Former military with security clearances. The government has just about all the information on me that they need already. I'm not too worried about my fingerprint being hacked by the NSA.
Click to expand...
Are you saying that you don't care about every phone call you make being recorded, and every email or text you send is being saved, and every web site you visit is being logged, and everywhere you drive your car it is photographed and stored with the time and location, which is correlated using the GPS in your phone and also in your car? Are you saying you don't care that every purchase you make is logged?

And all this is being done not because you are important, but despite the fact that you are not important.
 
vastoholic said:
Same for me. Former military with security clearances. The government has just about all the information on me that they need already. I'm not too worried about my fingerprint being hacked by the NSA.
Click to expand...

Ex NASA employee with top secret clearance here.

Apparently I'm the only one of us who's had their entire life scrubbed that still understands the difference between background checks for security clearance and possible continuous data and location logging that are tied to a piece of biometric data.

Please stop with this "the government already has my fingerprint" nonsense. It's not about them simply having that one piece of data. It's about the possibility of them tying that absolute unique piece of data to every activity you undertake on your device. After that who knows what the possibilities are.
 
Explanation

mechno said:
It's not called paranoid anymore.

This reply from an Apple spokesperson makes me more nervous, actually, because of its misdirection.
The distinction between a fingerprint and name correlation versus a "fingerprint data" and name correlation seems artificial.

If I get a phone that has this (likely) i will never turn this feature on.
Click to expand...

I'm not sure if you can appreciate the distinction. Let me put it this way... you enter passwords onto websites right? Well, the web site does not (or should not) store the raw password. In fact, it doesn't even store an encrypted version of the password, or at least not one that is reversible. Instead, it stores a "hash"... basically a piece of data that, if the password is passed through an algorithm correctly, will result in the same exact "hash" or key. This authenticates you to that web site.

In the same way, the fingerprint is not stored, just some information to ensure that the fingerprint is the same as a known fingerprint. The image data is discarded and all the analysis information. That just lasts long enough to create a "hash" and then compare to the known values. Depending on how this hash is created (most like one-way, RSA 1024 bit or something like that...) it's impossible to reverse that into a fingerprint or anything that could point back to a user identity. Again, Apple states that none of this touches the cloud or Internet. It's all local to the device, and even further... down not leave the processor.

Compare this to all the passwords you kick around on a daily basis. Your password is being sent in an encrypted method that uses SSL which is inherently bidirectional (aka, it needs to be unencrypted on the other side). While this encryption is really strong and required private keys and such... it's still technically weaker than one-way encryption. Plus you are shipping this across the Internet and need to pray that passwords are encrypted in the database in a secure fashion. Most of the time these are stored as MD5 hash which has proven to be crackable. However, worse yet is you can just Google common MD5 hashes and get the password.

I hope that explains things. Basically this is a very secure way to lock a device. It's completely optional (if you are that scared by it).
 
Porco said:
Dear Apple, I'm sorry because I realise it's not really your fault, but I don't trust that the NSA haven't nobbled you, and nothing you have said so far leads me to… um think different, as it were.
Click to expand...

OK Let's break this down. Let's say the NSA Can demand whatever they want from Apple and Apple has to comply. The ENCRYPTED fingerprint data is only stored on the phone not in an Apple Data Center. So if the NSA forces Apple to provide de-encryption keys for your phone, it only does them any good if they already have your phone in custody. At which point I assume they could get your fingerprint from say.. dusting your phone for fingerprints or making you give them your fingerprint.

Do people just bitch about everything for the sake of bitching these days??
 
rydewnd2 said:
OK Let's break this down. Let's say the NSA Can demand whatever they want from Apple and Apple has to comply. The ENCRYPTED fingerprint data is only stored on the phone not in an Apple Data Center. So if the NSA forces Apple to provide de-encryption keys for your phone, it only does them any good if they already have your phone in custody. At which point I assume they could get your fingerprint from say.. dusting your phone for fingerprints or making you give them your fingerprint.

Do people just bitch about everything for the sake of bitching these days??
Click to expand...

Going with the "I believe everything giant corporations tell us" argument I see. Be careful that one can come back to bite you in the butt.
 
doelcm82 said:
Are you saying that you don't care about every phone call you make being recorded, and every email or text you send is being saved, and every web site you visit is being logged, and everywhere you drive your car it is photographed and stored with the time and location, which is correlated using the GPS in your phone and also in your car? Are you saying you don't care that every purchase you make is logged?

And all this is being done not because you are important, but despite the fact that you are not important.
Click to expand...

So they'd see i'd been googling fart sounds and facebooking all day, texting my girlfriend to remind her to buy TP, sitting at my office, and driving home. Very concerning...

----------
Parise said:
Going with the "I believe everything giant corporations tell us" argument I see. Be careful that one can come back to bite you in the butt.
Click to expand...

Honestly I could give two ***** even if they are lying. I scanned my fingerprint to get into Disney world last summer and didn't give it a second thought.
 
rydewnd2 said:
So they'd see i'd been googling fart sounds and facebooking all day, texting my girlfriend to remind her to buy TP, sitting at my office, and driving home. Very concerning...
Click to expand...

They're not actually "seeing" that. Just collecting it and filing it away, in case it becomes useful later. They're also recording the fact that your girlfriend was not really where she told you she was when she texted you back.
 
Last edited:
Parise said:
Seriously man, a two second google search.

http://m.theatlanticwire.com/nation...knocking-doors-because-google-searches/67864/
Click to expand...

Yup. A two second goole search tells you that it's a bunch of crap.

http://www.slate.com/blogs/the_slat...r_search_was_not_due_to_nsa_surveillance.html

"Seriously man":rolleyes:

----------
gnasher729 said:
There's this well-reported case of a couple where the wife wanted to buy a pressure cooker, while at the same time her husband was interested in buying a backpack, and suddenly they had police in force on their doorstep...
Click to expand...

Wrong. See previous post.
 
At little off topic from the current discussions, but there is one specific issue I have with any fingerprint ID system. If someone knocks you out and then robs you, they can use your fingerprint to unlock the device and turn off auto-lock. Once there, what data do they have access to inside your phone that is protected only by the Touch ID?

For example, can they remove the Touch ID without the passcode as well (my guess is not)? Obviously they can purchase a bunch of stuff on iTunes but I'm not particularly worried about that. Is there any data that can be accessed by the Touch ID alone that a criminal might want?

Also, I wonder if they will create APIs for secure fingerprint access. The iPhone can handle the verification "outside of the app" but send info to the app to permit secure access. If say, 1Password, decides to use such an API to access stored passwords (I'm not saying such an API is available but I imagine that many people will be asking for it at some point), this could be highly problematic.

What I hope to see is for data that needs a high level of protection (e.g. turning off Touch ID, reseting the phone, and other actual data) will be protected by the Touch ID and some passcode/password. For everyday stuff, the Touch ID will suffice (unlocking the phone, iTunes purchases, etc.), but sometimes an additional safeguard will be necessary in situations when a criminal has your phone and access to your fingerprint as well.
 
diegogaja said:
Subtly shape opinion with words like you just did? "Obama NSA"? The NSA has been doing this much longer than Obama has been in office...
Click to expand...

Because the Obama administration lifted the limits on what could be gathered in terms of domestic information. Those are the facts, deal with them.
 
So when you have gloves on this winter

Hmm when it is snowing, raining or just balls cold this winter. Good luck when you have gloves on. Hope you still have the pass code option.
 
gnasher729 said:
If the police has your fingerprints in a database, they they could find you if your fingerprints are found at a crime scene. (On the other hand, I think the infamous Unabomber was found because the police found a fingerprint on a letter that he sent, which was found to belong to an employee at a copy shop where the paper had been purchased, and that led eventually to the bomber. )
Click to expand...

The Unabomber was found because his brother turned him in after recognizing some of the manifesto that the feds eventually published. Without that, he'd likely still be in his little cabin outside of Lincoln, MT.
 
Freida said:
I would have to troll on your post and get banned. Your post is crazy.
If you are so concerned about time lost whilst unlocking the phone then why are you on macrumors chatting about it. I'm sure that lost you way more time.

Facepalm is NOT enough in this case!
Click to expand...

Actually, get some ice ready for your face. That kind of long term "time is money, money is time" thinking is one approach Jobs used to get things done. Imagine if it took an extra minute to start up a MacBook Pro, and every day you turn it on twice, then you'd be losing about 11 hrs or so each year just waiting for it to boot. In the reality distortion field Jobs utilized, imagine if a million people lost 11hrs a year...then that means 11 million hours...just extra time waiting for computer to boot. It's like saving a life.

----------
lilo777 said:
Entering four digit pin takes about a second (and works 100% accurately). That's probably about on par with the sensor when sensor matches your fingerprint quickly. Since the sensor will not be able to match the fingerprint quickly all the time, in some cases it will take longer. On average sensor will probably cost you money.
Click to expand...


But you'll be able to unlock your phone without focusing on it. Imagine how nice this could be, for example, with Siri.
 
lilo777 said:
We'll see about the faster part. The scanner does not add any security because you will still has the pin. If anything, having two ways to unlock the device creates more options for hacking (compared with he single option).
Click to expand...

No it's pin plus fingerprint. If you go 48 hours or restart the phone. You have to finger print scan then pin. So more secure. There is an alternate pass code to use but you can set that as a alphanumeric code.
 
lol...

I dunno weather this is a "given' that Apple admitted this or the fact that they think all of us are dumb.... seriously Apple. :rolleyes:

Why on earth would you even want your finger prints stored on a device ??

I thought this was about "no fingerprints on screen" Now THAT would be something better, but this ?

ok... its equally good to know. I'm just wondering why this is that interesting ? I mean, this IS for security after all, why bother invert the action that "Its secure, but it may be assumed it store's the image"

That's like saying "UAC is secure, but anyone can turn it off" ... Just eliminates the entire purpose. Is Apple trying to tell us that that haven't done this properly ?.

Just by the act of telling us is doesn't sore the image.... I bet you people will try and prove this now...
 
Last edited:
shiseiryu1 said:
For those that don't know, the 4-digit password on the iPhone can be broken in several seconds using hacker tools. There was a Macrumors article on this a year or more ago. Therefore, this fingerprint sensor is WAY better. Much less considering that someone can watch over your shoulder to get your puny 4-digit code.

When I get the phone I'm going to make a very secure alphanumeric password and hopefully never have to use it because I'll block with my finger.

It is too bad that developers won't be able to utilize the fingerprint yet. Seems like a missed opportunity. Maybe there will be an API in iOS 8?...
Click to expand...

Not really mate, after 48 hrs without unlock or reboot of the phone the scanner is bypassed by the pin password.
 
uberman15 said:
At little off topic from the current discussions, but there is one specific issue I have with any fingerprint ID system. If someone knocks you out and then robs you, they can use your fingerprint to unlock the device and turn off auto-lock. Once there, what data do they have access to inside your phone that is protected only by the Touch ID?

For example, can they remove the Touch ID without the passcode as well (my guess is not)? Obviously they can purchase a bunch of stuff on iTunes but I'm not particularly worried about that. Is there any data that can be accessed by the Touch ID alone that a criminal might want?

Also, I wonder if they will create APIs for secure fingerprint access. The iPhone can handle the verification "outside of the app" but send info to the app to permit secure access. If say, 1Password, decides to use such an API to access stored passwords (I'm not saying such an API is available but I imagine that many people will be asking for it at some point), this could be highly problematic.

What I hope to see is for data that needs a high level of protection (e.g. turning off Touch ID, reseting the phone, and other actual data) will be protected by the Touch ID and some passcode/password. For everyday stuff, the Touch ID will suffice (unlocking the phone, iTunes purchases, etc.), but sometimes an additional safeguard will be necessary in situations when a criminal has your phone and access to your fingerprint as well.
Click to expand...

You will tell them your password if your phone doesn't have Touch ID. They will make sure that you tell them. :D
 
My Advice to all the Fingerprint worrying ppl - Dont commit a crime


Security has always been priority to apple - we should all know this by now.

From your Macs to "no folder" system on your iOS devices

We always have an excuse for an Apple Feature - Siri now TouchID

Commit a crime and they gonna be all over your fingerprint which you leave everywhere on your phone and house without the TouchID.

no matter what you think, its still gonna sale like it was given out for free, people love things that makes them feel unique and special - " you cant unlock my iphone without me touching it" - well till after 48 hours
 
BC2009 said:
For those who don't understand cryptographic one-way hashes, they cannot be reversed to produce the original data without a dictionary attack. A dictionary attack in this case would require a collection of actual human fingers or replicas of them to run through Apple's Touch ID to see which cryptographic hashes match the one stored on the device.

Also note, that their is a really really really small chance that two fingerprints will generate the same cryptographic hash. Cryptographic hashes by their very nature have LESS data than the source data for which they are hash. This means that the if the source data has potentially quadrillions of combinations that there may be only billions of values that they hash to (a one to many mapping of hashes to source data). More likely scenario is that your fingerprint hashes to the same value as a fingerprint that does not currently exist on the planet today and may never exist.

edited.
.
Click to expand...

OK, my head hurts. Badly.

Let's assume for brief moment that the US government alone hasn't collected all the USS coins of various denominations (like that movie Enemy of the State suggested) from various sources (banks, parking meters, video games from the arcade days, etc) AMD hasn't collected fingerprints over the last 3 decades alone (just to be modern), and doesn't have a large breadth of dictionary hash available for US citizens to check against.

Is this not possible or already a valid consideration and usable?! Just a curious thought.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back