I don't get why people get so uptight about NSA. It's there to protect you. If you aren't doing anything wrong then they have no reason to snoop on your data. Simple.

Not quite - they are snooping on all your data to see if you have anything to hide.
 
As I have worked in the biometric industry before, what Apple is doing is pretty much "fool" proof from hackers being able to obtain your "fingerprint". Without the image of your fingerprint the authentication cannot be hacked. Apple is storing the templates (basically a GUID that gets generated by the biometric identification/matching algorithm) inside the volatile memory of the iPhone.

The volatile memory is also encrypted using RSA encryption or some other proprietary encryption. I am sure Apple would render the iPhone useless if this volatile memory has been tampered with in any way shape or form and the device would then have to be restored and your fingerprint data would no longer be on the device.

I don't know why people are all worried about their data, you already use Yahoo and Gmail... you should be more worried about that than your fingerprint data.
 
Last year 17m people walked through the front gate of The Magic Kingdom in Florida... The majority are US citizens, the rest visiting from all over the world.

Most of these people placed their finger in a scanner, to gain entry. At the same time they used some kind of ID (ticket or door key) to validate their entry credentials. A ticket or door key directly linked to a payment method, hotel check in data and a family name!

How is this any more or less of an issue - in fact even children are required to present a finger... Not all children will have an iPhone!

Disney developed their technology in conjunction with the NSA!!! Disney work closely with Apple. So, 17m of you do the math - you are already in the system. That's not to mention the millions of other people visiting other Disney properties.

Has your world come crashing down in some kind of NSA conspiracy? No.

An iPhone isn't going to give you a problem. Did you stop and debate the merits of using the sensor at Disney? No. You were on vacation etc. presented your digit and went in.

The iPhone shouldn't require any more of your consideration, in my opinion.
 
Hmm when it is snowing, raining or just balls cold this winter. Good luck when you have gloves on. Hope you still have the pass code option.

Typing your passcode with gloves on doesn't actually work unless you get special gloves.
 
Are you saying that you don't care about every phone call you make being recorded, and every email or text you send is being saved, and every web site you visit is being logged, and everywhere you drive your car it is photographed and stored with the time and location, which is correlated using the GPS in your phone and also in your car? Are you saying you don't care that every purchase you make is logged?

And all this is being done not because you are important, but despite the fact that you are not important.

Ok, so who cares then about your fingerprint?

----------

Dear Apple, I'm sorry I'm moving to Samsung Note 3

Post it to Apple... Not in a thread about fingerprint scanners

----------

Why worry about cracking the phone to get to the fingerprint images or data? Just order the prints/data from NSA. They get it effortlessly from their dear friends at Apple, who will never admit they work together and to what extent...

:D

Source?

----------

I use Gmail. The NSA has therefore all my private conversations, bank statements etc.

----------

Dear Apple, I'm sorry I'm moving to Samsung Note 3

Not sure we need to move all your moves. Let us know when you go to the toilet too...
 
Are you saying that you don't care about every phone call you make being recorded, and every email or text you send is being saved, and every web site you visit is being logged, and everywhere you drive your car it is photographed and stored with the time and location, which is correlated using the GPS in your phone and also in your car? Are you saying you don't care that every purchase you make is logged?

And all this is being done not because you are important, but despite the fact that you are not important.

No he's not saying he doesn't care. He's saying that they already have his fingerprints on file, so this won't give them anything new. The NSA can already track your activity using the current iPhones. What else is your fingerprint going to give them? You activate your phone by giving them your name, your address already. From the moment you activate your phone, they already know who you are and who is using that phone. Unless you are a spy and want to use someone else's phone, in which case, you'll simply use rubber gloves and unlock the phone in traditional means, I don't see how this gives them any more control over you they don't already have.

I hate government tracking, I hate corporate tracking, I hate all the anti-privacy actions. But is there anything I can do to get around it? No. I have to use Google, or Bing, or Yahoo to be able to actually work. I have to get a cellphone in this day and age to keep up with the communication craze. Can't give any of them up, and they all track me. Too bad, this is the world we live in and I'll do my best to change that, but I have to still depend on these tools.
 
We'll see about the faster part. The scanner does not add any security because you will still have the PIN. If anything, having two ways to unlock the device creates more options for hacking (compared with the single option).


Passwords will lock the device. Retrying on the finger device not. Oh wait
 
If device is locked with a fingerprint I wonder the repercussions? Could authorities force you to unlock your device with your finger or successfully use a fingerprint on file in some creative manner?

They are only allowed to search the content of your phone with a search warrant. There have been cases where phones were searched during an arrest; there is now precedent that this is illegal and any evidence found is inadmissible.

If they have a search warrant, the police are allowed to use any technical means to unlock the phone. And you are required to unlock it, unless the fact that you can unlock it is in itself evidence to you (if you claim it isn't your phone for example).
 
Let's think rationally.

Are security concerns justified? Yes. Mostly because you give more of your personal data on the device.

Do hackers often steal personal data from Apple? No.

Will the NSA or another country's government agency try to obtain this data? Yes, as always. As soon as you give information outside your mind to any digital device (especially one connected to the web), there is a strong possibility that the government will access this data. Not necessarily as soon as possible, but if they want to obtain it personally from you, they will.

Is this feature a deal-breaker? As always with new technologies, no. Give it 2-3 years, I think it will become very useful. But for now, it is nothing more than a "nice touch".
 
Safety? Trust?

...do you mean we should TRUST Apple with all our information because they assure our safety and privacy???

-the same way that all our data has been handed over so easily to government without our consent?

-the same way (allegedly) Gov can access data on our iphones??

So now we should trust a phone maker with our biometric data??????:mad:


I love my iPhones but if there is no way they can assure me that my fingerprint is not stored by default there is no way I'll buy another iPhone...

Everyone should do the same thing and send a clear message to Apple
 
They are only allowed to search the content of your phone with a search warrant. There have been cases where phones were searched during an arrest; there is now precedent that this is illegal and any evidence found is inadmissible.

If they have a search warrant, the police are allowed to use any technical means to unlock the phone. And you are required to unlock it, unless the fact that you can unlock it is in itself evidence to you (if you claim it isn't your phone for example).

Even if the info cannot be used in court it most likely has been seen and/or stored somewhere. Do you feel safer?! I thought that under the premise of you being a terrorist (as we all seem to be now) they sort of had carte blanche.
 
You live obviously in a parallel world, consisting of fear, fear and fear. Thank god that I live in the real world.

On the contrary, I'm not afraid at all. But considering how apparently easy it is for people to hide amongst the crowd, a few extra measures to root them out is a small asking price. There is a line of course, but I've yet to see the intelligence communities, or the government for that matter, cross it. If they start rounding people up in martial law, then we've got a problem.
 
Can someone please enlighten me on why people are so fussy about the NSA getting fingerprint data? What can they do with that information? It's not like they can even sell it to marketers. :confused:

What I would say to anyone that thinks the way you do is...

You don't deserve to live in a Democracy
 
...do you mean we should TRUST Apple with all our information because they assure our safety and privacy???

-the same way that all our data has been handed over so easily to government without our consent?

-the same way (allegedly) Gov can access data on our iphones??

So now we should trust a phone maker with our biometric data??????:mad:


I love my iPhones but if there is no way they can assure me that my fingerprint is not stored by default there is no way I'll buy another iPhone...

Everyone should do the same thing and send a clear message to Apple

No thanks.

Also, if you have to actively launch Touch ID & train it for 30 seconds per fingerprint... how in the hell would it store your fingerprint "by default" unbeknownst to you, pray tell?
 
Until Apple allow other apps to make use of the scanner it's kind of pointless and totally underutilised at the moment.

I don't know about pointless but it probably is underutilized. Don't forget, the first iPhone didn't even have third party apps. Give it some time. Apple will most likely (hopefully) open up the fingerprint sensor to third parties. Just like it has with Siri :rolleyes:
 
For those who don't understand cryptographic one-way hashes, they cannot be reversed to produce the original data without a dictionary attack. A dictionary attack in this case would require a collection of actual human fingers or replicas of them to run through Apple's Touch ID to see which cryptographic hashes match the one stored on the device.

Also note that there is a really really really small chance that two fingerprints will generate the same cryptographic hash. Cryptographic hashes by their very nature have LESS data than the source data for which they are the hash. This means that if the source data has potentially quadrillions of combinations that there may be only billions of values that they hash to (a one to many mapping of hashes to source data). The more likely scenario is that your fingerprint hashes to the same value as a fingerprint that does not currently exist on the planet today and may never exist.

Think of a large 500-page book as just a collection of letters, numbers, spaces, and punctuation. You could pound on the keyboard and produce a book of random text or you could carefully craft an actual readable book. The hash reduces the book to a hash of say 500 characters which is generated in such a way that even changing a single letter in the book or the capitalization of a single letter produces an entirely different hash (cryptographic hash algorithms magnify any change to cyclically change other parts). Obviously, there is no way you could take 500 characters of data and regenerate the 500-page book (that would be the most amazing lossless-compression algorithm in the world, but also mathematically impossible). Because of this you cannot reverse it. You could however, run a hash on all books known to man to find the one that matches the same value (a dictionary attack). Finally, there is a possibility that two carefully crafted books hash to the same value, but it is far more likely that a book's hash would match some of the billions of permutations of random letters, numbers, spaces, and symbols that have never been bound into a book.

It is the same for fingerprint data. Your actual fingerprint could only be determined if somebody already had a replica of your finger in a database and could make Apple's Touch ID sensor generate the same hash from it. The worst somebody could do is break into your phone or prove that a phone did indeed belong to you. What's more, the odds of somebody else's fingerprint matching yours is like two monkeys pounding out the exact same content on a keyboard after an hour of bashing away at it. Either way, there is no chance of your fingerprint being cloned and used in other places to impersonate your presence.

From a cryptographic PoV, a key point here is how long the HASH is, and there have been a lot of workarounds with fixed prefixes. For example, they could use a relatively fixed (or series of fixed) prefix into a 128 bit hash with only 64 bits being calculated of user data. The net result is 128 bit long but only as strong as 64 bits and can easily be brute forced.

I am not claiming this applies to the fingerprint data, but using a one-way hash doesn't mean it's safe at all.

Here's an idea Apple, since your TouchID is super duper secure, be open about it. Not likely to happen I know, you get the idea.

And finally the remark from Apple about not storing the images is laughable. The data in many (if not all) cases is as good as the image. The whole idea is to uniquely identify users, so as long as you have the data you can use the same algorithm to calculate the result and compare results. It's like claiming we don't store car images and only keep number plate info. :)
 
I like it. Not having the actual image means Apple converts data points to use for matching. As they said this keeps one from reverse engineering fingerprint data.

Requiring a passcode after a reboot or 48 hours is good as well. Most people should choose a longer more secure passcode over a four digit one, in that case extending security on the device.

Still would be good if they optionally allowed two step authentication for those who want it requiring the fingerprint and passcode each time.

----------

Dear Apple, I'm sorry because I realise it's not really your fault, but I don't trust that the NSA haven't nobbled you, and nothing you have said so far leads me to… um think different, as it were.

Yeah it is unlikely YOU have anything the NSA wants. So don't worry about that. Worry about protecting yourself against people who actually might care about your data.

----------

It's not called paranoid anymore.

This reply from an Apple spokesperson makes me more nervous, actually, because of its misdirection.
The distinction between a fingerprint and name correlation versus a "fingerprint data" and name correlation seems artificial.

If I get a phone that has this (likely) I will never turn this feature on.

If it makes you more nervous you don't understand it.

----------

No offence taken! But please read one of my earlier posts on these forums and then decide for yourself whether the tin-foil joke is really all that apt.

https://forums.macrumors.com/posts/17875081/

It's not paranoia when they are admitting going after everyone's data is part of their job!

They really don't care about YOUR data. If people choose not to use security because they think the NSA has access to everything, they are being silly. The average person's biggest security threat is not the NSA.

----------

That and if you were ever booked as part of an arrest, did military service, held a high level security clearance or applied for a driver's license in some states, the data is already there.

Now the question is, yes someone may find "your" fingerprints somewhere but that is not conclusive proof that you were there.

For the last twenty years, silicone materials and masking techniques have been around where you can easily lift a fingerprint off almost any smooth surface and apply it to a silicone material surface to make a counterfeit fingerprint impression. The cost of these materials is less than $20 and can be picked up at any good chemical or rubber supply shop.

I can see the DefCon seminar now, "How to spoof the iPhone 5S with Counterfeit Fingerprinting"

The basic techniques are out there on the 'net already.

Yeah the sensor requires more than an image of a fingerprint, it requires the finger be attached to it. So having my fingerprints on file with a state licensing board will not allow people with access to those prints to be able to unlock my phone.

----------

This has always been my opinion as well. I'd genuinely be interested to hear this position be proven wrong, because as far as I can tell, it can't be.

I'm happy for intelligence services to snoop on me, my phone calls and my emails, I'm not involved in anything seedy and as long as it helps keep terrorists or other aggressors away from the people I care about, they can carry on.

Granted, you could preach privacy laws and all, but try using the "but it's wrong to spy" argument on a psychopath bent on the destruction and death of millions of people. Ain't gonna fly.

I am not happy for it but anyone who previously thought their data was safe from an entity like the NSA was living in Naiveville. What did people expect the NSA did? I always assumed they had the most advanced abilities to usurp any kind of security. It is pretty much why they exist. This does not mean spying on Americans is okay but from a technological standpoint their being able to access / break through most security should not really be a surprise.
 
Even if the info cannot be used in court it most likely has been seen and/or stored somewhere. Do you feel safer?! I thought that under the premise of you being a terrorist (as we all seem to be now) they sort of had carte blanche.

WTF are you on about? The question that I replied to was whether the fingerprint sensor allowed the police access to phone data that was otherwise not possible. And even if they have your fingerprint and can unlock your phone, they can only do that if they have your phone. So in the context of police doing legal things, the fingerprint sensor doesn't make a difference. And in the context of police or NSA doing illegal things, it doesn't make a difference either.
 
What a ridiculous claim. If you're storing enough about the fingerprint to do reliable identification, then you are for all intents and purposes storing the fingerprint itself.

No

----------

So your prints are on the phone screen/home button.. someone can dust it, make a copy/clone and make a 3D printout of it, and voilà, your key has been copied :eek:

Again, NO
 
They are only allowed to search the content of your phone with a search warrant. There have been cases where phones were searched during an arrest; there is now precedent that this is illegal and any evidence found is inadmissible.

This Forbes article details what's current law. Only the blue states require a warrant. The red ones allow a search when you're arrested.

[Image: smartphone_search_warrants.png]
 
There is no need to store actual passwords or fingerprint ID etc.

Any half-decent programmer or security guy will use a Hash algorithm, like the MD5 on the password, and only store the result. (http://en.wikipedia.org/wiki/MD5)

While it is true that it can be theoretically possible to find a password or fingerprint configuration that will produce the same result after being digested with a Hash algorithm, it will most definitely be different than the user password or his personal fingerprint.

Therefore, it is impossible to reverse-engineer someone's fingerprint starting from a Hash-result of his fingerprint configuration and it is enough to store this Hash-result.

If it would be possible, no one would use compression algorithms anymore like the ones which produce for example the .ZIP or .RAR formats, as you would be able to "compress" any amount of information to only 32 bytes (in the case of MD5 algorithm).
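
An added example, not part of the thread or of any poster's message: a Python sketch of the hashing points argued in the posts above (a one-letter change alters the digest widely, a dictionary attack recovers a low-entropy input, and a fixed prefix leaves a 128-bit digest only as strong as its unknown bits, scaled here to 16 unknown bits instead of the 64 mentioned so it runs in seconds). It models the stored value as an exact MD5 of a byte string, as the posts do, which is an assumption and not a description of Touch ID; the PIN, prefix, salt and strings are constructed.

```python
import hashlib
import math

# Constructed: 14 known bytes (112 bits) placed in front of a 2-byte secret.
FIXED_PREFIX = b"\x00" * 14


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()  # 16-byte (128-bit) digest


def bit_diff(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def dictionary_attack(target: bytes, candidates):
    """Hash each candidate in turn; return (match or None, guesses made)."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if md5(candidate) == target:
            return candidate, guesses
    return None, guesses


def four_digit_pins():
    return (f"{n:04d}".encode() for n in range(10_000))


def prefixed_inputs():
    """Every input of the form FIXED_PREFIX + 2 unknown bytes."""
    return (FIXED_PREFIX + n.to_bytes(2, "big") for n in range(2 ** 16))


def effective_bits(input_space_size: int) -> float:
    """Search cost in bits depends on how many inputs are possible,
    not on the length of the digest."""
    return math.log2(input_space_size)


def slow_salted_hash(secret: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Mitigation: a per-record salt defeats precomputed tables and a slow
    KDF raises the cost of each guess. It adds no entropy to the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


if __name__ == "__main__":
    a, b = md5(b"a 500-page book"), md5(b"a 500-page Book")
    print("bits flipped by one capital letter:", bit_diff(a, b), "of 128")

    pin, n = dictionary_attack(md5(b"4821"), four_digit_pins())
    print(f"PIN {pin!r} found in {n} guesses (~{effective_bits(10_000):.1f} bits)")

    stored = md5(FIXED_PREFIX + b"\xbe\xef")
    found, n = dictionary_attack(stored, prefixed_inputs())
    print(f"128-bit digest, 16 unknown bits: found in {n} guesses")

    salt = bytes(range(16))  # constructed; use os.urandom(16) per record in practice
    print("salted, slow:", slow_salted_hash(b"4821", salt).hex())
```

The digest length is the same in every case; what changes the outcome is how many inputs the defender's design leaves possible and how expensive each guess is.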
 
Yeah but the treasonous CIA has spent billions on creating hacking and decryption software. Also many big IT firms have given the scumbag CIA backdoor access to their mail clients.
 