Touch ID and security

[PBMB]

Sorry if this has been discussed previously, but I am really concerned about security if I activate Touch ID in my iPad. Shouldn't be? Apple says no but I am not convinced. Hackers these days are way too much capable to break into anything.

Any insight on this issue?

PS: by security I mean the possibility for someone to reverse engineer the actual fingerprint stored in the iPad. Apple says no way but I think it is a matter of time for this to happen.

 

[joeblow7777]

How would TouchID make your iPad any more vulnerable to hackers? Lifting a fingerprint isn't nearly as easy or practical as some people make it out to be, and a few failed attempts and it goes back to requiring the passcode. And each time the device is turned off it needs to passcode for the first unlock.

TouchID neither enhances or diminishes security, because ultimately the passcode is the real defence. It just enhances convenience. I wouldn't want to go back to entering digits every time I want to get into my phone or tablet.

I suppose on the larger scale it has improved security though because I know that many people never secured their devices at all because they hated punching in even 4 digits and they felt that there was nothing important on it (likely there was more valuable information than they realized). Now, those same people use TouchID because it takes so little effort that there's little reason not to.

 

[PBMB]

How would TouchID make your iPad any more vulnerable to hackers?

Hm, you are right, my phrasing is ambiguous. I added a remark in the end of the original post to make it more clear.

What I mean is security beyond the device. Say for example that someone manages to steal and reproduce my fingerprint that is stored in my iPad. Then, he can do anything and "sign" with my own physical imprint. For example commit a criminal action and leave behind my (or anyone's) fingerprints.

It is very difficult but not impossible in principle. I know I sound paranoid but before Touch ID this was impossible even in theory.

 

[joeblow7777]

Hm, you are right, my phrasing is ambiguous. I added a remark in the end of the original post to make it more clear.

What I mean is security beyond the device. Say for example that someone manages to steal and reproduce my fingerprint that is stored in my iPad. Then, he can do anything and "sign" with my own physical imprint. For example commit a criminal action and leave behind my (or anyone's) fingerprints.

It is very difficult but not impossible in principle. I know I sound paranoid but before Touch ID this was impossible even in theory.

That is indeed VERY improbable and impractical. If you are worried about it though, remember that you only need to use one fingerprint for TouchID. I'm no legal expert, but I think it would be hard to frame someone by leaving a single fingerprint at the scene, and the police would need to have probable cause to arrest you, or already have your prints on file to even know that it's your print. Realistically, it would be easier to get a full set of your prints by taking any item that you touch regularly rather than hacking into a device and trying to get at information that I'm pretty sure is encrypted.

 

[840quadra]

You should really read about the Secure Enclave within the iPad.

https://support.apple.com/en-us/HT204587

Information on the secure Enclave within the iPad is Not an image file, and the data it converts it to is encrypted. It would be much easier for someone to take the physical fingerprints off of your iPad, than it would be to hack into the encryption.

If you are that worried, Perhaps you can use the knuckle of your pinky, or a midpoint print to unlock your phone. Something a little less common. And yes, those will register and work with TouchID.

 

[chabig]

Fingerprints are not stored. TouchID creates a numerical description of the print it sees. When you touch the sensor, it repeats the math and compares it to the stored value. It's impossible to build a fingerprint from the stored data.

 

[beernut]

Realistically, it would be easier to get a full set of your prints by taking any item that you touch regularly rather than hacking into a device and trying to get at information that I'm pretty sure is encrypted.

^^ This

OP -- If you're worried about these sorts of things, then unless you're wearing gloves all day everyday to interact with stuff, i suggest you should be more worried about the things you've handled / touched throughout the day and left behind (cups? utensils at restaurant? door knobs?) than the touchID on your idevice.

 

[Night Spring]

Say for example that someone manages to steal and reproduce my fingerprint that is stored in my iPad.

The way I understand it, is it's not possible to reproduce your fingerprint from the iPad, because your fingerprint isn't stored on the iPad. What is stored is some numbers/code that are derived from your fingerprint, and the process of converting your fingerprint to these numbers isn't reversible.

 

[PBMB]

You should really read about the Secure Enclave within the iPad.

https://support.apple.com/en-us/HT204587

Information on the secure Enclave within the iPad is Not an image file, and the data it converts it to is encrypted.

Yes, this is the link I posted initially. I understand that it is very difficult, but in theory at least it is possible.

If you are that worried, Perhaps you can use the knuckle of your pinky, or a midpoint print to unlock your phone. Something a little less common. And yes, those will register and work with TouchID.

Very interesting, I didn't know it can work like that. Thanks for the tip!
[doublepost=1475245819][/doublepost]

If you're worried about these sorts of things, then unless you're wearing gloves all day everyday to interact with stuff, i suggest you should be more worried about the things you've handled / touched throughout the day and left behind (cups? utensils at restaurant? door knobs?) than the touchID on your idevice.

OK, this is something. What worries me more with the fingerprint data stored in an iPad is that they are invariable and stored in a known place, while the physical contact will leave something that is imperfect and wiped immediately after someone else touches.

Today it seems impossible to crack the transformation algorithm but who knows what may happen after some time. Is it possible to erase completely the fingerprint data from an iPad, once stored there?

 

[Night Spring]

Yes, this is the link I posted initially. I understand that it is very difficult, but in theory at least it is possible.

No, in theory, it is impossible.

Let's say I give you the number "3" and ask you what equation I used to come up with that number. Well, you can't tell, because there are an infinite number of equations to which the answer is 3.

So TouchID scans your fingerprint, then converts it into a number, and the number is stored in the secure enclave. Even if hackers got hold of that number, they can't reproduce your fingerprint from it.
[doublepost=1475247156][/doublepost]

Today it seems impossible to crack the transformation algorithm but who knows what may happen after some time.

I don't know enough math to explain it to you, but some mathematical operations just aren't reversible. If I gave you the formula x-y=3, and asked you to come up with what numbers I used for x and y, you couldn't do it, because there are infinite possibilities. What Apple is using is something a lot more complex, where it is mathematically impossible to derive your fingerprint from the stored data. Future technological advancements aren't going to change the laws of math.

 

[PBMB]

No, in theory, it is impossible.

Let's say I give you the number "3" and ask you what equation I used to come up with that number. Well, you can't tell, because there are an infinite number of equations to which the answer is 3.

So TouchID scans your fingerprint, then converts it into a number, and the number is stored in the secure enclave. Even if hackers got hold of that number, they can't reproduce your fingerprint from it.

When Apple says "mathematical representation" I understand a sequence of numbers that are generated according to certain rules not including randomness. This means some people know the rules. So in theory it is possible to reverse engineer this sequence.

But for the sake of the discussion, let's say that this is impossible. Now, if I understand well, these encrypted and hidden fingerprint data can be used to make purchases. What if someone steals them and starts using them? He does not need to decode them or reproduce the actual fingerprint image. Of course the same holds with credit card data, but you can stop and change your card. Your finger? No. What would be the solution in this case?

 

[Phil A.]

When Apple says "mathematical representation" I understand a sequence of numbers that are generated according to certain rules not including randomness. This means some people know the rules. So in theory it is possible to reverse engineer this sequence.

But for the sake of the discussion, let's say that this is impossible. Now, if I understand well, these encrypted and hidden fingerprint data can be used to make purchases. What if someone steals them and starts using them? He does not need to decode them or reproduce the actual fingerprint image. Of course the same holds with credit card data, but you can stop and change your card. Your finger? No. What would be the solution in this case?

No need to say for the sake of the discussion - it's a mathematical impossibility and always will be: Some things just can't be reversed: @Night Spring explained why above - even if you know the answer and the equation, you can't always get the start point (Such as their x + y = 3 example: You know you have to add two numbers and you know the result, but there are an infinite number of values for x and y that will give you that result such as 1 and 2, 2 and 1, 3 and 0, 10 and -7, etc, etc)



In theory, it may be possible some time in the future to do a brute force attack by trying every single possible fingerprint pattern against the same algorithm Apple use to see if you get the same result but not on current or foreseeable hardware

As for your latest worry - your fingerprint isn't used to make a payment, it's used to authorise access so even if someone could steal the data from secure enclave (which they can't) and upload it to another phone (which they can't) all it would achieve would be you could use your fingerprint to authorise Apple Pay on that device. If you want to go further and say what if they could steal card details and upload them to another phone (which can't be done), you could just stop the card like you do now

 

[ActionableMango]

But for the sake of the discussion, let's say that this is impossible. Now, if I understand well, these encrypted and hidden fingerprint data can be used to make purchases. What if someone steals them and starts using them? He does not need to decode them or reproduce the actual fingerprint image. Of course the same holds with credit card data, but you can stop and change your card. Your finger? No. What would be the solution in this case?

You have a fundamental misunderstanding of how all of this works.

The secure enclave takes your fingerprint pattern from the TouchID sensor and runs it through an algorithm including unique identifiers from the secure enclave itself, creating a token that is unique to that specific secure enclave.

Your fingerprint data cannot be stolen from the iPhone because it does not even exist on the iPhone--only the token is stored, and because it is unique to that secure enclave, it is useless anywhere else. That unique token never leaves the secure enclave, in fact there is no known path for it to leave. The only thing the secure enclave does is check that the fingerprint currently pressed against the sensor ends up with the same token as the stored token. The only data that leaves the secure token to the phone is "yep, it's a match" or "nope, it's not".

The misunderstanding is that you keep referring to it as your "fingerprint" being stolen, but it's not your fingerprint any more, it's the unique token. And again, not only is there no known way to steal that (because there's no path to that data from the rest of the iPhone), but even if someone got physical access to your phone, disassembled it, and pulled the token data out, it's completely useless data anywhere else. Nothing else is asking for, wants, or can even use that token for anything.

TL;DR:
1. Your fingerprint data cannot be stolen from the iPhone because it doesn't even exist.
2. The unique token that does exist is probably impossible to steal.
3. Even if that unique token is somehow stolen from the secure enclave, it is not useful outside of the secure enclave.

 

[masotime]

Put it another way. Add your phone number, your social security number, your birthday, plus maybe a hundred other numbers associated with you.

You now have a giant number that represents you.

Now think about it - it's theoretically possible to reverse engineer all those numbers that make up the number that was created. How practical do you think that is?

 

[Ledgem]

Your fingerprint data cannot be stolen from the iPhone because it does not even exist on the iPhone--only the token is stored, and because it is unique to that secure enclave, it is useless anywhere else. That unique token never leaves the secure enclave, in fact there is no known path for it to leave. The only thing the secure enclave does is check that the fingerprint currently pressed against the sensor ends up with the same token as the stored token. The only data that leaves the secure token to the phone is "yep, it's a match" or "nope, it's not".

It's also worth mentioning that you need to set up your fingerprints completely fresh on every iOS device, and this is probably at least one of the reasons why.

As others have said, TouchID is the equivalent of the passcode to unlock your phone/tablet or authorize your phone/tablet to take certain actions, and it ultimately makes you safer. Before TouchID, most people weren't locking their devices; those who were, just continued to use the relatively weak four-digit PIN code, because it's inconvenient and sometimes impractical to go with something much longer. If someone is determined enough, they can lift your fingerprints and go through the fairly specialized and difficult process of tricking the sensor... but they could also brute-force your password (or more easily, just watch over your shoulder as you type in your password). Apple has implemented potential features to guard against these measures, but nothing is perfect.

My advice? Enable TouchID, and then double or triple the length of your current password. You'll still have to enter it from time to time, but TouchID will still allow you to get into and out of your phone quickly. It's not perfect, but unless you're being targeted by a government agency or a highly sophisticated crime group, you're safe.

 

[PBMB]

You have a fundamental misunderstanding of how all of this works.

The secure enclave takes your fingerprint pattern from the TouchID sensor and runs it through a algorithm including unique identifiers from the secure enclave itself, creating a token that is unique to that specific secure enclave.

Your fingerprint data cannot be stolen from the iPhone because it does not even exist on the iPhone--only the token is stored, and because it is unique to that secure enclave, it is useless anywhere else. That unique token never leaves the secure enclave, in fact there is no known path for it to leave. The only thing the secure enclave does is check that the fingerprint currently pressed against the sensor ends up with the same token as the stored token. The only data that leaves the secure token to the phone is "yep, it's a match" or "nope, it's not".

The misunderstanding is that you keep referring to it as your "fingerprint" being stolen, but it's not your fingerprint any more, it's the unique token. And again, not only is there no known way to steal that (because there's no path to that data from the rest of the iPhone), but even if someone got physical access to your phone, disassembled it, and pulled the token data out, it's completely useless data anywhere else. Nothing else is asking for, wants, or can even use that token for anything.

TL;DR:
1. Your fingerprint data cannot be stolen from the iPhone because it doesn't even exist.
2. The unique token that does exist is probably impossible to steal.
3. Even if that unique token is somehow stolen from the secure enclave, it is not useful outside of the secure enclave.

Very interesting and clear. Thank you.

My next question is: in case my iPad is stolen, should I take some special actions? Is there anything to prevent, regarding unauthorised use of the token generated by my fingerprint data? Let's suppose that the person who stole my iPad had luck and managed to break my (weak) passcode. Of course, having the passcode opens the door for anything, but in light of the previous explanations regarding the token, I would like to know if there is something more to take into account in such a case.

 

[840quadra]

1. Enable find my ipad
2. Turn on the password attempt limit
3. Make sure you can log into and see from another mac / iOS device
4. Stop worrying

With find my iPad on, the device is more or less useless unless they also have iTunes account info. But since you are security sensitive, you have 2FA enabled right?

 

[PBMB]

My advice? Enable TouchID, and then double or triple the length of your current password. You'll still have to enter it from time to time, but TouchID will still allow you to get into and out of your phone quickly. It's not perfect, but unless you're being targeted by a government agency or a highly sophisticated crime group, you're safe.

Well, indeed, I reckon that such protection would not stop these guys.

I have rather in mind the case of common criminals or of losing my iPad somewhere, making it land in the hands of a random person. After all that has been said so far, I guess that in such cases there is no reason to worry, right? It seems that the data used for Touch ID are pretty much useless for anything else.

 

[ActionableMango]

Is there anything to prevent, regarding unauthorised use of the token generated by my fingerprint data?

Yes, not having your finger prevents unauthorized use of the token originally generated by your finger.

You should be worried about the much weaker parts of the system. Set up Find My iPhone so you can do a remote wipe if the iPad is stolen. Set up two-factor authentication so your account cannot be stolen. Change your weak passcode to a strong one.

 

[840quadra]

Yes, not having your finger prevents unauthorized use of the token originally generated by your finger.

You should be worried about the much weaker parts of the system. Set up Find My iPhone so you can do a remote wipe if the iPad is stolen. Set up two-factor authentication so your account cannot be stolen. Change your weak passcode to a strong one.

Strong password plus auto erase after 10 attempts = winning.

So long as you actually use a complex password.

 

[cableguy84]

I have a special chip built into my head, all my touch id information is stored there

 

[Newtons Apple]

Sorry if this has been discussed previously, but I am really concerned about security if I activate Touch ID in my iPad. Shouldn't be? Apple says no but I am not convinced. Hackers these days are way too much capable to break into anything.

Any insight on this issue?

PS: by security I mean the possibility for someone to reverse engineer the actual fingerprint stored in the iPad. Apple says no way but I think it is a matter of time for this to happen.

Like the others said, your print is not stored, an encrypted digital representation is and without the passcode there is no way to even put the digital representation back together and it would not look like your fingerprint.

 

[Defender2010]

Well, indeed, I reckon that such protection would not stop these guys.

I have rather in mind the case of common criminals or of losing my iPad somewhere, making it land in the hands of a random person. After all that has been said so far, I guess that in such cases there is no reason to worry, right? It seems that the data used for Touch ID are pretty much useless for anything else.

Finally you grasp the concept. If you are really so concerned about Touch ID just don't use it. You obviously watch too much C.S.I.
I suggest using the longest hexadecimal passcode you can, so you can sleep soundly at night.

 

[BurgDog]

https://www.grc.com/passwords.htm will generate single use very secure passwords. I used this for my home WiFi password, 63 characters is overkill, but still...