US Senator Al Franken has waded into controversy over Apple’s Touch ID biometric system on the iPhone 5s, challenging the Cupertino firm to address his security concerns about stolen fingerprints and data privacy. In an open letter to Apple CEO Tim Cook – in which he’s quick to point out that he himself uses an iPhone – Senator Franken highlights the fact that fingerprints, unlike a password, cannot be changed by the individual. “You have only ten of them” the senator writes, “and you leave them on everything you touch; they are definitely not a secret.” However, while the letter makes some reference to Apple’s already public security measures, it also seems to confuse exactly which part of the finger Touch ID is assessing.
Senator Franken’s questions fall into two general categories: the security of the fingerprint scanning technology itself, and the privacy policies of the data it collects. On the former, despite talk of people “lifting” fingerprints with adhesive tape and using them to spoof fingerprint scanners, Apple’s system supposedly relies not on the surface of the fingertip but what’s going on underneath it.
In an explanation on Apple’s support pages, the company describes how the “500 ppi sensor” relies on information from the “subepidermal layers” of the finger to identify each user:
“This high-resolution 500 ppi sensor can read extremely fine details of your fingerprint … The sensor uses advanced capacitive touch to take a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin. Touch ID then intelligently analyzes this information with a remarkable degree of detail and precision. It categorizes your fingerprint as one of three basic types—arch, loop, or whorl. It also maps out individual details in the ridges that are smaller than the human eye can see and even inspects minor variations in ridge direction caused by pores and edge structures … It then creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your iPhone. Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerprint data to improve matching accuracy over time. Touch ID uses all of this to provide an accurate match and a very high level of security” Apple
Unfortunately, specific details on the subepidermal system involved are still in short supply. The suggestion is that by relying on what’s beneath the surface of the fingertip, it’s impossible to dupe the Touch ID system with a copied print lifted from, say, a glass or touchscreen. That would fit with our own attempts to fool the iPhone 5s as part of our review using prints picked up with Scotch tape.
As for where the fingerprints themselves are stored, as Franken notes Apple is using a secured area of the A7 chip in the iPhone 5s. “Is it possible to extract and obtain fingerprint data from an iPhone? If so, can this be done remotely, or with physical access to the device?” the Senator writes, also questioning whether it would be “possible to convert locally-stored fingerprint data into a digital or visual format that can be used by third parties.”
iPhone 5s Touch ID demo:
According to Apple’s own security policy, an image of the fingerprint itself is never actually retained. Instead, Touch ID calculates a “mathematical representation” of the key shapes of the fingerprint, which is than only ever kept locally on the iPhone 5s itself, not backed up to the cloud.
“Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn’t possible for your actual fingerprint image to be reverse-engineered from this mathematical representation. iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 and as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can’t be used to match against other fingerprint databases” Apple
Although the technological side of the biometric system is one part of the lawmaker’s concerns, the others center on how the extra user data fits into privacy policies and legal requests for information disclosure about iPhone 5s users. As Senator Franken points out, the USA Patriot act, the FBI’s National Security Letters, and other legal challenges can force companies to disclose information about electronically-stored information and data on subscribers.
“Under American privacy law, law enforcement agencies cannot compel companies to disclose the “contents” of communications without a warrant, and companies cannot share that information with third parties without customer consent. However, the “record[s] or other information pertaining to a subscriber… or customer” can be freely disclosed to any third party without customer consent, and can be disclosed to law enforcement upon issuance of a non-probable cause court order. Moreover, a “subscriber number or identity” can be disclosed to the government with a simple subpoena. See generally 18 U.S.C. § 2702-2703
Does Apple consider fingerprint data to be the “contents” of communications, customer or subscriber records, or a “subscriber number or identity” as defined in the Stored Communications Act?” Senator Al Franken
As we’ve seen clarified in recent months regarding FISA requests, Apple is obligated to hand over certain user data if the proper legal channels are employed. However, comments the company made regarding iMessage conversation disclosures would appear to hold true for Touch ID data.
At the time, Apple pointed out that it could not be expected to hand over data that it itself had not retained, such as Siri requests, or indeed data that it cannot decrypt, such as iMessage chats:
“There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it … For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form” Apple
Apple is yet to comment on the Senator’s questions, though the “Secure Enclave” section of its security document states that the actual fingerprint cannot be reverse-engineered from the information Touch ID gathers. That implies that, even if a subpoena was deemed to cover the local content of an A7 chip (since Touch ID data isn’t backed up to Apple’s servers), little practical use could be made from the mathematical representation itself.
Much of the uncertainty around the Touch ID technology appears to come from questions about how the system works. According to Securosis‘ Rich Mogull, unlike the optical fingerprint sensors on some laptops and older Motorola smartphones, Apple’s system relies upon the unique capacitive resistance of the finger rather than simply its physical appearance.
In fact, the Touch ID sensor tracks the electrical conductivity – as well as other, more subtle characteristics – of the fingertip, which differs where the non-conductive surface layer of skin and the conductive tissue underneath are marked in arches, loops, or whorls. Whereas optical sensors could be confused with as little as a photocopy of a fingerprint, or indeed marred with scratches or ink stains on the user’s fingertips, Apple’s will prove far tougher to break through.
“It’s harder to spoof as you have to emulate the capacitive properties of the finger rather than just reproduce its appearance,” Mogull explained to us. “Every little variation in your finger is going to affect that conductive field.”
Senator Franken has requested that Apple respond to his concerns within a month, while a crowdfunding campaign to hack the system is already underway. Meanwhile, the advice to anybody particularly concerned with security on the iPhone 5s is to pair Touch ID with a complex alphanumeric passcode, which will be automatically required after five failed attempts to unlock the handset with a fingerprint.