Adrian Schoeman Re: 10 MILLION FINGERPRINTS HACKED

This article is technically inaccurate.
The iOS device stores the encrypted fingerprint locally on the A7 chip and returns a "yes or no" response to software/apps utilising fingerprint authorisation.
Fingerprint data is not even sent back to Apple, and it's most certainly not shared with any 3rd party vendor.
To say that the 3rd party software vendor "stored" the fingerprints is completely impossible, since it never had access to the fingerprint data in the first place.
Posted: 3 February 2014 at 20:26
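The "match on the chip, hand back only yes or no" model Adrian describes, as a constructed Python simulation added here. It is not Apple's code or a description of the Secure Enclave's internals: the sensor, the 256-bit feature vectors, the Hamming-distance threshold, the HMAC tag and every class and app name are assumptions chosen to show the design boundary, namely that the app never touches the scan or the template and can only ever persist a verdict.

```python
"""Constructed simulation of the 'match locally, return yes/no' model.
Not Apple's implementation: sensor, vectors, threshold and names are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hamming(a: bytes, b: bytes) -> int:
    """Bit-level Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class FakeSensor:
    """Constructed stand-in for the reader; only the enclave calls read()."""

    def __init__(self) -> None:
        self._next: Optional[bytes] = None

    def present(self, scan: bytes) -> None:      # test harness puts a finger on
        self._next = scan

    def read(self) -> bytes:
        if self._next is None:
            raise RuntimeError("no finger on sensor")
        scan, self._next = self._next, None
        return scan


class SecureEnclave:
    """Owns the sensor, the template and a device key; exposes only verdicts."""

    TEMPLATE_BYTES = 32   # assumed: a 256-bit feature vector per scan
    MAX_DISTANCE = 25     # assumed: ~10% of bits may differ between scans

    def __init__(self, sensor: FakeSensor) -> None:
        self._sensor = sensor
        self._template: Optional[bytes] = None
        self._key = secrets.token_bytes(32)  # never leaves the enclave

    def enroll(self) -> None:
        """Read a scan straight from the sensor and keep it inside; return nothing."""
        sample = self._sensor.read()
        if len(sample) != self.TEMPLATE_BYTES:
            raise ValueError("unexpected template size")
        self._template = sample

    def match(self, app_id: str) -> Tuple[bool, bytes]:
        """Read a fresh scan, compare it to the template, return (verdict, tag).
        The tag is an HMAC over app_id and the verdict so the answer can later be
        checked as genuinely coming from this enclave; the scan is discarded."""
        probe = self._sensor.read()
        ok = (self._template is not None
              and len(probe) == len(self._template)
              and hamming(probe, self._template) <= self.MAX_DISTANCE)
        return ok, hmac.new(self._key, self._tag_input(app_id, ok), hashlib.sha256).digest()

    def verify_tag(self, app_id: str, ok: bool, tag: bytes) -> bool:
        """Re-derive the tag for (app_id, verdict) and compare in constant time."""
        expected = hmac.new(self._key, self._tag_input(app_id, ok), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    @staticmethod
    def _tag_input(app_id: str, ok: bool) -> bytes:
        return app_id.encode() + b"\x00" + (b"\x01" if ok else b"\x00")


@dataclass
class ThirdPartyApp:
    """Everything an app can persist: the verdict and its tag, never a scan."""
    app_id: str
    records: List[dict] = field(default_factory=list)

    def login(self, enclave: SecureEnclave) -> bool:
        ok, tag = enclave.match(self.app_id)
        self.records.append({"ok": ok, "tag": tag.hex()})
        return ok


def noisy_rescan(sample: bytes, flipped_bits: int) -> bytes:
    """Constructed 'second scan of the same finger': flip the first n bits."""
    out = bytearray(sample)
    for i in range(flipped_bits):
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def app_holds_template(app: ThirdPartyApp, template: bytes) -> bool:
    """Does the template (raw or hex) appear anywhere in what the app stored?"""
    blob = repr(app.records).encode()
    return template in blob or template.hex().encode() in blob


def demo() -> dict:
    # Constructed templates: deterministic 256-bit vectors standing in for scans.
    finger_a = hashlib.sha256(b"constructed finger A").digest()
    finger_b = hashlib.sha256(b"constructed finger B").digest()
    sensor = FakeSensor()
    enclave = SecureEnclave(sensor)
    sensor.present(finger_a)
    enclave.enroll()
    app = ThirdPartyApp("com.example.bank")  # hypothetical app identifier
    results = {}
    for name, scan in [("same_finger_rescan", noisy_rescan(finger_a, 10)),
                       ("too_noisy_rescan", noisy_rescan(finger_a, 40)),
                       ("other_finger", finger_b)]:
        sensor.present(scan)
        results[name] = app.login(enclave)
    results["app_holds_template"] = app_holds_template(app, finger_a)
    last = app.records[-1]
    results["tag_verifies"] = enclave.verify_tag(app.app_id, last["ok"], bytes.fromhex(last["tag"]))
    return results
```

Running `demo()` shows the three verdicts (a slightly noisy re-scan matches, a badly noisy one and a different finger do not), that nothing in the app's records contains the template, and that the enclave can confirm a stored verdict is its own. The point of the boundary is that a breach of the app, or of whatever the app stores server-side, yields verdicts and tags but no biometric data to reuse.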

Gavin Chait Re: 10 MILLION FINGERPRINTS HACKED

Adrian, thanks for your comments.

All we have to go on regarding the implementation of Apple's biometric storage on the iPhone are Apple’s own pronouncements. Unlike the practice recommended by absolutely every security specialist, including those referenced in this Mindbullet, Apple has not published the encryption and storage methodology for expert scrutiny and peer review. The NSA has recently been revealed, as part of the Snowden papers, to have deliberately compromised the encryption algorithm behind BSAFE, used by RSA. That is horrifying but knowing this permits experts to change any compromised systems rapidly. We have no idea what system Apple uses.

Apple has - to date - not released an API for the fingerprint reader and the system can currently only be used to unlock the phone and verify iTunes purchases. “For now…” (“Apple Senior Vice President Phil Schiller confirmed to AllThingsD that developers won’t get access to use a fingerprint as a means of authentication. He declined to comment on whether that might come in the future.” http://allthingsd.com/20130910/iphone-developers-wont-get-fingerprint-reader-authentication-option-for-now-anyway/) That’s not a decisive “no” and does not stop Apple changing its current approach in the future and making the reader more generally available to increase its wider use.
Posted: 4 February 2014 at 09:46

Gavin Chait Re: 10 MILLION FINGERPRINTS HACKED

Neither are Apple products immune from the hacking experienced by other software companies. iPhone apps have been compromised and will be compromised in the future (4.6 million users compromised at Snapchat http://techcrunch.com/2013/12/31/hackers-claim-to-publish-list-of-4-6m-snapchat-usernames-and-numbers/).

Competitions like Pwn2Own and Pwnium have demonstrated that sufficiently motivated hackers will figure out how to break sandboxed environments (http://en.wikipedia.org/wiki/Pwn2Own). Apple Safari is so poorly regarded that hackers don’t bother with it (see 2013, in which no teams showed up). Apple iOS has been comprehensively compromised (http://www.eweek.com/security/samsung-galaxy-apple-ios-fall-in-pwn2own-hacking-contest.html). It is telling that Apple’s supposedly bulletproof biometric security was hacked before the product was even on the market (cf. the Chaos Computer Club hack).

Given the value of hacking iPhones to access biometric data it is a very clear and present target.

The purpose of a Mindbullet is to offer a probable future. Depending on the perceived value or threat in that future, we encourage our readers to respond appropriately. Under these circumstances, this Mindbullet is a reasonable assessment of the future and recognises a very genuine risk in the implementation and use of biometric systems for user verification.
Posted: 4 February 2014 at 09:47

Comments by users of MindBullets are those of the authors and are not necessarily shared, endorsed and/or warranted by FutureWorld. All MindBullet content is Copyright FutureWorld International © 2017. All Rights Reserved.