Are smartphone fingerprint scanners safe?
October 30, 2018 7:37 AM

Should I use the fingerprint scanner on my phone? I'm not worried about someone getting into my phone as much as the fingerprint data being stolen. After all, you can change a password but not a fingerprint. Now that fingerprint scanners have been used commonly for many years, have there been any cases of fingerprints being hacked or leaked in any way?

I understand the companies claim the data is stored in a secure location, never uploaded, and not stored as a photo. But isn't any data vulnerable at some point? Of course some may argue that a stolen fingerprint is useless, but I don't like the idea of my fingerprint data floating out in the internet or some hacker database.
posted by roaring beast to Technology (15 answers total) 4 users marked this as a favorite
Is it storing your actual fingerprint or some sort of image hash? I would think the latter.
posted by If only I had a penguin... at 7:42 AM on October 30, 2018

Huh...not a hash, at least for iPhone. If data were accessed, someone could make a fake fingerprint that wouldn't necessarily look like your fingerprint, but could fool a phone using the same algorithm.
posted by If only I had a penguin... at 7:44 AM on October 30, 2018

It was my (very lay) understanding that fingerprint technology isn't really imaging your fingerprint and isn't all that secure.

From that article, I'd assume that if a "skeleton key" type fingerprint could be developed that works 2/3rds of the time, the amount of actual data that the phone is scanning for is pretty slim, certainly not enough to reliably produce a usable copy of your fingerprint.

It's basically taking a picture of your fingerprint that is analogous to a silhouette of a person - you could reliably say they were around 5'6" with an afro or long hair or a big belly or whatever, but you couldn't produce a quality drawing of them based on the image.
posted by Exceptional_Hubris at 7:50 AM on October 30, 2018

From Apple's official documentation:

Touch ID can read multiple fingerprints, and it can read fingerprints in 360-degrees of orientation. It then creates a mathematical representation of your fingerprint and compares this to your enrolled fingerprint data to identify a match and unlock your device. It’s only this mathematical representation of your fingerprint that is stored—never images of your finger itself. Touch ID will incrementally update the mathematical representation of enrolled fingerprints over time to improve matching accuracy.

posted by blob at 7:52 AM on October 30, 2018

have there been any cases of fingerprints being hacked or leaked in any way?

Do you wear gloves at all times? If not, you're leaking your fingerprints.
posted by zamboni at 7:58 AM on October 30, 2018 [10 favorites]

OPM Says 5.6 Million Fingerprints Stolen in Cyberattack, Five Times as Many as Previously Thought. WaPo, Sept 23, 2015:
Breaches involving biometric data like fingerprints are particularly concerning to privacy experts because of their permanence: Unlike passwords and even Social Security numbers, fingerprints cannot be changed. So those affected by this breach may find themselves grappling with the fallout for years.
posted by Little Dawn at 8:11 AM on October 30, 2018

As with everything security-wise, it depends on what kind of attacker you're protecting yourself against.

One of the many reasons biometric systems are considered insecure is that law enforcement in the US can compel you via search warrant to unlock your phone using a fingerprint or face ID. Passwords and PINs, on the other hand, are covered under the Fifth Amendment and therefore you cannot be compelled to share them with law enforcement.

I was going to say that this threat vector isn't significant for non-state actors, but based on Little Dawn's link I'd have to change my assessment there. In general, thieves aren't going to bother stealing your fingerprint to unlock your phone, but biometrics databases being compromised and out in the wild for attackers to use changes the calculation. It means that, if your phone gets stolen, the thief can now try to match a fingerprint from the database to unlock it. I don't know if there are any practical tools out there making that kind of attack easy for phone thieves, but if there aren't now there will be.

PINs don't take that much longer to enter than swiping your finger on a scanner, so I really can't justify using biometric locks given the massive problems they have.
posted by tobascodagama at 8:22 AM on October 30, 2018 [3 favorites]

Response by poster: Are these "biometric databases" the same things as the fingerprint data on phones? It seems from the article that maybe it was actual fingerprints like those that would be stored in a government database that were stolen, but it is not completely clear. Would the "mathematical representations" that are stored on a phone be vulnerable in the same way?
posted by roaring beast at 8:36 AM on October 30, 2018

According to Bruce Schneier, "many systems don't store the biometric data at all, only a mathematical function of the data that can be used for authentication but can't be used to reconstruct the actual biometric. Unfortunately, OPM stored copies of actual fingerprints."
posted by Little Dawn at 8:46 AM on October 30, 2018 [3 favorites]

Also, it looks like "the US Supreme Court hasn't seen a case involving compelled production of fingerprints land on its desk yet and there's very little in the way of federal court decisions to provide guidance." I think it is a question that gets complicated very quickly, but government compulsion of fingerprint data does seem like a type of "leak" that is possible due to the technology.
posted by Little Dawn at 9:06 AM on October 30, 2018

I certainly don't expect the current SCOTUS or any plausible future one -- at least in the short term -- to rule against the police on this subject if a relevant case ever gets to their level.
posted by tobascodagama at 9:13 AM on October 30, 2018

Best answer: Are these "biometric databases" the same things as the fingerprint data on phones?

Almost certainly not.

Would the "mathematical representations" that are stored on a phone be vulnerable in the same way?

That depends on what exactly they're doing, which is likely to be a Deep Dark Secret.

Lots of computer security relies on the idea of a "one way function." This is anything where it's easy to take the input and generate an output, but much much harder to reason your way from the output to what the input must have been.

A common example is that it's really easy to multiply two large prime numbers together, but very very hard to look at a ginormous number and figure out which two prime numbers it's the product of. Likewise, (hopefully) none of the systems you input a userid and password into know what your password even is -- they take your password, run it through a one-way(-ish) function, and store that output. So when you type in your password it can easily verify that you typed in the right thing, but someone who gets the password file can't (easily) figure out what to type to create that output thingie.

So whether or not someone would be able to reconstruct enough of your fingerprint to be useful from whatever's stored in the phone depends on what, mathematically, they're doing with it. And I don't think anybody's inclined to be very forthcoming about exactly what's going on under the hood.

In any case, anyone interested enough in your fingerprints to gain physical access to your phone, hack into it, and try to reconstruct your fingerprints from the reader data wouldn't ever do that. They'd just follow you around and take stuff you'd touched, or in the extreme just mug you and forcibly take your fingerprints.
posted by GCU Sweet and Full of Grace at 9:33 AM on October 30, 2018 [1 favorite]

I'm more worried about the fact that my wonderful landline provider published my landline, address and name to the web in the "white pages." The landline is long gone, but all of that information is still out there. That info, when combined, is way more useful than a fingerprint.
posted by JamesBay at 11:29 AM on October 30, 2018

Specifically on the iPhone (prior to the iPhone X or whenever they went to that dumb face ID thing), your fingerprint data is stored in/using* the Secure Enclave, which is a tamper-resistant coprocessor / crypto module. AFAIK it has not been compromised, at least not in a way that is widely known. You will notice if you have ever backed up and restored an iPhone, that you have to re-enter all your fingerprints; they are not stored as part of the phone's backup data, because they aren't in user- or program-accessible memory; the memory they're stored in is only accessible to the processor within the SE itself.

N.B. Decent Android phones have similar architectures, although there is—as typical with Android—no consistency across the market; low-end Android phones without crypto coprocessors, or ones from untrustworthy manufacturers, should be considered insecure IMO.

Fingerprint data is not uploaded from the device, it is stored locally; Apple doesn't maintain a database of fingerprint images somewhere. (I suppose if you were the target of a very sophisticated attack, someone could surreptitiously replace your phone with a compromised one that does something funny with your fingerprint data, but it's way easier for someone to just search through your garbage and pull your prints off a soda can. As others have said, you are "leaking" your fingerprints all the time.)

Furthermore, the way the fingerprint is stored is not a literal image; they are storing a representation of it (probably, although this is speculative on my part as I have no inside knowledge of Apple hardware, a sort of vertex/edge graph of the intersections in the lines on your fingerprint, typically called a minutia map). The minutia map is not an image of your fingerprint, and while extracting the minutia map might allow you to open your phone (though this would require compromising the Secure Enclave), it wouldn't necessarily allow someone to open another device secured with your fingerprint, or reconstruct your fingerprint generally. Furthermore, I suspect—again, speculation here, but it isn't a huge stretch—that what the SE actually stores is some sort of one-way-transformed (i.e. hashed or similar) representation of the minutia map.

There are entities who do maintain giant databases of fingerprints, specifically government agencies. The biggest I'm aware of is maintained by the FBI, called the Integrated Automated Fingerprint Identification System (IAFIS), and due to the way it works—which allows for partial matches—I think it actually does store actual fingerprint images as well as vector representations / minutia maps. There are certainly others. These databases are a legitimate privacy concern, both from the perspective of misuse (by whatever definition you care to use) by the government agency controlling them, and also because the government leaks data like a sieve. There's a lot of room for reasonable people to disagree on how, and in what form, and to what degree of accessibility, this data should be stored.

That said: fingerprint authentication/unlocking is best treated as a convenience feature. If you are actually concerned about being compelled to unlock your phone, you may want to stick to a passcode. However, that only matters in the rather narrowly-defined scenario where your adversary is willing to compel you to unlock using your fingerprints, but isn't going to just laugh at you and take a wrench to your toes (or put you in jail and psychologically torture you) until you tell them the code. (Always-relevant XKCD.) FWIW, I think it's a reasonable convenience feature—especially since the temptation to use a crappy passcode is very high, if you have to enter it 50 times a day.

* I am not sure whether it is more proper to say that data is stored "in" the Secure Enclave or stored "using" the Secure Enclave; it's a bit unclear to me whether data is physically stored in memory inside the SE module or if the SE encrypts it and then stores it in system memory. Some block diagrams suggest the former, but hardware practicalities suggest to me that the latter is literally true.
posted by Kadin2048 at 11:44 AM on October 30, 2018 [4 favorites]
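The two comments above (GCU's one-way-function explanation and Kadin2048's speculation about a hashed minutia map) raise a point worth seeing in code: a password can be stored as a one-way verifier because every login presents the exact same input, but a fingerprint reading is never bit-for-bit identical between scans, so a plain hash of the template would reject the real finger. The matcher has to keep a comparable template and check it against a tolerance, which is why the sensible design is to keep that template inside the matcher and release only match / no-match. The block below is an added illustration, not code from the thread, from Apple, or from any real fingerprint stack; the minutia format, tolerances, threshold and sample points are all made up for the demonstration.

```python
"""Toy comparison of two stored credentials: a salted one-way password
verifier (exact match) versus a fingerprint-style minutiae template
(approximate match). Added example; the minutia format, tolerances and
sample points are illustrative assumptions, not anyone's real scheme."""
import hashlib
import hmac
import math
import os
from typing import List, Tuple

# Assumed template format: (x, y, ridge angle in degrees) per minutia point.
Minutia = Tuple[float, float, float]

# --- Passwords: store a salted one-way verifier, never the password -------

def derive_verifier(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256: cheap to compute forward, expensive to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(candidate: str, salt: bytes, verifier: bytes) -> bool:
    """Constant-time compare so timing does not leak how much matched."""
    return hmac.compare_digest(derive_verifier(candidate, salt), verifier)

# --- Biometrics: readings are noisy, so an exact hash cannot be the check --

def template_digest(template: List[Minutia]) -> str:
    """What 'just hash the minutia map' would store. Any sensor jitter
    changes the canonical string and therefore the digest."""
    canon = ";".join(f"{x:.1f},{y:.1f},{a:.0f}" for x, y, a in sorted(template))
    return hashlib.sha256(canon.encode()).hexdigest()

def _close(a: Minutia, b: Minutia, pos_tol: float, ang_tol: float) -> bool:
    dist = math.hypot(a[0] - b[0], a[1] - b[1])
    dang = abs((a[2] - b[2] + 180) % 360 - 180)   # wrap-around angle difference
    return dist <= pos_tol and dang <= ang_tol

def match_score(enrolled: List[Minutia], probe: List[Minutia],
                pos_tol: float = 6.0, ang_tol: float = 15.0) -> float:
    """Fraction of enrolled minutiae that have a counterpart in the probe.
    Greedy one-to-one pairing; a real matcher also aligns for shift/rotation."""
    unused = list(probe)
    hits = 0
    for m in enrolled:
        for i, p in enumerate(unused):
            if _close(m, p, pos_tol, ang_tol):
                hits += 1
                del unused[i]
                break
    return hits / len(enrolled) if enrolled else 0.0

def biometric_match(enrolled: List[Minutia], probe: List[Minutia],
                    threshold: float = 0.6) -> bool:
    """The only thing the matcher should ever release: match / no match."""
    return match_score(enrolled, probe) >= threshold

# --- Constructed sample data (not real prints) ----------------------------
ENROLLED: List[Minutia] = [(10, 12, 30), (40, 15, 95), (22, 48, 170),
                           (60, 60, 250), (35, 80, 10)]
# Same finger re-scanned: a few pixels / degrees of jitter on every point.
PROBE_SAME: List[Minutia] = [(12, 11, 33), (38, 17, 90), (24, 46, 176),
                             (61, 58, 244), (33, 83, 7)]
# A different finger: minutiae in unrelated places.
PROBE_OTHER: List[Minutia] = [(70, 10, 300), (5, 90, 120), (50, 30, 60),
                              (85, 75, 200), (15, 60, 330)]

SALT = os.urandom(16)
VERIFIER = derive_verifier("correct horse battery", SALT)

if __name__ == "__main__":
    print("password ok:   ", verify_password("correct horse battery", SALT, VERIFIER))
    print("password bad:  ", verify_password("Tr0ub4dor&3", SALT, VERIFIER))
    print("digest survives rescan:", template_digest(ENROLLED) == template_digest(PROBE_SAME))
    print("same finger matches:   ", biometric_match(ENROLLED, PROBE_SAME))
    print("other finger matches:  ", biometric_match(ENROLLED, PROBE_OTHER))
```

Running it shows the asymmetry: the password verifier accepts the right password and nothing else, the SHA-256 digest of the enrolled template does not equal the digest of the jittered rescan, yet the tolerance matcher accepts the rescan and rejects the other finger. That is the practical reason a biometric template cannot be protected the way a password file is, and why isolating the template and the matcher (as the Secure Enclave does) matters more than any hashing of it.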

I'm going to endorse everything in Kadin2048's comment directly above. So, to specifically answer your questions:

> Should I use the fingerprint scanner on my phone?

Yes! It's an enormous increase in security with minimal effort. (Think of the time that you will leave your phone on the subway, or at the dentist's office - your passcode of "1111" is not helping.)

> I'm not worried about someone getting into my phone as much as the fingerprint data being stolen. After all, you can change a password but not a fingerprint.

This is almost exactly the wrong thing to worry about. You *should* worry about someone getting into your phone, because it logs where you've been, who you've called or messaged, what you've emailed, what websites you've visited, your health records, your credit cards, your personal photos, and more. You leave your fingerprints everywhere - that restaurant you last ate at has a gorgeous set of your prints on the glass of water - but who cares? If the attacker has all the info on your phone, why do they even care about your fingerprints?

> Now that fingerprint scanners have been used commonly for many years, have there been any cases of fingerprints being hacked or leaked in any way?

If you're talking about a modern iPhone, no, there are no known* leaks of fingerprint info. The Secure Enclave only returns a Match/No Match response, so it's not obvious how such info could leak, short of state-level actors trying to brute force it. But (unless you're of Snowden-level interest to the government) that's not your big problem.

And - if you don't already know this - you can trivially lock out biometric IDs (TouchID or FaceID) on an iPhone by holding down the power button for a bit. So - about to go through Customs and worried about someone forcing your finger on to the sensor? Hold down the power button, then cancel - you don't have to power off - and all biometric ID is locked out until you supply your (arbitrarily long) passcode.

Good luck holding out against that $5 wrench, though.
posted by RedOrGreen at 1:18 PM on October 30, 2018 [1 favorite]
