Now Your Finger Will be Hacked

co-authored by Dr. Stephen Bryen, CEO Ziklag Systems

Apple is installing a finger print reader on its new 5S phone. The idea behind it is that a fingerprint is a strong biometric and you will no longer need to use passwords (if you use them now). Instead your fingerprint will "open" the phone and it can also be used (in the future) to open certain APPS such as on line banking or credit cards. You won't have to remember anything (other than hoping your finger is not detached involuntarily from your hand).

Fingerprint readers have been around for a long time, and there are different schemes on how to "read" a fingerprint. Recently, for example, this author went to Dulles Airport in Virginia to register for a U.S. Custom's Traveler's Program. A fingerprint is required, since the fingerprint activates the automatic machines at U.S. points of entry that will let you in without having to wait in line.

Unfortunately, my fingerprints did not "scan" correctly and I could not complete enrollment in the program. It seems the fingerprint reader was unable to pick up enough "points" that define places on my finger so it could not register. Of course I was less than happy since registering in the program cost $200 (non refundable). I asked the agent doing the work how common this problem was. He told me that roughly 25% of the applicants can't register because of the inability to scan the fingerprint.

It would seem that either Apple has come up with incredible fingerprint technology, or alternatively, they are using a dumbed down fingerprint scanner. This means that the fidelity of the fingerprint scan is likely low in order to avoid rejects. If this is the case, it also means that spoofing the fingerprint reader will not be too difficult.

When a fingerprint is scanned, the result is a supposedly unique number. Naturally, the "uniqueness" of the number depends on how many "points" are counted in the scan. The resulting number can also be manipulated to make it more difficult to guess.

A key problem in all this is the fingerprint scanning system is living on top of a highly vulnerable hardware that can be hacked in a multitude of ways. Apple's products, following the news accounts, are no better or worse than the smartphones of other vendors --and all smartphones face serious and strong internal and external threats. An internal threat is a threat to plant something on a phone that can copy all the transactions of the phone. An external threat is an intercept either on or through the telephone company, the WIFI connection, Bluetooth, "Bump" or NFC or other connection to the phone.

Since a typical smartphone is vulnerable on multiple fronts the chance of having a fingerprint number or image stolen is highly likely. It will not take the hackers very long to figure it all out, and fingerprint scanning (or any other biometric) will be no more secure than the platform it "lives" on.

In short, the fingerprint scanner may be more of a gimmick than a serious security measure for a smartphone. If users are forced to scan their fingerprints, the frustration level over failed attempts, errors, and wrong ID numbers may destroy any marginal value it might have. We will have to wait and see, of course, but this may go the way of the Ouija board.