Apple for the day

Nick Summers has a BusinessWeek article about Apple in Sweden:

Plenty of investors feel whiplashed by Apple. The company’s stock surged 86 percent from the day of Steve Jobs’ death to its all-time high in September of 2012, then lost 44 percent of its value in the next seven months.
But that zigzag looks downright gentle next to the fortunes of some of the suppliers in the global smartphone market that Apple leads. Two Swedish makers of fingerprint sensors, Fingerprint Cards and Precise Biometrics, saw their shares leap 523 percent and 675 percent, respectively, from 1 January 2013 through early September of 2013, as speculation built that Apple would include a fingerprint function in its new iPhones, and lead the rest of the industry to scramble to buy the technology to keep pace.
Now the two Swedish companies have come crashing down, on news that a European hacker group claimed to have defeated the security feature— by photographing a fingertip at extremely high resolution, printing the result onto a transparent sheet, and pouring “pink latex milk” onto the pattern. Fingerprint Cards lost as much as 36 percent in Stockholm trading, and Precise Biometrics lost 34 percent.
Fingerprint Cards CEO Johan Carlstroem gave this somewhat alarming quote to Bloomberg News in response to the hack: “Do you think it’s easy to first take a high-resolution picture of your fingerprint and then steal your mobile? Wouldn’t it be better to pick up a gun and press it against your temple and ask you to unlock it?”
Google’s Android mobile operating system has more users than Apple, but the iPhone is where tomorrow’s technology is often introduced to the masses. That includes multitouch screens and scratch-resistant glass.
As Bloomberg News has reported, Apple’s products draw from a thirty billion dollar global network of at least 247 suppliers, from audio chips to plastics. Those companies gained in trading today after Apple announced it had sold nine million new iPhones in the first weekend they were available.

Rico says he always thought the fingerprint thing was stupid, anyway, and David Meyer has another BusinessWeek article on the problem:

You know the fingerprint sensor built into the Home button on the new iPhone 5s, for unlocking the handset and buying stuff through iTunes and the App Store.
I thought the fingerprint was stored in some secure chip. How’d it get hacked?
It is, and this isn’t a hard-core technological hack so much as a good old-fashioned fake fingerprint technique. You find the iPhone owner’s print somewhere (the device itself may carry a few on its glossy surfaces), put some powder on it to make it more visible, then photograph or scan it at high resolution. Clean up the reversed image, print it at high resolution using thick ink, then use that to make a thin latex dummy, which you can put on your finger and use to unlock the iPhone.
I thought TouchID was supposed to be smarter than that. Well it was, and I admit I’m a bit confused by what was revealed on the weekend.
A big selling point of the new generation of fingerprint readers, including that in the iPhone 5s, is that they don’t simply read the outer, dead layer of skin— instead, they use a radio frequency scanner to read a living layer of skin underneath. According to a Citeworld report, this assures the system that it’s dealing with a living finger, nixing both the old lift-a-print trick (see above) and the chop-off-some-poor-person’s-finger-to-unlock-their-phone trick.
But according to the Chaos Computer Club (CCC) and hacker Starbug, who claimed TouchID’s breakage on Sunday, “the marvels of the new technology” are less impressive than touted. Here’s what Starbug said in a statement:

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”

If that’s correct— and it should be noted that Apple itself only talks about taking “a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin” in its online FAQ— then TouchID isn’t actually that good at making sure it’s dealing with a living finger. It appears that it can be fooled, as Starbug describes, by breathing on the latex sheet “to make it a tiny bit moist” before using it on the sensor.
“We’re quite surprised that it just works out of the box, the same attack that we published ten years ago,” CCC spokesman Dirk Engling told me.
Noting that there are several ways of detecting living tissue— current flowing between the finger and device; minuscule changes in the fingerprint’s geometry to indicate a pulse— Engling suggested that Apple may have allowed the flaw when trying to balance security and ease of use. “In the end you have to shift the balance to more comfort, and that’s apparently what Apple did,” he said. “Out in the field, people would have problems unlocking their iPhones if they were to be too strict. This is a basic problem of biometrics.”
I’m waiting for Apple to comment on all this, and will add their response as and when I get it.
Can we trust Starbug?
In the first of the two videos Starbug has published on YouTube, someone programs the iPhone with their index finger, then puts the latex sheet on another finger to unlock the device. In the second, a completely different person dons the sheet to fool the phone. It looks legit.
Starbug has been around for a while. Also, even though there’s a crowdfunded bug bounty out there for cracking TouchID, the CCC is Europe’s largest hacker organization and it has a reputation to uphold. I sincerely doubt anyone’s pranking the world on this one.
As an iPhone 5s user, should I be afraid?
Depends on the scenario you’ve got in your head. If it’s pickpocketing you’re worried about, then bear in mind that your iPhone is probably covered in your fingerprints. That said, making a fake print of the quality we’re talking about here is not trivial and it also takes a while, making it likely that the owner would just remotely wipe the device before anything can be accessed. So I guess it depends on the caliber of pickpocket, and their desire to do more than simply steal and sell the hardware.
If it’s muggers or overzealous law enforcement or border agents that you’re thinking about, then this “hack” doesn’t make a blind bit of difference. Merely having a biometric access mechanism makes it possible to grab your hand and use it to unlock the phone— much simpler than having to go through the tedious process of passcode extraction (or making fake prints).
The only real worry here relates to a more targeted attack, perhaps by a private investigator who’s after some juicy corporate secrets. If the victim’s fingerprint has already been lifted from somewhere— which any idiot with a degree of patience could achieve— and a corresponding latex sheet made, then a skilled pickpocket armed with that sheet could get very quick access indeed.
For most people this won’t be a problem. And, indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.
But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.