Tuesday, 3 May 2016

Fingerprint Security Can Actually Make Data on Phone More Vulnerable to Government, Authorities

Fingerprint security should keep data safer from everyone, but recent cases have shown that the government can actually force someone to use their own fingerprint to unlock their phone, possibly incriminating themselves in a case.


A growing number of smartphones today have fingerprint sensors. In a sense, they can be safer than passwords, as they can't be compromised without the physical help of the owner.

After the legal debacle between Apple (NASDAQ: AAPL) and the FBI over a criminal's iPhone 5c, there is now an ongoing debate in a Los Angeles case regarding a woman who is being forced to use her fingerprints to unlock her iPhone through Touch ID. Several experts in the legal field are now arguing over whether the case contradicts the Fifth Amendment's protection against self-incrimination.

The United States Supreme Court has already ruled that law enforcement authorities can easily get a search warrant for mobile phones and that they can require people to hand over any physical evidence that they may have, including fingerprints. This is even possible without a direct order from the judge.

Legal experts are saying that the recent case has different circumstances and factors. Forcing a person to place their fingers on an iPhone to unlock it can be in violation of the Fifth Amendment, as it would be a form of self-incrimination, according to MacWorld. Some of them are even saying that it would be similar to forcing someone to testify against themselves in court.

The recent case could set a bad precedent for future cases, as authorities could just force someone to unlock their iPhone, which could possibly lead to self-incrimination. In this respect, passwords could actually be safer, as a person can't be forced to enter them on the phone.

In the recent Farook case, Apple consistently refused to comply with the judge's order to unlock the San Bernardino shooter's iPhone 5c. The phone was locked by a code and not a Touch ID sensor.

If the FBI tried to unlock the iPhone 5c itself, it risked having the data inside wiped after several wrong attempts. Apple was ordered to unlock the phone, but it would have had to get past the encryption and security measures by developing software that would let the authorities unlock the phone.

As Apple was not complying with the order, the FBI took the matter into its own hands by hiring third-party professional gray-hat hackers to do the deed. The hackers were able to unlock the iPhone 5c without wiping the data from the phone by using a previously unknown exploit.

The authorities and the government are now discussing whether to disclose the exploit to Apple so that the Cupertino-based company can patch it. However, it would seem that they are reluctant to share the information, as they could still use it for future cases.

If Farook's iPhone had had a Touch ID sensor, it would have been easy for the authorities to just unlock it. They had Farook's corpse, and it would only take a couple of seconds to unlock the phone. Another issue is that fingerprints can also be stolen, just like passwords. For some people, a fingerprint might even be easier to steal, as all a thief needs is one print off a flat surface.

Fingerprints are supposed to be more secure than passwords because they can't be stolen remotely, unlike passwords and PINs, which can easily be compromised through an exploit or a virus. However, recent developments suggest that fingerprints can be just as unsafe as passwords.

3D printers today can even be used to print molds of fingerprints that can unlock a phone with a fingerprint sensor. Of course, this relies on the person printing the mold having an image of the prints or the help of their owner.

However, technology has evolved to the point that hackers can print a 3D mold of a person's fingerprint from just a high-resolution image. In 2014, the security researcher Starbug used this technique to create a working model of the fingerprint of a German defense minister, all based on a photograph, according to The Verge.

With today's smartphone cameras continuously improving, it won't be long before photographs posted on Facebook (NASDAQ: FB) or Instagram can be used against a person. If an image is of high enough quality for the prints to be seen and recognized, another person could make a working mold of those fingerprints.

Still, fingerprint security has benefits over traditional password and PIN logins. Even if another person has the 3D-printed mold, they would also have to gain access to the owner's phone itself. Hackers who try this method need to be close to the person to actually use the mold on their smartphone. For instance, a hacker on the other side of the world wouldn't be able to use this trick without having the victim's smartphone. Passwords, on the other hand, can be used to log in from several places at once. A hacker could use a user's password even if he or she is miles away from the actual person. This is because the accounts on smartphones can be linked to the Internet, and data could most likely be saved there as well. Attackers can just access the victim's accounts from their own computers if they already know the passwords.

Since fingerprint molds can be made from an image, the US government can easily make them, considering that it has a database of fingerprints. The Los Angeles case was a bit difficult, as the suspect was not in its databases. If a person does not want to unlock their iPhone's Touch ID, the authorities can still make a mold of their fingerprint if the person is in their databases. The recent case proves that fingerprint security can be used against the owner as well.

Author: Lord Marin