I am far from a fan of Apple, but I always admit that it is one of the most
brilliant technology companies. The ultimate goal for high-tech products is to hide the
technology. All that matters is to give a natural experience to the user.

Touch ID, according to Apple, is the combination of “some of the most advanced
hardware and software”. It scans your fingerprint while you press the home button
and unlocks the phone if the scanned image matches what you have recorded. This
is a complicated process involving sensor recognition, hardware encryption and
software optimization.

The Touch ID sensor is hidden behind the sapphire home button. The sensor is
thinner than a human hair, housing an 88x88 array of capacitors to catch every detail on your finger (a
resolution of 500 pixels per inch). Two noticeable aspects of this high-tech
button are the dark areas on the sensor die and the metal ring surrounding the
button. Chipworks imaged the die of the sensor, and it is unusual to see that
the silicon has been partially etched to provide a recessed shelf within the
die area for wire bonds at the top and bottom edges. Although wire bonding is old-fashioned, this trick allows the chip surface to touch the
sapphire disc directly, minimizing the finger-chip distance and thus maximizing the
accuracy. At the front side of the button, the metal ring that everyone notices
is more than just decoration. It is actually part of the sensor. This ring
detects your finger and wakes up the sensor chip before the button is touched.
This time interval gives the user the illusion
that the matching process happens in no time. He may even forget that the phone
is securely protected.

Now, your fingerprint is protecting your phone, but who is protecting your
fingerprint? For this, Apple implemented the solution developed by ARM, a
microprocessor IP provider. ARM developed the so-called “TrustZone” technology,
which is a portion of the microprocessor that is accessible only by certain
hardware and not by any software from the operating system. This hardware encryption makes
it impossible for any app to steal your fingerprint information.

Actually, fingerprint technology has existed for a long time, and Apple is not the first
smartphone company to implement fingerprint sensors. Samsung, Moto and HTC
have all released products that use a fingerprint to protect the phone, but none
managed to attract enough public attention. Indeed, technology is one thing;
how the fingerprint recognition is integrated with the phone-unlocking process
is another. Ease of use is sometimes the deciding factor. In fact, more than half of
users leave their smartphone unprotected to avoid the trouble of entering a
password. Touch ID seems to be the best fingerprint-based solution that embraces both
convenience and security, although it is still too early to conclude.
Everything happens with only one press on the button.

Yet Touch ID is not unbeatable. Shortly after the release, the Chaos Computer Club successfully
hacked it with a fake finger and documented it on video. They took advantage of the
fingerprint image left on the touch screen to replicate a fake one, which for a
phone in daily use could be harder but is still doable. This is the Achilles’ heel
of not only Touch ID, but all biometric solutions that use an individual’s
biological traits to secure information. The words of Frank Rieger,
the spokesperson of the Chaos Computer Club, are really worth attention:

“We hope that this finally puts to rest the illusions people have about fingerprint
biometrics. It is plain stupid to use something that you can’t change and that
you leave everywhere every day as a security token. The public should no longer
be fooled by the biometrics industry with false security claims. Biometrics is
fundamentally a technology designed for oppression and control, not for
securing everyday device access.”

Our biological information is unique and unchangeable. Plus, most such information is also
hard to protect. Take fingerprints, for instance: anything you’ve touched will
have your fingerprint left on it. On the other hand, for something that is not normally
accessible, if you are hacked once, you are hacked forever. This makes it
essential to protect such information itself. The “TrustZone”
technology is good enough to block software attacks, but it still needs to
demonstrate protection against a forced read of the hardware itself.

Perhaps there is no 100 percent security. The implementation of Touch ID may not fully
secure your phone, but it definitely makes it harder for someone to break into
your phone. Indeed, engineering is the art of trade-offs. If someone has the
resources to break into your phone for information, he probably already has
many other ways to spy on you. It is also always advised not to store sensitive
information in consumer electronics. In this regard, whatever Touch ID provides
is sufficient. Most importantly, it is a thousand times more convenient than
entering a password!