Right off the top: I like Wil Wheaton. I like his serious attitude towards beer, I like his Tabletop board game webcast (porn couch and all) because board gaming is awesome, I like his wit, and I like that he puts in time and effort on behalf of needy animals and homeless pets. In general, I would rate him a “good guy”.
But when it comes to technology, well, um … did I mention that Wil is a damn fine actor? He is! Which is good, because he isn’t going to make his way in the world as tech guru any time soon.
Yesterday, after the release announcement of the iPhone 5S and the embedded security system based on fingerprint recognition, Wil took to Twitter:
I know he means well. With Big Brother’s, er, the U.S. government’s attitude that your data is their data and they don’t need no stinking warrant to get it … being careful is a smart thing. But the problem here is twofold: One, he hasn’t actually got the faintest clue as to how the technology actually works. And two, lots and lots and lots of people have such a tenuous grasp on news, technology, reality, and facts that they read a tweet like this (retweeted gawd-knows-how-many times by all and sundry) and take it as 100% gospel. And in a world where knowledge is power, the sad corollary is that lack of knowledge gives people power over you.
So let’s take Mr. Wheaton’s bit of knee-jerk misunderstanding apart and see where he went wrong. His statement is a conclusion without any actual steps towards the proof, so we have to do a bit of filling-in of the blanks, but it’s pretty obvious that he is inferring:
- A visual image of your fingerprint is taken by the new iPhone
- Said fingerprint is stored somewhere on a remote server
- The U.S. government probably has backdoor (or tacit front door) access to that server and can get your fingerprint
Ugh. Really? This is a veritable smorgasbord of technical naiveté topped off with a dessert cart full of just not thinking. It’s time for a crash course in topology, scanning techniques, capacitance, hashing, and good old common sense. Don’t worry, this won’t hurt. Much.
Does the authentication system compare your finger on the sensor to a stored picture of your fingerprint?
No. If you have any experience in topology analysis, you will know that comparing recursive visual patterns with a computer is an insanely long and processor-intensive process. Not 64-bit desktop intensive, we are talking multi-box processor-farm intensive. What will actually be compared is a digital “profile” that is created from the patterns in the fingerprint. Storing and comparing pictures is slow and tedious, in addition to needing a complete and properly-oriented picture every time you wanted to open up your phone. Comparing segments of profiles is how these things are done.
So there is a digital “profile” created. Big deal, someone could still use that, right?
Not unless they were able to pull together virtually all the computing power in the world. And then managed to get extremely lucky. The long stream of digits is turned into what is known as a “hash”. Unlike encryption, where the data is turned into unreadable gobble with the idea that you need to “un-gobble” it later on, a hash is strictly a one-way thing. You take a data item (let’s use the word “Alice”) and then run it through a one-way hashing algorithm and come up with a string of nonsense (let’s say “glxXympittl23ez”). Every time you input “Alice” you get “glxXympittl23ez”. But there is no way to start with “glxXympittl23ez” and work back to “Alice”. Because the hash is a one-way equation and uses internal values that are embedded in that phone and that phone only, it’s nearly unbreakable. And by nearly, I mean virtually. Yes, you could break it eventually, given enough computing horsepower and time, but without the aforementioned luck that time would most likely be measured in decades and not something reasonable like hours and days.
So you’re saying that there’s a chance.
Yes, there is a chance. And guess what – even if they do manage to break the hash, they still aren’t going to get a picture of your fingerprint. The iPhone 5S uses a capacitive scanner, not an optical one. Instead of a picture, the phone is recording and then hashing a digital series that is based on the placement of hundreds of thousands of different electrical values (the sandwich of the conductive layer of your skin, the non-conductive layer of your fingerprint, and the conductive scanner creates an organic capacitor, in case you wondered) that make up your fingerprint. The values are stored as items in relation to each other, not as an absolute map.
Meaning that even if the NSA / CIA / FBI / insert-your-own-shadowy-U.S.-government-big-brother-agency-here gets lucky and breaks the hash, they will get a nice long data string that in no way shows what your fingerprint actually looks like. Imagine a football stadium full of people. Now take one of those thermal imaging pictures that shows the crowd as a pattern of warm and dark spots. Can you tell from that pic which teams are playing? No. Same thing here. You can deduce that there is a game on, sure, but not what the hell is actually happening on the field.
As an unrelated but interesting aside, it also means that your phone can’t be unlocked with a photo of your print. Or by sneaking in and chopping off your finger in the night. It’s got to be a live digit.
But still! You don’t know what the future holds … maybe someday they will figure out how to break these hashes and then what? I don’t care, I don’t want that information stored on Apple’s servers!
Dude. Get a grip. Better yet, take a moment to think this thing through. Do you really think that Apple is going to give you a device that you can’t unlock unless you are actually connected to the net? Or that you have to wait gawd-knows how many seconds to unlock while the transaction works its way through the interpipes? Duh. The hashed value of the capacitance of your print is stored on the phone, and only on the phone. It would be moronic to do it – or even think to do it – any other way. The fact that they even mentioned this, which should have been obvious to anyone, just shows how bad the invasion of people’s personal data has become, and how seriously the crew at Apple is taking it. Geez.
So what, the system is perfect?
No, of course not. There are always trade-offs and compromises. That’s what design is all about. But this is about as secure as you are going to get right now – it’s local and it’s secure. And if it (a) gets more people actually locking their phones, and (b) makes capacitance-based fingerprint recognition a mainstream and comfortable technology, then that’s about as close to win-win-win as there is.
UPDATE: It looks like the “luck” factor is being taken out of the equation. The locally stored hash of the fingerprint profile expires after 48 hours of idle time, and the phone falls back to a mandatory manual password. This is, of course, to stop baddies from taking your phone and spending weeks and months and years trying to force the hash. They’ve got 48 hours to get it done, and that takes the whole thing from “virtually” to “literally” unbreakable. And yes, I do mean literally.
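To make the hashing argument and the 48-hour expiry concrete, here is an added toy model of the design as this post describes it (device-bound one-way hash of the profile, stored only on the phone, expiring after 48 idle hours and falling back to the passcode). It is illustration code written for this post, not Apple’s Touch ID implementation; the “profile” bytes and device secrets are constructed sample values, and HMAC-SHA256 stands in for whatever keyed one-way function the phone actually uses.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(hours=48)  # the post's 48-hour idle expiry


class LocalFingerprintStore:
    """Toy model of the post's description, not Apple's real implementation:
    the phone keeps only a keyed one-way hash of the fingerprint 'profile'."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret        # 'embedded in that phone and that phone only'
        self._stored_hash = None            # never leaves the device
        self._last_use = None

    def profile_hash(self, profile: bytes) -> bytes:
        # Same profile on the same phone -> same digest; another phone -> different digest.
        return hmac.new(self._secret, profile, hashlib.sha256).digest()

    def enroll(self, profile: bytes, now: datetime) -> None:
        self._stored_hash = self.profile_hash(profile)
        self._last_use = now

    def unlock(self, profile: bytes, now: datetime) -> str:
        if self._stored_hash is None:
            return "passcode_required"
        if now - self._last_use > IDLE_LIMIT:
            self._stored_hash = None        # expired: mandatory manual passcode
            return "passcode_required"
        if hmac.compare_digest(self._stored_hash, self.profile_hash(profile)):
            self._last_use = now
            return "unlocked"
        return "rejected"


def same_profile_differs_across_devices(profile: bytes) -> bool:
    # Two phones, two embedded secrets: the stored hashes do not match each other.
    a = LocalFingerprintStore(os.urandom(32))
    b = LocalFingerprintStore(os.urandom(32))
    return a.profile_hash(profile) != b.profile_hash(profile)


if __name__ == "__main__":
    store = LocalFingerprintStore(os.urandom(32))
    t0 = datetime(2013, 9, 11, 9, 0)
    store.enroll(b"constructed-profile:ridge-pairs-v1", t0)
    print(store.unlock(b"constructed-profile:ridge-pairs-v1", t0 + timedelta(hours=1)))
    print(store.unlock(b"constructed-profile:ridge-pairs-v1", t0 + timedelta(hours=50)))
```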