Senator Al Franken Wants To Know If Touch ID Can Be Used To Steal Your Fingerprint


Touch ID
Photo: Apple

U.S. Senator Al Franken has been very vocal about his Apple opinions for years, and this time he’s sent a letter to Tim Cook regarding Touch ID in the iPhone 5s.

Franken has “substantial privacy questions” when it comes to Touch ID’s security, and given the recent NSA findings, his concerns come at a time when the American public’s questioning of online security has heightened.

Apple has made it very clear that the Touch ID fingerprint sensor in the 5s can’t be accessed by any parts of the phone, as the data is stored in a secure enclave of the A7 processor. But Franken still questions whether a third-party could somehow convert fingerprint data to make it readable. Other questions Franken asks are if the data can be read with physical access to the phone, what diagnostic information Touch ID sends to Apple, and whether Apple can be forced to provide fingerprint data to the government.

Back in 2011, Franken lead the discussion on the uncovering that iOS was silently logging location data without the user’s explicit permission, or what was commonly called “Locationgate” amongst the tech press. Today’s letter from Franken on Touch ID falls under the same umbrella of public security concerns. An excerpt:

Passwords are secret and dynamic; fingerprints are public and permanent. If you don’t tell anyone your password, no one will know what it is. If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints. You have only ten of them. And you leave them on everything you touch; they are definitely not a secret. What’s more, a password doesn’t uniquely identify its owner—a fingerprint does. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.

Apple has detailed Touch ID’s security measures on its FAQ page. Craig Federighi, Apple’s head of software, recently explained how the company went about ensuring that the sensor was secure:

Wouldn’t it be great that you could use your finger to unlock your phone or to make a purchase? It sounds like a simple idea, but how many places could that become a bad idea because you failed to execute on it? We thought, ‘Well, one place where that could be a bad idea is somebody who writes a malicious app, somebody who breaks into your phone, starts capturing your fingerprint. What are they doing with that? Can they reuse that in some other location? Can they use it to spoof their way into other people’s phones?’

That would be worse than never having done the feature at all if you did those things, right? And so you take that all the way to that spectrum, and we said, ‘My gosh, in our silicon we’re going to have to build a little island, a little enclave that’s walled off so that, literally, the main processor—no matter if you took ownership of the whole device and ran whatever code you wanted on the main processor—could not get that fingerprint out of there. Literally, the physical lines of communication in and out of the chip would not permit that ever to escape.’ It was something we considered fundamental to solving the overall problem.

You can read Franken’s full letter to Apple at the source link below.

Source: Al Franken

  • Gregory Wright

    Senator Franken what are your ideas on making phones more secure? How about assigning responsibility for phone security to the phone owner. How about that.