[Note - this is long but offers a reasonable amount of insight into how not secure your new iPhone is. When I mention 'sensitive data' remember that items which fall into this category include bank details, ID details, password lists, insurance details etc. You don't have to be a spy to have sensitive data on your phone.]
And virtually no-one is surprised, although I'm fairly sure everyone knows some ifucktard who has been letting everyone know about this particular feature on the iPhone 5s (the first new hardware feature since the introduction of the camera on the front of the phone, on the iPhone 4).
While I'm not doubting that a combination of fingerprint and passcode are more secure than a passcode alone, most people who have never had to use one significantly overestimate how secure a fingerprint sensor is. Here are some of the flaws in this now aged technology:
- Fingerprints sensors have been included on laptops for almost ten years now. They haven't really caught on, largely because they worked poorly. If you have a considerable amount of cellulose, adhesive, ink, gelatine, glue (etc) on your finger the sensor would struggle to detect the grooves in your finger. This means they function poorly when you have dirty hands. Also users found the security measure inconvenient - on 'professional' operating systems, users have to type their username, so typing a password is less effort.
- Fingerprints aren't secret. Everything you touch leaves a fingerprint. Particularly glass surfaces, such as... an iPhone. While many of you will have, at some point in your life, duplicated one of your fingerprints with tape; it would be more than possible to lift very accurate duplicate fingerprints using more advanced tools.
- Fingerprint sensors have frequently been fooled by glue or gelatine reconstructions of fingerprints, or even photocopies with a very thick layer of toner.
- If someone steals your fingerprint, you cant change it like you would a passcode. Well, reasonably.
Has Apple changed anything?
The scanner alone is quite secure. The problem is that it is not very secure. A very large number of iPhone 5s users will use it with a 'something is better than nothing' approach, and it's an exceedingly small group of people that would consider lifting a print just to read your text messages, but reading a passcode is much easier. So a fingerprint sensor is probably more secure amongst your friends than a 4 digit passcode.
They're a much more attractive proposition on a phone than a laptop, simply pressing one button that you'd have to press anyway and your phone unlocks, or doesn't if you don't own the phone. Also you don't have to type in your username on an iPhone. That answers the first point above.
However, a phone thief isn't your friend, and if you work with sensitive information or research this is not optimum security.
The iPhone fingerprint scanner has successfully been hacked by the infamous German hacking group, the Chaos Computer Club (CCC). They used the same technique they first used when fingerprint scanners first appeared in 2004.
Here's a simplified version of the CCCs 'how to clone a fingerprint' guide:
- Take a hi-res (2400dpi) photograph of the fingerprint.
- Invert the image so the valleys of the print are black.
- Laser print (1200dpi) the image with a very thick toner setting.
- Smear white woodglue (or latex) over the printout and allow to set.
- Carefully peel off the glue or latex sheet.
- Breathe on the surface so it's slightly moist and conductive.
- Unlock phone.
The CCC group used a fingerprint photographed from the surface of the phone.
So they are still relatively* easy to hack, just like every other scanner ever made.
As for the fourth point, you could have fingerprint transplants but really???
And the point of all that?
When your $650 phone is 'lost' and found by some fortunate arsehole who doesn't return it, you tell the police and your network carrier. Your carrier then blocks the IMEI number associated with the phone, rendering it useless unless the IMEI is changed, which requires special equipment. The thief probably knows this, so sells it to someone else who can change the IMEI, unlock the phone and sell it for profit. This person is probably also more than capable of copying one of your fingerprints off the glass (providing the thief didn't use the phone much), giving him direct access into your phone. He sees all your data, takes what's useful, wipes it, and changes the IMEI before selling it on.
If you have absolutely no sensitive data on your phone, then feel free to use the scanner alone. However, if you do you should use a combination of fingerprint and passcode.
*relative - takes 1 - 2 hours of work for a skilled hacker, several hours more waiting.