As cool, high-tech, and futuristic as biometric authentication systems can be, there’s definitely a dark side that many security and privacy advocates have been concerned about for years — the collection and storage of biometric data such as fingerprints, facial recognition data, and retina eye maps that is required to drive these systems.
In short, if you can authenticate to something with part of your body, information on that body part has to be stored in some way, and if there’s a data breach, it’s far easier to change your password than your fingerprints.
This week, The Guardian reported on these worst fears coming true, as over a million fingerprints and facial recognition profiles were disclosed as part of a major security breach in a biometrics company, Suprema, used by banks, police, and defence firms in the U.K. for managing access to secure facilities like warehouses and office buildings.
A pair of Israeli security researchers looking for holes in companies’ security systems found that the database of stored fingerprints and other biometric data was “unprotected and mostly unencrypted” and were able to easily gain access to a staggering amount of data.
The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
With Suprema’s Biostar 2 locks being used in over 1.5 million locations around the world, this could possibly represent the most serious breach of biometric data ever revealed.
A Rookie Mistake
It’s worth noting that Suprema implemented its systems so poorly that it arguably had no business developing security products in the first place.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.”
Noam Rotem and Ran Locar, Israeli security researchers for vpnmentor
Sadly, one of the researchers said the problem wasn’t unique to Suprema, and that there are “literally millions of open systems” out there, some of which are “quite sensitive.”
Why iPhone Users Don’t Need to Worry
Many people are understandably cautious about using features like Touch ID and Face ID — we’ve encountered friends and family in our own circles who refuse to enable them on their iPhones for fear that their fingerprints and facial recognition data are being stored and possibly even shared with Apple — and reports like this do nothing to assuage these fears. The reality, however, is that iPhone users actually have nothing at all to be concerned about, as Apple has not only done the basics right, but has gone far above and beyond in guaranteeing as secure a solution as possible.
Firstly, there are the basics. A company with the financial and engineering resources of Apple wouldn’t make a rookie move like storing biometric data, or even passwords, without at least a basic level of encryption. However, Apple’s security goes WAY beyond that.
No Fingerprints or Faces Are Stored
No developer worth its salt would ever consider storing even a password without “hashing” it, and this is even more true when dealing with biometric data.
A “hash” is basically a software engineering term for a one-way algorithm that converts a chunk of data — whether it’s a simple password or a fingerprint or face — into an alphanumeric value that cannot be turned back into the original data. Hashing algorithms aren’t anything new either — they’ve been used for decades for data such as passwords.
Without getting too far into the mathematics of it, the idea here is that the provided password, fingerprint, or facial profile is always run through the hashing algorithm and compared to the stored value.
In other words, when setting up Touch ID or Face ID, your iPhone doesn’t store your actual fingerprint or facial profile, but rather a complex alphanumeric representation of it. This is done in such a way that it’s mathematically impossible to turn it back into your fingerprint or your face.
When you unlock your iPhone, it simply runs the same algorithm that it did when you first set it up, producing the same alphanumeric hash and comparing that to the stored hash to see if they match.
So a hacker can’t get your fingerprint or your facial data from your iPhone because it’s not actually there.
Nothing Leaves the iPhone
Apple has also made a point of doing all of this processing on the iPhone itself. So even the hashes of your fingerprints or facial data aren’t stored anywhere except on your iPhone (or iPad, or Mac).
There’s simply no need for Apple to store this data in iCloud, and in fact it doesn’t even form part of the backups you make of your iOS devices. This is why you need to set up Touch ID or Face ID again from scratch if you restore your iPhone.
So while your biometric data is already very secure by being stored in hashed form, it’s also impossible for somebody to obtain it by compromising Apple’s servers, because it’s not stored on Apple’s servers.
The Secure Enclave
If that weren’t enough, Apple has also taken some really clever and impressive steps to make it virtually impossible to get even the stored hashes of your biometric data off your iPhone or iPad, even if a hacker has physical possession of it.
The magic here is found in Apple’s Secure Enclave, a special co-processor that’s been included in every iPhone since Touch ID was introduced with the iPhone 5s, and forms part of the T1 and T2 chips used in modern MacBooks.
The Secure Enclave is the keeper of the encryption keys for all of the ultra-sensitive data that gets kept on your iPhone, iPad, or Mac. This includes not only your Touch ID or Face ID data, but also things like Apple Pay credit and debit cards.
Think of the Secure Enclave as a separate computer running on your iPhone, iPad, or Mac. It runs its own special operating system and is completely isolated from direct access by the iOS or macOS operating system. It’s basically a big, burly guard blocking access to all of your most sensitive and important data.
When it comes to Touch ID and Face ID, fingerprint and facial data are routed directly through the Secure Enclave, not the normal A-series CPU in your iPhone, and as a result they are never stored anywhere that can be accessed by anything but the Secure Enclave. The Enclave also doesn’t provide any way to actually reveal these hashes — it only receives new hashes that are presented to it for comparison, sending a simple “Yes” or “No” as a response.
In other words, your hashed biometric data — which is already non-reversible — can’t be retrieved even with physical access to your iPhone, iPad, or Mac, because it’s not stored in a way that’s accessible.
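As an added illustration (not code from the article or from Apple), here is the hash-then-compare model described above beside the raw-storage mistake from the Suprema breach, plus the yes/no-only interface the article attributes to the Secure Enclave. The enrollment sample, the EnclaveLike class and the function names are constructed for this example, and the sample is treated as an exact byte string, as the article’s description does.

```python
import hashlib
import hmac
import os

# Constructed stand-in for enrollment data (a password, or, as the article
# describes it, a fingerprint/face profile treated as an exact byte string).
ENROLLED_SAMPLE = b"constructed-enrollment-sample-0001"
ITERATIONS = 100_000  # work factor for the one-way derivation


def derive(sample: bytes, salt: bytes) -> bytes:
    """One-way transformation: same input + salt always gives the same digest,
    but the digest cannot be turned back into the input."""
    return hashlib.pbkdf2_hmac("sha256", sample, salt, ITERATIONS)


def enroll_insecure(sample: bytes) -> dict:
    """The Suprema-style mistake: the raw sample itself is what gets stored."""
    return {"sample": sample}


def enroll_hashed(sample: bytes) -> dict:
    """Hash-then-store: only a random salt and the digest are kept."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": derive(sample, salt)}


def verify_hashed(record: dict, candidate: bytes) -> bool:
    """Re-run the same algorithm on the presented data and compare digests
    (constant-time compare avoids leaking how many bytes matched)."""
    return hmac.compare_digest(derive(candidate, record["salt"]), record["digest"])


def record_exposes_sample(record: dict, sample: bytes) -> bool:
    """Breach check: would dumping this stored record disclose the sample?"""
    return any(sample in value for value in record.values())


class EnclaveLike:
    """Models the yes/no interface the article attributes to the Secure Enclave:
    the record lives only inside this object, and the only operation offered
    to the outside is verify(). There is no accessor for the digest."""

    def __init__(self, sample: bytes) -> None:
        self.__record = enroll_hashed(sample)  # name-mangled; not part of the API

    def verify(self, candidate: bytes) -> bool:
        return verify_hashed(self.__record, candidate)
```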
Is it totally foolproof?
No system is totally foolproof, but Apple’s design makes it virtually impossible to get at your biometric data in any form.
Of course, “virtually” impossible isn’t quite the same as actually impossible. Hackers may eventually find a way to circumvent the Secure Enclave, which would give them access to much of the data stored there. So far, researchers have succeeded in decrypting the Secure Enclave OS, but this has only given them some insight into how it works; nobody has yet figured out a way to access the data stored in the Secure Enclave.
However, even if the Secure Enclave gets thoroughly hacked, the only biometric data that a malicious hacker would be able to retrieve about you are relatively useless hashes of your fingerprints or facial data, and they would not only need physical access to your iPhone, but would likely need to disassemble it and remove the Secure Enclave in order to do so. For all practical purposes, this seems like something that very few people will ever need to be concerned with, and those who are worried about being the target of organizations with the kind of resources to do this likely have problems that consumer technology can’t solve.