Tech-Speak: Fingerprints vs. Numerals and the Idea of Cyber Safety
When writing about technology and tech trends, sometimes it is better to be late to the party that this or that tech-retailing mega-corporation is throwing, because it gives you time to sit down and have a good think. You know, read some articles, play with the demo model at your nearest (insert blank) mobility store, and weep over the woeful state of your personal finances in the presence of the latest incarnation of your overpriced and flashy cellular god. Because in reality, the thinking is the important bit, and this can’t really be overstated when it comes to discussing people (like myself) who are caught up in a culture of consumption whose slogan can be summed up not so much by words but by a series of obsessive knee-jerk reactions involving an overtaxed credit card and a slurring of garbled cat speech to the tune of: “ehr-mehr-gerd eh haaf-tah-hab-dat!”
Now as far as the visible signs of an addiction go, a knee-jerk reaction to purchase something because it’s shiny isn’t necessarily all that bad when put on a spectrum with the likes of uncontrollable shaking, uncontrollable voiding and unexpected heart failure. There’s less of a smell for one, and less embarrassed awkwardness at being wheeled out by a couple of burly men who (being the well-trained clinicians they are) are in the midst of informing you that, despite your chronological age being somewhere in the range of your mid to late twenties, your heart, on the other hand, is a dead ringer for one belonging to a rather unhealthy man around the age of 75…
Symptoms of underlying problems are, for lack of a better word, generally ‘symptomatic’ of a much larger problem. And like said elderly man’s heart in a late-twenty-year-old’s body, the fact that the two biggest retailers of smartphones are backing the same thumb-scanning horse at the moment implies some ‘things’ about the types of other ‘things’ which are going on within the polished plastic veneer of the smartphone that is currently making you reevaluate your personal take on the difference between a want versus a need.
In truth, finger scanning technology isn’t exactly ‘new’, and the idea of sticking it into something that you don’t want other people to look at isn’t all that new either. So what we have here is a handful of companies (Samsung and Apple being foremost amongst them) dropping an old idea into a new chassis and claiming it’s new and somehow praiseworthy (to say nothing of being price worthy at the very least). And as with any new iteration of an ‘old’ piece of technology that’s been dusted off for yet another ride on the merry-go-round, we have to ask ourselves: just what the heck is the problem that they are trying to fix?
Now at this point I’d imagine that a good chunk of you are probably thinking one of two things. The first being: “Why the hell am I still reading this?” And the second being: “Are you actually saying that Apple and Samsung are somehow being less than truthful with us about the usefulness of thumbprint-based security systems?” To which I would most emphatically answer “PLEASE KEEP READING!” and “No…,” but in a roundabout way, “kinda yeah…” Or at least “kind of…” if you are of the opinion that fingerprint-based systems and their associated interfaces offer you more security than a 4- or 5-digit numeric password when it comes to dealing with “all kinds” vs. “some” or even “most” kinds of potential avenues for identity theft.
What we’re up against and what the marketing departments don’t really want to tell you
Before moving onto other things, I would just like to touch on the somewhat obvious idea that there are in fact many different ways for someone to gain access to a device that has multiple points of access. In regard to your smartphone, these access points are generally fourfold and can be broken down into the categories of touch, talk, wired, and wireless. As of writing this article I’ve yet to find a smartphone manufacturer or tech company that makes use of a verbal input for the purposes of locking someone else out of your phone, but it is a possibility. Rather, what we will be focusing on in this not-so-brief aside is the importance of the other three.
Most people who have owned a cell phone are familiar with the idea of ‘screen-locking’ or ‘logging out’ after ‘x’ amount of time, or the press of ‘y’ button, whereby the phone’s screen will fade out and go into either idle or standby mode. As cell phone technology became more complex, and as cellphones started to incorporate more of the features traditionally associated with (the then competing) Personal Digital Assistants (PDAs), it became increasingly important for the phones to be able to be password protected in order to keep other people from accessing potentially sensitive information.
The creation of wireless networks, and the subsequent proliferation of wi-fi, corresponded with the addition of still more levels of password protection, as people now needed to enter their password/code to access their phone, to log onto the internet, to access their emails, to log into their PayPal accounts, etc., etc. Yet if there is one thing that our species demands whenever possible, it is the optimization of laziness, a phenomenon which is easily seen in our tendency to opt for the path of least resistance. And considering that we have actively encouraged software developers to create programs which could remember our passwords for us, the 1st layer of protection has become exponentially more important. Which, as it turns out, is actually quite a big problem, because, as with any form of passcode or rudimentary encryption limited to 4 or 5 inputs based on a series of numbers between 0 and 9, cell phone (and later smartphone) users ran the risk of having someone crack their passcodes through a process of trial and error.
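The trial-and-error risk described above, worked through as an added example (not part of the original article): it counts the possible 4- and 5-digit codes and the worst-case time to try them all, with and without attempt throttling. The one-second entry time and the delay schedule are assumptions chosen for illustration, not any vendor's actual policy.

```python
# Added example (not from the article): worst-case cost of guessing a short
# numeric passcode by trial and error, with and without attempt throttling.

# Hypothetical throttling schedule, an assumption for illustration only:
# (failed attempts so far >= N, enforced wait in seconds before the next try).
HYPOTHETICAL_DELAYS = [(0, 0), (5, 60), (6, 300), (8, 900), (10, 3600)]


def keyspace(digits: int) -> int:
    """Number of distinct passcodes of this length using the digits 0-9."""
    return 10 ** digits


def delay_before_attempt(failed_so_far: int, policy=HYPOTHETICAL_DELAYS) -> int:
    """Wait imposed before the next try, given how many tries already failed."""
    wait = 0
    for threshold, seconds in policy:
        if failed_so_far >= threshold:
            wait = seconds
    return wait


def seconds_to_exhaust(digits: int, per_try: float = 1.0, policy=None) -> float:
    """Worst-case time to try every code: entry time plus any enforced waits."""
    total = 0.0
    for failed_so_far in range(keyspace(digits)):
        if policy is not None:
            total += delay_before_attempt(failed_so_far, policy)
        total += per_try
    return total


def chance_within_limit(digits: int, max_attempts: int) -> float:
    """Probability a random guesser succeeds before a hard attempt limit."""
    return min(max_attempts, keyspace(digits)) / keyspace(digits)


if __name__ == "__main__":
    for digits in (4, 5):
        plain = seconds_to_exhaust(digits)
        slowed = seconds_to_exhaust(digits, policy=HYPOTHETICAL_DELAYS)
        print(f"{digits} digits: {keyspace(digits)} codes, "
              f"{plain / 3600:.1f} h unthrottled, "
              f"{slowed / 86400:.0f} days throttled, "
              f"{chance_within_limit(digits, 10):.2%} chance within 10 tries")
```

Under these assumptions the extra digit multiplies the work by ten, while the throttling schedule multiplies it by thousands, which is why the attempt limit matters more than the code length.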
On the other hand, cell phone thieves with a little bit of technical know-how, a smidge of coding skill, and access to a computer with a comparable power adapter (or a SIM card reader, as the case may be) could circumvent the nominal security provided by the passcode/password screen by plugging into the device directly. Hacking (which isn’t as easy as some people seem to think, nor as flamboyant an activity as Hollywood would have you believe) is the process of taking over a program by exploiting it with other programs.
A hacker will create a piece of code which asks another program what it is doing, and makes note of its response. Once the hacker figures out what the program that they are trying to hack does, and how it responds to the initial program’s probing, they then boot up a whole series of other programs and algorithms designed to break down and exploit whatever it is that they are trying to hack until they can access said program’s root system files. At which point the hacker could choose to ignore, disable, or rewrite the phone’s original passcode.
However, physically taking apart or plugging into a phone is ultimately a rather rudimentary way of trying to commit identity theft, as it still requires you to physically steal someone’s phone or other wireless device. And why run the risk of getting caught trying to steal something, when you can take what you want from it wirelessly? Technically, a hacker (or hackers) familiar enough with a particular cellular network could (and can) access whatever’s on your phone by logging onto it from the other end. Many of you may have heard of people who have had their phones “Tapped.” “Tapping” is a term used to describe what happens when a hacker or other external party uploads invasive software onto your phone: software which allows them to remotely take control of your phone and access whatever sensitive data you may have stored on the device.
The thing to remember about this discussion of touch, wired and wireless threats to your smartphone’s security is not that you are at the mercy of hackers, but rather that what hackers are looking for is to understand what the programs on your phone are doing, and how they do it. Or simply put, they are looking to see what goes where, and the way in which whatever it is gets put there.
Catwomaning Prints vs. Punching Numbers vs. Those who know 1’s and 0’s mean something
So with that not-so-brief aside out of the way, let’s get down to the business of picking apart just what this fingerprint scanning technology is meant to do, and the ways in which people have already circumvented the “added” level of security its proponents claim it offers. In her article “How does the Samsung Galaxy S5 fingerprint scanner work?” Pocket-lint’s Britta O’Boyle describes the S5’s finger scanner as an “alternative means to entering passwords.” The S5 is also capable of recognizing and registering multiple fingerprints so that other people can access the phone, and so that you can boot up specific apps by keying them to the prints of particular fingers. Now some of you might be thinking that this sounds pretty good; after all, everyone’s fingerprints are unique to the person who the finger happens to be attached to. But there’s a problem.
If you think back to that scene in “Diamonds are Forever” where Jill St. John’s character Tiffany Case checks Sean Connery’s Bond’s fingerprints by pulling them off of a martini glass, or to a similarly themed scene from Christopher Nolan’s “The Dark Knight Rises,” where Anne Hathaway’s Catwoman steals a copy of Bruce Wayne’s fingerprints from the unintentional residuals he left on his safe, you begin to understand the problem of having a print-based security measure on a device upon which you leave your fingerprints. And as surprising as it may sound, ‘Print Pulling’ appears to be a viable means of getting around the fingerprint scanning tech of both the S5 and the iPhone5 as well.
If you head on over to TheWire.com or CBC.ca you can find articles by Polly Mosendz and The Associated Press, which both deal with how you can go about making your own fake fingerprints to unlock someone else’s phone. The process itself is long, conspicuous, and of course illegal (as stealing fingerprints is a recognized form of theft), and that should come as wonderful news to anyone who happens to own either device. Contradictory as it may sound, fingerprint scanners do add a strong layer of security against someone being able to physically open your device. However, the same cannot necessarily be said for the types of people who might be trying to access your phone in either a wired or wireless fashion.
Remember when I said that a hacker’s primary goal (at least initially) isn’t to steal everything off of your phone but rather to figure out what goes where and how root system files operate? The problem with a fingerprint, much like a numeric passcode, is that its image has to be stored somewhere, because the fingerprint program needs to have some way of remembering what your fingerprint looks like. It needs to have some way of comparing the two, and the image it uses as a comparison tends to be stored on your phone. If it wasn’t, you’d have a hang of a time trying to unlock your device in an area that has no signal.
But this isn’t a new issue, and at the end of the day we should take comfort in the knowledge that most software companies and smart phone developers have entire departments of people whose sole duty is to figure out how to make their respective products less likely to be compromised.
To Sum Up
Ultimately, I’m not saying that you shouldn’t go out and buy the shiny new smartphone that’s been catching your eye for fear of what a hacker might do; but what I am saying is that I’m not sure that the ‘implied’ increase in security (and therefore personal safety), which the creators of these fingerprint scanners are trying to convince us of, should be considered a compelling selling point. At least not until they can figure out a way to keep the undesirables from getting in through the back door and doing the cyber equivalent of lopping off your fingers on the way out.