Apple biometric systems and their security



Today almost everyone has a passcode on their mobile device, either a short PIN or a password of letters and digits. Typing it several dozen times a day would simply be inconvenient, so manufacturers have come up with ways to simplify unlocking with biometrics: a fingerprint, a face scan or an iris scan. Each method has its pros and cons, but on the whole they do their main job well: they unlock the device quickly.

Biometrics is not a full replacement for the passcode: security-sensitive settings always ask for it, and so does the device after a restart or when it has not been unlocked for more than 48 hours. Still, it makes life much easier. On the other hand, with a passcode the only carrier of the secret is your brain (yes, yes, the author is aware that paper and pen exist), from which it can of course be extracted, but only with great difficulty. It would seem that biometrics is exactly the same. But no. With some effort an attacker can collect the owner's biometrics without them noticing: fingerprints are left on every surface, facial geometry can be captured from photographs and video, and even the iris, the hardest of the three to obtain, is still easier to get than a secret out of someone's head, short of coercion.

That is why biometrics cannot be used to change the security settings: a passcode is required there in every case.
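The fallback rules just described interact, so they are easier to understand as a small state machine than as a list. The block below is an added example written for this article, not Apple's code. It encodes the rules Apple publishes for when Face ID or Touch ID is refused and the passcode demanded: after a restart, after five failed biometric attempts, when the device has not been unlocked for more than 48 hours, when the passcode has not been used for 6.5 days (156 hours) and biometrics have not unlocked the device in the last 4 hours, and always for security-sensitive settings. The class, field and constant names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

HOUR = 3600.0

# Reasons returned when the passcode must be entered instead of a biometric.
R_SETTINGS = "security-sensitive setting: passcode always required"
R_RESTART = "first unlock after restart"
R_LOCKOUT = "five failed biometric attempts"
R_48H = "device not unlocked for more than 48 hours"
R_156H = "no passcode unlock for 156 hours and no biometric unlock for 4 hours"


@dataclass
class UnlockState:
    """What the device remembers, as seconds on one clock (hypothetical model)."""
    booted_at: float
    last_unlock: Optional[float] = None            # any successful unlock
    last_passcode_unlock: Optional[float] = None
    last_biometric_unlock: Optional[float] = None
    failed_biometric: int = 0


class BiometricPolicy:
    """Gate that sits in front of the biometric matcher."""
    MAX_FAILED = 5
    STALE_ANY = 48 * HOUR
    STALE_PASSCODE = 156 * HOUR
    STALE_BIOMETRIC = 4 * HOUR

    def __init__(self, state: UnlockState):
        self.s = state

    def passcode_required(self, now: float, security_sensitive: bool = False) -> Optional[str]:
        """Return why the passcode is required, or None if a biometric attempt is allowed."""
        s = self.s
        if security_sensitive:
            return R_SETTINGS
        if s.last_unlock is None or s.last_unlock < s.booted_at:
            return R_RESTART
        if s.failed_biometric >= self.MAX_FAILED:
            return R_LOCKOUT
        if now - s.last_unlock > self.STALE_ANY:
            return R_48H
        passcode_stale = (s.last_passcode_unlock is None
                          or now - s.last_passcode_unlock > self.STALE_PASSCODE)
        biometric_stale = (s.last_biometric_unlock is None
                           or now - s.last_biometric_unlock > self.STALE_BIOMETRIC)
        if passcode_stale and biometric_stale:
            return R_156H
        return None

    def biometric_unlock(self, now: float, matched: bool) -> Tuple[bool, Optional[str]]:
        """One biometric attempt; `matched` is the matcher's verdict (the Secure Enclave's, on a real device)."""
        reason = self.passcode_required(now)
        if reason:
            return False, reason
        if matched:
            self.s.last_unlock = self.s.last_biometric_unlock = now
            self.s.failed_biometric = 0
            return True, None
        self.s.failed_biometric += 1
        return False, "no match"

    def passcode_unlock(self, now: float) -> None:
        """A correct passcode resets every biometric restriction."""
        self.s.last_unlock = self.s.last_passcode_unlock = now
        self.s.failed_biometric = 0
```

Note that the matcher's verdict is only consulted after the policy has allowed an attempt, and that a failed attempt is counted even though the passcode rules are checked first; that ordering is what keeps a spoofed finger from getting unlimited tries.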

Another route to your information is to attack the device that holds the biometric templates and the passcode. That is why vendors protect this data not only in software but in hardware. How? Let's first look at how a biometric is actually captured.

Touch ID

Logically and chronologically we should start with the fingers: the simplest and most understandable sensor, and of course the most vulnerable one.

What is a finger made of? Several phalanges, of which we care about the outermost one, the distal phalanx, or in plain terms the fingertip. On its inner side is a pad covered with a pattern of raised friction ridges and the furrows between them. The pattern is individual: two people could in theory share one, but the chance is extremely small. Apple's Touch ID security page puts the probability that a random person's fingerprint unlocks a device with a single enrolled finger at 1 in 50,000.

Fingerprint readers use exactly this ridge pattern, also called the papillary pattern. How? Start with the sensor itself. The central element is the sensor under a sapphire crystal cover, which is hard to scratch and acts as a lens that focuses the finger onto the capacitive sensor beneath it. Around it runs a thin steel ring that visually separates the button from the body and doubles as a detection ring: it senses the finger and tells the sensor to start a scan. Put a finger on the middle without touching the ring and nothing is read.

With the hardware covered, on to its operation, starting with the most basic step: enrollment. When you set up a device with Touch ID you are asked to enroll a fingerprint. You place the fingertip on the sensor again and again, and each pass adds detail to the image the device builds of it. Fingerprint patterns fall into three basic classes, arches, loops and whorls, and onto that overall pattern are superimposed the minutiae: the points where individual ridges end or split.

Once a detailed image exists, it is converted into a mathematical representation that goes straight into the device's memory... well, almost. Because user biometrics, like passcodes and bank card data, are a sacred cow for Apple, they are protected in a special way: with the Secure Enclave and its secure non-volatile storage.

The Secure Enclave is not a separate chip but a dedicated secure subsystem built into Apple's SoCs, with its own processor isolated from the application processor, which manages the keys for confidential user data. In short, it receives the mathematical representation of your biometric in encrypted form, encrypts it under keys available only to the Secure Enclave, and writes it to secure non-volatile storage. That storage is not part of the Secure Enclave itself, but it is connected to the Secure Enclave and to nothing else.

The secure storage now holds your fingerprint as an encrypted mathematical representation. The raw image of the pad that the sensor captured is discarded as soon as it has been converted.

With that stored representation as the template, the device can authenticate new fingerprints. How? You want to unlock the phone, so you put a finger on the sensor. It scans, the data travels encrypted to the Secure Enclave, the enclave compares it with the template from secure storage, and if it matches the phone unlocks. Data from successful matches is also used to refine the template slightly over time. And there can be several templates, up to five enrolled fingers (yes, you can add several fingers in the phone's settings).
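Two properties of this design are worth seeing in code: the template is only ever matched inside the enclave, and the enclave only accepts scans from the sensor it was paired with at the factory. Apple documents that the Touch ID sensor and the Secure Enclave share a per-device key provisioned at manufacture and negotiate a session key from it for each exchange. The block below is an added model of that structure written for this article, not Apple's code: it uses HMAC-SHA256 as a key-derivation function and MAC and a SHA-256 counter keystream as the cipher, where Apple uses AES key wrapping and AES-CCM, and its "templates" are constructed 64-bit feature strings compared by Hamming distance. All class, method and label names are this example's assumptions.

```python
import hashlib
import hmac
import secrets


# Toy primitives built from the standard library only; the structure, not the
# primitives, is the point (Apple: AES key wrapping + AES-CCM on the sensor bus).
def derive(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, nonce: bytes, data: bytes):
    """Encrypt-then-MAC; returns (ciphertext, tag)."""
    ct = xor_keystream(derive(key, b"enc"), nonce, data)
    return ct, derive(key, b"mac", nonce, ct)


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(derive(key, b"mac", nonce, ct), tag):
        raise ValueError("bad tag")
    return xor_keystream(derive(key, b"enc"), nonce, ct)


def templates_match(a: bytes, b: bytes, max_differing_bits: int = 4) -> bool:
    """Toy matcher: templates are 64-bit feature strings; tolerate a few bit flips."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return bin(diff).count("1") <= max_differing_bits


class Sensor:
    """The sensor side: it knows only its factory-provisioned pairing key."""
    def __init__(self, pairing_key: bytes):
        self.pairing_key = pairing_key

    def send_scan(self, nonce: bytes, scan: bytes):
        session_key = derive(self.pairing_key, b"session", nonce)
        return (nonce, *seal(session_key, nonce, scan))


class SecureEnclave:
    def __init__(self, pairing_key: bytes):
        self.pairing_key = pairing_key
        self.storage_key = secrets.token_bytes(32)  # stands in for the enclave's own key
        self.stored = None            # encrypted template in "secure non-volatile storage"
        self.used_nonces = set()

    def new_session(self) -> bytes:
        return secrets.token_bytes(16)

    def _receive(self, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
        if nonce in self.used_nonces:
            raise ValueError("replayed session")
        self.used_nonces.add(nonce)
        return unseal(derive(self.pairing_key, b"session", nonce), nonce, ct, tag)

    def enroll(self, nonce: bytes, ct: bytes, tag: bytes) -> None:
        template = self._receive(nonce, ct, tag)
        self.stored = seal(self.storage_key, b"template", template)  # never stored in the clear

    def verify(self, nonce: bytes, ct: bytes, tag: bytes) -> bool:
        try:
            probe = self._receive(nonce, ct, tag)
        except ValueError:
            return False
        template = unseal(self.storage_key, b"template", *self.stored)
        return templates_match(template, probe)      # matching happens only in here


def demo() -> dict:
    pairing = secrets.token_bytes(32)
    sensor, enclave = Sensor(pairing), SecureEnclave(pairing)
    finger = bytes.fromhex("a5c3e17f0b2d4c69")        # constructed enrolled template
    later_scan = bytes.fromhex("a5c3e17f0b2d4c6a")    # same finger, two bits differ
    enclave.enroll(*sensor.send_scan(enclave.new_session(), finger))
    results = {"genuine": enclave.verify(*sensor.send_scan(enclave.new_session(), later_scan))}
    # Attacker holds the exact template but drives an unpaired sensor: wrong session key.
    rogue = Sensor(secrets.token_bytes(32))
    results["unpaired_sensor"] = enclave.verify(*rogue.send_scan(enclave.new_session(), finger))
    # Attacker captured a valid encrypted scan on the bus and replays it: nonce already used.
    captured = sensor.send_scan(enclave.new_session(), finger)
    enclave.verify(*captured)
    results["replay"] = enclave.verify(*captured)
    return results
```

The model shows why a stolen template on its own is not a key: the enclave never compares anything that did not arrive under the pairing key, and a recorded exchange cannot be played back.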

About Touch ID hacking

Although the device protects the stored biometric well, you do not need to extract it to get at the data on the phone: it is enough to fool the sensor. Security researchers have fooled Touch ID repeatedly, in a sequence straight out of a spy movie.

They found a surface carrying a print of an enrolled finger aaaand... simply photographed it. In Photoshop the photo was converted to monochrome and the contrast raised. It was then printed on transparency film with a laser printer, with a heavy toner layer so the ridges stood up in relief. Finally a layer of wood glue was spread over the film and peeled off once dry, carrying a cast of the ridge structure.

That was all. Access granted: Touch ID unlocked the device with the fake finger.

Cisco Talos later studied how fingerprints can be collected and reproduced to defeat sensors like Touch ID and identified three practical collection routes. First, a direct cast of the victim's finger (for example while they are asleep or unconscious). Second, a latent print lifted from any surface the finger has touched (a glass, a suitcase). Third, the fingerprint image from a database in which it is stored (for example government records or a compromised scanner). Talos reported that its fakes worked roughly 80 percent of the time, but also that producing a working fake took real effort and tuning.

So, despite the work of Cupertino's engineers, Touch ID can be defeated by a determined attacker with a modest budget.

The technology is more than ten years old: it debuted in 2013 on the iPhone 5S. It left the flagship iPhones four years later, replaced in 2017 by Face ID, but it is still used in other Apple devices: laptops, tablets and the SE-series phones.

Face ID

2017 brought the era of bezel-less smartphones: first the Samsung Galaxy S8, then the iPhone X. In the Apple phone, Touch ID was dropped in favor of facial recognition, new for the company, which required several different sensors and a dedicated neural processor.

What is Face ID made of? Unlike Touch ID, which has one sensor and a simple touch ring, Apple's facial recognition system uses a dot projector, a flood illuminator and an infrared camera to scan the face.

When you unlock the phone, the flood illuminator lights your face with invisible infrared light and the dot projector casts more than thirty thousand infrared dots onto it. The infrared camera then captures an image of the face and of the dot pattern, and from that a three-dimensional depth map is built.

How? Not by timing the light. The projector casts a known pattern, and where it lands on a surface closer to or farther from the camera the dots shift sideways by an amount that depends on the distance; this is structured-light triangulation, the same principle as stereo vision. Measuring the displacement of each of the thousands of dots and converting it into depth produces the 3D image of your face.

The Neural Engine handles the image processing and, in general, the whole Face ID pipeline. A portion of it, protected inside the Secure Enclave, converts the depth map and infrared images into a mathematical representation and compares it with the enrolled template; the Secure Enclave then decides whether authentication succeeds. Everything else happens exactly as with Touch ID, so let's move on.

Hacking Face ID

According to Apple, the chance that another person unlocks your device is about 1 in 1,000,000. That reliability comes from the three components working together to build a three-dimensional image, which rules out the printed-photo attack. You might assume a mask of the person's face would work instead, but Face ID does not take a single infrared photo: it captures a randomized sequence of 2D images and depth maps, and its neural networks were trained on masks and similar props specifically to reject them. On top of that, attention awareness requires your eyes to be open and looking at the phone, which is how it checks that a living person is in front of the scanner.

And yet there was a flaw. It concerns glasses. Face ID requires open eyes, but with glasses on it cannot reliably extract 3D information from the eye region because of refraction in the lenses. So it switches to a simpler check: a white dot inside a dark area where the eye should be (an abstraction of the reflection on an open eyeball) counts as an open eye.

Researchers from Tencent took advantage of this with a very simple pair of glasses: black tape over each lens with a small white dot in the middle.

To pass authentication it was enough to put these glasses on a sleeping or unconscious person and hold the phone up to their face. There was a second variant: a 3D mask wearing the same glasses.

Let's also not forget twins and people who simply look alike. Apple itself warns that the probability of a false match is higher for twins and siblings, and it does not recommend Face ID for children under 13, whose faces are far more often similar to one another.

Despite this, Face ID is improved year after year, both the algorithms and the hardware. All in all, Apple managed to create a good and reliable biometric authentication system. It works stably and the company has no plans to abandon it. Yes, many people, including the author of this article, dislike the design decisions directly tied to Face ID: the notch on the iPhone X and the Dynamic Island on the iPhone 14 Pro. But on the whole they are justified. So we have what we have, and we move on to Apple's newest biometric system: Optic ID.

Optic ID

In the summer of 2023, at the traditional WWDC 2023 presentation, Apple presented the Apple Vision Pro headset. It is positioned as a mixed-reality device that lets you enter the virtual world without dropping out of the real one. Who is it for? Apple pitches it at designers, 3D modelers, engineers and many other professions. Thanks to the unified ecosystem, AVP interacts easily with the usual work applications on a Mac: Photoshop, video and sound editors and other programs work in one shared space.

Naturally, like any Apple gadget, this one needed its own protection. There is nowhere to put Face ID or Touch ID (well, Touch ID could have gone on the power button), but Cupertino took a different route and built a system that reads the biometrics of the eye. To gain access to the headset, Optic ID scans the iris of the eye and authenticates you on it.

How? AVP has a gaze-tracking system consisting of a set of cameras and LEDs, including infrared ones. As you might guess, these are exactly what Optic ID needs.

Before explaining how it works, a short note on what the iris actually is. It is a thin, circular, pigmented diaphragm standing in front of the lens with a round opening in the middle, the pupil. It regulates the amount of light entering the eye: in bright light the pupil narrows, in dim light it dilates.

The iris carries a unique pattern, a fibrous (trabecular) meshwork of depressions, ridges, grooves, rings, furrows, freckles, vessels and other features. The pattern forms before birth and stays essentially stable for the rest of a person's life. Because it is the product of so many small random factors it is unique to each person, and as an authentication factor it offers a very low false-match rate.

During enrollment the infrared cameras take a series of high-quality photographs of the eye, invisibly to you, as with Face ID. Then comes segmentation: the neural processor isolates the iris itself, finding its inner boundary (the pupil), its outer boundary (where it meets the white of the eye) and the edges of the eyelids. Reflections (glare) and eyelashes that intrude into the frame are detected and masked out as well.

The next step is normalization. The segmented ring is converted to polar coordinates and unrolled into a rectangle, so that pupil dilation and small changes in distance no longer matter and corresponding features line up. Finally comes feature encoding: the normalized strip is reduced to a compact code, and it is this code that new scans are compared against.

The template captures the finest detail of the iris: the branching of vessels, grooves and other fragments. Notably, in infrared these patterns are independent of the pigmentation (color) of the iris.

The resulting template, in the form of a mathematical representation, goes via the Secure Enclave into secure non-volatile storage. At authentication the new scan is checked against the template inside the Secure Enclave, which decides whether to grant access. Everything as usual.
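The segmentation, normalization and encoding steps above are the classic iris-recognition pipeline, and the block below is an added example of it written for this article, not Apple's Optic ID code (Apple does not publish its algorithm). It constructs a synthetic eye whose "iris texture" is a seeded sum of sinusoids, unrolls the ring between pupil and outer boundary into a polar rectangle (the rubber-sheet normalization), encodes it as an ordinal bit code with an occlusion mask, and compares codes by masked fractional Hamming distance minimized over small rotations. The demo enrolls one eye and then presents the same eye with a dilated pupil, a 6-degree head tilt and an eyelid covering part of the iris, and a different eye. The 0.32 decision threshold, the texture model, the segmentation radii (taken as given rather than estimated) and all names are this example's assumptions; the constructed images are not real iris data.

```python
import math
import random

N_THETA, N_RHO = 128, 8           # normalized strip: angular x radial samples
MATCH_THRESHOLD = 0.32            # illustrative decision threshold on fractional HD


def iris_texture(seed):
    """Constructed iris identity: f(theta, rho) -> intensity, a seeded sum of sinusoids."""
    rng = random.Random(seed)
    comps = [(rng.uniform(0.5, 1.0), rng.randint(4, 14), rng.randint(1, 4),
              rng.uniform(0, 2 * math.pi), rng.uniform(0, 2 * math.pi))
             for _ in range(8)]
    return lambda theta, rho: sum(a * math.sin(k * theta + p) * math.cos(m * math.pi * rho + q)
                                  for a, k, m, p, q in comps)


def render_eye(texture, size=256, pupil_r=40, iris_r=115, rotation=0.0, lid_y=None):
    """Grayscale eye image as rows of ints; -1 marks pixels hidden by the upper eyelid."""
    c = size / 2
    img = []
    for y in range(size):
        row = []
        for x in range(size):
            dx, dy = x - c, y - c
            d = math.hypot(dx, dy)
            if lid_y is not None and y < lid_y:
                row.append(-1)                       # eyelid skin: no iris information
            elif d < pupil_r:
                row.append(0)                        # pupil
            elif d > iris_r:
                row.append(255)                      # sclera
            else:
                theta = math.atan2(dy, dx) - rotation
                rho = (d - pupil_r) / (iris_r - pupil_r)   # 0 at pupil edge, 1 at outer edge
                row.append(max(0, min(255, int(128 + 12 * texture(theta, rho)))))
        img.append(row)
    return img


def normalize(img, pupil_r, iris_r, n_theta=N_THETA, n_rho=N_RHO):
    """Rubber-sheet mapping: sample the ring on a fixed (rho, theta) grid, so pupil
    dilation drops out. Returns flat samples (row-major) and a validity list."""
    c = len(img) / 2
    samples, valid = [], []
    for j in range(n_rho):
        r = pupil_r + (j + 0.5) / n_rho * (iris_r - pupil_r)
        for i in range(n_theta):
            theta = 2 * math.pi * i / n_theta
            v = img[int(round(c + r * math.sin(theta)))][int(round(c + r * math.cos(theta)))]
            samples.append(v)
            valid.append(v >= 0)
    return samples, valid


def encode(samples, valid, n_theta=N_THETA, step=2):
    """Ordinal iris code: bit set when intensity rises over the next `step` angular
    samples; a bit is usable only if both samples were unoccluded."""
    bits, mask = [], []
    for idx, v in enumerate(samples):
        j, i = divmod(idx, n_theta)
        k = j * n_theta + (i + step) % n_theta
        bits.append(samples[k] > v)
        mask.append(valid[idx] and valid[k])
    return bits, mask


def hamming_distance(code_a, code_b, n_theta=N_THETA, max_shift=4):
    """Masked fractional Hamming distance, minimized over small angular shifts
    to absorb head tilt between the two captures."""
    bits_a, mask_a = code_a
    bits_b, mask_b = code_b
    n_rho = len(bits_a) // n_theta
    best = 1.0
    for s in range(-max_shift, max_shift + 1):
        differ = usable = 0
        for j in range(n_rho):
            base = j * n_theta
            for i in range(n_theta):
                k = base + (i + s) % n_theta
                if mask_a[base + i] and mask_b[k]:
                    usable += 1
                    differ += bits_a[base + i] != bits_b[k]
        if usable:
            best = min(best, differ / usable)
    return best


def is_match(hd):
    return hd < MATCH_THRESHOLD


def demo():
    """Returns (genuine_hd, impostor_hd) for the constructed eyes."""
    alice, mallory = iris_texture(1), iris_texture(2)
    enrolled = encode(*normalize(render_eye(alice, pupil_r=40), 40, 115))
    # Alice again: dilated pupil, 6-degree tilt, upper eyelid covering the top of the iris.
    genuine = encode(*normalize(render_eye(alice, pupil_r=60, rotation=math.radians(6), lid_y=70), 60, 115))
    impostor = encode(*normalize(render_eye(mallory, pupil_r=44), 44, 115))
    return hamming_distance(enrolled, genuine), hamming_distance(enrolled, impostor)
```

Two things the example makes visible that the prose does not: the eyelid mask removes bits from the comparison rather than corrupting it, which is what the glare and eyelash handling above amounts to, and an unrelated iris lands near a Hamming distance of 0.5 (random agreement), which is why a threshold far below that gives such a low false-match rate.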

Among the interesting details: besides being a new way of unlocking the device, Optic ID also protects the privacy of your gaze. Apps do not learn where you were looking while you used the device; they receive only your selections (taps), just as they would with a regular cursor.

Optic ID raises the bar for third-party attacks on Vision Pro considerably.

People have fooled Touch ID and Face ID given enough diligence, but an iris scanner is far harder to defeat. I haven't come across any information about it on the Internet, so if you have something, it will be interesting to see. Apple itself puts the chance that a random person can unlock AVP at less than 1 in 1,000,000. The probability rises if only one eye is enrolled (yes, you can enroll just one eye).

It is no exaggeration to say that Optic ID is currently the most reliable of these biometric methods. That does not mean it cannot be defeated: it surely can, we just don't know how yet. The only question is the cost and the time needed.

Afterword

To close, I would like to dispel one popular myth about the privacy of your biometric data in the famous Californian gadgets.

Apple constantly states that your biometrics are highly protected and that even the company itself cannot access them. This is often followed by irony in the style of "ha ha, of course, Apple keeps nothing at home and sends nothing to the intelligence services."

It would seem, indeed, why shouldn't Apple send the data to the cloud and, on request, to intelligence agencies? Many fear that their data will leak and that the special services have complete control over the information on a private phone, biometrics included.

But. First, even if the special services had the mathematical representations of your biometrics, that would not help unlock the device. The template is not an image that can be replayed to the sensor: it is a compact encoding that is not trivially reversible into a finger or a face, and the Secure Enclave only matches against data arriving from its own paired sensor over an encrypted channel, so handing it a stolen template achieves nothing.

Second, Apple's claim that this data never leaves the device squares with the record of failed attempts to break into iPhones, including by the FBI and NSA. Spending hundreds of thousands of dollars and hiring outside hackers, they managed to get into just one iPhone.

How? Through a bug that let them try passcode after passcode without triggering the retry limit, until they arrived at the right one. Finding it took not just a lot of money but an outside team of exploit specialists working on the phone itself. Once the bug became known Apple closed it, and the window closed with it.

Besides, if biometric templates lived on cloud servers, iPhones would be broken into routinely, since breaching a cloud service is clearly easier than extracting data from the phone's protected storage.

Third, I think no one will argue that the iPhone is the most popular phone today. That means it has been comprehensively studied and analyzed for many years: security patches are examined under a microscope, vulnerabilities and bugs are studied. In all that time no one has found biometric data leaking anywhere. If it really happened, it would turn into a huge scandal for Cupertino, with millions if not billions in losses and, most importantly, a loss of reputation.

Taken together, this lets us say that Apple really does not send biometrics to the cloud. And the costs Apple would face if such a practice came to light would be enormous for the company, starting with the lawsuits from its users.
