Now that the iPhone 5s is in our hands, the public FUD about its new fingerprint scanner (branded Touch ID) has begun. This piece from Ars raises the following questions:

(1) Is it possible to convert locally stored fingerprint data into a digital or visual format that can be used by third parties?

(2) Is it possible to extract and obtain fingerprint data from an iPhone? If so, can this be done remotely, or with physical access to the device?..

Likely answers: yes and yes. To the first question - the fingerprints are stored in a digital format on the device, since it is a digital device. That data could be harvested from the device, if it was convinced to reveal the data it is storing. Assuming it’s a one-way encryption,[1] it wouldn’t be trivial to break the encryption,[2] but you could also intercept the data coming off the reader if the hardware has been compromised to that point.

Here’s my question: who cares? Is getting my fingerprint data from my phone easier than just grabbing something I throw away at the mall? Why not snag my credit card from the waitress when I pay for a meal? There are lots of other ways to get this data, and they don’t involve invoking the Patriot Act.

  1. The data is stored encrypted, and when swiped, incoming data is encrypted. The two encryptions are matched for validation.

  2. Obligatory encryption-breaking joke about our government here