That’s it – the Samsung Galaxy’s biometric login is useless. The cops have cracked it and successfully unlocked a murder victim’s phone by using previously recorded fingerprints. Clearly this means we should discard the useless biometric technology and go back to strong, unique passwords like we always did, right?
This is often the knee jerk reaction after a mainstream security control like this is circumvented. There’ll inevitably be a chorus of “it’s not perfect therefore we shouldn’t trust it” and a general eroding of confidence thus ensues.
We heard similar arguments after the San Bernardino shooter’s iPhone was eventually unlocked by the FBI. This was the case where the feds wanted access to the shooter’s phone and attempted to compel Apple to produce a weakened iOS version to get in there. As I explain in the link above, there were many issues here beyond just the technology itself, indeed there were important precedents that both the government and Apple were trying to set. Eventually, the FBI unlocked the phone with the help of a private security firm and one-million-something dollars. And again, there was a chorus from the internet peanut gallery decrying that the security of a mobile device was untrustworthy.
But security is a far more complex fabric than the absolute positions of “it’s unbreakable and fine” versus “it can be broken therefore is useless”. Samsung’s and Apple’s examples are perfect illustrations of this: here we have security controls that will protect the phone when it’s left in a bar, stolen out of someone’s handbag or even just picked up by a curious child. The biometric implementations do a sensational job of protecting against the real risks that the vast majority of people actually face.
In terms of how those devices were eventually compromised, I’m quite ok with that. I’m ok with the fact that the police had to go to specialised biometrics researchers in order to eventually unlock the phone after many attempts. I’m also ok that the barrier to entry to an iPhone being unlocked is a million bucks. In both situations, it took a very determined adversary who was very well resourced to be able to break the security.
Now having said that, the feds and the cops are not high up the list in my personal “threat model”. There are other people for whom well-resourced state actors are a serious threat. Political dissidents. Free speech proponents in authoritarian countries. Criminal actors. But for these guys, there’s an easy solution: turn off the biometrics, limit login attempts and use a strong PIN or password. There are many other “opsec” steps beyond this they may take too of course, but the point is that these devices can be configured more securely for those who need it by disabling certain usability features.
Gaining physical access to your device and circumventing access controls is almost certainly of no interest to your local police or government. Even if it is, it’s going to cost them; they have to really want to gain access and that usually means you’re going to have to give them a good reason first. And lastly, you can bet your bottom dollar that in the wake of the incidents mentioned here, both manufacturers are further enhancing the security of the devices which will put future versions even further out of the reach of those who actually want to access your phone.
