We’re all familiar with how the iPhone 5s’s Touch ID sensor secures your phone via your fingerprint, and that the information is stored in a secure area on the A7 microprocessor inside the phone, accessible only to the sensor itself. But now it turns out that’s not the only way Apple safeguards your prints.
We’ve taken a closer look at Touch ID and, through collaboration with repair company mendmyi, found that Apple has taken extra precautions beyond the secure enclave, on a hardware level that we’ve never seen implemented before.
Apparently Apple pairs each individual Touch ID sensor cable to each individual iPhone it’s installed in. If you remove a Touch ID sensor from an iPhone 5s, and install it in another, identical iPhone 5s, that sensor will fail to work. The reason iMore looked closer at the situation was because of an inquiry from mendmyi about an issue involving Touch ID on a customer’s phone. The video below demonstrates the issue.
In order to rectify the problem, many steps were attempted. These included swapping out the Touch ID sensor for one verified to work, replacing the dock connector the Touch ID makes contact with, and even replacing the logic board itself. After each hardware fix was attempted, a DFU restore was performed as well. Nothing worked. It was baffling. It was then discovered that the Touch ID sensor currently in the device was not the one it originally shipped with. Once the original was returned, Touch ID started working again.
At this point they further tested the theory of the mated Touch ID sensor by opening two other handsets and swapping the Touch ID sensors. After reassembly, both Touch ID sensors failed. When returned to their original devices, both sensors worked correctly. iMore queried their resident security expert on why he thought Apple might find such steps necessary, and his thoughts were as follows:
It’s hard to say why Apple might lock the A7 chip to a specific Touch ID sensor. One possibility could be to try and prevent any sort of sniffing or interception taking place between the Touch ID sensor and the secure enclave. Sort of like a hardware equivalent to SSL certificate pinning. By pairing the A7 chip to a specific Touch ID, this could make it more difficult for tinkerers to try and intercept communications to reverse engineer how the components talk to each other. This could also mitigate possible risks of malicious third-party Touch IDs being installed in a user’s device without their knowledge which could capture a user’s fingerprint for an attacker, while passing it on to the A7 chip to allow a user to continue to use their device as normal, without any indication it has been tampered with. If Apple instead used some sort of shared key that was used by all Touch ID sensors to authenticate with the A7 chip, it would only take one Touch ID’s key being hacked to compromise all of them. Being tied to a unique Touch ID sensor on each phone means installing something like a malicious Touch ID sensor would require cracking each device you want to attack individually.
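To illustrate the shared-key versus per-device argument above, here is an added Python sketch that is not code from the article and does not describe Apple's actual mechanism: it assumes a hypothetical HMAC challenge-response between sensor and processor, with each processor pinned to one sensor key, and compares how many phones a single leaked sensor key opens under each design.

```python
import hmac
import hashlib
import os

# Toy model of the pairing idea (an assumption, not Apple's design): at manufacture the
# processor records the secret of the one sensor installed in it, and afterwards it
# challenges the sensor and only accepts a response keyed with that recorded secret.

class Sensor:
    """A Touch ID sensor flex holding its own secret key."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Processor:
    """The processor-side check: it is pinned to exactly one sensor key."""
    def __init__(self, pinned_key: bytes):
        self.pinned_key = pinned_key

    def sensor_accepted(self, sensor: Sensor) -> bool:
        challenge = os.urandom(16)  # fresh nonce each time, so a replayed answer fails
        expected = hmac.new(self.pinned_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sensor.respond(challenge))


def build_fleet(n: int, shared_key=None):
    """Return n (processor, sensor) pairs, all sharing one key or each with its own."""
    fleet = []
    for _ in range(n):
        key = shared_key if shared_key is not None else os.urandom(32)
        fleet.append((Processor(key), Sensor(key)))
    return fleet


def swap_works(fleet) -> bool:
    """Does the sensor taken from phone 0 work when installed in phone 1?"""
    return fleet[1][0].sensor_accepted(fleet[0][1])


def devices_open_to_one_leaked_key(fleet) -> int:
    """Blast radius: how many phones accept a rogue sensor built from phone 0's leaked key."""
    rogue = Sensor(fleet[0][1].key)
    return sum(1 for processor, _ in fleet if processor.sensor_accepted(rogue))
```

With per-device keys a swapped sensor is rejected and one leaked key opens a single phone; with a shared key the swap succeeds and the same leak opens every phone in the fleet.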
For you, the consumer, this is good news. You’ve got an extra layer of protection when you use your device. A universal hack against Touch ID probably won’t work. For DIY repairers, things just got a bit more difficult. When removing the screen, say to replace a cracked one, you’ll also need to remove the Touch ID cable and transfer it to the new screen. Extra care will need to be taken to ensure the cable isn’t damaged.