The new bank heist – hacking Apple’s biometric datbases

Today Apple announced their new shiny shiny – the iPhone X.

<Nicholson Joker Voice> You thought the celebrity photo leak was bad? The Equifax hack terrorized? Wait until you get a load of the biometric hack. </Nicholson Joker Voice>

Apple swears “the detailed biometric data points that Face ID will use to identify individuals will stay local, stored on the phone and not remotely” BUT “face ID will work with third-party apps.

The gold mine of biometric data won’t be held in Apple’s Fort Knox, but shared “on the open road” with third parties?

Never mind Apple. Forget about trying to get into their billion dollar systems. If I was an evil mastermind, this would be by four-step plan…

  1. Wait and see what new app requiring the iPhone X facial recognition takes off in popularity
  2. Hack their low-secure angel-funded 20-people-in-the-whole-company database
  3. Sell the users’ biometric data on the dark web
  4. Profit

If I was an government employee evil mastermind, this would be by four-step plan…

  1. Create multiple new apps requiring iPhone X’s facial recognition (match the celebrity funny face, make your own emojis, group party chat, who’s the hottest, etc)
  2. Keep a master database of all faces using the app AND constantly scan everything the camera “sees” while running in the background
  3. Keep the users’ biometric data in my master database – create cross references of who the user associates with through matching biometric facial scans, their GPS locations, and who they have in their contact list (Apple already allows app access to GPS position and contact lists BTW)
  4. Profit in a very serious long-term way

Read Apple’s statement again. The biometric data points are not generated and deleted with every use. They are stored. On the local phone.

That stored information will be shared with third-party apps.

Biometric scans are a mathematical algorithm. Your facial patterns create an identifier unique to you. There’s no changing it. Once your unique biological mathematical algorithm is out in the open, there’s absolutely no way to put that genie back in the bottle. The last cornerstone of individual security will turn to dust.

I expect the first public-aware hack in two years.