Future iPhones might collect fingerprints, photos of thieves
An Apple patent application published on Thursday describes a method of storing an unauthorized user's biometric information, which can help strengthen security management or assist in device recovery and criminal prosecution in the case of a theft.
As published by the U.S. Patent and Trademark Office, Apple's invention covering "Biometric capture for unauthorized user identification" details the simple but brilliant -- and legally fuzzy -- idea of using an iPhone or iPad's Touch ID module, camera and other sensors to capture and store information about a potential thief.
In practice, the proactive security system works in much the same way as existing Touch ID verification processes.
Currently, users have five attempts to unlock an iPhone or iPad with Touch ID before the device defaults to a 6-digit passcode or custom alphanumeric code. Ten failed passcode attempts result in a "cool down" period or a complete data wipe, depending on user settings. Further, passcodes are required after restarting the device, after more than 48 hours have elapsed between unlocks and when an owner wants to manage Touch ID and Passcode device settings.
Apple's patent is also governed by device triggers, though different constraints might be applied to unauthorized user data aggregation. For example, in one embodiment a single failed authentication triggers the immediate capture of fingerprint data and a picture of the user.
In other cases, the device might be configured to evaluate the factors that ultimately trigger biometric capture based on a set of defaults defined by internal security protocols or the user. Interestingly, the patent application mentions machine learning as a potential solution for deciding when to capture biometric data and how to manage it.
Other data can augment the biometric information, for example time stamps, device location, speed, air pressure, audio data and more, all collected and logged as background operations.
Flowcharts illustrating various implementations of Apple's invention. | Source: USPTO
The deemed unauthorized user's data is then either stored locally on the device or sent to a remote server for further evaluation. In some embodiments, stored information is purged at regular intervals to save onboard space. Alternatively, purges can also take place when the system determines the data is no longer needed. For example, a device owner's child who is not provisioned to use the device might attempt to access it anyway, leading to multiple invalid attempts over a given period of time.
As for offloading the biometric data, Apple says server-side systems may be able to cross reference fingerprint and photo information with an online database containing information of known users. Additionally, the system can log keystrokes to determine what operations the unauthorized user was attempting to execute while using the device. Given today's litigious climate and emphasis on personal privacy, however, these last two features feel a bit intrusive.
Apple ushered in the era of tenable biometric security technology with Touch ID, a fingerprint sensor that delivers quick, accurate and consistent results. Most importantly, and especially with zippier hardware introduced in iPhone 6s, Touch ID is integrated seamlessly into iPhone's user experience, meaning more people use it.
Touch ID has in some respects cut down on the scourge that is smartphone theft. Thieves doing risk/reward calculations now think twice before stealing an iOS device that might very well turn into a brick.
That being said, today's invention moves away from industry standard countermeasures and into the gray area of proactive digital forensics. As such, it is unlikely that Apple will introduce the technology in a consumer product anytime soon.
Apple's application for collecting biometric information from unauthorized device users was filed in April and credits Byron B. Han, Craig A. Marciniak and John A. Wright as its inventors.
Comments
Wouldn't it be great if Apple had a department who phoned the registered owner of the phone in this scenario to check somehow if their phone was stolen or missing before proceeding to the next level?
"Apple says server-side systems may be able to cross reference fingerprint and photo information with an online database containing information of known users."
...Call them on what? The missing phone?
Through Find my iPhone with an extra setting similar to Lost Mode. This would start the procedure of collecting data. A message on the lock screen stating the device is in "Theft Mode" would warn people the iPhone is recording data.
All that's left is a way to disable Airplane Mode such that a phone that's missing can't be put into Airplane Mode by a thief. My idea is requiring Touch ID to enable Airplane Mode if it's accessed from the Lock Screen. Another idea I'd like to see is if an iPhone hits certain battery levels that it automatically comes out of Airplane Mode just to check in and see if it's been sent anything from Find my iPhone and to report its last location. Or a device that's in Lost Mode would allow a crook to turn on Airplane Mode (make them think it's on) when in fact the device still has connectivity.
Sounds reasonable to me.
There are a couple features I'd like to see in future devices.
I was reading this post while I waited and showed it to their security chief. He pretty much repeated your thoughts on its usefulness, particularly for them where they control access to many individual units - all with different key holder groups. Being a security guy, his eyes lit up at the thought of monitoring unlawful attempts to bypass security.
Not sure about usefulness for consumers but that's not my area.
Bravo Apple!!