thoughts on the iPhone fingerprint hack

We all knew this would happen, although I was a little bit surprised at how quickly the Chaos Computer Club’s recent unveiling of a technique to bypass the fingerprint sensor on the iPhone 5s followed the introduction of the new must-have mobile. (I wonder if they were using a blingy gold iPhone for their hack.) So what does this hack mean for the average user and for corporations using the iOS platform?

According to security guru Bruce Schneier:

Apple is trying to balance security with convenience. This is a cell phone, not an ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN — something that a lot of iPhone users don’t even bother with — with a fingerprint. Despite its drawbacks, I think it’s a good trade-off for a lot of people.

I mostly agree with Bruce, but the fact that a person holding my unlocked iPhone has access to my email account, and could reset passwords on many critical web accounts, including my bank account, does sort of make the iPhone a bank account withdrawal device. So, let’s take a look at the problem and what we smartphone users can do about it. This post is a work in progress and I will be updating it as new information becomes available.

While the process for making the fake fingerprint is not rocket science, pulling off this hack successfully does require a number of things to go right for the attacker.

The attacker must act quickly if they are physically taking the phone. iOS 7’s beefed-up “Find My iPhone” feature allows users not only to track their wayward devices and erase data from them, but also to prevent the phone from being reactivated without entering their Apple ID and password. Hopefully, this will discourage opportunistic thefts of iPhones, since their resale value will be nil (unless someone hacks the activation lock feature as well).

The attacker needs access to a good-quality enrolled fingerprint from his or her victim. The phone screen could be a source of this, as could a drinking glass or other smooth surface. However, a clever iPhone user could make the attacker’s life a bit harder by not enrolling their thumbprint (the most obvious finger to use). Using another finger (preferably on your non-dominant hand) will make it less likely that the attacker gets a good print image. Wiping your phone’s screen before placing it somewhere other than your pocket or purse would also be an easy way to make the attacker work a bit harder – I would think most attackers are going to hope for a print on the phone screen. I can also foresee fingerprint-resistant screen protectors as a growth industry.

The attacker has just 5 tries to get it right. If their forged fingerprint fails authentication 5 times in a row, the fingerprint sensor will lock out and require the user to enter the four-digit passcode they created during device setup. At this point, we are back to the same security level and mechanism as in iOS 6.

So what to do?   Here are some initial thoughts for the paranoid…

Physically secure your device. If you have physical control of your device, the bad guys don’t. If you think you have lost your device or it has been stolen, log in to “Find My iPhone” and wipe and disable it. If it turns up later, restoring your data and apps from a backup is not too difficult.

Don’t use your thumb as an unlock finger for the iPhone. Getting thumbprints is pretty darn easy, while finding good prints of the ring and pinky fingers on your non-dominant hand will be more difficult for the attacker. Be creative.

Don’t enroll all of your fingers.  Be random.  Enroll a finger from your significant other as a backup (if you trust them).

Remember that there are also some other lock screen related security flaws in iOS 7, and you need to address these as well. If you leave Siri enabled from the lock screen, an attacker can use it to put the phone into Airplane Mode so that they can work on breaking in without “Find My iPhone” shutting them down. If you leave the Control Center enabled from the lock screen, attackers will be able to access your photos and send emails, tweets and Facebook updates without your PIN or fingerprint. They will also be able to make calls from your locked phone. The fix for this is to go to the Settings app, choose Control Center and turn off the “Access on Lock Screen” toggle. Apple is working on fixes for these issues and will most probably release a software update pretty quickly.

Keep things in perspective. If an attacker has physical control of your <insert mobile device here>, there is a chance that they will be able to compromise it. Passcodes, fingerprints and the like are speed bumps which give you time to fully secure your lost or stolen device by remotely wiping and locking it.

For most individuals, passcodes, fingerprints and keeping track of where your phone is will provide a good balance between security and usability. If your current phone has no passcode, the fingerprint authentication will be a definite improvement.

Should companies using iPhones or with BYOD policies be more concerned about the 5s than older iPhones? For most organizations, I don’t think so. There are a lot easier ways to get into your employees’ email (malware, for example) than by stealing a phone. Physical theft carries a much greater risk of being caught than techniques like malware do. Most device theft is opportunistic and aimed at reselling the phone, rather than getting at data.

These are my initial thoughts on this whole brouhaha – I’ll update this post as more information becomes available.

Stay tuned.
