Posted in authentication, CSO, hacks, worst practices

more iPhone fingerprint issues

   2013-10-04

Another attack on the iPhone 5s TouchID sensor… a German security firm has claimed to be able to use an iPhone 4s camera to grab a fingerprint image and then make that image into a fake finger mold.  It still takes a bit of effort, but one barrier to entry (hi res camera) has been removed.

In addition, the same company claims to have defeated the Activation Lock feature which cripples lost/stolen phones by:

Getting a good photo of the target’s fingerprint

Making a fake finger mold

Putting the device into airplane mode

Going to another computer and requesting a password reset on the target’s Apple ID

Unlocking the phone with the fake fingerprint

Turning airplane mode off just long enough to receive the password reset email and resetting the password on the account.

Once this is done, the attacker would have the ability to unlock the phone.  The key to this attack is getting the phone into airplane mode, which can be done from the lock screen if Siri and/or the Control Center are enabled on the Lock Screen.  I would again recommend that 5s users turn off access to Siri and Control Center from the Lock Screen.

The same webpage includes a video showing the fake fingerprint technique used successfully on another phone as well as on a Lenovo laptop.

It is starting to look like fingerprint based authentication on corporate/consumer devices is still a work in progress and CISOs in organizations with BYOD policies need to do a risk analysis to determine whether the convenience of fingerprint authentication is outweighed by the potential risks.  This is not a “one size fits all” calculation and really depends on the profile of your attackers.  For some organizations, this is easy – I would hope that a defense contractor targeted by nation states would not use fingerprint authentication.  For small businesses or consumers who are mostly concerned with device loss and non targeted theft, fingerprints may be good enough (especially if devices were not protected with passcodes in the past.  Unfortunately most businesses fall somewhere in the middle of these two cases.

PS – One small positive item I left out from my previous posts on this topic… if you power off your 5s altogether or have not authenticated to the phone for 48 hours, you will be required to enter your passcode to access the phone.

Leave a Reply