thoughts on the iPhone fingerprint hack

We all knew this would happen, although I was a little bit surprised as to how quickly The Chaos Computer Club’s recent unveiling of a technique to bypass the fingerprint sensor on the iPhone 5s followed the introduction of the new must have mobile. ¬†(I wonder if they were using a blingy gold iPhone for their hack). ¬†So what does this hack mean for the average user and corporations using the iOS platform?

According to security guru Bruce Schneier

Apple is trying to balance security with convenience. This is a cell phone, not a ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN –something that a lot of iPhone users don’t even bother with — with a fingerprint. Despite its drawbacks, I think it’s a good trade-off for a lot of people.

I mostly agree with Bruce, but the fact that a person with my unlocked iPhone has access to my email account and could reset passwords on many critical web accounts including my bank account, does sort of make the iPhone a bank account withdrawal device. ¬†So, let’s take a look at the problem and what we smartphone users can do about it. ¬† This post is a work in progress and I will be updating it as new information becomes available.

While the process for making the fake fingerprint is not rocket science,  pulling off this hack does require a number of things to be successful.

The attacker must act quickly if they are physically taking the phone. ¬†IOS 7’s beefed up “Find My iPhone” feature allows users not only to track their wayward devices and erase data from them, but also to prevent the phone from being reactivated without entering their Apple ID and password. ¬†Hopefully, this will discourage opportunistic thefts of iPhones, since their resale value will be nil (unless someone hacks the activation lock feature as well).

The attacker needs access to a good quality enrolled fingerprint from his or her victim. ¬†The phone screen could be a source of this, as could a drinking glass or other smooth surface. ¬†However, a clever iPhone user could make the attacker’s life a bit harder by not enrolling their thumbprint (the most obvious finger to use). ¬†Using another finger (preferably on your non dominant hand) will make it less likely that the attacker gets a good print image. ¬†Wiping your phone’s screen before placing it somewhere other than your pocket or purse would also be an easy way to make the attacker work a bit harder – I would think most attackers are going to hope for a print on the phone screen. ¬†I can also foresee fingerprint resistant screen protectors as a growth industry.

The attacker has just 5 tries to get it right.  If their fallacious fingerprint fails authentication 5 times in a row, the fingerprint sensor will lock out and require the user to enter the four digit passcode which they created during device setup.  At this point, we are back to the same security level and mechanism as in IOS 6.

So what to do? ¬† Here are some initial thoughts for the paranoid…

Physically secure your device. ¬†If you have physical control of your device, the bad guys don’t. ¬†If you think you have lost your device or it has been stolen, log in to “Find My iPhone” and wipe and disable it. ¬†If it turns up later, restoring your data and apps from a backup is not too difficult.

Don’t use your thumb as an unlock finger for the iPhone. ¬†Getting thumb prints is pretty darn easy, while finding good prints of your ring and pinky fingers on your non dominant hand will be more difficult for the attacker. ¬†Be creative.

Don’t enroll all of your fingers. ¬†Be random. ¬†Enroll a finger from your significant other as a backup (if you trust them).

Remember that there are also some other lock screen related security flaws in IOS 7… You need to address these as well. ¬†If you leave Siri enabled from the lock screen, an attacker can use that to put the phone into Airplane Mode so that they can work on breaking in without “Find My iPhone” shutting them down. ¬†If you leave the Control Center enabled from the lock screen, attackers will be able to access your photos and send emails, tweets and Facebook updates without your PIN or fingerprint. ¬†They will also be able to make calls from your locked phone.¬† The fix for this is to go to the Settings app, choose Control Center and turn off the “Access on Lock Screen” toggle. ¬† Apple is working on fixes for these issues and will most probably release a software update pretty quickly.

Keep things in perspective.  If an attacker has physical control of your <insert mobile device here>, there is a chance that they will be able to compromise it.  Passcodes, fingerprints and the like are speed bumps which give you time to fully secure your lost or stolen device by remotely wiping and locking it.

For most individuals, passcodes, fingerprints and keeping track of where your phone is will provide a good balance between security and usability.  If your current phone has no passcode, the fingerprint authentication will be a definite improvement.

Should companies using iPhones or with BYOD policies be more concerned about the 5S than older iPhones? ¬†For most organizations, I don’t think so. ¬†There are a lot easier ways to get into your employees’ email (malware for example) than by stealing a phone. ¬†Physical theft has a much greater risk of being caught than using techniques like malware. ¬†Most device theft is opportunistic and aimed at reselling the phone, rather than getting at data.

These are my initial thoughts on this whole brouhaha – I’ll update this post as more information becomes available.

Stay tuned.

thoughts on the iPhone fingerprint hack

japan cloud oopsie reveals confidential treaty data

A cautionary tale of cloud computing… apparently, a Google Groups group set up by the Japanese Ministry of the Environment to (internally) share documents and messages regarding negotiations about an international treaty was misconfigured, leaving the information therein world readable. ¬†Cloud computing is here to stay folks and governments, companies ¬†and other organizations (and their security folks) need to figure out ways to keep confidential data either out of the cloud or, better yet, safe in the cloud. ¬† IMHO, we need cloud providers to come up with creative ways to allow organizations to encrypt particularly sensitive data with keys controlled by the data owner.

japan cloud oopsie reveals confidential treaty data

NLRB continues push to regulate social media in non union companies

No union? No problem…

It seems that the National Labor Relations Board (NLRB) is continuing to extend its push into the regulation of social media in non unionized work places. ¬†According to this Morgan Lewis LawFlash, two recent cases (which may end up in the appellate courts) continue the Board’s assault on workplace social media confidentiality policies.

In the first case, involving Costco, the NLRB found that a whole section of the firm’s social media policy dealing with prohibition of posting confidential information to social media platforms was rendered invalid because it included a ban on posting “payroll information,” which the NLRB felt pertains to protected activity under section 8(a)(1) of the Labor Relations Act.

The second case, involving an auto dealer named Knauz, struck down the employer’s social media policy based on the following language:

[c]ourtesy is the responsibility of every employee. Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees. No one should be disrespectful or use profanity or any other language which injures the image or reputation of the Dealership.

The Board felt that the language would discourage employees from using social media for activities covered under section 7 of the Labor Relations Act, such as organizing a union or having discussions about work conditions.

The lesson? ¬†Make sure that your company’s Social Media policy passes muster with your legal team – and make sure your legal team knows about what the NLRB has been up to in this area. ¬†Social media has the potential to be an exfiltration vector for your organization’s confidential information; you don’t want to end up with a policy which is thrown out when you need it most.



NLRB continues push to regulate social media in non union companies

epic fail – hackers gonna hack… unless they don’t have to

Earlier this week, an Australian firm providing billing and support services to web hosting firms found that their web site had been destroyed, their Twitter account hacked,  and 1.7G of data (including customer information and hashed passwords and credit card numbers had been posted to the Internets for the world to see.

You‚Äôd think that the hackers who went on this rampage must have been really clever and exploited some arcane vulnerability to gain access to all of this valuable data.¬† Or maybe they used some uber-slick piece of malware to get the information.¬† You’d be wrong.

What appears to have happened is that the attackers were able to figure out the answers to the ‚Äúsecurity questions‚ÄĚ for the company‚Äôs lead developer and use this information to con the webhost running the company‚Äôs web site to provide him with the administration password.¬† It appears that the admin password was also the corporate Twitter account password.¬† Doh!

Lessons we can learn from this:

  • Security questions suck as an authentication mechanism. ¬†Think about the last few times you had to establish security questions ‚Äď how easy would it be to guess your answers by looking at your Facebook, LinkedIn, or Twitter accounts?¬† If the information is not there, a quick browse throw people search web sites may yield the information.
  • Using the same password for multiple sites is a bad idea.¬† It appears that the same password was used for both the victim company‚Äôs server administration and corporate Twitter account.

What you can do to protect yourself and your company:

  • Build yourself a legend.¬† Come up with a set of (false) security question answers which cannot be guessed by attackers.¬†¬† For example, your first car could be a ‚Äú1931 Bugatti Royale Kellner Coupe,‚ÄĚ your first school could be ‚ÄúHarvard,‚ÄĚ and the town you grew up in could be ‚ÄúPeoria‚Ä̬† ¬†¬†(or if you are really good, one of these places).¬† Above all, don‚Äôt use answers that can be found on your social media profiles or by Googling yourself.
  • Don‚Äôt use the same password for multiple sites.¬† You don‚Äôt want the compromise of one password to lead to an attacker getting access to all of your stuff.¬† Use a password manager like LastPass or Keepass to easily and securely save you (per site) passwords as well as the fake answers to your security questions.


epic fail – hackers gonna hack… unless they don’t have to

security wtf of the week

Here is a textbook description of what companies should NOT do when someone privately reports a security vulnerability in their publicly available web site which is chock full of PII…

SC Magazine:
Security Researcher Threatened with Vulnerability Repair Bill

A couple of observations about the article…

The guy who found and reported the vulnerability was a customer of the firm in question and seems to have done everything in an above board manner.

It sounds like the vulnerability involved changing a single parameter in a URL in order to access another customer’s account. ¬†Whoever designed/wrote that application needs some serious re-edumacation at the very least. ¬†Maybe¬†these are the folks who should be paying to fix the vulnerability.

I’m not sure why they are demanding the researcher’s computer. ¬†The nature of the vulnerability would make it extremely easy to make sure he did not access additional PII by simply reading the web server logs.

I’ll bet that plenty of people at this organization are wishing that this incident never hit the news. ¬†Had they simply thanked the researcher and fixed the bug, their customers and business would have been protected and they would not have gotten such a public flogging. ¬†If I were a customer of theirs, I’d be wondering about the rest of their information security right about now.

So, to sum things up… WTF!



security wtf of the week

it never ceases to amaze me…

…how often companies botch the termination process for an employee with “destroy the network access” and are then shocked, shocked I tells ya, when the network, is in fact, destroyed. ¬†This week’s episode is especially chock full of security fail… ¬†Network administrator dude resigns from company over a dispute with a senior manager. ¬†His former manager (and close friend) convinces company to keep said dude on as a consultant due to his deep knowledge of said company’s networks (FAIL!!!). ¬†Fast forward a few months… the manager/friend now finds out that *he* is about to be laid off. ¬†He refuses to hand over some passwords and his buddy logs in using valid credentials from a local McDonalds and deletes a bunch of VMs… according to a story on Wired’s Threat Level Blog

‚ÄúThe Feb. 3 attack effectively froze Shionogi‚Äôs operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via e-mail,‚ÄĚ according to the complaint filed against him, which asserted that the hack cost Shionogi about $300,000. That figure rose to $800,000 in later court documents.

Really, really basic controls broke down here… if someone with “destroy the network access” is upset enough to leave the company (especially in a crappy economy like we are in now) – show them the freaking door and cut all of their access before it hits them in the ass on the way out! ¬†And don’t allow vital knowledge to accumulate in one person’s head, making them irreplaceable. ¬†Finally, make sure that there are checks and balances in the termination process to insure that these steps are completed quickly and properly. ¬†This is infosec 101, people!

it never ceases to amaze me…

it’s not always nice to share

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare. ¬†Some researchers in Belgium did some poking around on these sites and the results are yet another that security through obscurity just doesn’t cut it.

it’s not always nice to share

a post mortem tribute to (less than) mediocrity

He may look like Inspector Clouseau, but... oh, wait...

I love the obituaries in UK newspapers… none of that namby pamby covering up of the dearly departed’s foibles or less than stellar achievements. ¬†This past week, the Telegraph ran a (sort of) tribute to Colonel Albert Bachmann who in the words of the of the obit writer, “had reduced the Swiss military intelligence agency, in which he had mysteriously managed to rise to a senior role, to a state bordering on chaos, not to mention bankruptcy. So catastrophic was his impact that, when he was finally unmasked, many assumed he must be a double agent. He was not.”

Read all about it here…


a post mortem tribute to (less than) mediocrity