Ride the Lightning

The iPhone 5s: How Secure is the Touch ID?

September 26, 2013

This is a still developing story, so there may be updates. John and I penned this one together for Law Technology News, so it's longer than my usual posts!

*******************************************

It came asno surprise that the new iPhone was hacked within a couple days of its release.The hack was hyped in the headlines all out of proportion to the hack itself.And the security vulnerability uncovered was really old and tattered. We haveknown for a long time that fingerprints could be compromised.

But it wasdownright fun to read in SC Magazine that there was already a crowdsourcedbounty to crack the iPhone 5s – the first Apple product to feature authenticationvia a fingerprint scan – even before the phone was released. The bounty wasaround $20,000 when we saw it, though the amount dropped later when someonereneged on their pledge.

Within twodays of the phone’s release, the German biometrics hacking team of the ChaosComputer Club (CCC) – an interesting name – successfully bypassed the biometricsecurity of Apple's TouchID.

Here is themethodology that was used as described by the CCC. “First, the residualfingerprint from the phone is either photographed or scanned with a flatbedscanner at 2400 dpi. Then the image is converted to black & white, invertedand mirrored. This image is then printed onto a transparent sheet at 1200 dpi.To create the mold, the mask is then used to expose the fingerprint structureon photo-sensitive PCB material. The PCB material is then developed, etched andcleaned. After this process, the mold is ready. A thin coat of graphite sprayis applied to ensure an improved capacitive response. This also makes it easierto remove the fake fingerprint. Finally a thin film of white wood glue issmeared into the mold. After the glue cures the new fake fingerprint is readyfor use.”

We have tosay this this methodology doesn’t sound all that easy to us. But it wouldcertainly be relatively simple for someone who was targeting a specific phoneand knew what they were doing. We do agree with CCC’s statement that “It isplain stupid to use something that you can´t change and that you leaveeverywhere every day as a security token." And we agree that whereas a lawenforcement officer can’t compel you to divulge your PIN, they could swipe yourphone over your handcuffed hands.

There aresome security safeguards in place. You can’t unlock the phone with afingerprint only if the device hasn’t been unlocked in 48 hours or has beenreset – then you need the traditional PIN.

Apple hasemphasized that the fingerprint data will be encrypted and stored locally on adevice – never uploaded to a cloud. But still . . . we take our fingerprintseverywhere we go – is this really a good security mechanism?

It wouldhave been a true advancement if Apple had permitted users to choose BOTHfingerprint authentication and a PIN. But this option is not available, even tothose who would elect two-factor authentication in the name of security. Still,we are mindful that the Touch ID is better than no PIN – which is where manyiPhone users are now. It may even be more secure than a four digit PIN as well.And to put things in context, any evildoer must steal your phone as well asyour fingerprint to get to your data. The odds of that happening are not great– unless you are targeted.

Ourrecommendation remains the complex password, certainly for lawyers who do carrysensitive data on their phones. Also remember that the iPhone even stores data(e.g. screen shots) that you didn’t intentionally save, which may includeconfidential information.

On a sidenote, the worst Apple flaw we’ve seen is the issuance of iOS 7, which includedan easy way to deactivate ‘Find my iPhone’ or ‘Find My iPad’ even when thedevice is locked. All a bad guy has to turn do is turn on airplane mode whichcan be done via Siri or in the Control Center, a feature new to iOS. Since thatwill disable mobile and Wi-Fi features, the location apps are defeated. How theApple security geniuses let that one get through is beyond us. If you are likemost security specialists and tired of Apple’s slow response, just go to theControl Center and turn off the “Access on Lock Screen” feature.

It isgratifying to see Apple paying more attention to security, even if there aresome missteps along the way. Security for smartphones will continue to evolve.The technological futurists all recognize that we live in a “Passwords areDying” world and that two-factor authentication is a certain requirement for lawyers in the fairly near term. We are fans of tokens(something you have) along with passwords (something you know) as the mechanismfor authenticating. The problem with biometrics – fingerprints, retina scans,etc. – is that they can all ultimately be compromised.

And this iswhy all lawyers should attend a security CLE update at least once a year –nothing evolves as fast as technology and the recommended means of securing it!

http://twitter.com/sharonnelson