If Apple 's Touch ID is All About Security, Why is it so Easy to Bypass?

[G+_Michael A. Curtis]

If Apple's Touch ID is All About Security, Why is it so Easy to Bypass?

Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands, has found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds to access photos, email, Twitter, and more. He shared the technique with me, along with the video above.

 

As the video shows, anyone can exploit the bug by swiping up on the lockscreen to access the phone’s “control center,” and then opening the alarm clock. Holding the phone’s sleep button brings up the option to power it off with a swipe. Instead, the intruder can tap “cancel” and double click the home button to enter the phone’s multitasking screen. That offers access to its camera and stored photos, along with the ability to share those photos from the user’s accounts, essentially allowing anyone who grabs the phone to hijack the user’s email, Twitter, Facebook or Flickr account. 

 

iOS 7 Bug Lets Anyone Bypass iPhone's Lockscreen To Hijack Photos, Email, Or Twitter

http://onforb.es/1adZaDK

 

Yesterday the BBC reported on another two security flaws involving the Touch ID security:

 

One flaw concerns a user's ability to recover their data if a device has been stolen. The much-vaunted "Find my iPhone" feature can be disabled be a thief simply by putting the iPhone or iPad into airplane mode, preventing the device from communicating.

 

In iOS7 this can be done even when the phone is locked with a passcode, as the voice-activated assistant Siri can be instructed to carry out the task.

 

The other flaw is potentially even more serious - allowing users' email and social networking accounts to be hijacked even when the user has locked and password-protected their phone,

 

Security holes unearthed in Apple's iOS7

http://bbc.in/1a97Mvj

 

 

Meanwhile, United States Senator Al Frankin has raised security fears with Apple's CEO Tim Cook over "hacking" of fingerprint sensors on its new iPhones, saying that the Touch ID system could be potentially disastrous for users if someone does eventually hack it.

 

While a password can be kept a secret and changed if it's hacked, he said, fingerprints are permanent and are left on everything a person touches, making them far from a secret.

 

"Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life," the Democrat said in a letter to Apple CEO Tim Cook.

 

Apple officials didn't immediately return an email seeking comment on Franken's letter.

 

US Senator writes to Apple over fingerprint sensor 'hack' fears

http://bit.ly/18iEZmS

[G+_Demian Dellinger]

This is great news! Now I just have to steal all the phones!

[G+_Dave Peters]

To my understanding the detail in question as far as accessing mail, pictures and such does not even involve the Touch ID sensor and if you read the FAQ on Apple's page you would know that there are times and events that even with the finger print scan you are required to also key in your security password

 

 http://support.apple.com/kb/HT5949?viewlocale=en_US&locale=en_US

 

As for a Senator questioning Apple about this Technology, has it not already been established that not all of the grasp technology to a degree to understand the topics they are asking about

[G+_Vin Brown]

That's right Dave Peters the Touch ID has been completely bypassed in these cases allowing the possessor of the phone to access the owner's email and social networking accounts even when the user has locked and password-protected their phone. 

 

The point the Senator was making was also made by Cory Doctorow in his recent presentation to iWeek in Johannesburg about South Africa's new ID cards.  He pointed out how using a fingerprint for authentication is a terrible idea and is not secure:

 

“The problem with biometric security is that biometrics leak… your finger prints are all over this conference room, and so are mine.” Doctorow said, “That makes them bad authentication tokens as they’re easy to obtain and impossible to revoke.”

 

"Your fingerprints are not secret and as a result they are bad authentication tokens because they are easy to clone and hard to revoke.  It's like issuing you a password at birth and then never letting you change it.  It's an incredibly bad idea from a security perspective."

[G+_Dave Peters]

The phone used in the video I would say is at least a 4 or 4S based off the screen size, which means touch ID does not even factor into the argument here.

 

As for comparing things between a CAPITATIVE TOUCH sensor on the iPhone and the traditional finger print sensor that would be in an ID card (common sense says you cant use the same tech due to thickness of the card), pardon the pun but it is an  Apples and Oranges comparison 

[G+_Vin Brown]

Dave Peters The iPhone in the video is not a 5s, but this doesn't change the fact that the 5s (also running iOS7) can be accessed without the need to scan the finger.

 

Frankin and Doctorow were both pointing out that a fingerprint is not a secret, nor irrevokable and is therefore not secure.   You are probably right in assuming the South African ID cards and Touch ID are not the same technology though and I probably should have left it out of this post.  I enjoyed your pun. :-)  

[G+_Vin Brown]

That didn't take long - the Touch ID has just been hacked by creating a fake finger that uses lifted prints to fool the scanner into believing it’s dealing with its rightful owner:

 

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

 

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

 

http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid