German hacker collective the Chaos Computer Club (CCC) grabbed headlines after showing a method to fool the iPhone 5s's Touch ID fingerprint scanner, but it's nothing that ordinary people need to worry about too much, according to a security expert.
CCC hacker Starbug created a fake fingerprint by scanning a real one, printing it and ultimately creating a fake print by transferring it to latex rubber or wood glue. The group claims that this is proof that biometric security isn't effective and shouldn't be used. Starbug calls his method "very straightforward and trivial."
Security expert Marc Rogers - director of security operations at the DEF CON hacking conference and principal security researcher for mobile security software developer Lookout - posted an entry to the Lookout blog entitled Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. Rogers explains:
Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.
He talks about some of the issues involved in acquiring an unsmudged print and transferring it. Contrary to Starbug's claims of triviality, Rogers says:
It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer.
Rogers underscores that Touch ID is useful as a convenience factor, not as an improved method of security.
Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.
Rogers also says that Touch ID would be improved if it were a two-factor authentication system - something you have (in this case, your fingerprint) and something you know - a PIN number or passcode. You can't install Touch ID without putting a passcode on your iPhone 5s as well, so the parts are there, if Apple's willing and able.
Over the years a number of studies have been done on smartphone security. And while the number of smartphones in use, and the variety of operating systems in use has increased, the number of users who protect their devices with a lock code or passcode has stayed within a few digits of 50 percent.
As Rogers points out, the number one reason why smartphone users don't use a passcode is because they're inconvenient. Touch ID handily addresses the convenience problem. While biometric security isn't perfect, no security is perfect.
If Touch ID's lasting contribution will be to provide that other 50 percent with a viable method of locking and unlocking their phone, Apple will have made a really positive contribution to the smartphone market.
What do you think? Is Rogers understating the risk to Touch ID users? Has Chaos Computer Club overstated how easy Touch ID is to override? I want to hear from you, so share your thoughts in the comments.
Source: MacRumors
Gorgeous new Pride Apple Watch bands are now available at some Apple Stores
Apple's latest Pride Apple Watch bands are now available to buy in some Apple Stores, although whether you can walk into a store and pick one up yourself will very much depend on where you happen to be.
Rare Steve Jobs check for $9.18 goes under the hammer, could fetch $25k
A rare check signed by Steve Jobs dated July 23, 1976, has just gone up for auction and could be worth a lot more than it was originally written out for...
Apple store workers get surprise pay rise as union pressure grows
Apple plans to give U.S. workers a pay rise in the face of growing pressure from unions that are emerging in some retail locations.
Track your sleep to see your night habits and develop better resting tools
Getting proper sleep these days can be hard, but a good sleep tracker can potentially help fix the problem. Tracking your sleep can give you valuable data on how long and well you slept, as well as insight into how you can ultimately get better rest. Here are the best ones.