German hacker collective the Chaos Computer Club (CCC) grabbed headlines after showing a method to fool the iPhone 5s's Touch ID fingerprint scanner, but it's nothing that ordinary people need to worry about too much, according to a security expert.
CCC hacker Starbug created a fake fingerprint by scanning a real one, printing it and ultimately creating a fake print by transferring it to latex rubber or wood glue. The group claims that this is proof that biometric security isn't effective and shouldn't be used. Starbug calls his method "very straightforward and trivial."
Security expert Marc Rogers - director of security operations at the DEF CON hacking conference and principal security researcher for mobile security software developer Lookout - posted an entry to the Lookout blog entitled Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. Rogers explains:
Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.
He talks about some of the issues involved in acquiring an unsmudged print and transferring it. Contrary to Starbug's claims of triviality, Rogers says:
It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer.
Rogers underscores that Touch ID is useful as a convenience factor, not as an improved method of security.
Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.
Rogers also says that Touch ID would be improved if it were a two-factor authentication system - something you have (in this case, your fingerprint) and something you know - a PIN number or passcode. You can't install Touch ID without putting a passcode on your iPhone 5s as well, so the parts are there, if Apple's willing and able.
Over the years a number of studies have been done on smartphone security. And while the number of smartphones in use, and the variety of operating systems in use has increased, the number of users who protect their devices with a lock code or passcode has stayed within a few digits of 50 percent.
As Rogers points out, the number one reason why smartphone users don't use a passcode is because they're inconvenient. Touch ID handily addresses the convenience problem. While biometric security isn't perfect, no security is perfect.
If Touch ID's lasting contribution will be to provide that other 50 percent with a viable method of locking and unlocking their phone, Apple will have made a really positive contribution to the smartphone market.
What do you think? Is Rogers understating the risk to Touch ID users? Has Chaos Computer Club overstated how easy Touch ID is to override? I want to hear from you, so share your thoughts in the comments.
This Navy Blue iPhone 12 Pro concept shows Midnight Green is so last year
Rumors of a Navy Blue iPhone 12 Pro have circulated a few times and we're right here for it. After watching this concept, you will be as well.
Appeals court dismisses anti-conservative bias lawsuit against Apple
An appeals court has dismissed a lawsuit claiming Apple, Google, Facebook, and Twitter were biased against conservative views.
Apple TV+ lands its biggest film yet
Apple TV+ has landed the right to 'Killers of the Flower Moon', a Martin Scorsese film starring Robert De Niro and Leonardo DiCaprio.
If you're in need of a CD drive for your new Mac mini, these are the best!
Just as there's still a need for home printers, there are still cases where you need a good ole' optical drive for your Mac mini. We've compiled some of the best options to fit whatever your needs might be.