
Fake fingerprint fools iPhone 6 Touch ID

Because attackers only get five tries, Touch ID is strong enough... for now.

Apple's latest iPhones are vulnerable to the same fingerprint forging attack as the older iPhone 5S, allowing access to the phone via a fingerprint fabricated with some specialized knowledge and materials costing less than a thousand dollars, according to a researcher who reproduced the attack against the latest iPhones.

Marc Rogers, principal security researcher for mobile security firm Lookout, used techniques common to law enforcement investigators and prototypers to first lift latent prints from the device and then create a mold from a custom circuit-board kit. Then, using glue, he made a thin rubber print that he placed over his thumb, fooling the Touch ID sensor on the latest iPhones.

While his experiments suggested that Apple improved the sensor on the latest iPhones—it rejected slightly fewer legitimate prints and slightly more fake prints—Rogers found that the technique still works on the iPhone 6 and 6 Plus.

"The process with both of them is exactly the same," he said. "I would not call it a walk in the park, because it took me roughly eight hours to do. Yet someone who is not doing this for research could probably complete the process in two or three hours."

Announced last year, Touch ID debuted on the iPhone 5S and is included on the latest models of Apple's larger phones. Initial attacks on the Touch ID sensor underscored the major weakness in the application of fingerprint recognition technologies to mobile devices: a user's access codes—that is, fingerprints—are left everywhere, including on the device. If a thief can steal an iPhone, the device often carries with it fingerprints that are of high enough quality to unlock the phone.

Yet past successful attacks also show that Apple's implementation is generally good enough to protect iPhones against the most common risk: being stolen by thieves, erased, and then resold, Rogers said. The fingerprint technology can be attacked in one of two ways. Either an attacker uses a laser printer to build a mold out of layers of ink, or uses a transparency to photo-etch a printed circuit board and create a mold from that. In both cases, glue—sometimes mixed with glycerol—is used to simulate skin and retain the print.

Getting it right in five tries, however, is another matter, said Rogers. The process is tricky enough that, combined with the limited number of attempts that Apple allows to access the phone, Touch ID is an effective countermeasure against theft.

"I was aided by the fact that I had unlimited attempts, and it took quite a few attempts to get any usable print and quite a few attempts to refine that print into something that would work," Rogers said. "It is not something that I would expect a street criminal to use."
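The attempt limit described above, expressed as a small model (an added example, not code from the article and not Apple's implementation): a gate that disables fingerprint unlock after five consecutive mismatches and falls back to the passcode, alongside the cumulative success probability 1 - (1 - p)^n for an attacker presenting a forged print whose per-attempt acceptance probability is p. The probabilities fed in are constructed illustrations, and the lockout behaviour is an assumed simplification of the policy the article mentions, not Apple's actual logic.

```python
"""Added example: a bounded-attempt biometric gate and the attacker's
cumulative success probability under that bound.

Assumptions (not from the article): the gate resets on any successful unlock,
and lockout can only be cleared by the passcode. All probabilities used in
the demo are constructed, not measured."""

import math
from dataclasses import dataclass, field

MAX_BIOMETRIC_ATTEMPTS = 5  # the article's figure for Touch ID; assumed fixed here


@dataclass
class BiometricGate:
    """Tracks consecutive failed biometric attempts and disables the sensor
    once the budget is spent, requiring the passcode instead."""

    max_attempts: int = MAX_BIOMETRIC_ATTEMPTS
    failures: int = 0
    locked_out: bool = False
    log: list = field(default_factory=list)

    def try_fingerprint(self, matched: bool) -> str:
        """Present a fingerprint; `matched` is the sensor's accept/reject verdict."""
        if self.locked_out:
            self.log.append("biometric ignored: lockout active, passcode required")
            return "passcode_required"
        if matched:
            self.failures = 0
            self.log.append("biometric accepted")
            return "unlocked"
        self.failures += 1
        self.log.append(f"biometric mismatch {self.failures}/{self.max_attempts}")
        if self.failures >= self.max_attempts:
            self.locked_out = True
            self.log.append("lockout: passcode required")
            return "passcode_required"
        return "retry"

    def passcode_unlock(self, correct: bool) -> str:
        """The fallback path; a correct passcode clears the lockout."""
        if correct:
            self.failures = 0
            self.locked_out = False
            self.log.append("passcode accepted, biometric re-enabled")
            return "unlocked"
        self.log.append("passcode rejected")
        return "denied"


def success_probability(p_per_attempt: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent presentations
    of a forged print is accepted when each has acceptance probability p."""
    return 1.0 - (1.0 - p_per_attempt) ** attempts


def attempts_to_reach(p_per_attempt: float, target: float) -> int:
    """Smallest number of attempts whose cumulative success probability
    reaches `target`, i.e. what an attacker with unlimited tries would need."""
    if p_per_attempt >= 1.0:
        return 1
    if target <= 0.0:
        return 0
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_per_attempt))


if __name__ == "__main__":
    p = 0.10  # constructed per-attempt acceptance rate for a rough forgery
    print(f"5 tries, p={p}: {success_probability(p, MAX_BIOMETRIC_ATTEMPTS):.3f}")
    print(f"tries for 95% with unlimited attempts: {attempts_to_reach(p, 0.95)}")

    gate = BiometricGate()
    for _ in range(MAX_BIOMETRIC_ATTEMPTS):
        gate.try_fingerprint(matched=False)
    print(gate.try_fingerprint(matched=True))   # still passcode_required
    print(gate.passcode_unlock(correct=True))   # unlocked
    print("\n".join(gate.log))
```

With a per-attempt acceptance rate of 10 percent, five tries give the attacker roughly a 41 percent chance, while reaching 95 percent would take 29 presentations; the unlimited-attempt condition Rogers describes is exactly the difference between those two numbers.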

Overall, Touch ID has increased the security of the iPhone, because ubiquitous use of Touch ID means that far more iPhone users are locking their phones against unauthorized access. Anywhere from 54 percent to 67 percent of smartphone users do not protect their phone with even a simple passcode, according to two studies released in 2011.

Just as safes are used to protect valuable information and objects in a locked house, mobile users should install more serious security to protect valuable data on their phone, even if it is locked with a passcode or fingerprint, Rogers said.

"Touch ID is great for locking the iPhone, and it will keep most people out, but when it comes to really sensitive data, you should consider another security measure," he said.

The question also remains whether Touch ID will be enough to secure Apple's devices when the company's payment solution, Apple Pay, begins to become more popular. Apple Pay will use the Touch ID sensor to initiate a payment using one of the credit-card accounts stored on the phone. If the process catches on, there will be a lot more money to be made in stealing a phone, according to Rogers.

"We are talking about putting a lot of financial transactions through the iPhone, and that money will incentivize criminals to refine the process, and that could open up a scenario where there is risk to the consumers," he said.
