Some in Financial Services seemed to think that now, finally, it would be easy to do serious business with Apple’s new iPhone 5S TouchID mobile device. The advanced biometric authentication would, so the argument goes, secure the environment — the device and its use — in ways that were going to make risk management easy…
…”Oh, those sad Windows users. What will we do with them?”
The German hacker organization “Chaos Computer Club” (CCC) uploaded a YouTube video appearing to demonstrate a successful hack of the new iPhone TouchID biometric authentication. In the short video an individual appears to access an iPhone 5S using a fabricated fingerprint.
This new option was promoted by Apple as a better way to protect devices and to protect sensitive information stored on or accessed by them.
Just last week, I heard an industry pundit say — seriously — that “mobile security was solved” because of the strength of Apple’s biometric security. When I responded with a muted challenge, the individual’s demeanor suggested pity for me (at best).
CCC member with the pseudonym starbug said on the organization’s site, “For years we have repeatedly warned against the use of fingerprints for access control. We leave fingerprints everywhere, and it is a breeze to create fake fingers from it.”
The CCC approach, as described in their announcement on Sat, Sept. 21st, used materials that are common in most households:
- Photograph the fingerprint of a targeted user with a resolution of 2400 dpi.
- Invert the photo on your computer.
- Print it on transparency film using a laser printer at 1200 dpi.
(In the CCC video, the technique also appeared to involve etching a printed circuit board. Not everyone has easy access to board-etching equipment, but it is not that unusual; maybe as common as lock picks?)
- Apply a skin-colored latex milk or white wood glue to the image.
- The “pressure lines” create a fingerprint image in the deposited material.
- After drying, remove the counterfeit finger.
- Moisten the “fingerprint” slightly by breathing on it.
- Unlock the targeted iPhone with it.
Frank Rieger, speaker of the CCC, said that “The public should no longer be led around by the biometrics industry with false statements on the nose. Biometrics is suitable to monitor and control people not to (secure) everyday devices against unauthorized access.”
Biometrics have always been a challenge. That state continues.
In the case of the Apple 5S TouchID, the Apple marketing may have been a little misdirection as well — as in, “Hey! Look at this great new button over here!” — rather than dealing with the difficult block-and-tackle work of building out secure-enough endpoints and supporting cloud infrastructure across their entire life-cycles. There may be niches in the consumer market for the TouchID, but it seems like the iPhone 5S implementation does not deliver for real business.
If this announcement described the real state of the Apple 5S TouchID technology and implementation, that identity infrastructure is still not ready for broad or routine integration into the operations of Financial Services enterprises.
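One way a Financial Services integrator can act on that conclusion is to treat a device-local biometric unlock as a convenience factor rather than as proof of identity, and to require a server-verified factor before money moves. The following policy check is an added illustration written for this post; it is not Apple's, the CCC's, or any bank's code, and the factor names, assurance points and amount thresholds are assumed values chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    # Hypothetical factor labels for this example, not an Apple or CCC API.
    DEVICE_BIOMETRIC = "device_biometric"  # TouchID-style unlock, checked only on the device
    DEVICE_PASSCODE = "device_passcode"    # device passcode, also checked only on the device
    SERVER_PASSWORD = "server_password"    # credential the bank's server verified itself
    SERVER_OTP = "server_otp"              # one-time code the bank's server verified itself


# Assurance points per factor (assumed values for illustration).
# A device-local biometric scores the same as a device passcode: it tells the
# server that the device was unlocked, not who unlocked it, and the post above
# describes how a copied fingerprint can satisfy it.
ASSURANCE = {
    Factor.DEVICE_BIOMETRIC: 1,
    Factor.DEVICE_PASSCODE: 1,
    Factor.SERVER_PASSWORD: 2,
    Factor.SERVER_OTP: 3,
}

SERVER_VERIFIED = {Factor.SERVER_PASSWORD, Factor.SERVER_OTP}


@dataclass
class Request:
    action: str            # "view_balance" or "transfer" in this example
    amount: float          # transaction amount in the account currency
    factors: set           # set of Factor values presented for this request
    device_registered: bool  # whether the device was enrolled with the bank


def required_assurance(action, amount):
    """Minimum assurance points per action (assumed policy values)."""
    if action == "view_balance":
        return 1
    if action == "transfer":
        return 2 if amount < 1000 else 5
    return 5  # anything unlisted is treated as high risk


def decide(req):
    """Return ('allow' | 'step_up' | 'deny', factors that would satisfy the policy)."""
    if not req.device_registered:
        return ("deny", [])
    points = sum(ASSURANCE[f] for f in req.factors)
    need = required_assurance(req.action, req.amount)
    # Money movement must include a factor the server verified itself;
    # a device-side unlock alone never satisfies a transfer, whatever it scores.
    if req.action != "view_balance" and not (req.factors & SERVER_VERIFIED):
        return ("step_up", [Factor.SERVER_OTP])
    if points >= need:
        return ("allow", [])
    return ("step_up", [Factor.SERVER_OTP])


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        Request("view_balance", 0, {Factor.DEVICE_BIOMETRIC}, True),
        Request("transfer", 500, {Factor.DEVICE_BIOMETRIC}, True),
        Request("transfer", 500, {Factor.DEVICE_BIOMETRIC, Factor.SERVER_PASSWORD}, True),
        Request("transfer", 5000, {Factor.DEVICE_BIOMETRIC, Factor.SERVER_PASSWORD}, True),
        Request("transfer", 5000, {Factor.DEVICE_BIOMETRIC, Factor.SERVER_PASSWORD,
                                   Factor.SERVER_OTP}, True),
    ]
    for s in samples:
        print(s.action, s.amount, sorted(f.value for f in s.factors), "->", decide(s))
```

The point of the design is the separate server-verified check: even if an attacker with a copied fingerprint unlocks the handset, the bank's own systems still demand something they verified themselves before a transfer proceeds, and larger amounts demand more.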
What do you think?
By Rose Sodre, Sep 23, 2013
- Chaos Computer Club announcement, by frank, 2013-09-21 22:04:00 (in German).
- CCC video containing more details about the techniques used to copy and misuse a fingerprint against Apple iPhone 5S TouchID.
- South China Morning Post (http://www.scmp.com).
- Apple, “iPhone 5s: About Touch ID security.”
- “Investigating Touch ID and the Secure Enclave.”