We know that any type of software is bound to be hacked eventually, but Apple is claiming that nothing will get past its new fingerprint scanning technology. While it offers stronger security than a traditional PIN, could a hack of this nature truly be dangerous to high-profile individuals? What would a hack like this mean for an enterprise or government agency? In part three of our discussion of Apple's fingerprint scanning technology for the iPhone 5S, we discuss where these attacks are likely to come from and what this means for your mobile security.
Darren: We already know that if you can lift a good enough print and image it at a high enough resolution and carefully construct a false finger from it, you can authenticate using someone else's fingerprint. We know that I can duplicate your fingerprint if I have enough information, so I'm going to set that one aside because that's well documented and lots of people have done great work on that.
There are a lot of vectors that people aren't really talking about much. I briefly mentioned the possibility of malware. Depending on how the fingerprint data is protected, malware, even from the jailbreaking repositories or even from the App Store, could access fingerprint data and send it to me over the network so I can possibly duplicate enough of your fingerprint to authenticate to your phone without having to take a lot of risks or do a lot of planning. It's possible that malware could access this TrustZone and store a newly enrolled finger which happens to be mine. That would be a lovely attack and I think it's a matter of time before we see something like that.
There's also the possibility of exploiting some kind of a backup. Supposedly, Apple claims this won't be in iCloud, but when they were asked whether it would ever be in iCloud, they declined to comment. I wouldn't be surprised to see at some point this data accidentally or intentionally making it off the device to somewhere it could get hacked by somebody else. I could just crack the device open and start talking to the ARM chip directly. There are people out there that go as far as dissolving the cap off of a CPU in order to reverse engineer it. Does the average person have to worry about that? I don't think so, but when you look at things like forensic recovery, if you're worried about travelling internationally and having some police agency or national security agency recover sensitive information off of your phone, or about a determined industrial espionage activity of some kind, then it's worth worrying about that a little bit.
The last idea is that there's now this tiny little sensor that fits under the home button on the iPhone, and I don't know how many people have taken apart an iPhone, but the home button is a millimeter or two thick. It's a very tiny device and I would not be surprised to start seeing something in the spirit of a credit card skimmer, where I can just replay the data. We've seen it with credit cards, we've seen it with ATM chip-and-PIN devices, we've seen it with biometric passports. I wouldn't be surprised to see it under this circumstance, too.
Jared: I really liked the RFID one because the hardware to mimic that kind of stuff is just becoming so cheap. These are more sophisticated fingerprint scanners, but so is the technology to attack them. There are a lot of different ways to use existing hardware to attack these kinds of things. It might go to physical-based attacks. You could probably start distributing things through the mail and see who leaves their prints on things.
Jared: The hardware stuff is very interesting, especially when you get to biometrics, and even outside the phone. You've got the iOS scanners; there was a good iris presentation last year where, once they had enough images, they were able to generate fake irises and bypass that in five to ten minutes.
Darren: These sorts of people are very clever. It doesn't take them very long to reverse engineer this stuff. Once the hardware and software are in the wild, I expect to see that as one of the first attacks, or at least attempted attacks, in very short order.
Darren: I don't think I would ever tell someone not to be concerned at all, but I think that if you look at the threat model, the average user is looking at a net increase in security. I think that for the common person, implementing Touch ID and using their fingerprint to authenticate to their device is superior, certainly for people who don't have a PIN, and I think even for people who do. Right now, with the current state of the attacks, I wouldn't say that the normal user should really be concerned about using Touch ID.
Jared: It's much more convenient. The attacks are basically somewhat targeted, in terms of someone physically watching. There are more available software attacks for the PIN code, and there will probably be some hardware attacks on Touch ID eventually, but Touch ID makes it convenient, and for the average user it's a net win.
Darren: I think it won't be very difficult to convince Apple to add this in the future. There's enough enterprise security appetite. I'm actually not sure if that convincing will come from the hacking community. I think what the hacking community does will certainly bolster the argument, but for a lot of enterprises, the appetite for two-factor is really going to be the driver there.
Jared: It's in virtually every post that has a good discussion about fingerprinting technology that you should have dual-factor authentication. That's pretty much unanimous around the security community. I can see why Apple would just want to roll this out, because people aren't using the PIN code, and they offered dual right away. They're going to face a lot of people from enterprise and from people outside. People are wondering: what are you doing with my data? Where does that go? How can I set this up so that when I do a secure wipe, I know for a fact it also dumps that fingerprint?
There are going to be concerns that should be addressed and should be documented in terms of exactly how it is. We talked a lot about the TrustZone. It's really probably the most suspicious area for them to store it in, but then they have to do it. Apple has a history of doing things their own way, and in that case there might be more opportunity for hacking and jailbreaking tools to apply.
Darren: If you're managing security for an enterprise, you have to look at hacks like the CCC attack and take them much more seriously, especially if you have high-profile people or your business is involved with a lot of intellectual property or any kind of highly sensitive business material. This is a good wake-up call that you shouldn't be relying on the OS to protect that data. You should have your own internal extra controls: your mobile device management policy, your additional layers of security, validating your software supply chain to make sure that the apps don't have malware embedded in them.
Jared: The classic example would be government, right? You've got somebody with an M-16 who's just watching people walk by. That can be easily used to bypass that kind of security, because all the guard is waiting for is something to go wrong. That's not an issue as long as you can keep a biometric scanner.