Thursday, September 26, 2013

iPhone 5S hacked

Germany's Chaos Computer Club says it has cracked the protection around Apple's fingerprint sensor on its new iPhone 5S, just two days after the device went on sale worldwide.
In a post on their site, the group says that their biometric hacking team took a fingerprint of the user, photographed from a glass surface, and then created a "fake fingerprint" which could be put onto a thin film and used with a real finger to unlock the iPhone.
The claim, which is backed up with a video, will create concerns for businesses which see users intending to use the phone to access corporate accounts. While it requires physical access to the phone, and a clean print of one finger which is one of those used to unlock the phone, it raises the risk of a security breach.
"This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided," said the Chaos Club's blog post author, "Starbug". "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
The group does not claim to have extracted the fingerprint representation from the phone itself, where Apple says it is held on a secure chip. Instead it relies on capturing a high-quality fingerprint elsewhere, and having access to the phone.
"Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn't depend upon it if you have sensitive data you wish to protect," commented security specialist Graham Cluley.
Apple did not respond to a request for comment on the hack.
The revelation is the third security failing discovered since the phone and its iOS 7 software were released last week. First, a hacker found that they could use a flaw in iOS 7's Control Centre feature on the iPhone 4S and 5 to access photos and send emails. Another found that the Emergency screen can be used to place a call to any number.
The Chaos Club details its methods for the fingerprint hack, which begins with a high-quality fingerprint lifted from a glass, door knob or glossy surface. The print, which essentially consists of fat and sweat, is made visible using graphite powder or a component of superglue, and then photographed at high resolution to create a 2400 pixel-per-inch scan. That is then printed onto an overhead projector plastic slide using a laser printer, forming a relief. That is then covered with wood glue, cut and attached to a real finger.
Apple introduced Touch ID, as it calls the fingerprint system, on its top-end iPhone 5S, unveiled earlier in the month. The technology uses a scanner built into the home button of the phone to take a high-resolution image from small sections of the fingerprint from the sub-epidermal layers of the skin. Apple says "Touch ID then intelligently analyses this information with a remarkable degree of detail and precision."
Users can choose to use up to five fingerprints – which can be changed – to unlock the phone and optionally pay for iTunes Store purchases. They first have to create a passcode of at least four digits, and then "enrol" fingerprints separately. Apple says that the process creates a mathematical representation of the fingerprint, and that it is only stored on the phone.
Apple's own notes about its Touch ID system on its site say that "Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerprint data to improve matching accuracy over time. Touch ID uses all of this to provide an accurate match and a very high level of security".
The company says that "Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode. Although some passcodes, like "1234", may be more easily guessed, there is no such thing as an easily guessable fingerprint pattern."
