Just one day after the new fingerprint-scanning Apple iPhone-5s was released to
the public, hackers claimed to have defeated the new security mechanism. After
their announcement on Saturday night, the Chaos Computer Club posted a video on
YouTube which appears to show a user defeating Apple’s new TouchID security by
using a replicated fingerprint.
Apple has not yet commented on this matter, and, as far as I can tell, no
third-party agency has publicly validated the video or the hacker group’s claim.
In theory, the techniques used should not have defeated the sub-dermal analysis
(analyzing three-dimensional unique aspects of fingerprints rather than just
two-dimensional surface images) that Apple was supposed to have used in its
fingerprint scanner, but, as I mentioned in my article last week (Your New
iPhone Can Put Your Identity At Risk), systems are not always implemented
exactly as planned, and there are sometimes exploitable vulnerabilities that
people may be strongly incented to find.
The video posted by the hacker group does not show the preparation
of the replicated print used to inappropriately authenticate. In fact, the
video may make the process of defeating the security seem far simpler than it
is – creating a replicated print similar to the one the hackers apparently used
to defeat the fingerprint sensor involves some work; lifting and printing a
high-resolution mirror image of a print onto a surface (which seems to be what
was done based on the video) is not something that the average user can easily
do today. However, as I noted last week, if criminals stand to make significant
money by doing so, they will quickly acquire the skills and the resources
needed to achieve their goal.
Hence, if the technique claimed by the hackers is found to work
(even if it works only some of the time), there is serious risk to any user
using fingerprint authentication on its own. Coupled with the other risks that
I described last week, as well as with the possibility that fingerprints and
forced fingerprint authentication may not be protected by the Fifth Amendment,
this new revelation makes me even more certain in my concerns about fingerprint
authentication on smartphones.
source: Forbes Tech