
The iPhone’s new fingerprint sensor seems like a great way to use biometrics to keep the device secure and personal, but could the feature be used against the owner to circumvent existing protections?

According to one YouTube video, the answer is “yes” – but there’s a bit more to it than that. Let’s take a look at whether the 5S introduces a new security threat, and what you can do to ensure your iPhone remains your iPhone.

The Video in Question

Take a look at the video below, which shows a knowledgeable would-be thief hijacking an iPhone. We should all know that allowing someone access to your primary email account is like handing them all of your personal accounts on a platter, so the latter part of the video is somewhat irrelevant. It’s the passcode circumvention and Apple ID hijacking we’re really interested in here:

Seems like pretty scary stuff, huh? And it was that easy? Well, the video assumes many things to prove its point.

The Achilles’ heel here is the fingerprint sensor, and the use of biometrics in general. All biometrics are susceptible to this form of attack at present, so if you’re using fingerprint recognition to unlock your laptop or other personal device, you should be aware that spoofing a fingerprint isn’t all that difficult if the thief has the know-how and equipment.


The video assumes there is a usable fingerprint on the device, and that’s exactly where the problems arise. Leave a full thumbprint (not just a thumb-tip print) on your device and there’s a possibility the thief would be able to gain access. This is of course provided they know the process of successfully extracting and copying the print, and then creating a woodblock print good enough to pass as a human finger.

Another assumption is that the phone allows the use of Control Centre from the lockscreen, a setting which is enabled by default (so this itself is believable in the majority of cases). The video also presumes that the thief would successfully receive the email before Apple’s wipe request is processed by the device.

The final assumption in the hijacking of the account (and indeed phone) is that the Apple ID recovery address is tied to the iPhone – again, I have no issues here, I believe most people would allow this for convenience.

Not Quite So Simple

While the logic here is sound, the main crux of the argument is based on the fact that there is a usable fingerprint on the device. Looking at my screen after sending a few messages and checking my email in bed, I currently see no way a thief would be able to extract a print from my device. For me, it’s either smeared in the usual stuff that collects on our touchscreens or sparklingly clean after the old trouser-buff treatment.

That’s not to say this is never going to happen, but in the rush to steal the device and disable communications with the outside world there’s a very real possibility of destroying that usable print. How likely it is that a working woodblock fingerprint spoof could be created depends on the quality of the print and the skill of the individual. Though I don’t doubt it’s possible, I’m skeptical that the average snatch-and-grab thief would go to such lengths.


Another area that is somewhat glossed over is the retrieval of mail for the Apple ID password reset code. I’d like to think after the many hours of creating woodblock fingerprints, everyone else’s inbox would be as congested as mine; something that’s not factored in here. Whether this would create enough of a delay for the Find My iPhone wipe request to be processed is unclear, but within a short time of being phone-less I’d have changed my email passwords and revoked access tokens myself.

This would make the thief’s effort a waste of time – after all, Find My iPhone now comes with Activation Lock, which requires your Apple ID password to remove. Without access to the email accounts the thief would be unable to reset this password, so the phone is useless to the thief and your Apple ID is secure.

What You Can Do About It

While these techniques aren’t unbelievable, and with enough effort an intruder could possibly get in, there are a few things you can do to make sure you never find yourself victim to such an attack. Fingerprint unlocking is very convenient, but because the technology is built for convenience it has to accept the quick, imperfect touch of a real finger. This means that unlocking with a convincing fingerprint spoof is going to be a problem for the foreseeable future on any device. If you’re concerned, don’t use it.

Similarly, being able to set a timer or work out a quick bill from the lockscreen using one of the Control Centre shortcuts is very handy indeed, but in its current form it poses a security threat because it exposes Airplane Mode to anyone holding the locked phone. You can disable Control Centre access from the lockscreen in the Settings > Control Centre menu, though if Apple were kind enough to remove this option from the lockscreen in a future update we could all breathe easy.

You should also avoid using a common passcode like 1234 or 0000 (here’s a nice list to avoid), though remember there are only 9999 simple codes to choose from. If you’re really concerned you can disable the 4-digit passcode from the Settings > General > Passcode Lock menu, and set a longer, more complex one of your choice. And if you’re intent on breaking out your tinfoil hat, set your phone to erase all data upon 10 wrong passcode attempts from the same menu.
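To put numbers on the passcode advice above, here is an added example (my own code, not from the article) that flags the kinds of weak 4-digit codes the author warns against and estimates an attacker’s odds when the device erases itself after 10 wrong attempts. The list of common codes is a constructed sample, not a real survey.

```python
# Added example: weak-passcode check plus guess-budget estimate for an
# iPhone-style numeric passcode with "erase data after 10 wrong attempts".
from typing import Iterable, Optional

# Constructed, illustrative sample of commonly chosen codes (most popular first).
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777", "1004",
               "2000", "4444", "2222", "6969"]


def is_weak_passcode(code: str, common: Iterable[str] = COMMON_PINS) -> bool:
    """True if the code is on the common list, repeats a single digit,
    is a straight ascending/descending run, or looks like a birth year."""
    if not code.isdigit() or len(code) < 4:
        return True
    if code in set(common):
        return True
    if len(set(code)) == 1:                        # 1111, 9999
        return True
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if steps in ({1}, {-1}):                       # 1234, 4321
        return True
    if len(code) == 4 and 1900 <= int(code) <= 2030:   # birth-year style
        return True
    return False


def guesses_needed(code: str, guess_order: Iterable[str] = COMMON_PINS,
                   attempts: int = 10) -> Optional[int]:
    """How many tries a thief working down `guess_order` needs before the
    phone wipes itself; None means the budget runs out first."""
    for n, guess in enumerate(guess_order, start=1):
        if n > attempts:
            break
        if guess == code:
            return n
    return None


def random_code_success_probability(code_length: int, attempts: int = 10) -> float:
    """Chance of guessing a uniformly random numeric code within the budget."""
    space = 10 ** code_length
    return min(attempts, space) / space
```

Going from four to six digits drops a thief’s ten-try odds from 1 in 1,000 to 1 in 100,000, while a code on the common list can fall on the first or second try.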

Other measures include making sure your Apple ID recovery address isn’t linked to your phone (probably tough for most users), and, if you suddenly notice your phone is missing, changing your important passwords and revoking any access the missing device has to important accounts. You know, the obvious stuff.

It goes without saying that upgrading to iOS 7 and ensuring Find My iPhone is enabled under Settings > iCloud provides the best line of defence, so use it.

No Cause For Alarm

While the video highlights what’s possible in ideal circumstances, with an extractable fingerprint and a victim who doesn’t change their passwords or revoke device access upon noticing their phone is missing, the odds of a successful attack occurring are slim. Those of you genuinely worried should take the appropriate measures above, namely ensuring you don’t allow the unlocking of your phone with a fingerprint and that you use a passcode that’s not easy to guess.

In response to the question we set out to answer: does the iPhone 5S fingerprint scanner increase the chance of theft? No, not really. It would be nice to see Apple implement a few of the changes suggested in the video for peace of mind, though.

What do you think? Have you had your iPhone stolen? Do you use your 5S fingerprint scanner to unlock your phone? Let me know in the comments below.

Image credits: randychiu, Fingerprint close-up (Chad Miller), Who’s been using my phone? (Chris Isherwood)

  1. Mel
    November 4, 2013 at 8:46 am

    My 5s is due to be delivered today but I'm wondering if there isn't another simple suggestion left off of the list for the user: simply use a different digit for TouchID than you use when using the device.

    For example, I almost exclusively use my left index finger for typing and tapping buttons. So if I don't register that finger with TouchID, the odds of finding a usable print for a TouchID-acceptable entry are dramatically reduced.

  2. Mel
    November 4, 2013 at 8:43 am

    "The video also presumes that the thief would successfully receive the email before Apple’s wipe request is processed by the device."
    He actually comments on that assumption in the video and says that has been his experience five times in a row.

  3. Anonymous
    October 28, 2013 at 3:55 am

    If users could choose which functions were accessible from each level of security, that would be helpful. Examples might be:
    Lock: music, timer
    Fingerprint: above, plus text, safari,...
    4-digit code: above, plus everything but email
    Passphrase: above, plus email.

    Some programs already require their own passwords (like keepass does), and there's no reason Apple couldn't just add an optional password each time the email app is used.

  4. jason warren
    October 23, 2013 at 7:32 pm

    Another downside to biometric authentication was mentioned in a Slashdot post recently: once compromised you're sunk forever. You can reset a compromised password, but, short of serious surgery you can't "reset" your fingerprint...or iris pattern...or or ....

  5. HAM
    October 23, 2013 at 6:29 am

    I still don't understand how the fingerprint sensor can be regarded as safe: if someone was interested in your data other than just the hardware, wouldn't it be easier for him/her to knock you out and use your actual finger on the spot to unlock the phone, rather than go through this process? - The thief will also earn time in the process until you come back to your senses.

  6. tl
    October 22, 2013 at 9:11 pm

    Very informative & thank you. How about writing an article on the procedural steps to take once a phone is found to be stolen?

    • Tim B
      October 23, 2013 at 6:24 am

      That's now on my to-do list! :)

    • Bonerrific
      October 24, 2013 at 4:52 am

      Deez Nutz!!
