iPhone 5s security limping out of gate, proving it has a lot to learn

iPhone 5s security limping out of gate, proving it has a lot to learn

Summary: It's been a rough start for Touch ID and iOS7 security

TOPICS: iPhone, Security

During ZDNet's Great Debate prior to the release of Apple's iPhone 5s with Touch ID, I argued that once released hackers would determine the strength of the fingerprint scanner and other iOS7 security features.

iPhone 5 security

Well, the results are funneling in and it seems there are plenty of soft spots. Touch ID has already been hacked and the first to do it is set to collect a bounty that may exceed $11,000.

In fact, the hacker, known as Starbug, told ArsTechnica, "There was no challenge at all; the attack was very straightforward and trivial."

Also, there have (again) been lockscreen bypass flaws uncovered, and methods discovered to con Siri into giving an intruder access to messaging and social media apps. And there is the fact that Touch ID can be bypassed entirely by rebooting the phone and hacking on the 4-digit passcode instead.

While all of this is likely erased with eventual OS upgrades, it gets at a larger point I was making last week; as Touch ID moves from pilot phase and its on-phone sandbox does Apple have the chops to design a security system worthy of consumer, and more important, enterprise mobile computing?

The early returns don't point to a favorable outcome. And they point at a broader issue and to why Apple should keep failing, learning and innovating.

Identity, authentication and authorization won't come in one finger or even one package.

Identity and access management needs multiple authentication methods with varying degrees of security used alone or in combination. The environment will be a tiered labyrinth of security with trusted stewards and interoperable hubs.

Today, the National Institute of Standards and Technology's (NIST) Electronic Authentication Guidelines describe four levels of assurance, which grade credentials on how an identity was registered, how the user authenticates, and if the credential meets the needs of the Web site considering the authentication request. The guidelines define areas within each level that dictate identity-proofing, registration, tokens, management processes, authentication protocols and related assertions.

It is that kind of layering of proof points that will allow authentication and authorization to be stretched among networks, clouds and mobile computing. And stretch it will. Gartner said earlier this year that by 2016 federated single sign-on (SSO) will be the most predominant SSO technology; deployed by some 80% of enterprises.

NIST, via its National Strategy for Trusted Identities in Cyberspace (NSTIC) has already invested $16 million in private sector pilot programs to understand how all that technology and layering will provide credentials (fingerprints and biometrics included) that match the right amount of identity proofing (down to in-person proofing at the highest level of assurance) with the right online access and transactions.

Apple itself invested $356 million to acquire AuthenTec and its fingerprint reader technology. Based on iPhone 5s sales to date there is a good chance that will be deemed a worthy investment.

But if Apple wants to continue to invest in security features, not just to protect the phone, but to protect access to applications, including corporate apps, it will have to log these tough days of hack attacks as the price on entry into the broader authentication and authorization landscape.



Topics: iPhone, Security


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Yes but

    How do you fix this? You're talking about the exact fingerprint and it very much shows the technology is limited... It has to be some biometric device that doesn't leave an external print.
    • The problem is not the limitations of technology

      All technology is limited when first implemented. It takes time and development to make things work, and improve on a current imperfect system.

      The reason people are relishing over Apple's failure is because Apple, in past, was quick to SLAM others over implementation of new technology that also did not work perfectly. They would wait until technology had matured (over other's backs), swoop in and tout "it just works!"

      So, yes Apple deserves this and more. I cannot wait until Samsung, HTC, and Motorola start making commercials about this. You know, the way Apple use to make Mac/PC commercials...payback is a bitch -
    • 2 Factor Authentication

      Biometric devices such as fingerprint scanners are most effective when used in pairs; fingerprint scanner + retinal scan, etc. As a standalone option fingerprint scanners are weak. A retinal scan on the other hand isn't easily thwarted due to the fact that no one can surreptitiously make a copy of your retina!
  • Nosing Up

    Plunked down for a digital version of Bud Sagendorf's first four Popeye Comic books. In one, a fight promoter has manipulated public opinion to think Popeye is a coward, and one kid walks past the sailor who yam what he yam with his nose pointed firmly up. "Coward" he say. Popeye explains what he knows of the manipulation (which included duping Olive Oyl into convincing him that fighting is barbaric). Nose still up in the air, the kid says "Coward" and walks off.

    Okay, isn't the prediction that the next security thing that someone does will be cracked the obvious one to make? The one that requires an under/over to make any wagers interesting?

    The first obvious point is that Apple will sell a bunch of 4S and 5c phones which do not have TouchID. If past is prologue, then we know these people will not set a passcode. Should Apple have continued on that way and not bothered with TouchID on the 5s or done as it has, move the security bar a bit forward on one of its products with the likelihood that, if it works to the satisfaction of the consumer, not only will it be on other Apple products in incrementally improved state, but on competitors' products as well. We all assume, and you say, this will get better with time. We all know that TouchID is better than no pass code. We all expect that for most of us, the phone is far more valuable than our data.

    As to Emergency dialing, here's a place where security being the inversion of usability manifests. A more stringent barrier to bypass would be more secure and more dangerous to a user who needs to use a phone now because it is an emergency.

    In both cases, it's not perfect, it's not even at the place where the industry standard will be in ten years, it's a start and all these cracking demos have assumed the cracker has the phone.

    Don't you security experts consider it all over any way at that point?
    • I'm pleased your arguments destroyed his conclusions, Dan

      And your allegorical story was a perfect foil to his blog points. (And well stated, I might add. Grin)

      I bet dollars to donuts he felt the Motorola Atrix's biometric scanner was the best thing since sliced bread only because it wasn't manufactured by a certain company with an apple logo. (Yes, I sensed his bias when I read his article, too.)
      • Seriously?

        The best you can come up with is the old "he must hate Apple" rhetoric? My this place is getting long in the tooth, indeed.

        Let's face facts here. The best Apple could come up with this time around to woo potential market share away from the burgeoning and rapidly improving Android market (and I ALWAYS add the sidebar that I am a happy iOS user) is to re-hash a technology that's been around for decades. Yes, they typically have a history of turning age old technologies into ones people actually want to use, but this time it's just too little to be of real value without an intensely strong security infrastructure behind the scenes. And this article is simply pointing that out.

        Where is this so called bias?
        • In retrospect, perhaps my accusation of biased opinions was inaccurate.

          However, it is fair to say that Mr. Fontana had objectives for his article and to validate his blog points, he needed to present the security aspects of Apple's Touch ID fingerprint recognition tech in the worst possible light. He also needed to downplay, as much as possible, Apple's combined efforts in smartphone system security efforts. Both of those debate tactics exaggerate a single side of an issue at the expense of reporting counter arguments. And, as such, colors his points of view so much as to give the impression of bias.

          Let me explain. (Since you asked)

          Mr. Fontana expresses a less than flattering opinion of Apple's security efforts to date and offers a pessimistic opinion over their future security efforts. For example, in reference to the Touch ID sensor itself, he quotes Starbug and in doing so, implies he agrees with Starbug's assertion that "There was no challenge at all; the attack was very straightforward and trivial."

          However, in Ed Bott's latest ZDNet blog, Apple's advanced fingerprint technology is hacked; should you worry?, Mr. Bott points out that the techniques used to fool Apple's Touch ID sensor are anything but "trivial". Ed's conclusion is that, for it's intended use, Apple's Touch ID sensor tech incorporates sufficient built-in security features. (By the way, I rate Ed's article free of bias or straw dog debate tactics in contrast to Mr. Fontana's blog efforts.)

          Again, Mr. Fontana opines that Apple's efforts to date lack the technical "chops" needed for acceptable consumer and enterprise smartphone security protection or that, in his opinion, Apple's prospects for improvement in this category are very doubtful, at best.

          Nowhere does he mention counter arguments to that hypothesis. For example, an article in the Verge points out that the NYPD endorses the adoption of Apple's iOS 7 for it's security features. Specifically, and I quote form the article, "Devices running iOS 7 can be remotely secured when lost, making it so that a device's associated Apple ID and password must be entered before it can be wiped and used again. In effect, the new system could make an iPhone almost unusable when stolen, should the system work as planned. The NYPD is evidently hoping that it will discourage thieves."

          Those interested can read the entire article at http://www.theverge.com/2013/9/22/475834/nypd-promotes-ios-7-activation-lock-to-reduce-apple-picking-theft

          Finally, your comment opinion that Apple's Touch ID sensor tech is lacking "real value without an intensely strong security infrastructure behind the scenes" can find far too many reputable counter arguments published on the Internet to mention (in addition to the ones I cited to counter Mr. Fontana's "unbiased" conjectures.
    • Nice but incomplete

      Great rhetoric but missing the point unless you agree this is another "gimmick" put forth by Apple to enhance appeal to the masses. What was portrayed, rumored and hinted at turned out to be not much of anything.
      Fingerprint biometric security - whoopee....... I do know my job will not allow use of it on a device that can access work. This makes it less than useless.
      My biggest concern is how will this affect the hardware lifespan of the home button.
  • knocked out, drugged,dead drunk, or sleeping hard

    What about when street punks start knocking out people with the iphone 5s, then scanning with their limp finger so they can restore to factory settings? What about the same thing happening after someone is slipped a roofie, passed out drunk, or simply asleep.
  • Pathetic Article

    First off, Apple still is a consumer good company. Excessive compatibility with the much more stringent demands from business customers is not Apples cup of tea.

    By scolding Apple on its omissions and failures we should keep an eye on Microsoft. Its heap of infamous blunders and messed up sw updates is epic to say. If that is not enough how about the mind twisting Java security holes.

    So, let's keep it real. Apple is not worse than all in the others in that department.
    • Exactly!

      Microsoft gets racked over the coals when they fail. Why should Apple be excluded from the same scrutiny?

      Pointing a finger at Microsoft doesn't diminish the issues Apple is having. It is effectively saying "Hey look over there! Don't look at this."

      Fingerprint scanners have existed in computers for a long time now. If they were so secure and great they would dominate security for PCs, but they don't. Apple is using it as a marketing point and a slight convenience for its users, but presenting it as some sort of hardening for their phones that make them harder to hack... which they don't
  • straightforward and trivial?

    All this 'easily hacked' nonsense sounds like you leave your phone in a bar and the next person picks it up and unlocks it in minutes. Has anyone even actually unlocked one of these from a random print left on a phone? You'd need to be a forensic scientist with latex gloves, plastic bags, and a few hours to spare to even have a chance. I mean come on folks!
    • No you don't.

      You need about $150 worth of equipment and a phone to practice on. Once you know what your doing, it's easy money.