Apple's just launched fingerprint scanner may already be vulnerable

Apple's recently announced iPhone 5S Touch ID is designed to keep intruders out of the phone.

Fingerprint security will soon be available on the iPhone. After years of speculation, tech giant Apple made the big announcement at its Tuesday conference that the long-desired feature, now known as Touch ID, will be available on its iPhone 5S, launching on Sept. 20.

The sensor – 170 microns thin and capable of sensing 500 pixels per inch – is built right into the device's capacitive touch home button, which has been physically upgraded to a tougher sapphire crystal to avoid damage from overuse. The sensor is capable of scanning a user's sub-epidermal skin layers, as well as reading a fingerprint from any orientation in 360 degrees.

Longtime owners of the popular mobile who are set in their ways can still enjoy the old four-digit code method of unlocking their phones, but users who make the jump to Touch ID will be able to unlock their device more quickly, as well as authorize transactions from iTunes or the App Store.

Touch ID can enroll more than one fingerprint. The fingerprint data is stored only on the device itself and is never sent to or stored on any server, including Apple's.

Ehsan Foroughi, director of research at security consulting firm Security Compass, told SCMagazine.com on Tuesday that he believes Touch ID is a strong feature for device security, but added that it would benefit from integration with logging into Gmail, Twitter, Facebook and other popular websites.

“IBM laptops have used fingerprint readers, but it didn't get to anything further than logging into the laptop,” said Foroughi. “It's the same [right now] with this technology. It makes baseline security better because people are a bit lazy and don't want to type in a four-digit PIN to unlock their phone. It's just more convenient.”

For those who use their iPhones for important matters, Foroughi said he would avoid using the feature right out of the gate due to possible bugs and kinks in the software that attackers may be able to exploit. He also expressed some concern over what would happen if the sensor was physically damaged.

And, when it comes to bypassing biometric security altogether, things get a tad movie-like. Foroughi said that hackers have found success by pulling fingerprints off soda cans, reproducing them on plastic moldings and using them to act as the fingerprint. Another way involves freezing up RAM memory on a device to retain its state and then installing the RAM on a separate device.

“For a regular user, I would start using it. It's safe, it's user friendly – why not?” said Foroughi, explaining that iPhone owners should continue to use tracking apps and remote wiping apps for added protection.

Dave Aitel, CEO of software security company Immunity, told SCMagazine.com on Tuesday that he is more skeptical of the feature. “Biometrics work in a layered security setup, as one more thing an attacker has to get past, but shouldn't be relied on any more than that,” he said. “The other point to consider is that fingerprints are not proven to be unique. A lot of times things that seem unique are predictable. But they are not a secret. That part is something that kills them for authentication.”
