On September 10th, Apple announced the new iPhone 5s. Among its many upgrades, one new feature particularly drew the interest of both the media and consumers: the fingerprint biometrics built into the iPhone, known as Touch ID. Fingerprint technology has been used as a means of identification in the security industry for years. Apple is the first smartphone company to incorporate it into a handheld consumer device. Touch ID is described as a way to use your fingerprint as a passcode. Apple has reported that “over 50% of smartphone users don’t use a passcode.” Apple’s Touch ID is an easier way for the consumer to activate the feature and secure the contents of the device.
As with all security-related software, it is just a matter of time before someone breaks the code and designs a work-around. Ten days after the launch, the hacking team known as Computer Chaos Club (CCC) designed a work-around for the new fingerprint security system. Interestingly, the process CCC used to compromise Touch ID is an update to a technique that has been well known in security circles for years. According to news reports, in 2002 a Japanese cryptographer used gelatin (found in food items) and a plastic mold to create a fake finger, which was used to fool fingerprint detectors four times out of five.
As with any technology, we have to look at it through the mind of the criminal element. The information on the smart device would have to be of great value for anyone to entertain such a process. For the average consumer, the information on their particular device is probably not worth the time or effort needed to compromise it. The critical element here is the print itself. I would suspect it would have to be in very good, if not pristine, condition. The slightest smudge would render the print ineffective for counterfeit purposes. The current work-around would more likely be used in a James Bond movie than to compromise an everyday consumer’s iPhone.
If you are concerned by the above scenario, then a secure data storage application would be an additional line of defence to protect your data. The encrypted data would be very difficult to access unless the perpetrator was versed in the application being used to protect the information. Once again, what does the average consumer have on their smart device that would be worth the effort to go through the process described by CCC? Remember, the perpetrator has only five attempts to break through the scanner before the security feature falls back to the passcode.
For anyone generally concerned about security on their new iPhone 5s, here are a few tips that can help further secure your phone:
* Turn Simple Passcode off. This alone will allow you to set a longer, more secure passcode that uses a variety of symbols, numbers, and upper- and lower-case letters.
* Regularly back up and delete any information you would not want someone else to have access to.
* Use encrypted data storage applications to store information that you don’t want accessed by others. Some of those applications include “Stash,” “GoodReader,” “Vault,” etc.
Also, a comprehensive BYOD (bring-your-own-device) policy would be very beneficial. The number of smartphone users is on the rise, but mobile security is still in its infancy. Following the steps listed above would be incredibly beneficial in limiting the scope of compromises and attempts to access the data on your device. The best security practice is to not store sensitive data on your phone or device. Each individual’s device and security needs are unique. There is no cookie-cutter system for everyone. The level of security should be dictated by the needs of the user/consumer. For the majority of iPhone 5s users, the Touch ID® security component is drastically more secure than just a four-digit passcode. Nothing is ever 100% secure, but this additional feature is a step in the right direction. You are more likely to be targeted by a phishing campaign than by a targeted iPhone attack. Safe security implementations will allow you to be secure and decrease the chance of your data being compromised.