Marc Rogers of Lookout wrote a nice analysis up on his experience replicating the attack on Apple’s new TouchID in Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.
First, a few excerpts from Marc's thoughtful conclusions, followed by my own analysis and perspective on the bigger picture, which attempts to put it into context for both IT professionals and everybody else:
Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.
TouchID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.
Today, we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card because you can perform many of the same financial transactions with it. Fingerprint security will help protect you against the three biggest threats facing smartphone users today:
- Fingerprint security will protect your data from a street thief that grabs your phone.
- Fingerprint security will protect you in the event you drop/forget/misplace your phone.
- Fingerprint security could protect you against phishing attacks (if Apple allows it)
The key here is that Touch ID is better than having no password/PIN at all, which is how a large percentage of iPhone users have their phones configured according to Apple (and my own anecdotal surveys). Security is not about absolutes. It is about incremental improvements over some other state or situation. To judge whether something is an improvement you first have to be clear on the state things are in and the situation the enhancement is meant to address.
Calling something out as “insecure” is an empty statement that makes one sound self-important and does everyone a disservice. There may be valid security concerns – there always are – but they cannot be properly evaluated and the risks/rewards weighed without contextual information.
Touch ID makes a lot of sense given the context of 1 in 2 phone users having no PIN protecting their phone at all – and the modern smart phone being a portal to everybody’s email, financial, and on-line service accounts.
Basically the objective seems to have been: Come up with something that users who are not using PINs at all will use, and that is nearly as secure as having a PIN in nearly all scenarios of casual loss or theft.
It is not about coming up with something more secure than a PIN. It is about having something that is better than no PIN that a non-technical and non-security aware user will bother to use.
If an attacker wishes to target an individual user, there are far lower-hanging fruit than stealing the victim's phone and then reproducing their fingerprint[1]. Off the top of my head, you could look over the victim's shoulder, social engineer them, steal their phone while it's unlocked, go for their laptop instead, hack their email, intercept and do a man-in-the-middle attack on their unencrypted WiFi at their favorite coffee shop, or tens of other possibilities.[2]
But, remember, we’re generally not concerned about targeted attacks. That is, not for folks that don’t even have PINs on their phones. These folks are literally sitting ducks for casual-happenstance-completely-untargeted-attacks and the overall goal is to simply improve their overall security posture. That is, to reduce the quantity and shallowness of their “low hanging fruit.”
A targeted attack is always harder to protect against. But this is not what Touch ID is about.
The phrase "potential to be hacked" – which I've seen tossed around as a vague criticism of Touch ID – is a ridiculous statement. Fort Knox can be hacked. So can your bank. It's all a matter of degrees of effort (and risk) required by the perpetrator[3].
There are some valid reasons for not using Touch ID, but those only apply to the non-average user. The Chaos Computer Club talks about some of them in the last couple of paragraphs of their original report on hacking the Touch ID. They are valid points, but have nothing to do with the 1 in 2 users who do not have any protection against even the most casual of attacks or accidents.
Touch ID’s greatest legacy – assuming it stands up to further scrutiny that permits it to stay more secure than the other low hanging fruit relevant to casual non-targeted attacks – may be getting more users to put even a minimal amount of tamper resistance on their phone.
“Tamper resistance”, incidentally, is probably a fairly appropriate phrase to use here, but no one other than power users and security engineers will understand why. Which is kind of the point: this isn’t about them. But this type of security enhancement does help them in their jobs, at least if they are responsible for any information assets that are accessed by those 1 in 2 iPhone users without PINs on their phone.
I will close with one final thought. It is possible that some people will start using Touch ID believing it is secure against attacks it is actually not effective against. This is always an issue. After all, even what is secure against certain attacks today may not be tomorrow, as more information and new techniques are developed.
This is why there are people like security engineers, IT professionals, developers, and manufacturers who stay abreast of new developments. It’s their job to research and assess these things – not their users/customers though that can be helpful too of course – and then to provide guidance or solutions that help push their users/customers forward, elevating everyone’s security posture.
Security is a (perpetual) journey, not a destination.