Skip to main content

iPhone 5S's fingerprint authentication hacked

Well, that was quick

The iPhone 5S was just released, and already its highly-touted fingerprint authentication scheme has been hacked. The Chaos Computer Club, a European confederacy of hackers, has managed to hack an iPhone 5S's fingerprint authentication, and to do it without breaking a sweat.

Chaos Computer Club breaks Apple TouchID

Links from that article will show you how it's done. How easy is it? It's not a cakewalk, but I'm pretty sure I could do it.

I'm not too surprised by this. The security experts I've read generally don't regard fingerprint authentication as a very good way to secure anything very valuable. You can't change your fingerprints and you leave them all over the place. And it appears to be far easier to fake the tip of your finger than I would have thought.

It's complicated

Should you worry about this? I would, at least a little. [See addendum below.] Don't have a 5S here and I'm actually not quite sure what other options it might give users for security. For example, combining fingerprint authentication and a passcode challenge would probably be pretty secure — certainly much more secure than either one alone. If I did get an iPhone 5S, there's a good chance I'd stick with the four-digit code, or even better, use a longer alphanumeric passcode.

Of course, the strength of any security scheme has to be assessed in relation to the threat against which you are trying to protect yourself. In my neighborhood, I'm not worried — well, not very worried — about random gunshots or home invasion (thank God). The security system we have installed is better than we think we need, but the security at the White House is presumably much better. If you're just trying to keep your children or coworkers out of your iPhone, then fingerprint ID might be great. It might even be okay if you don't expect your phone ever to fall into the hands of intelligent thieves.

Cost or inconvenience are also important. Fingerprint authentication or touch ID is certainly easy and quick, much quicker and easier than typing a four-digit number. That's the big plus for touch ID.

And the four-digit number scheme isn't all that secure, either. For starters, there's a reasonably high chance that somebody could get lucky and guess your four-digits before the phone locks up. It's not a simple math calculation: We know for example that "1234" is an extremely common passcode. So if I were a thief, I'd try "1234" for starters. There's a pretty good chance that will get me in. And even if you manage to pick one of the least common pass codes, a thief can still get lucky. There's just no way that a four-digit passcode can protect my phone the way much, much longer and more complicated passwords protect my bank and email accounts.

Bottom line

Security is a very difficult problem — not difficult to understand, but difficult to solve. Best advice: Worry less about your iPhone and more about the accounts that are accessible inside your iPhone. If somebody steals your iPhone and manages to get into it, you want them to be unable to do much more than look at your pictures of your cat. So, make sure that the passwords you have on all of your important accounts are

  • long
  • hard to guess
  • unique to each account
  • not stored in the open anywhere
And to make this work use a password management tool like 1Password (what I use), LastPass. Do not store passwords in your browser! If you want more info, get Joe Kissell's excellent book Take Control of Your Passwords, or contact me directly.



ADDENDUM. I didn't come across Ed Bott's article on this subject over at ZDNet, but he says many of the same things I've said here. But, while I'm a little bit nervous about fingerprint authentication, Bott is reasonably positive. One point: "The real lesson in all of this isn’t that fingerprints are untrustworthy. In fact, the opposite is true. For everyday use, a fingerprint is far more secure than a four-digit passcode." Read his entire piece; it's good.

Comments

Popular posts from this blog

Setting up OAUTH with Google in FileMaker 16

Setting up OAuth with Google in FileMaker 16Posted by William Porter Intended audience: Intermediate to Advanced FileMaker developers Date of publication: 2017-June-06
One of the many exciting features in FileMaker 16 (released last month) is OAuth or Open Authentication. Open Authentication allows users to connect to a FileMaker database after authenticating with an external (non-FileMaker) account. At the present time, FileMaker supports OAuth through Google, Amazon and Microsoft.
If you're a developer there are two main questions to answer. First, should I do this? And second, how do I do it? I'll answer the first question later. It's important.
But the other question--How do I setup OAuth?--is answered in the attached document. I wrote this tutorial with the help of my friend and colleague Taylor Sharpe of Taylor Made Services, also here in Dallas. We provide step-by-step instructions on how to get your users authenticating into your FileMaker databases using Google. (A…

Virtual List Basics

The conceptThe basic trick behind virtual lists is the wonderful GetValue() function. GetValue() takes two parameters: A list of return-delimited values A number specifying which value in the list to get

For example say you have a field in a single record called “List of Values” and it contains the following:

   Apple
   Boy
   Cat
   Doorknob
   Elephant
   Fish
When that record is selected, GetValue ( MYTABLE::List of Values ; 4 ) will return “Doorknob”.

The brilliant idea is to replace the list of values stored in a field with a list in a global variable.

The basic implementation, part oneCreate a table called VIRTUALLIST. In it, define these two fields: VALUE NUMBER: a number field Value_calc: calc field returning text value, = “GetValue ( $$VALUES; VALUENUMBER )”. Make sure that this value is an unstored calculation.

Go to the layout for the VIRTUALLIST table and create some records. Later you can create hundreds or thousands, but right now just ten will do. Use ReplaceFieldContents to po…

Getting out of fullscreen mode in FileMaker Pro

In version 2 of Acquittal, our criminal defense case management app, we're doing some nifty stuff with windows, and that means we're finding out that even in FileMaker Pro 15, we still don't have quite all the tools we'd like for managing windows.  One problem is how to trap for the possibility that the user has switched into fullscreen mode. The other problem is how to get out of it.


Is this window in fullscreen mode?
This one's not too hard. This calc formula seems to do the trick:

Get ( WindowHeight ) = Get ( ScreenHeight ) and
Get ( WindowWidth ) = Get ( ScreenWidth)

That will return true if the window is in fullscreen mode, false if it's not.

Why does this matter? Because there are certain things that you can't do with a window if it's in fullscreen mode. In Acquittal, for example, there are times when we want to generate a second "sidecar" window, then display the main and sidecar windows side-by-side. Can't do it if the main window …