iPhone 5S: Fanbois, your prints are safe from the NSA, claim infosec bods

But is it a decent authentication method? The jury's out...

3 Big data security analytics techniques

If the implementation's crap, it'll get nicked

Poorly implemented fingerprint recognition could be readily defeated by thieves, Henry warns. Fingerprints are not secret: we leave fingerprint impressions wherever we go, and this might spawn problems.

"How secure is a fingerprint really," Henry said. "After all, we leave them quite literally everywhere and at a minimum, they’re all over the phone. So how secure is it? If I lose my phone, could the person who picks it up use the fingerprints I’ve left behind to gain access?"

"Again, this will depend on implementation, particularly on the quality of the sensor. A good fingerprint reader doesn’t just look at the ridges – it looks at pore, temperature, pulse, and other factors. If it doesn’t, it can be pretty easily cracked."

"As an example, a few years ago a company developed a mouse with an optical fingerprint scanner. If I breathed on the scanner to fog it up, it would recognize the fingerprint the previous user left behind and authenticate me," he added.

Security guru Bruce Schneier has posted a blog post, first carried by Wired, that broadly welcomes Apple's introduction of fingerprint recognition tech.

"Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device," Schneier writes.

"Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn't a secret; you leave it everywhere you touch.

"And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that's used to make Gummi bears."

'The tech's just not sophisticated enough'

Andy Kemshall, co-founder and technical director of two-factor authentication outfit SecurEnvoy, is keen to lump fingerprint authentication in with other biometrics as less mature technologies than the SMS authentication through mobile phones his firm sells.

“Fingerprint scanning, eyeball scanning, voice and face recognition are all at least a decade away from being reliable enough to use as authentication methods. The technology simply isn’t sophisticated enough. Take the face recognition method for example – as the technology stands, a device will unlock just by holding up a photo of the owner."

George Anderson, a marketing manager at security software firm Webroot, expressed broadly similar concerns about whether "temperamental" biometric technology was enterprise ready.

“If implemented well on the iPhone, biometrics could become a great mobile security measure," Anderson said. "If it turns out, however, that the fingerprint scanner will not be an additional security layer but a substitution for passcode authentication, that would be a disappointing news. Passcodes, while basic, are much less prone to errors than fingerprint biometrics. Biometrics is a temperamental technology and it should not be relied upon as a single security measure. A combination of both types of authentication is much more powerful from a security perspective than either on their own."

As a result of the wider BYOD phenomenon Apple iPhone 5Ss are going to make their way into the enterprise market sooner rather than later. Adam Ely, co-founder of enterprise mobile security startup Bluebox said the inclusion of fingering recognition technology in Apple's high-end smartphones could spur a revamp in corporate log-in technology that previous long standing availability of fingerprint scanners in laptops failed to encourage.

"Fingerprint scanners can be a big win for enterprise security,” said Ely. “Many enterprises wish to extend their IAM (identity access management) to mobile applications and devices but typing complex passwords is too cumbersome. Even though laptops have come with fingerprint scanners for many years, the need and application integration wasn't strong enough for enterprises to implement. Mobile may breath new life into this technology giving both end users and enterprises big wins."

Will authentication become the Achilles heel of the iPhone 5S?

Samsung was a major customer of AuthenTec before it was acquired by Apple. The Korean manufacturer is rumoured to be rolling out fingerprint scanning in future Galaxy devices. Independent security expert Graham Cluley speculates that the technology might find it's way onto Apple's iPad fondleslabs in future as part of a more general FAQ about the technology here.

Lumension's Henry added that reliability will be just as important as security in the success of the technology. "There’s a lot riding on the reliability factor," Henry said. "Will it work if I go for a swim and try to use my phone with raisin hands? What if it’s cold outside and my fingers have shrivelled a bit? Can I use my phone then? People aren’t going to be happy if they’re locked out of their phones because of environmental factors.

"As Apple well knows, if it’s not both reliable and convenient, users will turn it off," he added.

A good overview of the various security issues around the introduction of fingerprint authentication by Apple in the iPhone 5S model can be found in a blog post by John Hawes on Sophos's Naked Security blog.

The iPhone 5S boasts improved camera and battery life, and was launched by Apple alongside the more affordable iPhone 5C, a plastic affair that'll be available in a wide range of colours. ®

SANS - Survey on application security programs

More from The Register

next story
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
US mobile firms cave on kill switch, agree to install anti-theft code
Slow and kludgy rollout will protect corporate profits
Leaked pics show EMBIGGENED iPhone 6 screen
Fat-fingered fanbois rejoice over Chinternet snaps
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Report: Apple seeking to raise iPhone 6 price by a HUNDRED BUCKS
'Well, that 5c experiment didn't go so well – let's try the other direction'
Feast your PUNY eyes on highest resolution phone display EVER
Too much pixel dust for your strained eyeballs to handle
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Hearthstone: Heroes of Warcraft – A jolly little war for lunchtime
Free-to-play WoW turn-based game when you have 20 minutes to kill
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.