Along with the new look and functionality of iOS 7, probably the biggest feature of the new iPhone 5s is TouchID, the integrated fingerprint scanner. To unlock the phone, the user now holds a finger over the "Home" button for half a second rather than keying in a passcode. The fingerprint not only unlocks the phone, it also serves as the user's iTunes credentials. As luck would have it, within three days of the first sales, the fingerprint scanner had already been hacked.
I have been involved in security planning and more specifically mobile security for years, and I typically take a fairly conservative approach--as do most security professionals. With the move to bring your own device (BYOD) initiatives, there is a growing concern about the vulnerability of corporate data that may be residing on those personally-owned devices. While there have been some "exotic" security mechanisms trotted out like Android's facial recognition, cellular callback mechanisms, grid cards, and various forms of biometrics, most organizations are sticking with the tried and true.
In the InformationWeek 2013 Survey on the State of Mobile Security we asked 424 IT professionals what device authentication mechanisms they use, and "User name/password" topped the list with 73% of responses, followed by "Password to access corporate data" (55%) and "Power on device password" (46%); multiple responses were allowed. About a third used on-device certificates, and about 20% use secure tokens. None of the "exotics" surpassed 5% of respondents.
So the big question is, will TouchID provide a level of security sufficient to appease the moderately to severely paranoid? The first thing to recognize is that any meaningful security measure is going to involve some degree of inconvenience. While I don't like it, I use a password to lock my iPhone--research indicates that 50% of iPhone users (including my wife) do not.
To hack the TouchID, you would first have to figure out which finger is being used, though it’s typically the thumb (no, you can’t cut it off). Then you would have to learn how to lift fingerprints--I’m guessing that watching 200 episodes of CSI won’t do the trick. Then you need to reverse the image and use an etching technique to burn it it into a medium. I find it hard to believe that anyone but a professional would be able to pull this off.
Beyond that, there are other inherent protections. The device will still have a password that must be reentered after either a restart, 48 hours of idle time, or five unsuccessful access attempts. Also, if the iPhone is stolen, you can lock it through iCloud.
While I'm not yet due for an upgrade (and I'm not so "rabid" as to want to sell my old one on eBay to buy the new one sooner), I am looking forward to this and I think the risks are more than manageable. It will be interesting to see where the "supremely paranoid" (which, by the way, is a justifiable level of paranoia in some environments) will come down on iTouch. Clearly the hackers will continue to pick away at it, but Apple seems to have done a more than adequate job of covering its bases. In the meantime, I’m going with David Pogue, for my security needs--I’m not worried.
Follow Michael Finneran on Twitter and Google+!
@dBrnWireless
Michael Finneran on Google+
