IT Security Guru

Fingering the hackers

by The Gurus
September 26, 2013
in Opinions & Analysis

The way that the industry collectively came together to offer a near $4,000 bounty for the first person to break Apple’s Touch ID fingerprint scanner shows an interest in research, and how determined we are to show fallibility.

In the story, the challenge to break Touch ID, introduced as part of iOS 7 last week, was launched by independent security researchers Robert Graham and Nick DePetrillo, who put their own money up in order to create a bounty that would be awarded to the “winner”. This resulted in many others offering cash, bitcoins, books and alcohol for the first person to hack Touch ID.
However, why did people come together to do this? Is it not a criminal action to break something and report it? Look at how it was actually broken by the Chaos Computer Club, by effectively creating a fake finger with an image of the user’s fingerprint. Hardly a zero-day threat or software vulnerability.
The other issue here is in regard to fingerprint authentication; yes, it is unique to the user and hard to replicate, but look at your smartphone or tablet: there are fingerprints all over it. Is this the equivalent of writing your password on post-it notes and sticking them to your computer? Well, not really, but making a copy of something so present probably presents little challenge to the sophisticated minds out there.
How it was done by CCC is demonstrated in this video, and as you will see it is very unusual. Back in 2010, I asked if there was a flaw in biometrics if details are hacked, and it seems that this is the case here. Then LogLogic CEO Guy Churchward said that while biometric authentication is a great idea, the problem is that you cannot change your fingerprint like you can with a password.
In agreement with this was David Emm, senior security researcher at Kaspersky Labs, who said that if a passcode becomes compromised, he could replace it with a new one, but he cannot change his fingerprint.
“So if someone is able to fool a fingerprint reader by spoofing the fingerprint, you can’t just find a new fingerprint,” he said.
“If the CCC has indeed found an easy way to circumvent the Touch ID technology, then it would suggest that Apple’s ‘highly secure’ implementation may not be secure enough. Because of the nature of fingerprints, you effectively leave your password everywhere you go, so unless a fingerprint reader is able to fully distinguish between a real finger and a fake one, a fingerprint scan is a poor substitute for a password.”
I have thought that the future was fingerprint authentication for some time, especially with the prevalence of shiny surfaces on mobile devices, and if I am honest I don’t see how this will go away. But the point is the one Emm and I made in 2010: if the details are hacked and collected by a third party, it is not as easy as changing a password. Then again, you do have nine other fingers.