Wednesday, September 25, 2013

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.



September 23, 2013


    By now, the news is out: TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch.
    The fact that fingerprints can be lifted is not really up for debate; CSI technicians have been doing it for decades. The big question with TouchID was whether or not Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried but failed to implement a completely secure solution.
    Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

    Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.
    First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself. Hold an iPhone in your hand and try the various positions that you would use the phone in. You will notice that the thumb doesn’t often come into full contact with the phone and when it does it’s usually in motion. This means they tend to be smudged. So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.
    Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.
    So now what? If you got this far, the chances are you have a slightly smudged print stuck to a white card. Can you use this to unlock the phone? This used to work on some of the older readers, but not for many years now, and certainly not with this device. To crack this control you will need to create an actual fake fingerprint.
    Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer. First of all, you have to photograph the print, remembering to preserve scale, maintain adequate resolution and ensure you don’t skew or distort the print. Next, you have to edit the print and clean up as much of the smudging as possible. Once complete, you have two options:
    • The CCC method. Invert the print in software, and print it out onto transparency film using a laser printer set to maximum toner density. Then smear glue and glycerol on the ink side of the print and leave it to cure. Once dried you have a thin layer of rubbery dried glue that serves as your fake print.
    • I used a technique demonstrated by Tsutomu Matsumoto in his 2002 paper “The Impact of Artificial “Gummy” Fingers on Fingerprint Systems”. In this technique, you take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called “etching” which washes away all of the exposed copper leaving behind a fingerprint mold. Smear glue over this and when it dries, you have a fake fingerprint.
    Using fake fingerprints is a little tricky; I got the best results by sticking it to a slightly damp finger. My supposition is that this tactic improves contact by evening out any difference in electrical conductivity between this and the original finger.
    So what do we learn from all this?
    Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints, requiring a PIN code to unlock it. However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with the time and resources to observe his victim and collect data is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.
    TouchID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.
    Today, we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card because you can perform many of the same financial transactions with it. Fingerprint security will help protect you against the three biggest threats facing smartphone users today:
    • Fingerprint security will protect your data from a street thief that grabs your phone.
    • Fingerprint security will protect you in the event you drop/forget/misplace your phone.
    • Fingerprint security could protect you against phishing attacks (if Apple allows it).
    Fingerprint security has a darker side though: we need to carefully evaluate how its data is going to be managed and the impact it will have on personal privacy. First and foremost is the question of how fingerprint data will be managed. As Senator Al Franken pointed out to Apple in his letter dated September 19, we only have ten fingerprints and a stolen or public fingerprint could lead to lifelong challenges. Just imagine your fingerprints turning up at every crime scene in the country!
    The big questions here are:
    1. What data does Apple capture from a finger as it is enrolled?
    2. How is this data stored and how is it accessed?
    3. Can this data be used to recreate a user’s fingerprint mathematically or through visual reconstruction?
    In a similar fashion, fingerprints are viewed quite differently to passwords and PINs in the eyes of the law. For example, the police or other law enforcement officials can compel you to surrender your fingerprints, something they currently can’t do quite as easily with passwords or PINs despite some recent judicial challenges to that position.
    As a technology, fingerprint biometrics has a flaw that’s likely to be repeatedly exposed and fixed in future products. We shouldn’t let this distract us or make us think that fingerprint biometrics should be abandoned; instead we should ensure that future products and services are designed with this in consideration. If we play to its strengths and anticipate its weaknesses, fingerprint biometrics can add great value to both security and user experience.
    What I, and many of my colleagues, are waiting for (with bated breath) is TouchID enabled two-factor authentication. By combining two low to medium security tokens, such as a fingerprint and a 4 digit PIN, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.
    Imagine a banking application where on startup you use a fingerprint for convenience – it’s nice and quick and only needs to ensure the right person has started it. However, as soon as you want to do something sensitive like check a balance or transfer some funds we kick it up a notch by asking for two-factor authentication – the fingerprint and a 4 digit PIN. This combination is strong enough to protect the user against most scenarios from physical theft through to phishing attacks.
    If implemented correctly, TouchID enabled two-factor authentication in enterprise applications could be a good defense against phishing attacks by attackers like the Syrian Electronic Army. You can trick a user into giving up any kind of passcode, but it is much harder to trick a user into giving up his or her fingerprints from the other side of the world.
    Despite being hacked, TouchID is an exciting step forward for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.
    For starters, Apple: can we have two-factor authentication please?
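    The step-up design sketched above, together with the five-miss lockout mentioned earlier, as an added policy model (not Apple's code, not the author's): a matched fingerprint alone opens the app, a sensitive action needs fingerprint and PIN, and after five failed reads only the PIN unlocks. Action names, the 4-digit PIN handling and the enum are assumptions for illustration.

```python
import hashlib, hmac, os
from enum import Enum

MAX_BIOMETRIC_FAILURES = 5  # from the post: five misses, then only the PIN unlocks
SENSITIVE_ACTIONS = {"check_balance", "transfer_funds"}  # constructed policy table

class Result(Enum):
    OK = "ok"
    DENIED = "denied"
    PIN_REQUIRED = "biometric locked out, enter PIN"
    STEP_UP = "sensitive action, second factor needed"

class AuthPolicy:
    def __init__(self, pin: str):
        # Keep only a salted PBKDF2 hash of the PIN, never the PIN itself.
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self.failures = 0      # consecutive failed fingerprint reads
        self.factors = set()   # factors presented in this session

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def fingerprint(self, matched: bool) -> Result:
        """Sensor verdict for one read; after the fifth miss only the PIN works."""
        if self.failures >= MAX_BIOMETRIC_FAILURES:
            return Result.PIN_REQUIRED
        if not matched:
            self.failures += 1
            locked = self.failures >= MAX_BIOMETRIC_FAILURES
            return Result.PIN_REQUIRED if locked else Result.DENIED
        self.failures = 0
        self.factors.add("fingerprint")
        return Result.OK

    def pin(self, entered: str) -> Result:
        """Constant-time check; a correct PIN also clears the biometric lockout."""
        if not hmac.compare_digest(self._hash_pin(entered), self._pin_hash):
            return Result.DENIED
        self.failures = 0
        self.factors.add("pin")
        return Result.OK

    def authorize(self, action: str) -> Result:
        """Any one factor opens the app; a sensitive action needs both."""
        if not self.factors:
            return Result.DENIED
        if action in SENSITIVE_ACTIONS and self.factors < {"fingerprint", "pin"}:
            return Result.STEP_UP
        return Result.OK
```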

The Myth of Steve Jobs’ Constant Breakthroughs

Photo: Consumers line up to buy the new iPhone 5s and 5c at an Apple Store in Glendale, California on September 20, 2013 (Robyn Beck / AFP / Getty Images)


Most of Apple's improvements have always been incremental -- and there's nothing wrong with that.

Last Friday, Apple’s iPhone 5s and iPhone 5c went on sale. The company sold nine million of them in the first weekend, breaking the five-million-phone record it set last year with the iPhone 5. I sort of thought that was clearly good news for Apple and the iPhone. Or at least not, you know, worrisome news.
Then I read a piece by Sandy Cannold at ABCNews.com (which I found via MG Siegler’s ParisLemon). Cannold says that the new iPhones selling so well and generating so much hoopla is potentially alarming:
To me though, all this over-the-top fanfare and even the record-breaking first weekend of sales could actually be cause for concern. Now before Apple lovers pillory me and say that I have no idea what I am talking about, hear me out. I fully concede that Apple is going to make billions in profit from the sale of these new devices and the company is in no danger of becoming Blackberry or Nokia. But the reason I am voicing a bit of doubt is that it seems like Apple is now trying to squeeze every last bit of profit it can out of an aging, shall we call it, iStone.
If you’ve read other pieces of this sort, you already know where Cannold is going with this:
This is no longer the Apple of Steve Jobs. The Apple that seemingly every couple of years rocked the consumer electronics world with a product so innovative that it changed industries forever. He did it with music, Smartphones, computing, the list goes on and on. But sadly since he passed away it seems like that era of innovation has given way to an age of incremental change. I firmly believe that Steve Jobs wouldn’t have been satisfied to only pocket billions upon billions on tweaked products alone.
O.K., that’s the issue. Under Steve Jobs, Apple released an epoch-shifting product every two years or so. Under Tim Cook, it’s capable only of the boring, evolutionary business strategy Cannold later calls “incrementalism.”
Except…
The golden age of Apple that Cannold pines for never existed. Steve Jobs didn’t change the world every two years like clockwork, and he was incrementalism’s grand master.
Just how many times did Jobs rock the consumer electronics world with a product so innovative that it changed industries forever? In Apple’s first nine years, from 1976-1985, there were two of them: the Apple II and the Macintosh. Maybe three, if you count the LaserWriter laser printer.
But for simplicity’s sake, let’s begin our accounting on July 9, 1997, the day that Gil Amelio resigned as Apple’s CEO, thereby restoring Jobs’ full control over the company he co-founded. And let’s end it on August 25, 2011, the day that Jobs resigned, formally turning the company over to Tim Cook. By my math, that’s 5,161 days.
Just about everybody, I suspect, will agree that the original iPod (2001), iPhone (2007) and iPad (2010) changed industries forever. (If you take issue with that assessment, I’d love to hear your reasoning.) The original iMac (1998) did, too; you could make the case that it was a triumph of packaging and marketing rather than technology, but its influence is still felt today.
Two Apple services also had impact of historic proportions: the iTunes Music Store (2003) and App Store (2008). Let’s add them to the list, too. By my standards, at least, we’ve now covered all of Apple’s seismic shifts that rattled the entire industry forever — the sort of stuff that hasn’t yet happened under Tim Cook’s stewardship.
That’s a total of six industry-changing items, or one every 860 days on average, though the gap was sometimes substantially longer. Now, that’s a remarkable streak. But it’s not a revolution every other year. And Tim Cook has been CEO of Apple for only a little over two years, so there’s nothing deeply troubling about the fact that he hasn’t boiled any oceans yet.
Of course, skeptics didn’t wait until Cook had been on the job for a couple of years before they started accusing him of incrementalism. The charge has hung over all of his product launches like a cranky little cloud, starting with the iPhone 4S’s debut way back in October 2011. From the start, plenty of folks assumed he’d fail to live up to Jobs’ record.
Which is not an unreasonable thing to fret about. Cook does have the biggest shoes to fill in the history of the personal-technology industry, and neither he nor anybody else is capable of all the things that came naturally to Steve Jobs. But it makes more sense to fret based on concrete data points and an accurate accounting of Jobs’ achievements than raw emotion.
Me, I’ve always thought that it will be impossible to fully judge the Cook era until Apple does enter a wholly new product category. It’s going to do so at some point, and it’s possible that it’ll either go spectacularly well or be a fiasco. Or it might fall somewhere in between, as some of Jobs’ products did. (Exhibit A: The “hobby” known as Apple TV.) But Cook has plenty of wiggle room left before he falls substantially behind Jobs’ pace. I figure he has at least until the end of 2014 or so before there’s reason to join the worry-wart chorus.
Back to incrementalism. I don’t understand why Cannold — and plenty of others — think that it’s at odds with Steve Jobs’ legacy. For every great leap forward Apple ever made, it accomplished at least as much through small steps that made its products easier, faster, thinner, lighter, more polished and/or more useful. Apple’s most important products may have been the game-changers, but its best products, always, have been those that benefited from smart, evolutionary improvements. And as far as I remember, Jobs never seemed guilty about the profits they brought.
Remember: Even Jobs himself was constantly upbraided by pundits for releasing products they deemed to be snoozers. If Steve Jobs was incapable of being sufficiently Steve Jobs-like, isn’t it possible that the standard doesn’t have much to do with reality — and that it’s silly to make the case that Tim Cook has failed to uphold it?

