Exploiting a new iOS7 feature, they place a stolen iPhone 5S in flight mode using the new command centre, accessible from above the lock screen on the iPhone 5S. This prevents the phone from being remotely wiped, and gives the attackers time to use the fingerprint sensor to unlock the phone.
This second part appears to be rather trivial: using an iPhone 4S camera, they lifted fingerprints, printed them out using a laser printer and turned the printout into a fingerprint mould, which was then used to unlock the phone.
The researchers then used the email address stored on the phone to request a password reset using a desktop computer, and then briefly took the phone out of flight mode to retrieve the reset email, but not long enough for Find my Phone to wipe the phone.
This gave them full access to a user's iTunes account, and basically locked the owner out of their own account. Once he reset the password, said Ben Schlabs, an SRL project manager in biometric security, he was able to completely "own" the iPhone: he could take over accounts from outside email providers, and reset passwords by getting email providers to send SMS messages to the hijacked phone.
"Once you have access to the email, you can engage in total online identity theft. You can get bank credentials or anything else," Schlabs said. Researchers are increasingly unanimous in saying Apple’s biometric approach does not confer any significant security advantage to iPhone users.
In short, said Chris Morales, a hacking expert and research director with NSS Labs of Austin, Texas: biometrics are not as secure as passwords. "As bad as passwords are, it’s more secure to know something than to be something," Morales said. "Biometrics only extends security for people who are extremely lazy." Apple has been touting the fingerprint reader as greatly enhancing security, and analysts have suggested the sensor would open even more doors for the iPhone in enterprise.
It would, however, appear from the volume of bugs and security issues uncovered so far that the iPhone 5S and iOS7 have been more glitz than substance, and we would suggest a cheap Windows Phone would work just as well, and offer even better security.