Touch ID means you can be me — or — The return of the Gummy Fingers

Apple recently announced their latest iPhone — the 5S — and among the new features that has created a fair amount of buzz is a built-in biometric fingerprint reader, which can be used to unlock the phone or confirm iTunes purchases in place of a PIN or passcode.

That’s probably true but there is another side to consider. There’s a reason (in fact, there are many) why biometric systems haven’t replaced passwords universally and one of those is the potential for impersonation. One would think that since fingerprints are unique that this would be a great way to authenticate people but it turns out that they can also be faked.

This is not new news. In May 2002 (that’s over a decade ago for those of you keeping score at home),  Tsutomu Matsumoto, a researcher from Yokohama National University, demonstrated how he could fool fingerprint readers about 80% of the time using $10’s worth of commonly available materials. Here’s a link to the presentation with some nice graphics:

http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf

Fast forward to September 2013 and Apple’s Touch ID comes onto the scene and I begin the countdown clock to when someone will pull off a similar attack. Not surprisingly, it didn’t take long. Within 2 weeks this video from the Chaos Computer Club (CCC) surfaced which shows a successful impersonation attack.

I won’t go into the details here but here’s a quick description from macworld.com. And if you’re wondering just where someone might be able to get the fingerprints from the authorized user in order to duplicate them, take a closer look at the CCC video and pay close attention to what the iPhone’s screen looks like when it’s turned off — fingerprint heaven.

So, should we give up on biometrics and declare Touch ID a failure. Maybe not. Apple says that  roughly half of iPhone owners don’t even bother to set up a PIN to protect their devices due to the inconvenience of having to enter it (which is great news for thieves). So, even if Touch ID isn’t perfect (and no biometric system ever will be), the fact that it is so much simpler to use than passcodes means that, hopefully, more people will use it and, therefore, security will be improved since even a relatively weak biometric is more secure than a stock phone with no PIN at all.

IAM in print

It’s been 13 years since I last authored a book so to avoid any comparisons to J. D. Salinger, known for his virtual disappearance from the publishing scene after releasing his most famous work (people often get us confused), I dipped a toe in the book business again in at least a small way …

If you’ve ever tried studying for the CISSP (Certified Information Systems Security Professional) exam, often referred to as the “gold standard” of professional certs for the IT security industry,  you’ve probably run across the Information Security Management Handbook. Now in its 6th edition, this collection of essays covering the 10 domains of what is referred to as the CBK (Common Body of Knowledge) is updated annually with new chapters on issues relevant to practitioners. 

This year’s update (Volume 7), includes 27 new chapters including my $0.02’s worth (maybe less) on Identity and Access Management (a.k.a. IAM) architecture. I adapted this from a presentation that the publisher saw me give at InfoSec World 2012 and hope you find it useful.

It’s an honor to have my words alongside those from some of the true leaders of the industry, many of whom are probably now scanning the table of contents and wondering how I slipped in.  🙂

Enjoy…

 

USB condoms

In my last post I wrote about an attack that has come to be known as juice jacking in which you use a USB charger, likely at a public charging station, to keep your cell phone or tablet going a little longer and, without your knowledge, someone has modified the charger to do more than just give your device a boost. 

The problem is that the USB connection can, in addition, to providing juice, also transfer data. This means that while you are getting a charge  someone could be stealing your sensitive data or planting a virus on your trusted electronic companion.

So, what should you do? You could simply avoid all USB chargers, which would be extreme, or just avoid all USB chargers that aren’t yours, which is inconvenient. Or you could use a “USB condom” for safe charging.

Let me be clear, I have not tried one of these devices (nor have I needed to) so I don’t know how effective they are but, at least in principle, the idea is interesting. What this device does is disable all the connections that involve data transfer leaving only the charging pathway open. A simple idea that could be quite effective.

Do you need one? The answer to that question has more to do with your tolerance for risk than any objective, technical criteria so I’ll let you decide on that one. Either way, it’s interesting food for thought…