The 4 digit PIN killer

Security professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard but the alternative is that anyone who can put their hands on your phone could read all your emails, texts, pics, view phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.”

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?

What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.

So, while it may be a royal pain to enter that complex, 8 character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it
could be a better trade off than the venerable but broken, 4-digit PIN.

Advertisement

Touch ID means you can be me — or — The return of the Gummy Fingers

Apple recently announced their latest iPhone — the 5S — and among the new features that has created a fair amount of buzz is a built-in biometric fingerprint reader, which can be used to unlock the phone or confirm iTunes purchases in place of a PIN or passcode.

That’s probably true but there is another side to consider. There’s a reason (in fact, there are many) why biometric systems haven’t replaced passwords universally and one of those is the potential for impersonation. One would think that since fingerprints are unique that this would be a great way to authenticate people but it turns out that they can also be faked.

This is not new news. In May 2002 (that’s over a decade ago for those of you keeping score at home),  Tsutomu Matsumoto, a researcher from Yokohama National University, demonstrated how he could fool fingerprint readers about 80% of the time using $10’s worth of commonly available materials. Here’s a link to the presentation with some nice graphics:

http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf

Fast forward to September 2013 and Apple’s Touch ID comes onto the scene and I begin the countdown clock to when someone will pull off a similar attack. Not surprisingly, it didn’t take long. Within 2 weeks this video from the Chaos Computer Club (CCC) surfaced which shows a successful impersonation attack.

I won’t go into the details here but here’s a quick description from macworld.com. And if you’re wondering just where someone might be able to get the fingerprints from the authorized user in order to duplicate them, take a closer look at the CCC video and pay close attention to what the iPhone’s screen looks like when it’s turned off — fingerprint heaven.

So, should we give up on biometrics and declare Touch ID a failure. Maybe not. Apple says that  roughly half of iPhone owners don’t even bother to set up a PIN to protect their devices due to the inconvenience of having to enter it (which is great news for thieves). So, even if Touch ID isn’t perfect (and no biometric system ever will be), the fact that it is so much simpler to use than passcodes means that, hopefully, more people will use it and, therefore, security will be improved since even a relatively weak biometric is more secure than a stock phone with no PIN at all.

iTunes U interview on User Authentication

One of the hardest problems we face in the IT security space is that of user authentication. In other words, are you really who you claim to be? One the one hand, it’s something we do every day when we run into people we know (or don’t know), yet there have continue to be cases of impersonation, which means our systems for verifying authenticity aren’t perfect. Complicating matters is when this identity verification happens at opposite ends of a wire in cyberspace where many of the mechanisms we rely on in the physical world elude us.

Here’s a link to an iTunes U podcast interview I did with Dr. Steven Furnell, who heads up the School of Computing and Mathematics at the Plymouth University (UK). Apologies in advance for my weak sounding voice and seeming lack of energy as I had to go in for vocal cord surgery two days later.