

  (Source: CNET)
But is the phone's highest profile feature vulnerable to hacking?

Apple, Inc.'s (AAPL) iPhone 5S launched today on Friday, Sept. 20, 2013, ten days after it was announced. And despite a lukewarm reception by media commentators and financial analysts, many of the iPhone faithful showed their support, completing their now-annual trek to camp, squat, or otherwise line up outside Apple stores across the country -- and around the world.

I. Annual Campouts Continue for Apple's Faithful Fans 

The Eaton Center, the biggest mall in downtown Toronto, Ontario, Canada saw hundreds of fans flock to the local Apple boutique, hoping to snag a new iPhone -- particularly the much desired, but rare gold-tinted iPhone 5S.
The line at the New York City store set a new record, while both the NYC and San Francisco stores sold out of their small stock of gold iPhone 5Ss.

iPhone 5S
No, this isn't San Francisco's homeless population, it's Apple's unshowered fans.
[Image Source: Apple Insider]

Apple's executives showed up at stores in California in the early A.M. to greet fans.  CEO Tim Cook showed up to greet a line of over 230 fans in Palo Alto, Calif.  Eddy Cue (Apple's internet software and services VP) and Phil Schiller (worldwide marketing VP) were also on hand at Stanford University's local Apple store.  Clearly, criticism aside, many Apple fans are still more than happy with the company's new device.

II. Hackers Hope to Break Fingerprint Sensor Protection

Another breaking story on Friday was a discussion on the security of the star feature of the iPhone 5S -- its fingerprint sensor.  While fingerprint sensing technology is nothing new or novel, Apple is looking to mainstream the technology for smartphones (The fingerprint sensor can only be used with dry fingers).

Apple claims that its data shows that nearly half of users don't password lock their phones, because they feel it takes too much effort.  At the iPhone 5S launch event ten days ago Apple executives lofted the iPhone 5S's in-button fingerprint sensor -- a smartphone industry first -- as a solution to this "problem".

iPhone 5S sensor
The iPhone 5S's sensor is secured by direct connections to the A7 SoC. [Image Source: Apple]

Apple bragged that the new sensor was ultra-secure, basically uncrackable.  Indeed, the sensor has impressive security features.  The imaging sensor is protected by the laser-cut sapphire of the button head.  Internally it hooks up directly to a special portion of Apple's A7 system on a chip, which stores the fingerprint of the owner, encrypted, in embedded memory.

It seems like the iPhone is thus nearly impervious to digital attacks, short of disassembling the phone and tapping the lines to the fingerprint sensor.

But hackers are convinced the new security feature can be compromised.  A new URL asks a simple question that's exciting the iPhone hacking community: IsTouchIDHackedYet.com.  The site says the current answer is:

No! ...but the following have offered a reward to the first person who can reliably and repeatedly break into an iPhone 5s by lifting prints (like from a beer mug).

The site follows with a bounty list offered up by various contributors that ranges from $10,000 USD in cash (from I/O Capital Partners), Bitcoins, and a free patent application on the hack (from Cipher Law), to "$100, a dirty sex book, and a bottle of Bulleit Bourbon" from Violet Blue, a sex advice/erotica columnist for CNET, ZDNet, CBS Corp. (CBS), and (formerly) BoingBoing.
 

Given the difficulty of attacking the specialist circuit on the A7 SoC, as the above post states, hackers are directing their early efforts towards physical attacks on the sensor.  They hope to use fake fingerprints to spoof it, similar to how hackers have spoofed laptop-unlocking facial recognition software with manipulated pictures of the target user.

Charlie Miller, the most famous Apple device hacker whose name isn't "Hotz", says that he expects the sensor may be compromised in two weeks or less.  Mr. Miller, who works at Twitter now, respectfully declined to join the race to find an exploit for the sensor.

III. iOS 7 Exploits Kick Off With Control Center Bug

Arturas Rosenbacher, founding partner of Chicago's IO Capital, tells Reuters that the competition isn't looking to create exploits that could harm iPhone users.  Rather, he says that the competition is designed to protect users against a false sense of security regarding a feature that might be less secure than Apple says.

He explains, "This is to fix a problem before it becomes a problem.  This will make things safer."

After two tours of duty in Iraq with the U.S. Military, cyber-security analyst David Kennedy is among the users vying for the fingerprint sensor prize.  Mr. Kennedy, who runs the security consulting firm TrustedSec LLC and organizes the DerbyCon hacker convention, comments, "I am just waiting to get my hands on it to figure out how to get around it first.  I'll be up all night trying."

But for now a far simpler exploit is grabbing headlines.  Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands, discovered a very simple vulnerability that unlocks an iOS 7 device locked with a password or the fingerprint sensor.  He showed off this vulnerability, which involves the new "control center", in a YouTube video post:


Apple has acknowledged that the flaw breaks iOS 7 device security, and promised to roll out a patch shortly.

Sources: Twitter, Reuters, YouTube




RE: Already hacked
By momorere on 9/23/2013 9:53:53 AM , Rating: 2
Forgot to mention ANOTHER bug (or shall it be called a "feature"). I sure am glad that iOS 7 is so secure and bug free for all the techtards in the world.

http://arstechnica.com/apple/2013/09/new-ios-7-bug...


"We are going to continue to work with them to make sure they understand the reality of the Internet.  A lot of these people don't have Ph.Ds, and they don't have a degree in computer science." -- RIM co-CEO Michael Lazaridis














Copyright 2014 DailyTech LLC.