You are the Key: Fingerprint Scanning on the iPhone 5S

So, here we are. Another iPhone launch and seemingly even less features. The September 10th launch of the iPhone 5S brings the only physical feature of note: fingerprint scanning via “Touch ID” which is built into the main button of the phone (an elegant way of doing it by the way). This turn of events is more about a push by Apple towards acceptable secure m-payments and stronger user authentication for the web and app store rather than just being completely about access control to the device itself. I’m pretty sure that there’s a strong pull from the business / enterprise sector as well for this kind of technology. In my experience, senior management seem to quite like things they’ve seen in a sci-fi film such as palm-print security access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike PIN numbers, you leave a number of exact replicas of your fingerprints in various public places when you go about your daily business. That’s like leaving an exact imprint of your front door key over twenty times a day on things like the side of your car door, on a coffee cup and on the table of your favourite pub. In all likelihood, the back of your mobile phone probably contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schauble found this out when hacktivists collected his fingerprints from a glass. And remember: once you’ve lost your fingerprint you can’t really get it back (you only have a limited number!).

There are some pretty extreme examples of people who’ve been tortured for bank PIN numbers and even one case in Malaysia where a man had his finger cut off to steal his fingerprint protected Mercedes.

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

“The number of phones found on the London Underground alone was 25,000 in 2011”

According to the Office of National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey of England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

Let’s also bear in mind that a lot of people could believe they’ve been pickpocketed or that their phone was stolen from somewhere when they have in fact just lost their device. The number of phones found on the London underground alone was 25,000 in 2011.

Convenience

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the key that you would have to press anyway. Instead of having to make four or more finger movements and the possible engagement of brain to remember a PIN, you instead have almost instantaneous access, which when you consider how many times you have to enter your PIN into your phone every day is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control security than a few using a PIN is a much better situation for everyone.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people just simply can’t use fingerprint readers. For example, the very young, the elderly and some disabled people. In addition “False negatives” can be caused by various factors such as:

  • Long fingernails
  • Arthritis
  • Circulation problems
  • People wearing hand cream
  • People who’ve just eaten greasy foods
  • Fingerprint abrasion, includes: the elderly, manual labourers, typists, musicians
  • People with cuts

In some senses, this functionality could be regarded as socially regressive, or at least a not socially inclusive and accessible technology. These types of users must fall back to things like PIN usage to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this has to be stored on the device in some way. Each time you access your phone, your data is then processed through an algorithm to get compared. If that is not done properly using secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100,a PanTech device that was released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.

The phone theft debate continues…

A number of articles on mobile phone theft in the papers this weekend (20-21st July 2013). Regular readers will know that I’ve spoken quite a lot about phone theft in the past and at various events.

Snatch thefts are particularly high because the phone is ‘active’ at that point and not locked

The Daily Mail discusses the fact that Apple will publish the update later this year which will enable the “authentication lock” feature which will prevent the re-enablement of stolen phones after theft. It also mentions that GPS won’t be able to be disabled and the phone wiped – common methods used by thieves to prevent tracking of phones and one which also encouraged snatches of ‘active’ devices.

In the Daily Telegraph, Boris Johnson apparently said “Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products”.

This is badly off the mark – the problem is not the hardware security (this was addressed years ago and the work was acknowledged by the Home Secretary in 2008). The real problem is the export of devices – they are not blocked outside the UK so can continue to be used. This has nothing at all to do with hardware security, but it has everything to do with the ability to disable devices globally.

Other countries such as the US have only recently joined the party, claiming massive new street theft problems. The truth is this – phone theft will have always been a problem but it has only been recently that high profile violent robberies have forced them into action. What have the authorities been doing for the last ten or so years?

Apple’s authentication lock is not a kill switch

The terminology being used by politicians and the media is incorrect – preventing access to services is actually the opposite of reaching out and telling a device to ‘die’. Creating a real kill switch like that could in itself become a security problem. Imagine being able to turn off every phone in the world?

The reality is that the functionality for an “authentication lock” has only been technically possible in the past 5 years, because previously the manufacturer would have virtually no relationship with the customer. These days all the major OS providers ask users to sign up for an account with them to access services – and that’s the key. A relationship with the end user means that they can take action because they know when that phone gets used post-theft.

In the past, this simply wasn’t possible for the network operators. No operator (as far as I know) has presence in every country in the world, so it wouldn’t usually see a phone if it had been exported. Yes, the IMEI (identity of the device) could technically be shared with a global database called the Central Equipment Identity Register, but that one piece of data is not reliable for many reasons including a rash of counterfeit devices in some countries. However if a phone has to connect home over the web, it allows a lot of information to be checked and even shared with the rightful owner. Although it is not fool-proof, it is the right thing to do as it makes the phone less attractive to a thief. It does raise a question for the Android manufacturers particularly. Will they now ask Google to provide this functionality for them, or somehow try and build it into their own anti-theft find-and-locate apps (which will not be as robust as putting this in at the OS level)?

Next steps

Assuming the industry gets this right (and I hope they do), the ball will be back in government and Police hands. With rising theft figures, it is very easy to blame the manufacturers and operators. In reality this is a complex and largely social problem – people are still going to snatch expensive mobiles and try to use them to pay for things / use their functions etc and sell them. There’ll be a new, lucrative challenge for the cracking community to disable things like authentication lock. Up until 2011, the UK was the only country that had really done lots of things to help address theft in a proper manner including:

  • education for young people (youth-on-youth crime is very high)
  • posters in high crime areas like London
  • legal measures (making it illegal to change the IMEI number and possess the equipment to do so)
  • working with industry to harden devices (OMTP TR1)
  • encouraging industry to share information on theft (stolen IMEI numbers)
  • setting up a dedicated Police unit to target thieves

Mobile phone theft affects ordinary people – for that reason alone, politicians like Boris Johnson are going to continue to jump on what has been for years a populist bandwagon.

Helping ordinary mobile phone users manage their security

My company recently completed some work for the UK Police about giving some basic guidance on mobile phone security. It seemed to them (and to us) that there is a gap between the daily deluge from the media of new threats to mobile users and understanding the real situation (which is often highly technical). What this often means is that users are just completely forgotten in a sea of meaningless rhetoric. People using phones inevitably then do the wrong thing. We also found that the organisations setting policies also want to give basic advice to people about how they use their phones in their daily lives.

We wrote quite a long whitepaper (which will soon be available as a booklet) but with the help of the excellent team at Beyond Design, we decided to also create a leaflet that was easy to understand and which would capture the main points easily. After all, what we’re looking for is for people to remember and adopt the advice we’re giving out. The advice covers things like:

  • Personal safety
  • Lost and stolen devices
  • Using the features of your device securely
  • The types of threats you need to be aware of
  • Things that you can do to mitigate security issues or to help prevent them happening

We’ve had some good initial feedback and I understand a couple of universities in the UK are looking to distribute the leaflets for their students too.

What risks are you taking?

Free leaflet

I’ve decided to make the leaflet freely available for download and printing – you can take the print ready version and send it to a local printers or online service and then use it for your own purposes. Just click the links below to get a copy:

Mobile Security Advice leaflet (online version)
Mobile Security Advice leaflet (print-ready version)

I hope this is useful to people and we’d love to hear your feedback and who you’ve given the leaflets to. Drop us a line or add a comment below!

A note on giving out advice

The danger of course with doing something like this is that we a) miss something important or give bad advice and that b) the advice would be impractical and be ignored. We would hope that we have given out good advice based on our own experience, but please let us know if you really disagree with something. We acknowledge that there is a risk of b), but we also acknowledge that giving people nothing and just leaving them to fend for themselves is ultimately worse. Everything we do from a security perspective in our personal lives is about risk management decisions (or risk avoidance). Just as not every alley is going to have some guy lurking down it waiting to rob you, not every open WiFi connection you connect to is going to be compromised. It’s good to be at least ‘aware’ of the risks though.

"Apple does not have a process to track or flag lost or stolen product"

“Apple does not have a process to track or flag lost or stolen product”. That’s exactly what the Apple support pages say.

Having worked on the problem for years and seen the human consequences of violent theft, it appears a fairly arrogant statement to make. It’s not a safe, fluffy world out there (unless you live your life permanently in a gated development).


As Intel’s Robert Siciliano told Reuters in January‘Apple seems to have not considered stolen devices and instead is relying on the honor system’….’The honor system is devised with the mindset that we are all sheep and there are no wolves.’


There are certainly lots of wolves out there. Mobile phone theft appears to be starting to grow again.

Apple’s Q3 figures released in July 2012 showed a net profit of $8.8B. So is it too much to ask Apple to spend a bit of that profit on a process that helps consumers and reduces the desirability and ease of theft? They certainly have the global reach to do it (and currently, much more than the mobile network operators). It seems to me a little unfair for them to put everything on the mobile network operator just because they have the contract with the end user.

The Police (particularly in the UK) are doing their best against street crime and it is surely incumbent upon Apple as a good corporate citizen to try and help minimise theft of hot products such as the iPhone. 


Channel 4 did a great report on the situation in London last month:

Criminals are getting savvy – they’re also turning off the find and locate features of modern smartphones and wiping the devices so you’ll never get them back. They can even continue using the phones in the country they were stolen in, even if the IMEI number is blocked. They just don’t use the core “phone” functionality. WhatsApp and everything else will work just fine.

Phone theft is a tough nut to crack, as I pointed out in this talk. However, if certain companies are just putting their head in the sand and responding to the media with ‘no comment’, we’re in a bad place.

Combating phone theft – US takes a step forward but is it enough?

It seems that the theft of mobile phones is starting to be recognised in other parts of the world than the UK at the moment. A few of the American newspapers are reporting on the announcement that mobile network operators (or carriers as they are known over there) have done a deal with the FCC to block stolen mobile devices. This is all good news and I don’t want to pour cold water over what is going to be generally good for the consumer in the long term.

This never used to happen in the old days

Why has it taken until now?

The concept of a global blacklist (or Central Equipment Identity Register [CEIR]) for mobile devices has been written in stone (well the GSM specs) for a very long time. See this paper from mobile security veteran Charles Brookson from 1994, which talks about the CEIR. Operators have quietly ignored this requirement and very few are connected to it. Even local blacklisting has been an issue over the years, with issues over sharing information with other operators inside single countries. The practical difficulties are always cited as well as cost. Having been involved in a lot of this debate, a lot of the arguments just don’t wash. As an example, using prohibitive cost as a reason not to maintain a blacklist is laughable. Storage cost is ridiculously low, management is minimal and the operators themselves will see direct benefits from not allowing criminals to hook up stolen phones on their networks. The simple answer to network operator blacklisting is: “where there’s a will, there’s a way”.

Identity changing is not the issue it once was

Another argument that has been frequently wheeled out is that criminals will just change the identity (the IMEI number) of the device to side-step the blocking system. The fact is that IMEI number changing has dropped off massively since the turn of the century as more security has been built into devices (through a lot of effort in a number of industry initiatives). My presentation ‘Mobile Phone Theft: An unsolvable problem?’ from 2011 expands on some of this. There is a 42 day breach reporting process run by the GSM Association which nearly all the manufacturers are involved in. It seems as though the manufacturers have played their part, but it could be argued that the network operators haven’t.

What are governments doing?

It could also be argued that governments haven’t really played their part in all of this. Only the UK has really stepped up and addressed the criminals who actually perpetrate these crimes with legislation and through a dedicated Police unit, the National Mobile Phone Crime Unit. What meaningful steps have other countries taken to help their citizens from the blight of mobile phone theft?

Are we addressing the right problem any more?

Apparently the US system is going to take two years to become operational and this is where I have a bit of an issue. Development and deployment could probably happen a lot more quickly than this, given that the standards have already existed for nearly 20 years. My other issue is about whether we’re addressing the right problem anymore? If mobile phones have evolved to the point that they are now more mobile computer than phone, we should look at what will drive a thief. Thieves take phones generally for their inherent value. That is why historically, blocking a phone’s network access has essentially disabled the device and made it valueless. This isn’t the case in 2012. If you block the IMEI number, guess what? Anyone can still use the phone – you can use the WiFi connection to get on the web, you can use WhatsApp and Skype and you’ll still be able to download stuff from app stores. While this still remains the case, mobile phone theft is going to continue to be a problem. In some ecosystems, the vendor is actually in a very strong position (think those companies with fruits in the name) and they have actually provided additional tools to help against theft. What they need to make sure now is that those devices are not ‘re-activated’ after theft.

What can I as a user do to help myself?

  • It sounds a bit obvious, but make sure you use your device PIN-lock feature. It can be a pain to use, but it is highly effective in ensuring that whatever is on your device stays on your device. Although thieves generally just care about selling the device on, you still don’t want all your personal data potentially going astray.
  • Another piece of sensible advice is to be aware of your surroundings; don’t leave your phone on tables in cafes, be careful where you’re using your phone (in dangerous neighbourhoods etc) and when out and about at night. In big cities, tube and metro exits are commonly targeted as people turn their phones on when they surface.
  • And finally, write down your IMEI number – you’ll need this to give to the Police and network operator if your phone ever gets stolen. You can get the number from the back of your handset or by typing in *#06# at the home screen of your phone.

Don’t advertise your phone to thieves

We’re never going to stop people stealing things, but at least in the US and the UK life is being made slightly more difficult for thieves making things slightly more safe for you.

Mobile Security Week

This week is Carphone Warehouse’s Mobile Security Week. I worked with the guys there to create some advice on security for users which you can find on their site. An extended version is on this page. As part of their research, Carphone Warehouse conducted a survey of over 2000 people which highlighted a lack of awareness amongst users about the importance of protecting personal data. It is interesting that only about 54% of those surveyed think that data on their phone is secure. That is lower than I expected and shows that people are at least concerned about mobile phone security, but maybe aren’t sure what to do. The National Mobile Phone Crime Unit (NMPCU) have done some great work in the past few years behind the scenes to help prevent mobile phone theft and one of those is to create a database of property which you the user can use by registering at the link in the first tip. If your phone turns up, the Police can then easily identify it as yours. A lot of my readers are tech people, but most mobile users aren’t and they don’t necessarily want to be. Probably one of the most important messages I’d like to get across is for people to use their handset PIN lock – if you don’t want people getting access to your personal data, this is a simple way of preventing that.

It’s great to be able to get the message out this week to people to think about mobile security, so have a look at the tips and see if you and your family are safe and secure?

David’s Mobile Security Tips

As phones become more and more sophisticated, mobile security becomes increasingly important for users. Here are some tips on how to keep you safe and secure when using a mobile phone.

Record your phone’s identity number in case it is stolen

The International Mobile Equipment Identity (IMEI) is what identifies your phone to the network and is located on the back of your phone underneath the battery. Another way to get your IMEI number is to type *#06# into your phone keypad to display it. When you get your new phone, it should be also on the side of the box. Keep the box label in a drawer just in case you need it. If your phone is lost, report the IMEI number to your service provider and they can block your phone so it can’t be used to make calls. If it is stolen, you should also give the IMEI number to the Police.

You can also register your phone’s details and IMEI number on the UK National Property Register at: http://www.immobilise.com/. This helps the Police to return lost or stolen property to its correct owner.

Secure access to your device and voicemail

PINs and passwords can be a pain as they put a barrier in the way of things you do repeatedly. These days it can be difficult to remember all your different PINs and passwords or be very tempting to use the same password for everything. Firstly, voicemail. The recent phone hacking scandal in the UK showed how important it is to have a PIN on your voicemail to prevent people listening into your private messages. Ring your operator and make sure you have one setup, or alternatively have the service switched off entirely. Don’t choose obvious PINs e.g. 1111, 1234, dates of birth etc.

Make use of the handset locks to protect your data and messages. With touch-screen phones, these are often gesture based, meaning that a convenient swipe is all that is needed to unlock your phone, whilst still keeping your phone safe.

Learn how to manage your passwords without having to remember lots of complex details. You can do this by using password safes which can store lots and lots of different passwords and generate random ones for you. Make sure these are also backed up in a safe place.

Learn how to remotely lock and wipe your phone if you lose it

Losing your phone or having it stolen does happen and when it does, what do you do to prevent someone getting access to your work or personal data? This is where lock and wipe services come in. Many handsets are now capable of running applications which you can stop someone getting access to your data and if you’re sure you can’t recover it, to delete your data. It is a service that can give you invaluable peace of mind if the worst happens. Some services can even help you locate your lost phone by using the GPS function of the device to work out where it is.

Be very wary of WiFi hotspots

However tempting it may be to connect to free WiFi when you’re out and about, take a moment to consider who is providing that service and why. If they’re charging, who are you giving your credit card details to?

By connecting to an untrusted network, you could potentially allow an attacker to get into your accounts for social networking sites, your email and banking details. In general if you are connected to a public WiFi network, don’t do anything sensitive such as internet banking or making purchases.

Know what you are giving applications permission to do

Always think about what an application is supposed to be doing, where it came from and who made it. Simple internet searches can often verify the validity of an application if you suspect all is not well. Inspect the permissions that an application requests. Does this application really need access to your phonebook? Does it really need to send SMSs? If not, just don’t install it. It should be said that some phone permissions aren’t very well done and can be difficult to understand, so even a legitimate application can give a misleading impression of what it actually does. There are some tools available to help you manage your permissions, for example only giving one application the permission to get to your location.

A common practice amongst hackers is to create a fake copy of a genuine application. This might be free, to entice people to download it. Sadly, the free version is a “Trojan horse” and will do nasty things. Mobile malware is still at a very low level in comparison with the PC world, but is definitely on the rise in 2011 and you should be extremely careful with applications you download. Many hackers see mobiles as an increasingly juicy targe
t because your whole life is stored on there. You are putting yourself at increased risk if you ‘jailbreak’ your device or if you install untrusted applications. Anti-virus applications are now available for those people who want an added level of protection.

Be careful when clicking on web links and scanning 2D barcodes

Don’t be lured into clicking on an unknown link to a web page. A phone’s screen is much smaller and it is often more difficult to see a full link to a website and verify that it is what it says it is. Not only this, but links are often shortened so you can’t actually read the proper website it goes to. If you get messages or posts on facebook and twitter with links, stop and think. Do you know the sender? If you do, is this something that they would send you? If you do click, it is often too late once you realise that there is a problem. Don’t react to or reply to spam messages you may get over SMS or Bluetooth.

New technology allows barcode scanner applications to read 2D or Quick Response (QR) codes (kind of like square barcodes). These are often put in newspapers and on advertising boards. Be very careful – do you know and trust the source. Could the poster have been tampered with or be fake? The problem here is that you often can’t verify that the link is genuine or not, because you can’t decipher the barcodes with your own eyes. It could be linking to some very nasty stuff.

Always backup your data

This is something that is always on the to-do list but never quite gets done. Take a little time to think about what would happen if you lost your phone and phone numbers and how it would affect you. Then think about what you can do to mitigate that. There are lots of services and tools out there to help you do this on a regular basis without thinking about it. Choose one you trust, or if you decide to backup your data yourself, make sure you do it regularly and store it in more than one place just in case your backup fails.

Be careful when charging your phone on someone else’s computer or at a charge point

Be extra careful if you desperately need to charge your phone while out and about. A lot of phones combine a data connection with the charger so you could end up having your data stolen without realising it. Who is providing the service? Do you have to handover your phone to have it charged? Do you really need to connect to your friend’s laptop? At a recent hacking conference, a fake battery charging booth was setup offering free phone charge but then stole the data of the phones connected.

Protect your children whilst surfing

Kids often know more than their parents when it comes to new technology. Whilst a phone can give you peace of mind that your child is safe when out and about, it also has access to lots of functionality and content that you might not want to allow your child access to at home. There are some applications available that can be installed on mobiles to help you manage what your child can access or download. You can get a shop to set these up for you and set a password so that your settings can only be changed by you. Some great information on protecting your children online in The Carphone Warehouse’s Guide to Mobile Web Safety at: http://www.carphonewarehouse.com/mobilewebsafety  and also CEOP’s website: http://www.thinkuknow.co.uk/

Be aware of your surroundings when using your phone

Phones are an attractive target to thieves and whilst they’re with us all the time, they can be snatched or stolen easily. Think about your surroundings when you’re about to use your phone. Do you really want to turn your phone on, just as you walk out of the tube, or can you do it further down the street? If you’re sat in a café or bar, don’t leave your phone on the table. It is a prime target for snatching or a distraction theft. Of course, make sure that any handbags or rucksacks are secured too; trapping a chair leg around a handle is a good way to prevent a bag being stolen.

When you’re walking along and browsing such that you haven’t noticed if someone is near you? You are particularly vulnerable if you’re tied up doing something else. Rather than walking home at night on the phone to a loved one, put the phone away so that you’re aware of everything going on around you.