Security Researchers Detail New Combination of Touch ID and iOS 7 Security Feature Bypasses

[yegon]

A toggle for Airplane mode on the lock screen, assuming CC is enabled, has always surprised me.

Equally, wouldn't it be a good idea to ask for a PIN to switch the phone off? At least that way, signal permitting, there'd be a time window where you phone might still be accessible via Find my iPhone? Or am I missing something?

Edit : I see the latter may be a problem if your phone crashes, good point whoever made it.

 

[fallenjt]

How the hell can you get that fingerprint on the glass so easily? You coated your finger with some type of grease? I press my thumb hard on the glass and got no fingerprint at all after multiple times. Your method may work in theory, but in reality, you wont be able to get a fringerprint from iPhone screen. Even if you can get that print, it must be the correct fingerprint on file.
Somehow, middle finger can work the best for touch ID because you dont use it to operate the phone ever, but thumb and index fingers.

 

[fallenjt]

Alternatively, if the thief gets the iPhone before the pass code delay kicks in and the e-mail account is equally setup on the device is to reset the password via an e-mail link for iCloud and hey presto! switch off Find my iPhone!

You forget something: if a person turns on restriction with 4 digit code not to allow to turn off "Find My Iphone" just like me, you're out of luck. So, the thief must know your restriction code + fringerprint to be able to gain full control of your phone...it's unlikely that would happen

 

[fallenjt]

Can you walk us through this?

Settings/General/Restrictions/Enable Restrictions (enter 4-digit code)/Location Service: Don't Allow Changes (Make sure Find My iPhone already turned on)

 

[iMarc845]

I can't speak for anyone else but I use Airplane Mode a lot. Whenever I go into a movie theater, concert, dentist's chair... Anyplace where being interrupted is undesirable. And, oh yeah, also on planes.

As some others have indicated, the point of TouchID is not to make your iPhone impenetrable but to increase both security and convenience. I think Apple has done a good job with the implementation of it.

One thing most people haven't noticed yet is that if you enable TouchID for Passcode Unlock, the lock interval is set to "immediately" and there are no other options. Nice one, Apple! (I mean that, not being facetious here). Since it only takes a fraction of a second for TouchID to unlock the iPhone, I have no issue with it being required each time.

If you really have top-secret info that would end life as we know it, let your Bodyguard carry your iPhone.

 

[zecks420]

Why not just set a restriction (Settings | General | Restrictions) on making changes to accounts? Then the find my iPhone can't be turned off without knowing an additional 4 digit code

Exactly.... All this is just haters. The extra restrictions under settings and general (Restrictions) allows you to use a different 4 digit pin code that makes it so you cannot turn off find my phone even if they did get into it. Half of you never even used ANY security...now all of a sudden this isn't good enough? Please. Just like before... all the security in the world wont help if you don't even take the time to use your phone setting properly. There is more than enough security on this phone.

----------

Settings/General/Restrictions/Enable Restrictions (enter 4-digit code)/Location Service: Don't Allow Changes (Make sure Find My iPhone already turned on)

Bravo...

 

[northernbaldy]

I'm going to wrap my phone in tinfoil and hide it up my arse

Just to be safe

 

[technowar]

Settings/General/Restrictions/Enable Restrictions (enter 4-digit code)/Location Service: Don't Allow Changes (Make sure Find My iPhone already turned on)

Hey, thanks.

 

[applerocks]

The video also doesn't consider that Apple has been pretty (good) annoying about enforcing security questions. It really, really, really wants you to add them, and it bugs you a lot even as you set up iOS 7.

Even if you get your password reset link, you have to answer security questions. That would stop the guy dead in his tracks, and leave the iPhone useless once again. (The data is still compromised on the device). Apple is even smarter with two-step, because resetting your password means you need the recovery key (it doesn't even initiate an email).

I don't think the temp/perm lost mode matters. Instead, what matters is Apple warning people (as they suggest) to reset other account passwords that may be on the device. (And, they already have the lost mode vs. erase iPhone, so that really is your temp/perm scenario.) So, when you initiate erase mode, it should say "Apple highly recommends changing passwords to all accounts associated with your device, including email and social media accounts."

Not saying this isn't legitimate at all (it is). There is a way to gain access to your device. That's the part Apple can't easily fix without destroying user experience.

This ONLY works if you:
1) Lose your phone
2) Get your fingerprint taken or passcode snooped
3) Don't change your email password when the device is taken (you should, and Apple should remind you)
4) Don't have security questions (which Apple basically requires you to have now) OR don't have two-step.

So, basically, if you're at the bottom of the bottom security wise, you would be vulnerable ONLY IF all those conditions were met. And, if you're not even worried enough to enable two-step or security questions, then perhaps you aren't that worried about people taking your data. Now, with 700 million phones, many people are at the bottom level. Perhaps Apple can start requiring security questions or the account gets disabled. Or, require them to set up an Apple ID on a new device, no questions asked.

Something else that's new was Apple requiring security questions to make your first purchase on a new device. I had to reset my questions since I didn't remember them, so I know that's new within the last year. Once again, another layer of security. And, it reminded me to enable two-step on the Apple ID I use for purchases.

The other issue: Apple doesn't remind you to add new phones as verified devices when you buy them. That's a bit of a silly move.

 

[calaverasgrande]

I've actually been able to get into an application, start and play the game without entering a lock screen code. When I exited the game I was back at the lock screen.
entered my code, and the game then went back to the "opening" screen.
We need a 7.1.
This is a mess.

Oh yeah, and my new 5S wont accept my index finger print.
Maybe because I have a huge scar on my finger?
You would think a large vertical scar line would make it EASIER for the phone to scan it.

 

[TTile]

I've actually been able to get into an application, start and play the game without entering a lock screen code. When I exited the game I was back at the lock screen.
entered my code, and the game then went back to the "opening" screen.
We need a 7.1.
This is a mess.

Oh yeah, and my new 5S wont accept my index finger print.
Maybe because I have a huge scar on my finger?
You would think a large vertical scar line would make it EASIER for the phone to scan it.

I'm confused. You were able to play a game without entering a passcode. Could you access anything else on the phone or just the game?

A huge scar = no ridges. Therefore it can't get any useable data from this.

 

[PracticalMac]

Listen to.... what, exactly?

The recommendations offered.

I do not except a completely 100% secure lock, just make it so difficult only the most determined willing to spend a lot of time might have a chance to break in.

Most of the points given seem simple enough and make it harder for a casual thief to try and break in.

 

[Sakuraba]

There is a solution

Well, first of all - Remember that about 50% of users don't use any password at all! That makes "Touch ID" a great thing for those people.

Now to my solution, actually it is so obvious that I would bet money that Apple will implement this:

Schedule a password (preferably longer than 4 digits) to open your phone.
Let the user schedule the time intervals that the passwords must be used to open the phone. I would probably settle for 1 time/24 hour.

Others with "paranoia" could set the long password to be required every 6 hours or less. Thereby closing the "window of opportunity" for anyone to try and create a fake fingerprint.

But that would probably be unnecessary because in the best case scenario, Apple makes this scheduled password requirement impossible to disable without knowing the long password.

So there you have it! Users schedule how often they wish their iPhone s to ask for the long password together with Touch ID.

Good luck then for the iPhone thieves!

 

[iMarc845]

So there you have it! Users schedule how often they wish their iPhone s to ask for the long password together with Touch ID.

Good luck then for the iPhone thieves!

I really like your idea. It's simple, elegant, easy to implement and provides the User options to determine how often the iPhone will "nag" them.

But WHY would you wish thieves good luck?

I do realize you were being sarcastic

 

[mrluis03]

Simple.

Just require a password to turn off the phone.

Or better yet, require a password to activate airplane mode. With touch ID, it would be a simple step. I dont see how anything can get past that.

 

[priyamsingh]

I brought this article and video to the attention of Macrumors. I should have been given credit

 

[applerocks]

Just require a password to turn off the phone.

Or better yet, require a password to activate airplane mode. With touch ID, it would be a simple step. I dont see how anything can get past that.

I would guess the reason Apple doesn't do that is that you ALWAYS have the option of getting a case that blocks radio signals and effectively killing the phone's connection to Find my iPhone that way. There's no way to prevent an attacker from doing that, and it means any other prevention of Airplane Mode and/or turning off your phone is an unnecessary step that just makes the phone more annoying to use (though you might "feel" safer).

Security often aims to do one thing: make someone else's system a bigger target. That's what Apple has done here. They won't ever make the phone invincible. If you were a thief, today, would you steal the Samsung S4 or the iPhone? Apple's making it less likely to be the iPhone. We'll see if the crime rates start supporting that theory.

So, Touch ID and this setup make it tough for the standard thief. Once again, though, facts prove that if someone is determined enough, no system can prevent all attacks.