One of the marketing lines of the new iPhone 5s from Apple is that it is “forward thinking”. But one security strategist believes Apple’s new security measures weren’t forward thinking enough.
Richard Henderson, a security strategist and threat researcher for Fortinet’s FortiGuard Labs, said the device’s security sensor can be easily defeated.
“Apple’s keynote mentioned that the sensor resides under a sapphire crystal which effectively acts as a ‘lens’ – which means the sensor is taking a photograph of your fingerprint in order to authenticate. Apple’s current details on the nitty-gritty are scarce, but they do mention that there is a stainless steel ring around the sensor that acts as a capacitance sensor to determine that a finger (as opposed to a photograph) is touching the lens. Certainly, that’s going to keep your snooping sibling from taking a look inside the phone, but the capacitance technology is relatively easy to defeat – it’s just a ‘dumb’ sensor detecting the appropriate Farad change,” Henderson said.
Another glaring omission, according to Henderson, is unlike Apple’s new M7 co-processor, Apple didn’t release an API for the sensor. “It would be fantastic if Apple would allow third parties to utilize the sensor as a second factor of authentication. Want to use your company’s VPN? Please enter your password and place your finger on the sensor. The additional security to mobile apps like banking, Facebook, Twitter and the like would be a no-brainer as well,” Henderson said.
The advice Henderson gives to Apple is to open things up to other uses. If they don’t, Henderson believes it will be inevitable for a grass roots effort to break it open to occur.
“We saw something similar when a bounty was placed on the first Apple computers with an Intel processor. Geohot effectively made himself famous by getting Windows to run on the Intel Macbook, which led Apple to release BootCamp.”