An Israeli security researcher has found another way round
Apple’s Fingerprint ID security system – this time via a two-step
lock-screen glitch which works with the new iOS update 7.0.2 and allows
attackers access to the Phone app, including potentially valuable
contact data such as the owner’s phone number and home address.
The “hack” is one of several such glitches which have exploited Apple’s “voice assistant” Siri, according to The Register - some of which were closed off in the recent update, 7.0.2.
Researcher Dany Lisiansky said
via his Twitter account, “Great update, Tim Cook! In my video, I
demonstrate the use of two Lock Screen bypass glitches. The first one to
initiate the phone call (using an emergency call glitch). And the
second one to get access to the phone app.”
The bypass glitch allows access to iPhone’s phone app, which could
offer a spouse or cybercriminal valuable contact information, including
addresses, email addresses and phone numbers.
Lisiansky says, “Steps to reproduce:
1. Make a phone call (with Siri / Voice Control).
2. Click the FaceTime button.
3. When the FaceTime App appears, click the Sleep button.
4. Unlock the iPhone.
5. Answer and End the FaceTime call at the other end.
6. Wait a few seconds.
7. Done. You are now in the phone app.”
Apple’s Siri voice control has been the target of various
hacks against the device, both on the current iOS 7, and on previous
versions. Andy Greenberg of Forbes described the new hack as a “reminder
to turn Siri off on your lockscreen.”
At launch, Apple’s senior vice president of marketing, Phil
Schiller, described iPhone 5S as the “most forward-thinking smartphone in
the world.” Apple’s handsets are often targeted by hackers who vie to be
first to “jailbreak” each new operating system – but the Fingerprint ID
system in iPhone 5S has drawn the most attention with this update, with
researchers attempting various methods to “get round” the security
device.
Last week, Germany’s Chaos Computer Club demonstrated a method to “fool” the sensor - and warned users not to leave secure data on iPhone 5S. Their method was laborious, however – involving the use of forensics equipment, a laser printer, transparency slides and wood glue.
ESET Senior Researcher Stephen Cobb says that such hacks do not “prove” that biometric security cannot work.
“Bear in mind the effort required to defeat the biometric,
and also to crack your iPhone password, then ask yourself how many
people want your iPhone data that badly,” Cobb says.
“There is a constant tension between claims of security and
efforts to undermine that security. It is clearly true that having to
supply a fingerprint as well as a password to access the iPhone 5S, or
anything else, makes the data on the device more secure against certain
types of attack than only requiring one form of authentication.
“Whether that added level of security is enough for you to trust
“sensitive” information to your iPhone is a question for each user to
answer. Would I put priceless IP on a mobile phone? No. But read what it
takes to beat the fingerprint reader and ask yourself who would go to
that trouble for the stuff you do have on your phone.”