Monday 23 September 2013

Chaos Computer Club breaks Apple TouchID (the bad idea that is fingerprint biometrics, and 'it's cool to hack Apple now')

Well, it didn't take long: Chaos Computer Club breaks Apple TouchID

For me the key statement of that post is: "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token"

I have to say that I have never been involved in designing or testing fingerprint biometrics, but I always had this voice in the back of my head saying "...humm... the idea that the security ID cannot be changed really doesn't sound good, and once that ID is stored in digital format, there is nothing that can be done to prevent its reuse...."

The other interesting development is how Apple is now starting to suffer the same 'security pressure' as Microsoft once did.

For a while the focus of researchers and attackers was on Microsoft, simply because they had the biggest market share and it was cool/easy to 'break Microsoft products'.

But now that Microsoft has some of the most mature secure SDLs out there (i.e. it is harder to find bugs/exploits in Microsoft products) and Apple's 'exploit' brand is more valuable (in both kudos and target audience), Apple is going to have to pay a lot more attention to security, especially before criminals increase their attacks on Apple product users, who tend to 'think' they are secure simply because they are not using Windows.

In a way, the focus/pressure that security researchers are putting on Apple is very good for Apple, since it will 'empower' their internal security teams with more authority and resources (for example my good OWASP friend John Wilander, who is now on Apple's 'Proactive Product Security' team).