Security firm says iPhone bug can thwart device wiper

2013-10-04 07:30
New iPhone 5s handsets let people use their fingerprints to unlock the smartphones at an iPhone event at Apple's headquarters in Silicon Valley. (Glenn Chapman, AFP)


Boston - A German security company has uncovered a bug in the new iPhone's software that it said enables hackers to overcome a safeguard allowing users to remotely wipe stolen or lost phones.

Berlin's Security Research Labs, known as SRL, said on Thursday that the vulnerability could potentially give criminals time to break into the Apple phones, gain complete control of data, access e-mail accounts and then potentially take over the user's bank accounts.

The research firm also said it has figured out an easier way to crack the iPhone fingerprint scanner than has been demonstrated thus far.

SRL, which this summer disclosed a major security flaw in SIM card technology that affected mobile systems around the globe, said it has shared its research with Apple's security team.

Apple declined to comment. The company sometimes refrains from discussing potential security bugs while it reviews research.

Independent verification

If SRL's findings are verified, this would mark at least the fifth security bug in the iPhone and its iOS operating system uncovered since July. Apple has already fixed some of those flaws, including one disclosed at a summer hacking conference that made the devices vulnerable to snooping.

The company has remained silent since concerns have been raised about the security of its "Touch ID" fingerprint scanner on its top-of-the-line iPhone 5s, which went on sale in September.

A German hacker known as Starbug was able to crack Touch ID within two days of its release. Several experts in mobile security and biometrics say they have independently verified his work.

Apple's "Find My iPhone" feature aims to thwart thieves and hackers. It lets users log into Apple's iCloud and wipe a device, giving victims a chance to disable the phone before criminals can gain access. It also prevents criminals from registering those devices to another account.

Ben Schlabs, an SRL project manager in biometric security, said he has identified a new method for preventing those features from being initiated.

He was able to put an iPhone 5s on "airplane mode", cutting off iCloud's ability to communicate with the device to initiate the features. That bought him time to create a "fake finger" to fool Touch ID.

He said he created a fingerprint mould using the same basic approach as Starbug, who took a photo of an iPhone user's fingerprint with a high resolution camera, printed it out on a plastic sheet, then etched the mould.


Schlabs used a previous-generation iPhone 4S to take the photo. Once he gained access to the iPhone 5s with the fake finger, he looked up the user's e-mail address. He then went to Apple's website on an ordinary computer and instructed it to send credentials for resetting its password to the account of the phone's owner.

At that point, he turned off airplane mode for several seconds: Just enough time to retrieve e-mail, but not enough for the "Find My iPhone" feature to disable the device or initiate a wipe.

Once he reset the password, Schlabs said he was able to completely "own" the iPhone: He could take over accounts from outside e-mail providers, and reset passwords by getting e-mail providers to send SMS messages to the hijacked phone.

"Once you have access to the e-mail, you can engage in total online identity theft. You can get bank credentials or anything else," Schlabs said.

Chris Morales, a hacking expert and research director with NSS Labs of Austin, Texas, said the growing research on Touch ID underscores what members of the security community have long known: Biometrics are not as secure as passwords.

He said a facial recognition feature in Google's Android operating system has been defeated using photos.

"As bad as passwords are, it's more secure to know something than to be something," Morales said. "Biometrics only extends security for people who are extremely lazy."

iPhone users can take steps to mitigate the potential for attacks using the newly identified approach, Schlabs said. For instance, users can adjust the phone's settings to prevent airplane mode from being activated when devices are locked.

Customers in Australia, Ireland, New Zealand, the United Kingdom and the US can opt for two-factor authentication, which requires the user to enter a four-digit code that is sent to their iPhone or other device.