Smartphones are fast becoming a digital wallet with access to every part of our lives. From bank details and mortgages to private correspondence and photos, it’s all there for the taking. But we have fingerprint security so we’re safe, right?
Sadly not – that feeling of safety is starting to crack after hackers have managed to get past Apple’s TouchID fingerprint sensor, uncover PIN codes and even penetrating iris scanning security.
So are we smart using our phones to store our lives or is there a better way to make ourselves more secure, no matter the convenience?
The metrics that matter
Since Apple decided to back biometrics on the iPhone 5S, the inclusion of fingerprint readers on smartphones has become commonplace, with many apps and smartphone features now capable of being locked away from prying eyes on nearly all flagship handsets.
Where once it was a case of tapping in a long-winded password on your computer, now you can now authenticate your PayPal payments on some smartphones using your fingerprint, no PIN needed.
The worry here is that fingerprints can be quite easily lifted from anything touched – even a thrown away coffee cup when out and about (as long as the prospective bio-thief thinks you’re worth the hassle).
One hacker, known as Starbug, aka Jan Krisller, now famously lifted the German defense minister’s fingerprint using a photo.
Starbug was able to take a photo of the minister’s finger and printed off a replica using a laser printer. Techradar also managed to hack an iPhone’s TouchID, with the help of security company Vkansee, using a blob of Play-Doh – it’s that easy.
So what can be done if fingerprints aren’t enough? The next step appears to be iris scanning, which is being used on Windows Phones now in the shape of the Lumia 950 and Lumia 950XL, in theory making things even more secure as surely the human eye can’t be easily cloned, right?
Apparently not. Despite the complexity and individuality of the human eye, Starbug has devised a way to lift this ‘print’ too.
Using a 200mm lens SLR camera he once again accessed the German deference minister’s details, this time in the form of an iris print. Starbug claims he can copy that image onto a contact lens using a laser printer, which should unlock an iris recognition device.
So we’re never going to be safe?
All hope is not lost. Starbug points out that “liveness is very important” (although still maintains that he can overcome it). Certain biometrics work to scan the rhythms of the individual, for example a pulse inside the eye, when iris scanning. This is the future, where simple lifting and printing won’t be enough to fool the systems.
And there are more options coming down the line which would be even harder to spoof: NEC has a new method which scans the inside of your eardrum, which is says is unique to each person, to provide instant confirmation you are who you’re claiming to be within a second.
It requires you to put in a headphone which emits a sound that sends back a picture of the ear canal, and would be useful for a system that verifies a user before a secure phone call goes ahead – and NEC believes it can have this system live by 2018.
So when you hear that the systems we’ve come to rely on to keep our phones (and lives) secure are easily spoofed, it’s easy to get scared. We all live in fear on some level that the world is going to crack into our lives due to our own ineptitude.
But here’s the better news: while each of these systems can be fooled in isolation, it becomes much harder when they’re combined to create ‘multi-layer authentication’. Building in multiple levels of security could help to solve most of the the worries that the majority of us have over smartphone security.
And thankfully that doesn’t have to mean more hassle or time spent unlocking the device, which would mean some of us would simply switch it off because of the hassle.
Stuart Clarke, chief technology officer of cybersecurity at security data specialist Nuix, says combining different ways to authenticate who we are is the key to making sure we’re not carrying open doors to our lives in our pockets.
He explains that there are three layers to security: something you know, like a PIN; something you have, like a fob; and something you are, like fingerprint or iris.
He says: “Biometrics are good because you don’t have to write them down, however […] a fingerprint is a single source of failure.”
By using two or even three layers a person is far more secure. Clarke points out that this doesn’t have to be a pin and a fingerprint, but can be multiple layers of biometrics.
“Or do we engineer advanced hardware for sophisticated biometrics and combine behavioural algorithms to detect anomalies in user activities?” he posits.
Let’s explain how that might look: imagine a smartphone that reads your fingerprint, which then activates a facial recognition scan at the same time. Someone would be hard pressed to gain the information to falsify both layers of security and would find it even more difficult to actually fool the smartphone.
Of course it could still be done, neither is infallible. But the point is that by combining layers the weaknesses of one layer of security are lessened by added the next layer.
As Clarke points out a third layer, using something you own, could also be employed. Google already allows a user to let their phone unlock when connected to trusted Bluetooth devices. This could easily be coupled in to offer another layer of security, depending on the level that makes you feel safe.
The issue we have is that this next level of security is still theoretical. Google offers Two-Factor Authentication to access your accounts (where you’ll need to type in a password and have your phone handy to receive a passcode by text) thereby offering a different angle on security.
However, if you’ve lost your phone and someone is already inside, you’ve also possibly lost your Google account as well – so preventing access at all to your handset is imperative.
Smartphones being used as the second layer of authentication is great in the wider world of identity theft prevention, but we’re still waiting for the big smartphone brands to offer multi-layer authentication to the average user’s handset.
OK – you feel good. You’ve dropped the ‘0000’ PIN that you were using on your iPhone and created a longer, more random one, which you shield from scary people looking over your shoulder. Given PINs are still used by many smartphones, and indeed banks for card access, they’re safe, right? Again, maybe not.
Using a malicious app, researchers at Cambridge University were able to extract the PIN on an Android phone allowing them to capture data through the camera and microphone. And this was back in 2013. Since then hacker hardware has improved and more and more ways are cropping up to get past a PIN code.
This technique alone was able to correctly identify a four-digit PIN from a test set 30 per cent of the time after two attempts, rising to 50 per cent after five attempts.
Fast-forward to now and PIN codes are still up for debate when compared with biometrics. Clarke says: “Sadly, most PINs on mobile devices are four to six digits [long] and can be cracked with just a few lines of code, not to mention techniques like PINSkimmer. PIN code lock outs can prevent attacks on [these] codes but there are ways around it.”
The issue we have is that our phones still default to a passcode if we can’t scan our fingerprints – for instance, when our digits are cold or wet, so a thief that’s learned your code can still easily just get around the security on the device.
But there’s a big difference between someone that’s out to get the data specifically from your phone, and someone who has opportunistically spotted your PIN when you tapped it out on the train and nabbed your handset from your pocket when you weren’t looking.
Ricahrd Mogull, security information specialist and founder of Securosis, says biometrics are still ‘definitely better’ compared to a PIN, despite the possibility of bypassing them.
“Biometrics on a phone, especially the iPhone which ties the hardware to the software, allows you to use longer passcodes but keep the convenience of essentially no passcode at all. A four character PIN can be relatively easy to crack if you lose your phone.
“Your fingerprint is generally only a risk if you are targeted specifically and also lose your phone, and your fingerprint. It’s possible, but much less likely.”
When asked if phones ever have a hope of being truly safe he refers to the encryption they currently employ, pointing out: “They already are. Just ask the FBI.”