iPhone 6 Touch ID has already been hacked


That was quick. Marc Rogers, Principal Security Researcher at Lookout, has managed to break the iPhone 6 Touch ID feature, and posted how he did it. Marc is the guy who did the same thing on the iPhone 5s when it came out about a year ago. What isn't so good is that, despite a few noted improvements in the new version (a higher-resolution sensor, for example), Marc used the exact same procedure to hack the iPhone 6 Touch ID as he did with the iPhone 5s version - basically with a bit of fingerprint powder and super glue.

While I don't see this as a show stopper for Apple Pay, it doesn't look good, and comes at a time when Apple is already on the defensive about security because of the recent iCloud hacking incident involving nude celebrity photos. Marc does note that the hack is hard to do, but I can see someone developing the necessary skill set when the stakes are high (for example, to break into some VIP's iPhone).

I've thought for a long time that fingerprint biometrics work better as a usability feature than as a security feature. For something like mobile payments, both usability and security are paramount. The technology offers a measure of security (just like the lock on your front door offers a measure of security ... if someone really wants to break it, and has the skills, time, and patience, they will do it). The security flaws of fingerprint biometrics - vulnerability to spoofing, etc. - have been widely discussed for years and are well known. Apple even acknowledged that they're aware of these flaws in their patent filing for the Touch ID technology.

A vulnerability in a given security control doesn't mean that it shouldn't be used: it just means that when it is used, it should be part of a well-conceived, defense-in-depth strategy, with additional security layers in place for when the control fails. Apple has provided additional layers - for example, the kill switch feature available for all iOS 8 devices, and the use of card number tokenization in Apple Pay. But I still think there's room for improvement with Touch ID.

(Via The Official Lookout Blog)

Locks, keys, and passwords have all seen their heyday


When I first started paying attention to smartphone-based locks, I was worried about them being hacked and their batteries going dead. Still am. I initially thought that we would still be defaulting to physical locks and keys for some time to come. But it turns out that those are compromised as well, with usable replicas of some of the most secure keys - so-called bump keys - now able to be 3D printed.

With passwords falling out of favor at the same time (for good reason), we're going to have to reinvent how we securely access things, both physical and virtual, in the future. Very interesting times are ahead for authentication and access management technology. I guess we'll end up with an electronic something or other with wearables, biometrics, device fingerprinting and data analytics somewhere in the mix, but I expect a good bit of trial, error, security incidents, and maybe a startup bubble between now and then. The key (as it were) will be to strike that magic and elusive balance between security, usability, speed, and cost.

(Via Wired)

Singapore is building one of the world's first smart airports

Singapore's Changi Airport is transforming itself into one of the world's first smart airports, with the help of Singapore integrator ST Electronics. In the initiative, dubbed Intelligent Airport, all aspects of Changi's operations, from flight arrivals and departures to baggage handling and passenger movement, will be tracked via sensors which feed data to a unified operations center. Data visualization and predictive analytics software, combined with real-time alerts sent to staff mobile devices, will increase airport management's ability to both predict and react to changing situations in the airport, including, of course, security incidents. Specific security incident management enhancements include:

  • Smart fences, with sensors that can detect unusual movement around the airport property and direct cameras towards the event; the cameras then zoom in and create a live feed.
  • CCTV cameras with face recognition that can home in on evolving incidents, identify known actors (both friendly and hostile) and quickly direct security personnel to the scene.

The Intelligent Airport is in its early stages, and many details of the project have not been released publicly. You can get a bit more detail about it here in ST Electronics' Electronics Review (PDF download - scroll to page 22).

I'm sure that airports all over the world will be keeping a keen eye on this pioneering initiative, and it will be very interesting to see how the whole thing turns out. The promise of increased operational efficiencies and a more secure environment is great, although what's not yet clear is how much all this will cost, and the airport's ultimate return on investment.

It's not too surprising to see this happening first in Singapore, which has long been willing to invest in strategic infrastructure to keep its competitive economic edge. There's a defensive factor as well, with Middle Eastern airports like Qatar, Dubai, and Abu Dhabi making inroads into Changi's share of global air traffic. As a small city state, Singapore has to continually reinvent itself to stay viable. It's a tough hand to play, but the results are often impressive.

(Via Wired)

Biometric ATMs are coming to Europe

Fujitsu has launched an ATM that uses a proprietary palm vein recognition system, PalmSecure, to authenticate customers. Fujitsu hopes to deploy these units to replace some of the 245,000 ATMs across Europe that are due to be retired in the next five years - and as part of the 40,000 new ones that are expected to be added. (Via Finextra)