Mobile Security: Threat Modeling Apple's TouchID

InfoSec is usually a sliding bar between usability and security. When you gain one, you lose the other. The Apple iPhone 5s tries to balance usability and security with the release of TouchID.

Four-digit PINs are more secure than having no passcode—but they’re more annoying to use. And having no passcode at all is the simplest option for the user, but it offers no security.

Meet TouchID

Apple’s TouchID, which just launched on the iPhone 5s, looked to do something that isn’t often accomplished—to simultaneously improve both ease of use and security.

Compared to having no passcode whatsoever, using TouchID is slightly more complicated—but not much. But compared to using a four-digit passcode (which is what most people had, if anything), simplicity and security are both improved.

Threat modeling vs. a mobile phone

In order to say “security was improved”, one must ask, “Improved against what?” Threats matter. So let’s take a quick look at what the threats against 99 percent of mobile phones are:

  1. Friends / Acquaintances / Significant Others snooping on your device
  2. Theft of the device by common, opportunist criminals
  3. Targeting of your data by sophisticated attackers (criminals/government/etc.)

Looking at these three categories, the point should leap out at you:

TouchID was designed to counter the top two threats (acquaintances and common thieves), not sophisticated criminals. Those in the third threat class are not going to be stopped by either a passcode or a fingerprint because they have other ways of getting that data.

Is it anyone’s honest opinion that when faced with an advanced attacker targeting your data, it’ll be the passcode on your mobile phone that will protect you? (For one thing, they don’t need your physical phone to wage an attack.) In short, TouchID fails only in the scenarios where it cannot possibly succeed. This is also the area where there aren’t many good options in any case.

But for the situations it was built for, i.e. keeping the opportunist criminal and the overly curious from accessing your device, it advances the game in both security and simplicity.

--

Stay tuned for an upcoming analysis of the security features in the newly released iOS 7.

Daniel Miessler is a Principal Security Architect with Fortify on Demand, and can be reached at daniel.miessler@hp.com and on Twitter at @danielmiessler.

Tags: 5s| apple| iphone| TouchID
Comments
sunil vadher(anon) | ‎10-08-2013 11:00 AM
As soon as the iPhone 5 was introduced, someone broke the fingerprint lock / hacked it. Surprise. Mr. Sunil
About the Author
http://www.danielmiessler.com/about