Amid both praise and criticism for the Apple iPhone 5s’s Touch ID fingerprint scanner and the new safety measures within iOS 7, a German security firm claims to have discovered a bug in the new mobile operating system. The glitch lets hackers overcome a safeguard that enables users to remotely wipe stolen or lost phones.
Security Research Labs in Berlin said Thursday that it had found a new vulnerability in iOS 7, which can give anyone enough time to hack into the iPhone to gain complete control of data, access email accounts and even potentially obtain the user’s bank accounts, Reuters reported.
“Once you have access to the email, you can engage in total online identity theft. You can get bank credentials or anything else,” Ben Schlabs, an SRL project manager in biometric security, told Reuters.
The security research firm also explained a method to bypass the Touch ID fingerprint scanner on the iPhone 5s that is easier than any demonstrated so far.
SRL posted a video on its website, outlining a scenario in which a criminal could steal an iOS 7-powered iPhone 5s, then use Control Center on the device’s lock screen to turn on Airplane Mode and disable the handset’s connectivity.
After disabling the phone’s connectivity, the hacker can use a fingerprint mold to bypass the lock screen and disable other security features.
SRL posted another video, showing how Touch ID can be compromised using information gathered from fingerprints left on the display of the victim’s phone. According to the security firm, a photo of the fingerprint taken with an iPhone 4s can be used for developing a mold.
The method for cracking the biometric security system is very similar to the one used by another German hacker group, the Chaos Computer Club, which claimed to have hacked Touch ID last week.
While it is not certain whether Apple (NASDAQ:AAPL) will come up with any fixes to address these issues, it’s worth mentioning here that users can avoid the simple bypass of the Remote Wipe feature by turning off access to Control Center from the lock screen.
Here are a few suggestions (courtesy of MacRumors) that SRL has offered to Apple to increase security effectiveness in iOS 7:
1. Make Airplane Mode inaccessible from the lock screen by default and require PIN after setting Airplane Mode or removing SIM Card.
2. Warn users not to store password-reset email accounts on iDevices.
3. When device is lost for good, advise users to revoke its privileges.
4. Do not inform potential attackers how the device is protected.
5. Upon reconnecting to the Internet, iOS should not allow email retrieval before the device’s wipe- or don’t-wipe status can be retrieved.