Apple recently (Sep 12 2017) announced the release of new hardware, most notably the Apple iPhone X. (Tech note: "iPhone X" is pronounced "iPhone ten" (the number) and not "iPhone ks" (the letter).) There were also updates to its flagship mobile operating system, iOS 11. Aside from several significant new features and updates, there are also new iOS 11 features that relate to security.
Often when examining the contents of an iPhone (either by an attacker who steals the phone or by law enforcement officials) one of the first steps is to plug the phone into a computer for a forensic analysis. The iPhone would then display a message asking if the user was willing to trust the new computer before exchanging any data. Yet no authentication was involved in completing this step: anybody could tap OK and then upload the phone's contents to the computer for analysis. (Legal Note #1: Customs and Border Protection agents can take advantage of a loophole in the Fourth Amendment and search the device of someone entering the country, even an American citizen, without obtaining a warrant.) However, with the new iOS 11, when a phone is connected to a computer, not only must OK be tapped but the phone's passcode or PIN must also be entered. This prevents an unauthorized person from downloading and then analyzing data from the phone.
Another feature involves the Apple Touch ID. Touch ID was introduced four years ago and uses a fingerprint for authentication based on biometrics. However, the Touch ID has been shown to not provide a strong degree of security. An attacker could place the finger of a sleeping or unconscious iPhone owner on the home button to unlock the phone. Evidently that's what occurred last December when a six-year-old girl from Arkansas used the finger of her mother, who was sleeping on the couch, to unlock her mother's iPhone. The young girl then proceeded to order $250 worth of 13 different types of Pokemon gear. When her parents received 13 order confirmations they first thought that attackers had compromised their account, but later realized it was the work of an insider--their own daughter. When asked about the incident, the daughter calmly replied, “No, Mommy, I was shopping. But don’t worry—everything that I ordered is coming straight to the house.” (In a charitable gesture, instead of returning the loot the parents gave away nine of the items to relatives but kept four items for their daughter as Christmas presents, telling her that Santa Claus found out about her Amazon wishlist. Who says crime doesn't pay?). But more sophisticated attacks on the Touch ID, which involve "lifting" a fingerprint off an item to make a replica in order to trick the phone, have also been successful.
An update in iOS 11 involves Touch ID and gives protection against someone forcing your finger onto the home button to unlock the phone (this can also prevent a child in your house from purchasing Pokemon gear while you're asleep). Suppose an authority figure (or a very big person) demands that you turn over your iPhone immediately. Because Touch ID is activated you know that once you hand it over the next step will be for you to unlock it with your finger, either willingly or unwillingly. (Legal Note #2: Courts have ruled that criminal suspects cannot plead the Fifth Amendment and refuse to offer their fingerprints to unlock a phone, as they sometimes can with a password or passcode.) With iOS 11 you can quietly tap the phone's home button five times to enable the lock screen (this lock screen has options such as allowing you to make an emergency phone call or providing the owner's emergency medical information). This also silently disables Touch ID, so that a passcode is required to unlock the phone. Powering the device off works too, albeit somewhat slower.
A second category of iOS 11 security involves the new Face ID, which we will cover in Part 2.