Exclusive: Security firm says iPhone bug can thwart device wiper

A woman holds her new Apple iPhone 5S after buying it at an Apple Store at Tokyo's Ginza shopping district September 20, 2013. REUTERS/Toru Hanai

By Jim Finkle BOSTON (Reuters) - A German security company has uncovered a bug in the new iPhone's software that it said enables hackers to overcome a safeguard allowing users to remotely wipe stolen or lost phones. Berlin's Security Research Labs, known as SRL, said on Thursday that the vulnerability could potentially give criminals time to break into the Apple Inc phones, gain complete control of data, access email accounts and then potentially take over the user's bank accounts. The research firm also said it has figured out an easier way to crack the iPhone fingerprint scanner than has been demonstrated thus far. It published a video demonstrating the newly discovered flaws on its website https://srlabs.de/spoofing-fingerprints/ SRL, which this summer disclosed a major security flaw in SIM card technology that affected mobile systems around the globe, said it has shared its research with Apple's security team. Apple declined to comment. The company sometimes refrains from discussing potential security bugs while it reviews research. If SRL's findings are verified, this would mark at least the fifth security bug in the iPhone and its iOS operating system uncovered since July. Apple has already fixed some of those flaws, including one disclosed at a summer hacking conference that make the devices vulnerable to snooping. The company has remained silent since concerns have been raised about the security of its "Touch ID" fingerprint scanner on its top-of-the-line iPhone 5S, which went on sale last month. A German hacker known as Starbug was able to crack Touch ID within two days of its release. Several experts in mobile security and biometrics say they have independently verified his work. ANOTHER WAY TO SKIN A CAT Apple's "Find My iPhone" feature aims to thwart thieves and hackers. It lets users log into Apple's iCloud and wipe a device, giving victims a chance to disable the phone before criminals can gain access. It also prevents criminals from registering those devices to another account. Ben Schlabs, an SRL project manager in biometric security, told Reuters he has identified a new method for preventing those features from being initiated. He was able to put an iPhone 5S on "airplane mode," cutting off iCloud's ability to communicate with the device to initiate the features. That bought him time to create a "fake finger" to fool Touch ID. He said he created a fingerprint mold using the same basic approach as Starbug, who took a photo of an iPhone user's fingerprint with a high resolution camera, printed it out on a plastic sheet, then etched the mold. Schlabs used a previous-generation iPhone 4S to take the photo. Once he gained access to the iPhone 5S with the fake finger, he looked up the user's email address. He then went to Apple's website on an ordinary computer and instructed it to send credentials for resetting its password to the account of the phone's owner. At that point, he turned off airplane mode for several seconds: just enough time to retrieve email, but not enough for the "Find My iPhone" feature to disable the device or initiate a wipe. Once he reset the password, Schlabs said he was able to completely "own" the iPhone: he could take over accounts from outside email providers, and reset passwords by getting email providers to send SMS messages to the hijacked phone. "Once you have access to the email, you can engage in total online identity theft. You can get bank credentials or anything else," Schlabs said. Chris Morales, a hacking expert and research director with NSS Labs of Austin, Texas, said the growing research on Touch ID underscores what members of the security community have long known: biometrics are not as secure as passwords. He said a facial recognition feature in Google Android operating system has been defeated using photos. "As bad as passwords are, it's more secure to know something than to be something," Morales said. "Biometrics only extends security for people who are extremely lazy." IPhone users can take steps to mitigate the potential for attacks using the newly identified approach, Schlabs said. For instance, users can adjust the phone's settings to prevent airplane mode from being activated when devices are locked. Customers in Australia, Ireland, New Zealand, the United Kingdom and the United States can opt for two-factor authentication, which requires the user to enter a four-digit code that is sent to their iPhone or other device. (Reporting by Jim Finkle; Editing by Edwin Chan, Martin Howell, Tiffany Wu and Phil Berlowitz)