German security firm says iPhone bug can help hackers thwart device wiper


By Jim Finkle, Reuters

BOSTON–A German security company has uncovered a bug in the new iPhone’s software that it said enables hackers to overcome a safeguard allowing users to remotely wipe stolen or lost phones. Berlin’s Security Research Labs, known as SRL, said on Thursday that the vulnerability could potentially give criminals time to break into the Apple Inc phones, gain complete control of data, access email accounts and then potentially take over the user’s bank accounts. The research firm also said it has figured out an easier way to crack the iPhone fingerprint scanner than has been demonstrated thus far.

SRL, which this summer disclosed a major security flaw in SIM card technology that affected mobile systems around the globe, said it has shared its research with Apple’s security team.

Apple declined to comment. The company sometimes refrains from discussing potential security bugs while it reviews research.

If SRL’s findings are verified, this would mark at least the fifth security bug in the iPhone and its iOS operating system uncovered since July. Apple has already fixed some of those flaws, including one disclosed at a summer hacking conference that made the devices vulnerable to snooping.

The company has remained silent since concerns have been raised about the security of its “Touch ID” fingerprint scanner on its top-of-the-line iPhone 5S, which went on sale last month. A German hacker known as Starbug was able to crack Touch ID within two days of its release. Several experts in mobile security and biometrics say they have independently verified his work.

Another Way to Skin a Cat

Apple’s “Find My iPhone” feature aims to thwart thieves and hackers. It lets users log into Apple’s iCloud and wipe a device, giving victims a chance to disable the phone before criminals can gain access. It also prevents criminals from registering those devices to another account.

Ben Schlabs, an SRL project manager in biometric security, told Reuters he has identified a new method for preventing those features from being initiated. He was able to put an iPhone 5S on “airplane mode,” cutting off iCloud’s ability to communicate with the device to initiate the features. That bought him time to create a “fake finger” to fool Touch ID.

Most iPhone users can take steps to mitigate the potential for attacks using the newly identified approach, Schlabs said. For instance, users can adjust the phone’s settings to prevent airplane mode from being activated when devices are locked.
Customers in Australia, Ireland, New Zealand, the United Kingdom and the United States can opt for two-factor authentication, which requires the user to enter a four-digit code that is sent to their iPhone or other device.