iPhoning It In

I’ve written before on the subject of smartphones, encryption, and data security.  And it’s probably fair to say that while smartphones have changed, my opinions haven’t. Then again, I’m rather set in my ways these days.
So it’s obvious for users that don’t like to have passwords on their devices (even if they head up a major public company) the advent of biometric readers on smartphones will at least be some improvement in security.

The fact is we already know that people are at, or beyond, the point at which they can absorb yet another password to remember and use.  Like some super-saturated solution, users are simply unable to absorb any more – and expecting them to be able to is pointless – it’s just not going to work.

It’s not surprising then that there is much excitement about the arrival of “impressive” new security features on the shiny new iPhone 5s. Magic fingerprint reading! What could be better? Away, away foul passwords! Now all I need is my fingerprint (handily attached to the end of my finger, by the way) and I’m safe and secure. Which was a nice idea – for a couple of days, anyway.

Then the hacker/security group CCC posted this little video which shows them (apparently) breaking into the phone using a high res printer and, of all things, wood glue.  (Who knew it was such a cool hacking tool as well as so useful for gluing, well, wood?)

The general consensus (rightly) on this is that most people who have an iPhone (and then lose it) aren’t going to be the subject to situation in which the hacker already has access to their fingerprint and is busy making copies for this kind of attack. Which means that, for most people, using the fingerprint reader is ok. 

But corporate security isn’t about what’s ok for most people. It’s about dealing with the black swans. It’s about measuring risk and reward and minimizing the former while maximizing the latter.

Frankly, it’s about being just paranoid enough.

And if that iPhone is used to access highly sensitive information, then you *do* need to worry about this kind of attack.

Securing mobile devices is important, and adding passwords (and yes, biometric readers) is worthwhile because it does move the ball down the field, and for most people it will be the difference between a major loss and a minor irritation. However, let’s never, ever forget that once a skilled attacker has physical access to a device, the rules change and all bets are off. Adding biometric readers to a smartphone, or frankly, any other security technology, doesn’t change the fact that a device I can lose in the back of a taxi or have my kid leave at school is not something that should be housing a large amount of highly secure data.

So we should expect controls like passwords and biometrics to act as barriers to low skilled attackers, and speed bumps to skilled attackers. At least when it comes to risk management thinking.

Ultimately then, we need to think of the device, especially a highly “losable” device like a smartphone, as a conduit to data, not a repository. And in the event they get lost/stolen/abducted by aliens, we need to be able to close that conduit.

In the end, as we move to a world of cloud services accessed from mobile devices, solving security problems are going to center more and more around monitoring for abnormal activity and managing access.

Because those are the things we can see, and actually control. Unlike, say, whose finger is on the iPhone right now.

What’s Hot on Infosecurity Magazine?