Smartphones' security enhancements just make them more dangerous

Over the holidays I bought Apple’s newest, shiniest face scanner. For the first fortnight - and periodically since then, that constant lift-and-scan felt weird. As though my smartphone had suddenly become too intimate, too familiar. This is hardly the thin end of the wedge. It started with passcodes - which many people didn’t …

  1. John Smith 19 Gold badge
    Coat

    "a rapid DNA analyzer a la GATTACA -"

    I was thinking "La Femme Nikita"*

    *But only for the highest security secrets.

    1. Norman Nescio Silver badge

      Re: "a rapid DNA analyzer a la GATTACA -"

      It's not here yet, but it might be closer than you think.

      Oxford Nanopore's MinION "works by pulling DNA through around 500 nanoscopic pores and reading it as it passes through by measuring an electrical signal produced by each nucleotide" [Product details]

      What that article doesn't say is that the sample requires some rather involved pre-processing first [pre-processing kits], and the disposables are 'a bit' expensive....but they are working on the pre-processing bit.

      As for the size, the MinION is 'mobile phone sized', but they plan a sequencer that is smaller - the SmidgION.

      I know this seems like a product placement advertisement for Oxford Nanopore, but I have no connection, and I don't even use their products. It just looks like interesting technology to me - I found it when reading about it in 'The Economist' in an article about the Cassava Virus Action Project

      1. Anonymous Coward

        DNA scans would be no better

        You leave DNA all over the place. Someone just needs to grab the straw you've been drinking out of, your lipstick, your hairbrush (yeah it sounds like women would be easier targets here...) or whatever along with your phone. Just like someone could get accurate scans of your face to produce that 3D model, or snag your fingerprints off a glass or your phone itself, and so forth.

        Maybe if they embed a THz scanner it could map the blood vessels in your brain, though you might need to swallow something for contrast first...

        1. eldakka
          Coat

          Re: DNA scans would be no better

          > drinking out of, your lipstick, your hairbrush (yeah it sounds like women would be easier targets here...)

          >...

          > though you might need to swallow something for contrast first...

          So still targeted mostly at women then?

  2. Charles 9

    But what if it's not temporary safety we're buying but safety full stop (IOW peace of mind) without which we'd drive ourselves crazy living like Damocles and start wondering if civilization is worth all this?

    IOW, if Franklin really is right, then human civilization is essentially doomed.

    1. MacroRodent

      Muddle through

      IOW, if Franklin really is right, then human civilization is essentially doomed.

      He is both right and wrong. These things are not absolutes no matter what the extremists say. Civilization will just muddle through in the middle, as it has always done.

    2. wolfetone Silver badge

      "Safety full stop" would begin by not buying them at all.

      1. Charles 9

        I disagree. Not buying them means living under the Sword of Damocles, which by definition means "you're NEVER safe." Which means no peace of mind. Which is why I'm saying if the ONLY way to get ANY measure of safety is to give up your liberty, then what's the damn point of civilization at all? You're basically back to The Jungle.

        1. israel_hands

          How the hell does not buying a smartphone leave someone under the Sword of Damocles? If you don't rely on a single device to hold almost your entire life then by definition all your private data is spread between disparate systems and so not vulnerable to being compromised by a single strategic security mistake, regardless of whether you're advocating passwords, biometrics or anything else.

          It's the very fact that smartphones hold so much in a single package that makes them so dangerously vulnerable and also so valuable if compromised.

          Also, try to avoid randomly capitalising so many words. It's like you're channelling the keyboard mashing of the Bombastic Knob.

          1. Charles 9

            Not buying a smartphone; buying a little peace of mind. What price peace of mind?

  3. redpawn

    Keeping Honest People Honest

    That's what a lock does. It keeps your spouse and children honest.

  4. Anonymous Coward

    A numerical pin code with a randomised layout is all you ever need in my opinion. I'm not paranoid but I would never give a phone (corporation) my fingerprint, face and certainly not my DNA.

    1. Sir Runcible Spoon
      Coat

      I'm not sure about anyone else, but I would much prefer not to store my life on a vulnerable device in the first place, that way I don't give a shit (other than the inconvenience) if it gets lost/stolen/hacked.

  5. 45RPM Silver badge

    Since your fingerprint (or face, or (presumably) DNA) is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud, I’m not hugely worried that this represents a security loophole. It might be a security hole, of course, but it’s insignificantly small compared with the massive security error that social networks represent.

    Through tools like Facebook, criminals can fairly easily work out your mother’s maiden name, your place of birth, your real birthday (assuming that you haven’t been foolish enough to explicitly tell them), and may even in some cases divulge what you’re spending your money on, when and how much.

    With that little haul a malfeasant should be able to unlock your life without going to the inconvenience of nabbing your phone first. I think that putative problems with (correctly implemented) facial and fingerprint recognition are only worth worrying about once the far bigger security issues that millions face everyday have been resolved.

    1. imanidiot Silver badge

      That's all well and good. It's how it's supposed to work. But how does the average user figure out if that is ACTUALLY how it's implemented? For all we know One or Xiaomi or Samsung thought, meh, to hell with all that, and stores them in plain text in the ROM. Someone skilled in phone OSes might figure that out (and lack of news about such stupidity seems to indicate it's done correctly) but "Joe Average" can't.

      And has been pointed out before, fingerprints should be considered a username. Not a password.

    2. DaLo

      "...is stored as a salted hash in the Secure Enclave of the phone, unreadable and unsynchronised with the cloud..."

      But what if, and I know this is pushing bounds of reality, a processor had a flaw that allowed un-privileged access to the secure enclave you mentioned, either by being able to read the encryption keys, the salt or directly from the authentication mechanism.

      However there is not much chance that a processor would have a design flaw like that, is there?

      1. 45RPM Silver badge

        @DaLo - such flaws, as we’ve seen over the past month, are entirely possible - but likely to be devilish difficult to exploit. And, given that there are easier means of stealing someone’s life (as discussed earlier), why would you bother?

        1. Sir Runcible Spoon

          And, given that there are easier means of stealing someone’s life (as discussed earlier), why would you bother?

          It used to be the case that we argued against security through obscurity (i.e. it doesn't work) but you seem to be implying that security through ignorance *will* work.

          Seriously, you have no idea whether there is a trivial way to exploit these processor bugs or not, and you also have no idea as to whether someone who wants to access your system will bother or not (assuming it is non-trivial).

          That kind of approach to security leads to moments of regret later on, guaranteed.

          1. 45RPM Silver badge

            @Sir Runcible Spoon

            You misunderstand me, or rather, perhaps I haven't been entirely plain in my meaning. I'm not saying that these security issues in hardware should be ignored, or that they aren't worth fixing. I'm saying that, if you want to steal someone's life (bank account details, identity and so forth) there are easier means than trying to bypass biometric security.

            Put another way, I'm not suggesting for one moment that one should ignore flaws in the design of the lock, or put off replacing the lock with one that is more secure, I'm merely saying that a criminal is unlikely to force the lock if the kitchen window has been left open.

            Social networks are akin to an open window. The people who need to concentrate on more secure locks are those who eschew social networks in the first place (a minority these days, it seems). Those who have social network accounts probably need to look to deleting those first before worrying about how secure the biometrics on their phone are - because, realistically, the phone's biometrics are going to be considerably more secure than their digital online presence, no matter how badly the phone's manufacturer implemented it.

            I'm certainly not arguing for security through ignorance - quite the opposite. I'm suggesting that one should plug the bigger hole before concentrating on the smaller one. But yes, I agree with you entirely that security through ignorance (or obscurity) "leads to moments of regret later on, guaranteed."

            1. Sir Runcible Spoon

              Thanks for clarifying, I thought you were referring to the processor bugs in particular, but that doesn't change anything I don't suppose.

              Totally agree on fixing the most commonly exploitable holes first. Not having a smart phone or social media accounts (apart from this one) I tend to immediately focus on the next line of defense, such as fixing processor bugs etc.

              1. 45RPM Silver badge

                Upvote for dodging the social poison pill!

    3. Adam 1

      > Since your fingerprint (or face, or (presumably) DNA) is stored as a salted hash in the Secure Enclave of the phone

      Disclaimer, it has been a few years since I last looked into facial recognition (wasn't quite up to snuff back then), but I work on systems with deep integration of fingerprint and vein scan as well as regular password authentication.

      Hashed authentication for passwords/passcodes works because you can* store Hash(secret + salt) and later test whether Hash(guess + salt) == stored value without storing the secret itself. You don't need that secret, just statistical proof that it is nigh impossible for the guess to not be the actual secret**.

      Biometric templates are different because you are not able to get an identical scan for verification. Even two photos taken on the same camera on a tripod in a studio seconds apart will have subtle differences. If you were to perform a subtraction operation on the bitmaps, it would not be pure black. Because of this, templates are more like a series of measurements of angles and ratios of various features. It can be thought of as a template in the sense that you can't take those numbers and reconstruct the original scan/photo, but the verification logic needs to have those numbers to determine whether the candidate finger/face is "close enough" to the template. (This is why we can meaningfully talk about false accept rate and false reject rate for biometrics). My point is that you can encrypt the template but you cannot hash it.

      *But please don't. Google scrypt or bcrypt and use one of them.

      **Aka a collision
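The contrast drawn in the comment above, as an added example that is not from any commenter or from a real biometric product: a salted scrypt digest supports exact-match passcode checks, while a feature-vector template has to be compared by distance against a threshold. The feature vectors, the 0.05 threshold and all function names are constructed assumptions.

```python
import hashlib
import hmac
import math
import os
import struct

def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash (scrypt) of a passcode; only this digest is stored."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def verify_secret(guess: str, salt: bytes, stored: bytes) -> bool:
    """Exact match: Hash(guess + salt) == stored, compared in constant time."""
    return hmac.compare_digest(hash_secret(guess, salt), stored)

def hash_template(features, salt: bytes) -> bytes:
    """Hash a template's raw measurements (shown only to demonstrate the failure)."""
    raw = struct.pack(f"<{len(features)}d", *features)
    return hashlib.sha256(salt + raw).digest()

def template_distance(enrolled, candidate) -> float:
    """Euclidean distance between two feature vectors."""
    return math.dist(enrolled, candidate)

def template_matches(enrolled, candidate, threshold: float = 0.05) -> bool:
    """'Close enough' check; needs the enrolled numbers themselves, not a hash.
    Raising the threshold trades false rejects for false accepts."""
    return template_distance(enrolled, candidate) <= threshold

# Constructed sample data: ratios/angles for one enrolled finger, a second
# scan of the same finger with sensor noise, and a different finger.
ENROLLED = [0.412, 1.273, 0.884, 2.051, 0.337]
RESCAN = [0.409, 1.281, 0.880, 2.047, 0.341]
OTHER = [0.702, 0.915, 1.430, 1.612, 0.598]

def demo() -> dict:
    salt = os.urandom(16)
    stored = hash_secret("493817", salt)  # constructed passcode
    return {
        "pin_ok": verify_secret("493817", salt, stored),
        "pin_wrong": verify_secret("493818", salt, stored),
        # Same finger, slightly different numbers: the digests never agree.
        "hashed_rescan_equal": hmac.compare_digest(
            hash_template(ENROLLED, salt), hash_template(RESCAN, salt)),
        "rescan_matches": template_matches(ENROLLED, RESCAN),
        "other_matches": template_matches(ENROLLED, OTHER),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
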

  6. RyokuMas
    Stop

    Too late...

    "Or will we be so afraid of our digital selves falling into the wrong hands..."

    They already have - Google, Facebook, Apple, Microsoft, etc., etc...

    1. Anonymous Coward
      Big Brother

      Re: Too late...

      You forgot several governments...

    2. Anonymous Coward

      Re: Too late...

      We’ve always had to be careful when transporting objects of great value. It may be that we decide the wiser course is simply not to transport them at all.

      Obvious solution then: don't carry your data, put it in The Cloud instead.

      1. Anonymous Coward

        Re: Too late...

        "Obvious solution then: don't carry your data, put it in The Cloud instead."

        All you have to carry then is effectively the key to the safe. Lose the key - then quickly change the lock after using a spare key.

        However - that assumes that the safe's lock cannot be breached by other means.

        1. Sir Runcible Spoon
          Facepalm

          Re: Too late...

          Obvious sarcasm is obvious.

          1. Charles 9

            Re: Too late...

            The last sentence covers that. Basically, can you trust the safe owners to not possess a skeleton key? Perhaps one mandated by the government and concealed under a D-Notice?

  7. SpammFreeEmail

    Any Biometric is the least secure model I can think of.....

    While it may protect your device if the device is stolen there are far too many ways to collect fingerprint, facial and DNA data metrics to be able to 'spoof' them to fool the device.

    Any security model that relies on anything other than a secret known to and stored in the owner's memory is fundamentally a flawed model, convenience is no substitute for a properly implemented strong security model.

    1. Psy-Q

      Re: Any Biometric is the least secure model I can think of.....

      Although it's a different story when the best secret that people can come up with is 123456.

      1. Anonymous Coward

        Re: Any Biometric is the least secure model I can think of.....

        --->Although it's a different story when the best secret that people can come up with is 123456.

        That's easy to fix:-

        1. It's a training issue and if people don't want to protect themselves that's a personal choice.

        2. 'Force' different levels of password/pin implementation onto the device (i.e. no usage of more than two continuous numbers, no usage of duplicate numbers).

        The reason these things aren't done 'properly' is people bitch about it, then complain when their data gets stolen and they haven't taken sensible simple precautions themselves.

        While I don't believe in the nanny state, I also don't believe that dumb fucks should drive security implementation models, security models should NOT be dictated by the dumbest/laziest common denominator.

        I'm reminded of a conversation I had years back when banks started to implement pin based security for phone banking, I had a multi week stand up argument with an implementation team manager who was happy to use a model that allowed staff to see the WHOLE pin number, rather than have to ask for say digits 3 and 5 of the pin which were then entered into a hidden field system for verification. When I asked what his view was when it was offshore staff doing the security checking and they would also have access to the whole number, he stated that wasn't his problem, that was the offshore contractor's problem to manage. How I didn't punch him in the mouth I'm not quite sure to this day.

        1. Sir Runcible Spoon

          Re: Any Biometric is the least secure model I can think of.....

          I downvoted you because you missed an opportunity to lamp one of the fuckers that put us in these kind of messes :p

        2. Charles 9

          Re: Any Biometric is the least secure model I can think of.....

          "While I don't believe in the nanny state, I also don't believe that dumb fucks should drive security implementation models, security models should NOT be dictated by the dumbest/laziest common denominator."

          You MUST. They're the majority, and they outVOTE and outSPEND you. That's why you MUST take the Stupid User into consideration if you want to stay in business long-term.

          PS. Some people really DO have serious memory problems where "123456" becomes "271052" and "correcthorsebatterystaple" becomes "donkeyenginepaperclipwrong". AND they're too proud to ask for help. Yet if you don't deal with these kinds of people, what they house can take other people with them...including potentially YOU thanks to unknown connections.

          1. Anonymous Coward

            Re: Any Biometric is the least secure model I can think of.....

            Maybe they need to embed an fMRI scanner and have you think of the password. Since my brain presumably looks different thinking of 123456 than yours it might work :)

        3. eldakka

          Re: Any Biometric is the least secure model I can think of.....

          > 2. 'Force' different levels of password/pin implementation onto the device (i.e. no usage of more than two continuous numbers, no usage of duplicate numbers).

          You've just reduced the size (difficulty) of the problem set that has to be solved for a brute-force password attack by including those restrictions.
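To put a number on the trade-off raised in this sub-thread, the following added example (not code from any commenter) enumerates every PIN of a given length and counts how many survive the two proposed rules. It assumes "duplicate numbers" means no digit may appear twice and "more than two continuous numbers" means no run of three adjacent digits stepping by +1 or -1; the function names are hypothetical.

```python
import math
from itertools import product

def has_run_of_three(digits) -> bool:
    """True if three adjacent digits ascend or descend by exactly 1 (e.g. 456, 987)."""
    for a, b, c in zip(digits, digits[1:], digits[2:]):
        if b - a == c - b and abs(b - a) == 1:
            return True
    return False

def allowed(pin: str) -> bool:
    """Apply both composition rules as interpreted in the lead-in (an assumption)."""
    digits = [int(ch) for ch in pin]
    if len(set(digits)) != len(digits):  # a digit is repeated
        return False
    return not has_run_of_three(digits)

def keyspace(length: int) -> dict:
    """Count PINs of the given length before and after the rules are applied."""
    total = 10 ** length
    ok = sum(1 for combo in product("0123456789", repeat=length)
             if allowed("".join(combo)))
    return {
        "total": total,
        "allowed": ok,
        "bits_before": math.log2(total),
        "bits_after": math.log2(ok),
    }

if __name__ == "__main__":
    for n in (4, 6):
        k = keyspace(n)
        print(f"{n}-digit PINs: {k['allowed']} of {k['total']} remain "
              f"({k['bits_before']:.2f} -> {k['bits_after']:.2f} bits)")
```

For 4-digit PINs the rules leave 4,830 of 10,000 candidates, roughly one bit less for an exhaustive search; the rules also remove commonly chosen values such as 1234 and 1111, which a uniform count does not capture.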

      2. eldakka

        Re: Any Biometric is the least secure model I can think of.....

        Stop looking over my shoulder when I unlock my luggage!

    2. Anonymous Coward

      Re: Any Biometric is the least secure model I can think of.....

      'there are far too many ways to collect fingerprint, facial and DNA data'

      Yeah, and another essential part of any lock / key system is the ability to change the lock, if you know that someone has been to Timpson's and had a duplicate key cut. Assuming that it's possible to spoof someone's face / fingerprints / dna.... How can I rescind any of that stuff when it's compromised? Plastic surgery? Using a stanley knife to adorn my fingerprints? Some kind of DNA editing? None of them seem like particularly pleasant options to me.

      1. Sir Runcible Spoon
        Joke

        Re: Any Biometric is the least secure model I can think of.....

        Here's an interesting thought exercise: If an individual* cannot remember a password more complex than '123456' etc. what is the statistical likelihood that the data they are carrying will impact anyone other than themselves if the data is compromised.

        *All government employees are exempt

  8. tiggity Silver badge

    DNA

    Might be a bit awkward, you could easily have some other person's DNA on your fingers.

    I imagine p***y grabbing POTUS would be positively disappointed if a day passed where he did not get other DNA on his hands

    Seriously, DNA to unlock a phone is massively insecure (but so are fingerprints, faces so it might happen!)

    Mine's the one with the long PIN

    1. Ken 16 Silver badge

      Re: DNA

      POTUS is like a really smart genius, no-one could possibly guess his password

      1. Anonymous Coward

        Re: DNA

        covfefe

  9. Pat 11

    To know != to be

    Shifting from something you know to something biometric is dumb as fuck. All the enemy need to do is wave your phone in front of your face and they're in. At least with a pin you have to consciously divulge something.

    1. Paul Crawford Silver badge

      Re: To know != to be

      And presumably you could have multiple PINs that unlock the phone in different, possibly partially data-erasing, ways?

      Or is nobody as paranoid / devious as me in the outside world? Or do we simply not put such stuff on our phones because we trust them as far as we can comfortably spit a rat?

  10. steelpillow Silver badge
    Pint

    My old Nokia

    This piece is a great advertisement for keeping my old Nokia another couple of decades.

    Or at least, until I can get a strap-down device (smartwatch?) with strongly encrypted cloud connectivity.

  11. Velv
    Pirate

    Didn't they circumvent the DNA checks in Gattaca quite easily?

  12. israel_hands

    If the author is unconvinced with using his face to unlock his phone why doesn't he just use a PIN? My new phone's got a fingerprint scanner built in but there's no way I'd ever enable it. That sort of idiocy is for people who can't tell the difference between a username and a password and don't know how easy it can be to spoof the biometrics.

    1. Charles 9

      "If the author is unconvinced with using his face to unlock his phone why doesn't he just use a PIN?"

      Perhaps he has a bad head for PINs? Can't use an ATM and so on?

      1. israel_hands

        There are some people who suffer such problems, although I suspect the author would have mentioned it if he fell into that category. They're by far in the minority though. Biometrics are the sort of thing that should be used as a method of last resort for edge cases, if at all, rather than the new default simply because it makes for a flashy sales gimmick and seems to be more secure to the average bloke in the pub who isn't particularly interested in this whole conversation.

        The point I'm trying to make is that companies that tout the security of their products should endeavour to good security practice.

        As ever it comes down to more input from engineers, less input from the clueless fuckwits in marketing.

        1. Charles 9

          Thing is, edge cases don't STAY edge cases for long.

          "The point I'm trying to make is that companies that tout the security of their products should endeavour to good security practice."

          Problem is, security clashes with ease of use, and the prole prefers the latter to the former and is not likely to take training. How do you do a secure solution for someone who doesn't care about security (and yes, you MUST care about their security since they become weak links to compromise others)?

  13. Dave 126 Silver badge

    Using a smart watch (or actually just a wrist-mounted RSA dongle - which could easily be incorporated into a watch - heck, some fella has even built one into a Casio F91W ) isn't a bad approach.

    Rolling codes could be entered manually into one's phone, or else scanned by the phone's camera or otherwise communicated (NFC, IR, sound).

    A list of modded F91W features below:

    https://github.com/carrotIndustries/pluto
