Full frontal vulnerability: Photos can still trick, unlock Android mobes via facial recognition Smartphones have boasted facial recognition for some time, but tests in the Netherlands suggest it still falls short of properly securing many devices. The tests, conducted by the country's Consumers Association, identified 42 smartphones out of 110 tested could be unlocked with only a high-quality photograph of the phone's …
Given that many of these devices have a fingerprint sensor, what cretin would enable basic face unlock? And lets be VERY clear. Face unlock is not enabled by default, and (on Android) comes with a warning that it's not the most secure form of locking your phone).
Clearly yet more clickbait from The Register.
I mean those devices have very smooth surfaces which you touch with the same finger you use to unlock them, so that's rather insecure.
Also obviously this is only the simplest step. The next step is using a photograph and using a pen to simulate blinking. Then there's putting 2 contact lenses (or other kind of bubble shaped piece of transparent plastic) onto the eyes. Eventually you'll reach the mask which will probably fool all of those devices.
Essentially biometry is broken for authentication. It doesn't matter if you add more obscurity to it, you cannot make it as secure as a password. However since many phone manufacturers refuse to let you have a propper keyboard, entering a password is near impossible on those devices.
If someone steals your phone, your phone will have your fingerprints on it, which could potentially be copied and used to unlock the phone.
As far as I'm aware, Apple's touch ID is secure against that sort of attack, but some other fingerprint readers are not.
Do you want to buy some magic beans?
Apple buy their fingerprint sensor from the same place everyone else does. You clearly have been brainwashed by Apple spin. Lifting a fingerprint and making fake fingers from them to unlock the phone, yes, it's possible, and it might fool a few older cherrypicked models of phone, but it's not going to work on recent devices, and it's not trivial to do. Saying fingerprint biometrics are insecure is grossly misleading, and pretending Apple have some magic sauce that the others don't is outright lies.
Actually TouchID is definitely not secure against this attack, as I demonstrated (a few years ago now) to a friend less than a week after he got his new iPhone!
He was proudly willy waving his iPhone around when we were over his place so I sent his son off to the local shop for some sweets. It took a few tries but I got his phone unlocked after warming up a gummy bear and kneading it thinner.
He shut up about his phone for a quite a while after that!
https://www.theregister.co.uk/2014/09/24/iphone_touchid_hack/
> Fingerprint sensors are useless
We need a Penis Unlock(TM) feature (or equivalent) instead. Would be much more secure, assuming the image is not available in the public domain. It would have the side benefit of discouraging dick pics as you would risk having your bank account cleaned out by whoever you sent one to.
Then again, the Apple Pay version may be to awkward to use in a the check-out line.
”We need a Penis Unlock(TM) feature (or equivalent) instead. Would be much more secure, assuming the”
Excellent idea, bravo!
”image is not available in the public domain.”
Oh no, there goes my security :/
How about a contact based solution? Penisid, or PID in short, would definitely increase security considerably.
However, there is a tricky question to answer before implementing: Where should the reader module go? With fingerprint sensors, some people prefer placement in front, some like it backside, others don’t care and will have it whichever way. Choices, choices...
Also, there must an equal opportunity for both, or in fact for all, sexes to enjoy the benefits of such an advanced security system. One implemention won’t suffice for all use cases.
Can anyone think of a similar technical solution for women? It could well be called Penisid, I suppose.
Cold weather outside, gloves on = useless fingerprint sensor, AND in many cases impossible or difficult to enter a pin / passcode, since even with special gloves that allow touchscreen to detect their touch, there is the 'fat finger' effect. Bad enough having to hit the right keys with just my fingers, with gloves it's much worse.
Yes face recognition and fingerprint is less secure than pin / password. Yes, biometrics is more like a 'username' than a 'password'. BUT security isn't binary. Ultimately nothing is completely secure, it's just a question of cost / effort / time to break it, which really just needs to be greater than teh value of whatever it is protecting. For the vast majority of people, face recognition or fingerprint is secure enough.
This post has been deleted by its author
Face unlock provides a reasonable level of security given you aren't being targeted for attack. A photo might unlock the phone, but most people are worried about access to their phone if they lose it. In the event a phone is lost, it is unlikely someone will discover the correct photo to unlock the phone unless there is some indication of the owner displayed somewhere.
Sure it would be bad to do in cases where you may be targeted (e.g. an executive traveling to China) but otherwise it provides a reasonable level of security for most people. And lets be honest, face unlock is more convenient than fingerprints.
Sony are reportedly close to offering laser Time-Of-Flight sensors to Apple and Android OEMs. These sensors allow a phone to build up a three dimensional map of a face or environment. The current iPhone system is also three dimensional, but uses distortions in a projected infrared grid instead of measuring distances directly.
My interest in a TOF sensor isn't security based; I'd like a handheld 3D scanner for use in the workshop.
Like "most" hack jobs rely on an insider, surely having a "high quality photo" is likely to be restricted to family and other close connections?
Not saying it isn't a problem or risk, just suggesting that the attack vector has limited scope. You don't tend to get pickpockets snapping pictures of their victims. Maybe if you're at risk of industrial or state sponsored espionage then you shouldn't use the risky devices, but then if you are an espionage risk you probably shouldn't be using those devices in the first place.
Facebook has reasonably high-quality images. Judging by the amount of idiots who make their photos public (and the fact that it seems to be really really trivial for the news media to grab photos for their bulletins and articles), this is not a problem for anyone who wants to get one.
Personally, I want security on my phone so if I lose it or someone swipes it, they can't access it. I'm happy that in the real world, the likelihood of a finder or opportunist thief taking or having access to a quality photo of my face is negligible. The only scenario in which a thief might potentially have the opportunity to take a photo would be a prolonged confrontation with a very confident mugger, but then they could just as easily demand I unlock my phone or tell them my PIN anyway.
And this is news, why ?
It's a given that the more we rely on our phones as a single point of failure, there will have to be a balancing act between pretend security, and convenience.
So far, all "security" measures start with the mandate: "Needs minimal human interaction". Because call centres and helpdesks rather cut into the bottom line.
I imagine such meetings must be a little like that scene from "A Few Good Men"
"What do you want from us ?"
"We want SECURITY !"
"You can't handle security !"
For left pondians...
The lawman believes and the courts agree that you have no reasonable expectation of privacy concerning your appearance or fingerprints, as you leave those exposed in public all the time. So you can be compelled to unlock with your mug or prints. I assume this means they can use your photo - its not that much of a legal stretch in an already elastic system.
A PIN on the other hand is stored in your brain, so they need your permission or a court order. YMMV, and I've no clue what the rules are for right pondians.
Now, contemplate the smudge pattern your PIN entry has left on your display and think about a new PIN...
Which is why tapping the power button of an iPhone five times causes the device to demand a passcode to unlock instead of a face or fingerprint. The same applies if the device has been turned off, restarted, too many incorrect biometric attempts have been made or if a period of time has elapsed since the phone was last unlocked.
I haven't looked into the equivilent system on my Samsung, other than to note that it requires a passcode instead of a finger print t or or iris scan after it has been restarted.
Nexus phones need the PIN after reboots and if it fails to read your finger print a certain number of times it needs the PIN.
In addition if you have only unlocked with a finger print enough times it asks for a PIN then.
I am not aware of the an equivalent to fitting the power button, but I am sure you can just use a finger that hasn't be enrolled a few times to lock it out and require a PIN.
No need. My PIN is _not_ a swipe pattern and it actually involves _all_ digits except one. Have fun with what you learn from my potential smudges over my non-randomized keys. Yes, I type it in every single time I take out my phone for any reason as it auto-locks in a couple of minutes, and using it hasn't killed me yet. Or the phone.
A photo, or a fingerprint, is an identifier. These are not suitable replacements for a password, they are, however, suitable replacements for a user identifier. By all means use these in addition to a password but they are not replacements for a password; They do not and can not adequately replace something that is secret.
But whatever... hollywood movies and all that can't be wrong can they?
Researchers have enjoyed a high success rate of determining phone passcodes by examining video footage of the legitimate user entering said code. The footage was taken from across a room with the phone screen hidden from the camera.
So, as you say, consider using biometrics in addition to a passcode. Also, consider ways of moving your fingers when entering a passphrase in such a way as to make it harder for attackers to extrapolate your phrase from your finger movement.
This isn't particularly new or surprising, and as others have already mentioned biometrics are just not a replacement for something like a decent password. What the complaints tend to miss, however, is that that's not really what they're intended for in many situations. I don't need my phone to be locked up well enough to keep out TLAs with the full resources of a large country behind them. I don't even need it to be locked up well enough to keep out someone with the time and dedication to specifically target me for fingerprinting. If someone swipes my phone in a pub or wherever, I just want it locked up well enough that it's not any use to them, or ideally to avoid having it swiped in the first place because they know that will be the case.
That's the situation the vast majority of people are in. Sure, my phone might be vulnerable to anyone with a decent photo of my face, but a casual thief doesn't even know whose phone it is so that simply doesn't matter. Trying to keep out specifically targetted attacks is certainly not something a cheap fingerprint sensor is good for, but that's just not something most people need to worry about. If all you want to do is stop your mate getting on your Facebook page while you're in the toilet, security on the average phone is more than good enough. If you're worried about more serious attacks than that, you'd be a fool to expect cheap consumer goods to have that level of security off the shelf. It's no different from noting that the front door of my house is not as secure as a bank vault; as long as you understand what job it's there to do the fact that some things are less secure than others is not inherently a problem.
"If all you want to do is stop your mate getting on your Facebook page while you're in the toilet," you have already failed. You're right that biometrics is most likely sufficient against opportunistic thieves (or someone who does not intend to return your lost phone) as they're likely not interested in investing _any_ effort whatsoever in accessing the data on the phone; they just want it wiped and shifted.
But anyone in your circles (family / mates / work colleagues) with even a weak motivation to access the phone is a completely different threat model altogether, and biometrics won't do almost anything against them. Even PINs can have the same problem but that depends on how observably you tend to input your PIN. But hey, if you've never even heard of anyone ever getting their phone's language set to Chinese while they were away for five minutes as a mere prank, you might just be ok...
The table shows that Photos can still trick, and unlock some (not all) Android mobes via facial recognition. Seems Samsung's been working on this a bit since their early attempts, at least. But it does currently seems that Apple's face id is way ahead of the competition in terms of how it works, what it recognises, what it rejects and and how little it can be fooled*, so they should get some respect for that.
* I know: twins - but twins can and do fool other humans regularly too.
Except for the phones with depth scanners, I think most of those "Can't unlock with a photo" attempts didn't work because they're using near-IR cameras. A photo taken with visible light would be unrecognizable to them. A B&W photo taken using the near-IR band should do the trick.
I just bought the cheapest phone I could find, hooked it up to a prepaid account and left it on swipe to unlock. I simply don't store anything on it that matters worth a tinker's damn. If I want security I'll use a proper computer locked with a decent password.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
