So the only move to win this game
is not to play? How about a nice game of face recognition? Or palm recognition?
Don't play biometrics seems the winning move. At least not alone.
Hardware security hackers have detailed how it's possible to bypass Windows Hello's fingerprint authentication and login as someone else – if you can steal or be left alone with their vulnerable device. The research was carried out by Blackwing Intelligence, primarily Jesse D'Aguanno and Timo Teräs, and was commissioned and …
"Don't play biometrics seems the winning move"
Seems to me that it has nothing to do with biometrics themselves and more with the implementation. The way it's implemented, all the security is embedded in the sensor itself, so the sensor is not just a sensor (i.e. captures the fingerprint), but also does the processing on the fingerprint* and contains all the information matching fingerprint to user. The OS is only receiving a "yup, it's that user". This is equivalent to having the password somehow stored on the keyboard, and if the keyboard detects one of the stored passwords it sends a "yup, it's that user" to the OS (in other words a totally insane way of working it).
The way it should be done is that the fingerprint sensor sends only the raw scan to the OS, and the OS is internally doing the 'hashing', encryption and storage of user-fingerprint pairs.
*Fingerprints aren't matched 'raw', there is some processing to 'reduce' the actual pattern to a sort of 'hash' (not exact but close enough for this topic).
I mean, if your intention is to make it much much less secure, that is indeed the way it should be done.
The problem here isn't in the challenge/response style integration of the devices, that's the bit that's done right. It's the unauthenticated channel allowing MITM attacks that is the problem. All your solution does is make replay attacks trivial. (Quite apart from whether it's a security win to have actual scans of your fingerprint floating around in general purpose memory...)
The only winning move is not to allow physical access to devices while full disk encryption keys are present in RAM. Otherwise an attacker can just steal the laptop and replace the contents of utilman.exe with cmd.exe and reset your password or simply create a local administrator to login with instead from the cmd.exe now running as SYSTEM.
Sure, it takes more work, but that still lets them at anything local to the device, which in the case of OneDrive-toting folks is a lot of locally cached/synced data, as well as anything else testdisk can image off the moment BitLocker is turned off.
What a surprise. Especially since, if you've got physical access, why bother with booting the machine? Take the drive out and hook it up to your miscreant PC via USB and all the software you need.
Job done, and Windows is none the wiser.
You don't have to reboot the machine into another OS - that's just one way to do it.
You can hotplug a MITM device while the laptop is still on to add a fingerprint and log in as the user. If you can keep the stolen PC powered up, you can log in using this method. That defeats any full disk encryption, including Bitlocker, we're told.
We're checking what happens if you have Bitlocker and the machine is power cycled. Edit: comments from the researchers added.
C.
What about encrypted disks? I'm surprised every time I meet someone and they aren't typing in a bitlocker password when they boot their work laptop..... This should be a minimum level of security used for a business owned computer.
Fingerprint readers seem to be a big source of frustration for my users and myself, if I stop setting it up that'll solve this issue.
BTW, does fingerprint login work reliably for anyone? In my recent dell latitude 9430 it drives me nuts, occasionally it will work but much more likely to get 3 failed attempts then told to use my pin so this feature is just out to waste my time.
I naturally was cursing Microsoft for being shit again, however this article seems to indicate my problem must lie in the reader chip instead and I should be cursing Dell.
Cursing Dell is always a good idea. Not buying Dell is even better. Nuking Dell from orbit is overkill; there might be something useful (i.e., something not Dell) within the blast radius. A B-52 load of napalm should be sufficient.
Who, me, had one encounter too many with Dell crap? Whatever makes you think that?
When I worked as an SE in the naughties at a (large, 3-letters) IT vendor, one of our accounts was a (large, 4 letters) headphone/speaker manufacturer. We actually lost the account to Dell because Dell promised they could do a ton of primary logistics stuff we at the time couldn't do because we were too bureaucratic and slow, and our systems weren't joined-up enough.
Fast forward a year later and the client comes back to us. Because despite their shiny promises, Dell turned out to be too bureaucratic, slow and their systems weren't joined-up enough.
If you mean Dell, one dodgy laptop sale has lost them a new tower PC sale and a new laptop sale (respectively a Chillblast and Lenovo Yoga). So maybe that guy made his target for the month. But Dell has lost two or three times what he achieved - not including future sales, and lots of dis-recommendations. (Might have invented a word there)
Agree. It might have been "better" for the Dell salesperson in the short term, but it certainly wasn't "better" for the client. Being lied to seldom works out well in the end.
Also - not sure if it still works like that but our sales people used to have to pay back commission if clients returned the products they bought.
Dell tower PC I had a while back was really good.
Dell laptop I bought because of that was seven kinds of crap. Starting from the point where I'd asked their sales guy whether there was room in the chassis (and connections) to add a second HDD and they said there was. - There isn't.
And the sound stopping working, but with no traceable fault. I assume the tiny thin wire has broken in some location that stops both speakers working. (I think I might have invalidated the warranty when I opened it up to fail to put in that second hdd, so didn't return it- maybe I should have)
The battery that can only be changed by stripping the whole bloody thing down to its underwear.
The flap on the DVD cover that is so flimsy it falls off if you breathe near it.
The back cover that needs a mixture of raw courage and brute force to remove.
I could go on.
BTW, does fingerprint login work reliably for anyone? - It works OK for passwords on websites etc., on my Apple iMac which requires a password for initial account login.
Just to clarify: MacOS requires you to use the password after every reboot and then every 14 days.
Not quite right. MacOS will ask for a password MUCH more frequently. Change of network ssid, (it's wifi only!), closing the lid and opening it quickly will do it too. As will opening and closing repeatedly. And then sometimes it doesn't! It's Apple, you don't need to know.......
I sometimes miss the little prompt box asking for a password and wonder why my finger has broken!
MacOS generally requires password at power-up, and for most admin tasks e.g. installing updates, changing security settings, accessing Password Manager and so on. As well as if you mis-scan your fingerprint a couple of times; then it asks for PW for verification.
It's reliable to the point of worry on my phones. If it's *that* reliable to log on, what does it take to get a rejection?
False positive is about as bad as having the customized wave through device.
Meanwhile, Microsoft gave a gift, use a pin to logon, rather than my old 15 character password. :/
Well, at least I can change that over on devices that I want secure, can't do that with crappily implemented booger picker readers.
My understanding is that they originally added the PIN to help out home users who were frustrated that the machine in their house was such a pain to log into.
Then their corporate customers in regulated industries said things like "it is literally against the law for us to use a 4-digit password, what the actual hell is this for", so MS just let the PIN be longer and more complex (and let sysadmins set sensible complexity rules).
> PIN can have letters in it. Why the idiots called it a PIN, I do not know.
I remember it being a "PIN" in early days of cash-machines which only had a TouchTone® derived 4x4 numeric keypad. Even 3x4, no ABCD.
I dunno if # and * could be in a "PIN"; being my money, in a bank, I would not mess with the rules.
It's reliable to the point of worry on my phones.
God, I wish. The old Nexus phones with the fingerprint sensor on the back were pretty reliable, but these newer ones with the sensor on the front are rubbish.
What was wrong with the sensor on the back, anyway? What's so damn good about the sensor on the front, which means you have to use two hands to unlock the phone - one to hold it and one to poke the sensor multiple times till it says "Please enter password..."
I naturally was cursing Microsoft for being shit again, however this article seems to indicate my problem must lie in the reader chip instead and I should be cursing Dell.
More like cursing Dell, Lenovo and Microsoft, as well as the hardware vendors behind them.
Works fine with my £30 gadget from Amazon - works fine on iPad and old iPhone 8. TBH Face rec is also a mixed bag - Surface is OK but fussy about being "in shot", iPhone is brilliant. Finding fingerprint is more natural for a PC setup, but face on phone makes things like the MS authenticator, bank app etc much more usable.
So maybe just finger trouble?
To be fair, Apple did also buy the leading fingerprint sensor manufacturer. The TouchID stuff was at the time streets ahead of the competition.
To be fair again, this doesn't seem to be about the quality of the sensor. It's about someone completely different logging in. (I remember ages ago someone used a fingerprint scanner that would recognise about one in 20 random fingers, so a thief and his three mates would have a ninety percent chance of getting in).
But I’m quite sure that on iOS you need the device passcode to add a fingerprint, at the time it is added. So if I leave my phone lying around logged in, you can use it, but not add a fingerprint or faceID.
Sorry, I was replying to the comment 'fingerprint works <25% of time', not the article in general, just pointing out that the leading fingerprint sensor became vendor specific, and that is why the Apple stuff tends to be better. :)
Let's be fair, realistically, fingerprints aren't that secure if you're an 'important target'.
If I've nicked your device I've more than likely nicked a device covered in the fingerprints I need to unlock it.
Also, as this thread illustrates, consumer grade FP readers tend towards convenience rather than overall accuracy. I've worked with industrial applications of the technology for building access (slightly different as you're trying to identify someone from a fingerprint against a database of hundreds or thousands of people rather than trying to determine if a fingerprint is one person), and in order to be good enough to not have a shocking rate of false positives you often take a few goes to get a successful read.
It works nicely on my older Thinkpads. I use it in office scenarios where it's unlikely that my laptop would be stolen but very likely that a tasteless email would be sent from an unlocked machine. By having fingerprint sign in, I'm much more tolerant of a shorter lock time than if I had to enter a password.
Anecdotal as the system is different but yes my android phone regularly does not recognize me.
Though I do wear gloves in work and it is dusty, if I go straight from my glove to the phone it will refuse due to dirt and/or sweat, at home it has happened with clean but sweaty fingers.
Only if it is clean, wiped, and dry will it work.
That said we have a Mitrefinch clocking machine and it does a lot, lot better. Still messes up but almost always gets it the second time with no changes, just trying again.
Though like I said the phone is, as far as I can gather, just high detail capacitive touch sensing, where the clocking machine is a glass panel with a flash of light to read.
Often it's not so much the fingerprint reader, but your actual fingerprint. I find that my fingerprints fail to scan (across multiple devices) more often when my fingers are very cold and dry.
If I breathe on them to make them slightly more warm and damp, they scan fine.
I suspect the solution is to add one or two fingerprints whilst your hands are cold and dry, and then perhaps add some from the other hand when your hand is hot and sweaty.
"BTW, does fingerprint login work reliably for anyone?"
Works well enough for me on my MBP.
It uses a password for admin-related tasks e.g. initial logon, security, setup, updates and accessing the password manager, then uses TouchID after that for all the standard-user stuff, unless you mess it up a few times then it asks for the password again.
Firmware.
Fingerprint readers are small computers with their own built-in software. When software is effectively part of the hardware it is called firmware. Firmware is usually supplied without source code or documentation. Changing firmware is impractical for anyone but the manufacturer of the device. Replacing the firmware may be a simpler option - if you can get hardware documentation.
This attack could be addressed by a firmware update. Firstly that update must effectively be created by the manufacturer and secondly updating the firmware should not be easy. (If it were, secure devices could be made vulnerable by back dating the firmware.)
Secure communication is tricky. Clue bats have been applied sufficiently often that most programmers know to use a library created by specialists and not to roll their own. The more difficult stage is to get programmers to RTFM. A hint of blame should go to managers not allocating enough time to reading the manual. Another hint of blame should go to every defective use of secure communications libraries on the internet that programmers use as templates instead of understanding how authentication works.
The biggest problem is people thinking it is sane to use an authentication device where the key is a part of their body (hard to change) and a copy of the key is left on every door handle and keyboard they touch.
>>Something you have
And the "Something you have" shouldn't be immutable like a fingerprint or an iris scan. It also should be revocable (unlike a fingerprint or an iris scan).
Proper security is hard. I would prefer less security theatre and more actual effort put in to making things properly secure... but that would lower profits, so will never happen.
However, Hollywood loves fingerprint, iris and face recognition for authentication purposes in films therefore idiots have to try and implement this in reality.
Replacing the secret and changeable component of authentication with something that is neither secret nor changeable is only ever going to reduce security.
could this be used, for example, a Chromebook with the same chips, or say Mac if it used the same readers
The issue here is that while Windows does require that devices should follow their SDCP specification, apparently there are no checks that a manufacturer actually is following the spec. (The Microsoft Surface using absolutely no encryption at all must have been particularly embarrassing for the Windows Hello team who sponsored the research). With the information from this research, Microsoft could crack down on shoddy manufacturers' implementations, but if they're strict then that would result in fingerprint recognition being disabled for many people, just because the manufacturer couldn't/didn't fix their flaws.
I don't know enough about Chromebooks to say about them, but I'm pretty sure that as Apple control all of the hardware and software they use, they should be more secure. You'd hope so at least.
Windows is clearly under no illusions about its popularity...
As described, this does seem like a pretty obvious loophole. Without some cryptographically assured data to confirm the fingerprint was enrolled by the specific operating system instance at a known time, all bets are off.
Even a monotonically increasing counter associated with each print would allow you to detect that the fingerprint with the same label as one you'd previously approved wasn't the same print. Some sort of encryption is pretty much inevitable, though, if you want to avoid MITM attacks. You don't have to go as far as "blessing" the physical hardware if you're prepared to accept it functions as it claims.
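A small simulation of the two designs argued over in this thread: the sensor that just tells the host "yup, it's that user" over a plain link (which a MITM device can replay or simply fabricate) versus a reply keyed to a host-chosen nonce, as the comment above suggests. This is an added example, not code from the article, the researchers or Microsoft; it assumes a session key already shared between host and sensor (the real SDCP protocol establishes one via an attested key exchange, which is not modelled here).

```python
import hashlib
import hmac
import os

# Constructed toy sensor store: template id -> user it was enrolled for.
# In a real device this lives in the sensor's own storage, as the thread notes.
ENROLLED = {1: "alice"}


# --- Design 1: unauthenticated "yup, it's that user" over a plain link ------
def sensor_identify_plain(template_id):
    """Reply carries nothing that ties it to this request or this host."""
    return {"user": ENROLLED[template_id]}


def host_accept_plain(msg):
    """Host cannot distinguish a live reply from a replayed or forged one."""
    return msg.get("user")


# --- Design 2: challenge/response keyed to a fresh host nonce ----------------
# Assumption for the simulation: host and sensor already share SESSION_KEY.
SESSION_KEY = os.urandom(32)


def _tag(key, nonce, user):
    """MAC over nonce || user so the reply is bound to this one challenge."""
    return hmac.new(key, nonce + user.encode(), hashlib.sha256).digest()


def sensor_identify_authed(key, nonce, template_id):
    user = ENROLLED[template_id]
    return {"user": user, "tag": _tag(key, nonce, user)}


class Host:
    def __init__(self, key):
        self.key = key
        self.nonce = None

    def challenge(self):
        self.nonce = os.urandom(16)  # fresh per login attempt
        return self.nonce

    def accept(self, msg):
        if self.nonce is None:
            return None
        expected = _tag(self.key, self.nonce, msg["user"])
        self.nonce = None  # single use, consumed even on failure
        return msg["user"] if hmac.compare_digest(expected, msg["tag"]) else None


def demo():
    """Returns (plain replay, plain forgery, live authed, authed replay, authed forgery)."""
    captured = sensor_identify_plain(1)           # recorded by a MITM device
    replay_plain = host_accept_plain(captured)     # accepted: "alice"
    forged_plain = host_accept_plain({"user": "alice"})  # no capture needed
    host = Host(SESSION_KEY)
    reply = sensor_identify_authed(SESSION_KEY, host.challenge(), 1)
    live = host.accept(reply)                      # genuine exchange: "alice"
    host.challenge()                               # next attempt, new nonce
    replay_authed = host.accept(reply)             # stale tag: None
    host.challenge()
    forged_authed = host.accept({"user": "alice", "tag": b"\x00" * 32})  # None
    return replay_plain, forged_plain, live, replay_authed, forged_authed
```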
YouTube subtitles seem unable to recognise the word "nonce" (instead it comes up with "Nuns", "NS", etc).
Is that because it's on the official naughty list (I assume Youtube has a blacklist of forbidden words), or is it just not a known word in the USA?
There's still bits of the good ole US where the minimum age for marriage is 15, E.G. Kansas and there's a few where either there's no legal minimum or it can be ignored if a court and/or parents agree (Oklahoma for example).
There's one or two where it can be ignored if the girl is pregnant too.
Who needs pizza shops when paedophilia is legal...
It's an English word that's been used for an awful lot longer than the USofA has been such, since around 1200 in the civilised bit of the world and was used to mean something used only once so it's a perfect.
Still not convinced the USofAians speak English though.
Yell the proponents of biometrics and passwordless world. "Insecure they are!" they shout, "inconvenient be they!" they clamour.
Well, we did.
And what do we find? Oh, what a surprise; the methodologies used to replace all these passwords and all their flaws ... can themselves have flaws! No! Yes! Ohh! And yes a user can easily mess up by using a bad excuse instead of a password, but usually such a blunder is limited in scope to the user and maybe his company's network (if things really go wrong). But when devices, services, and other EXTERNAL replacements for passwords are broken, at fundamental levels, they break for MANY people and organisations, everywhere, all at once, even if none of the users mess up anything.
And that, my fellow people around the globe, is why I shall continue to ignore the clamoring, the shouting, and the yelling, and will continue to use passwords (Possibly with MFA).
How many times need it be said?
A fingerprint (or any piece of biometric data) is equivalent to a login name, not a password. It's not secret, and it can't be changed if it becomes compromised.
It may not be feasible any longer just to lift a person's fingerprint, using graphite powder and adhesive tape, from something they touched and make a gelatin cast of it, using equipment anyone who does electronics is likely to have in their workshop -- I've not tried it lately -- but if there is something on a device protected by your fingerprint that someone is sufficiently desperate to get, probably the easiest way for them to get it is to use your finger. Whether or not it's attached to the rest of you.
But blunders in implementing this system have left at least the above named devices vulnerable to unlocking – provided one can nab the gear long enough to connect some electronics.
Anyone would be mad to use it to unlock anyway. What if your finger(s) are injured?
Umm, if I have, or am alone with someone's device, and I care (I have no reason to think I would ever want to do that to anyone), they are in trouble anyway.
I'm kind of the opposite. My motto was "confidential service" (I say was, because I have quit doing computer servicing for the foreseeable future... I hate the environment now).
When asked about it, I bluntly stated that I don't care what you do. I am not interested in your data, only to protect it for you. I'm not here to judge you and I won't rat you out to anyone, for anything (well, never say never, but under normal circumstances no). I won't blackmail you, it's not my style etc. I had one cop customer that said "hmm, I see" lol. It works in his favour too though, I won't compromise him if I get a hold of his emails (which I easily could) or find his porn or warez stash.
I did work for the "Assistant Crown Attorney" of the region. She trusted me and loved that I came over (to her home I mean) and stayed the course. Policy dictated that I not take the computers from her view, and I understood (I defended my honour though) but later she was trying to convince ME that it was OK if I did, she just wouldn't tell them. I declined, because I didn't want to be in that situation.