Spoofing fingerprints

Fingerprints are not fit for secure device unlocking

Fingerprint sensors have sought to replace password- and PIN-based authentication for years. The sensors are widely found in laptops, sometimes in payment terminals, and recently in several smartphones. The latest entrant to the field is Apple’s iPhone 5s. The sensors continue to fall short of their marketing claim of secure device unlocking.

Security level.

Using fingerprints as credentials for local user authentication has two shortcomings when compared to passwords:

A. Limited revocation. Once a fingerprint gets stolen, there is no way to change it. To offset this high compromise penalty, fingerprints would need to be very hard to steal. However:

B. Credential spread. Users leave copies of their fingerprints everywhere; including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs (“fake fingers”) can be produced from these pervasive copies.

Fingerprint spoofs.

Spoofs have been produced time and time again from images of latent prints – even while camping – and most recently by Starbug from the CCC to overcome the protection of an iPhone 5s.

Other current devices with touch and swipe sensors are equally duped by spoofs. This video shows how an iPhone 4s-taken photo results in a fingerprint-spoof that unlocks a Thinkpad laptop, a Fujitsu smartphone, and an iPhone 5s:

ID theft risk.

The iPhone 5s’s fingerprint sensor not only appears to provide no additional protection, its use even undermines other security mechanisms. This video demonstrates how other flaws in iOS and iCloud are exposed that – when combined with Touch ID’s vulnerability to fingerprint spoofing – allow for online identity theft:

Remote authentication.

Fingerprint sensors still have a strong protection proposition: to provide a second (and third) authentication factor in remotely executed transactions, such as authorizing money transfers. Modern fingerprint sensors can compare templates and scans on-chip – that is, protected from malware on the device – and conduct a strong cryptographic authentication to a web service. Industry seems determined to standardize such transactions.

An attacker would need to get access to three credentials: the banking password, the fingerprint sensor that stores an authentication certificate, and a spoof of the fingerprint that activates this certificate. For the most common miscreant, remote attackers, the latter two should be out of reach.
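The three-credential argument above, as an added example written for this page (not SRLabs code and not any standardized protocol): an HMAC over a bank-issued nonce stands in for the certificate-based signature the text mentions, the on-chip matcher is a plain template comparison, and every user name, password, template and transaction string is constructed. The scenarios at the bottom show which attacker profiles get through.

```python
"""Second-factor transaction signing with a device-bound key that an on-chip
fingerprint match unlocks.  Editor's example: the symmetric HMAC key stands in
for the per-sensor certificate, the matcher is a byte comparison, and all
names, passwords and templates below are constructed."""
import hashlib
import hmac
import secrets


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FingerprintSensor:
    """Matching and signing happen 'on chip': the device key is never handed
    to the host and is only used after the scan matches the enrolled template."""

    def __init__(self, template):
        self._template = template
        self._device_key = secrets.token_bytes(32)

    def register_key(self):
        # Enrolment step; in the real scheme a certificate would go to the bank.
        return self._device_key

    def sign(self, scan, nonce, transaction):
        if not hmac.compare_digest(scan, self._template):
            return None  # matcher said no: the key stays locked
        return hmac.new(self._device_key, nonce + transaction.encode(), "sha256").digest()


class Bank:
    def __init__(self):
        self._users = {}
        self._pending = {}

    def enrol(self, user, password, sensor):
        salt = secrets.token_bytes(16)
        self._users[user] = {"salt": salt, "pw": _pw_hash(password, salt),
                             "device_key": sensor.register_key()}

    def begin_transfer(self, user, password, transaction):
        """Factor 1 (password).  Returns a single-use nonce to be signed."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"]):
            return None
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = (user, transaction)
        return nonce

    def complete_transfer(self, nonce, tag):
        """Factors 2 and 3: sensor-held key, unlocked by the fingerprint."""
        pending = self._pending.pop(nonce, None)  # nonce burns on first use
        if pending is None or tag is None:
            return False
        user, transaction = pending
        expected = hmac.new(self._users[user]["device_key"],
                            nonce + transaction.encode(), "sha256").digest()
        return hmac.compare_digest(expected, tag)


def run_scenarios():
    """Returns which attacker profiles succeed.  Constructed data throughout."""
    alice_print = b"constructed-template-of-alice"
    sensor = FingerprintSensor(alice_print)
    bank = Bank()
    bank.enrol("alice", "correct horse", sensor)
    tx = "transfer 500 EUR to IBAN XX00"
    results = {}

    # Legitimate user: password + her own sensor + her finger.
    n = bank.begin_transfer("alice", "correct horse", tx)
    results["legitimate"] = bank.complete_transfer(n, sensor.sign(alice_print, n, tx))

    # Remote attacker: stolen password, no sensor in hand, nothing to sign with.
    n = bank.begin_transfer("alice", "correct horse", tx)
    results["remote_password_only"] = bank.complete_transfer(n, None)

    # Remote attacker with a matching spoof but a different device: wrong key.
    other = FingerprintSensor(alice_print)
    n = bank.begin_transfer("alice", "correct horse", tx)
    results["remote_spoof_other_device"] = bank.complete_transfer(n, other.sign(alice_print, n, tx))

    # Local attacker: stolen phone + password + spoof of her print still succeeds.
    n = bank.begin_transfer("alice", "correct horse", tx)
    results["local_spoof_with_device"] = bank.complete_transfer(n, sensor.sign(alice_print, n, tx))

    # Replaying a used nonce is rejected.
    n = bank.begin_transfer("alice", "correct horse", tx)
    tag = sensor.sign(alice_print, n, tx)
    bank.complete_transfer(n, tag)
    results["replay"] = bank.complete_transfer(n, tag)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(name, "accepted" if ok else "rejected")
```

A remote attacker holding only the password never obtains a tag, and one holding a matching spoof but the wrong device produces a tag under an unregistered key. The local attacker with the phone, the password and a spoof still succeeds, which is why spoof resistance keeps its value even when the fingerprint is only an additional factor.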

Evolution path.

Defeating local attackers is still of value even when the fingerprint only provides an additional authentication factor.

The iPhone 5s already moved slightly beyond the capabilities of earlier touch sensors: It provides a higher resolution image and – as far as initial experiments can tell – uses this higher resolution to match based on finer structures:

Low resolution fingerprint image, sufficient to create spoofs for older sensors

High resolution fingerprint image with clear features along the ridges, which newer sensors detect

Even these finer structures can be spoofed, for example based on an equally high resolution smartphone camera image, showing that some defense strategies only improve at the pace of the corresponding attack technique.

Fingerprint spoof prevention would be better based on intrinsic errors in the spoof-creation process, or on fingerprint features that are not present in latent prints and are therefore much harder to steal. Examples of such spoof-detection features are air bubbles contained in the glue often used for spoofs (white dots in the left image) and minute details such as sweat pores that are visible to a fingerprint sensor but not in a latent print (black dots in the right image).

Sensor read of a spoof finger: white air bubbles, but few minute details (no sweat pores)

Sensor read of a real finger: black sweat pores and other minute details, but no air bubbles

Even by just comparing the density of white vs. black dots, sensors would challenge hackers to improve their spoofing techniques. The iPhone 5s, on the other hand, was defeated by techniques widely published years ago.
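The white-versus-black dot comparison suggested above, as an added example written for this page (not SRLabs code and not any vendor's matcher). It counts bright blobs (glue air bubbles) and dark blobs (sweat pores) in a grayscale sensor read and rejects the read when bubble density exceeds pore density. The two images are constructed: synthetic ridge and valley stripes with dots planted by hand, and the intensity thresholds are assumptions rather than calibrated sensor values.

```python
"""Air-bubble vs. sweat-pore density check on a grayscale fingerprint read.
Editor's example: images are constructed and the thresholds are assumptions."""
from collections import deque

BRIGHT = 240   # pixels at least this light count as glue air bubbles (white dots)
DARK = 50      # pixels at most this dark count as sweat pores (black dots)


def ridge_image(width=16, height=12, pores=(), bubbles=()):
    """Constructed 8-bit image: horizontal ridges (110) and valleys (200), two
    pixels tall, with single-pixel pores and bubbles planted at (x, y)."""
    img = [[110 if (y // 2) % 2 == 0 else 200 for x in range(width)]
           for y in range(height)]
    for x, y in pores:
        img[y][x] = 10
    for x, y in bubbles:
        img[y][x] = 250
    return img


def count_blobs(img, keep):
    """Number of 4-connected components of pixels for which keep(value) holds,
    so a bubble spanning several pixels is still one dot."""
    h, w = len(img), len(img[0])
    seen = [[False] * w for _ in range(h)]
    blobs = 0
    for y in range(h):
        for x in range(w):
            if seen[y][x] or not keep(img[y][x]):
                continue
            blobs += 1
            seen[y][x] = True
            queue = deque([(x, y)])
            while queue:
                cx, cy = queue.popleft()
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if 0 <= nx < w and 0 <= ny < h and not seen[ny][nx] and keep(img[ny][nx]):
                        seen[ny][nx] = True
                        queue.append((nx, ny))
    return blobs


def count_dots(img):
    """(white dots, black dots) as blob counts: air bubbles vs. pores."""
    return (count_blobs(img, lambda v: v >= BRIGHT),
            count_blobs(img, lambda v: v <= DARK))


def dot_densities(img):
    """The same counts normalised by image area, so reads of different size compare."""
    area = len(img) * len(img[0])
    white, black = count_dots(img)
    return white / area, black / area


def is_spoof(img):
    """Reject when bubble density exceeds pore density: a real finger shows
    pores and no bubbles, a glue spoof shows bubbles and few pores."""
    white, black = dot_densities(img)
    return white > black


# Constructed reads.  REAL: six pores on ridge rows, no bubbles.
REAL = ridge_image(pores=[(2, 0), (6, 1), (10, 4), (14, 5), (4, 8), (9, 9)])
# SPOOF: six bubbles (one of them two pixels wide, still one blob) and a single surviving pore.
SPOOF = ridge_image(bubbles=[(3, 0), (7, 3), (8, 3), (12, 5), (1, 7), (8, 10), (14, 11)],
                    pores=[(5, 1)])

if __name__ == "__main__":
    for name, img in (("real", REAL), ("spoof", SPOOF)):
        print(name, count_dots(img), "reject" if is_spoof(img) else "accept")
```

A read with neither pores nor bubbles carries no evidence either way; this toy check accepts it, whereas a deployed check would more sensibly treat the absence of pores as a reason to reject. The thresholds would also have to be calibrated per sensor, since ridge and valley intensities vary with sensor type and finger moisture.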

CruxSKUNK: Thinnest iPad Keyboard Case by Crux

Crux has introduced us to their newest iPad keyboard case, called CruxSKUNK. Oh, SKUNK? Well, not that smelly black and white skunk. CruxSKUNK is actually the coolest thing you will want to own and be proud of if you are an Apple iPad fan. No smelly stuff, just pure awesomeness, crafted with […]

PowerFlask Mobile Charger

Why buy a portable battery charger shaped like a nerdy item when you can get one in a better form? If you are looking for a new mobile charger for your mobile devices, you can free yourself from those unfashionable flat, squarish blocks of battery by getting this PowerFlask mobile charger […]

TrakDot: Worry-Free Luggage Tracker

Have you ever experienced the madness of not getting your luggage when you are transiting to your destination and not being able to find it when you have arrived? You know, experienced travelers often face this kind of situation, where their luggage is heading in the opposite direction from its owner because of some technical error in […]

Black+Blum Thermo Pot – No More Cold Food, Unless You Want It

For those who are busy with their business, it is a rare sight to see them cook a meal two or three times a day. Usually, busy people cook once in the morning and never cook again. Medically speaking, it is not healthy at all to eat a cold meal, especially at supper. However, thanks to the advancement in […]

SIM card security workshops at OHM2013

Tests at OHM2013 confirm SIM vulnerabilities

Recently discussed vulnerabilities enable remote SIM malware deployment and in some cases even remote SIM cloning. At this year’s hacker camp OHM 2013, the SRLabs team offered four SIM card security workshops.

The measurements taken at the OHM workshops confirmed that more than a quarter of European SIM cards still disclose signed error messages, about half of which can be cracked because they use DES. Each crack takes about two minutes with a complete set of rainbow tables on a standard computer. (At OHM, cards were tested with an incomplete set of tables, which reduced the number of cards actually cracked.)

Network operators are encouraged to upgrade their cards to AES (or 3DES) or disable the OTA functionality of vulnerable cards before criminals are able to infect SIM cards with viruses.

The OHM2013 presentation on Exploiting SIM Cards provides details on the method, test results, and mitigation options.
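To make the exposure concrete, here is an added example written for this page (not SRLabs code and not the OHM tooling) that decodes the security header of an OTA command packet and flags the combination described above: a proof of receipt (PoR) that is cryptographically signed under a single-DES key, so that even an unverifiable command yields a DES MAC over known content. The bit coding follows the editor's reading of GSM 03.48 / ETSI TS 102 225 and should be checked against the specification text; the packets at the bottom are constructed, not captured traffic. Whether the card actually honours a single-DES key at the named index is the card's configuration, which is what the mitigation paragraph asks operators to change.

```python
"""Decode the security header of an OTA (SMS-PP) command packet and flag
requests that would draw a single-DES-signed proof of receipt from the card.
Editor's example: bit coding per the editor's reading of GSM 03.48 / TS 102 225;
packets are constructed."""

ALGO = {0b00: "implicit", 0b01: "DES", 0b10: "AES", 0b11: "proprietary"}
DES_MODE = {0b00: "DES-CBC", 0b01: "3DES-2key", 0b10: "3DES-3key", 0b11: "DES-ECB"}
INTEGRITY = {0b00: "none", 0b01: "RC", 0b10: "CC", 0b11: "DS"}
POR = {0b00: "no PoR", 0b01: "PoR always", 0b10: "PoR on error", 0b11: "reserved"}
SINGLE_DES = ("DES-CBC", "DES-ECB")
FIXED_HEADER_LEN = 13  # SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1)


def decode_key_byte(byte, signing):
    """KIc (ciphering key) and KID (integrity key) share one coding:
    b2b1 algorithm, b4b3 mode, b8..b5 key index."""
    algo = ALGO[byte & 0b11]
    mode_bits = (byte >> 2) & 0b11
    if algo == "DES":
        mode = DES_MODE[mode_bits]
    elif algo == "AES":
        mode = ("AES-CMAC" if signing else "AES-CBC") if mode_bits == 0 else "reserved"
    else:
        mode = None
    return {"algo": algo, "mode": mode, "key_index": byte >> 4}


def decode_spi(spi1, spi2):
    """Octet 1 protects the command itself; octet 2 tells the card how to
    protect the PoR it sends back, including a PoR that reports an error."""
    return {
        "cmd_integrity": INTEGRITY[spi1 & 0b11],
        "cmd_ciphered": bool(spi1 & 0b100),
        "counter_mode": (spi1 >> 3) & 0b11,   # 0/1: no replay check, 2/3: checked
        "por": POR[spi2 & 0b11],
        "por_integrity": INTEGRITY[(spi2 >> 2) & 0b11],
        "por_ciphered": bool(spi2 & 0b10000),
        "por_via_sms_submit": bool(spi2 & 0b100000),
    }


def parse_command_packet(pkt):
    """Command packet: CPL(2) CHL(1) SPI KIc KID TAR CNTR PCNTR RC/CC/DS data."""
    cpl = int.from_bytes(pkt[0:2], "big")
    chl = pkt[2]
    if cpl != len(pkt) - 2 or chl < FIXED_HEADER_LEN or chl > cpl - 1:
        raise ValueError("CPL/CHL inconsistent with packet size")
    sig_len = chl - FIXED_HEADER_LEN
    sig_start = 3 + FIXED_HEADER_LEN
    return {
        "spi": decode_spi(pkt[3], pkt[4]),
        "kic": decode_key_byte(pkt[5], signing=False),
        "kid": decode_key_byte(pkt[6], signing=True),
        "tar": pkt[7:10].hex(),
        "cntr": int.from_bytes(pkt[10:15], "big"),
        "pcntr": pkt[15],
        "signature": pkt[sig_start:sig_start + sig_len].hex(),
        "data": bytes(pkt[sig_start + sig_len:]),
    }


def assess(pkt):
    """'weak' means this packet asks for a signed PoR and names a single-DES
    signing key: an unverifiable command still yields a 56-bit-key MAC to crack."""
    hdr = parse_command_packet(pkt)
    spi, kid = hdr["spi"], hdr["kid"]
    single_des = kid["algo"] == "DES" and kid["mode"] in SINGLE_DES
    signed_por = spi["por"] != "no PoR" and spi["por_integrity"] in ("CC", "DS")
    findings = []
    if single_des:
        findings.append("KID selects single DES (key index %d)" % kid["key_index"])
    if signed_por:
        findings.append("PoR requested with %s: error replies will be signed" % spi["por_integrity"])
    if spi["counter_mode"] < 2:
        findings.append("counter mode %d: no replay protection" % spi["counter_mode"])
    return {"weak": single_des and signed_por, "findings": findings, "header": hdr}


def build_packet(spi1, spi2, kic, kid, signature=bytes(8), data=b"\xa0\x01"):
    """Constructed packet builder: zero TAR and counter, dummy 8-byte signature."""
    header = bytes([spi1, spi2, kic, kid]) + bytes(3) + bytes(5) + b"\x00" + signature
    body = bytes([len(header)]) + header + data
    return len(body).to_bytes(2, "big") + body


# Probe-style request: CC on the command, PoR always, PoR with CC, DES-CBC keys at index 1.
WEAK_PACKET = build_packet(0x02, 0x29, 0x11, 0x11)
# Same shape naming AES keys, PoR only on error, counter must be one higher.
HARDENED_PACKET = build_packet(0x1A, 0x2A, 0x12, 0x12)

if __name__ == "__main__":
    for name, pkt in (("weak", WEAK_PACKET), ("hardened", HARDENED_PACKET)):
        verdict = assess(pkt)
        print(name, "WEAK" if verdict["weak"] else "ok", verdict["findings"])
```

Run against messages arriving at an OTA gateway or against an operator's own platform defaults, the check points at exactly the two fields that matter: the KID algorithm (single DES versus 3DES or AES) and the PoR protection the card will apply to its reply. Disabling OTA for a card removes the signed reply altogether, which is the other mitigation the text names.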

Sony PS4: $100 Cheaper – Trying To Beat Xbox One In Price War

As a PlayStation fan, I certainly agree that Sony has made a great move this time in order to win more buyers. Prior to E3, Sony planned to price the PS4 at $500, equal to the Xbox One offering. However, Sony later decided to exclude the PS Eye and slash the price down to […]

EcoBOOMER iGo Electric Unicycle

If riding a unicycle sounds tough to you, you can put your mind at ease with this new EcoBOOMER iGo. It is also a unicycle, but it has a special motor that helps you balance the ride. It is one of the coolest unicycles of the 21st century and one of the most eco-friendly vehicles […]

Super Big Inflatable Beach Ball

Summer is getting close, and lots of people have started to prepare their summer beach gear so they can have fun when the time comes. We have seen a lot of cool stuff like the Aviva Iceberg, where grown-ups can play on the shore or in the river, but it is not that child-friendly. If you […]

The Giving Tree Sticky Pad

Yet another unique sticky note. I have not seen one in a while, but this “Giving Tree” sticky pad caught my attention. It is a small, rounded, tree-trunk-shaped sticky pad. I believe they call it Giving Tree with some hidden meaning. To me, the designer is trying to tell us that each sheet of the sticky note should […]
