I’m an Apple guy – Mac, iPhone, iPad, and watch. I switched my family and friends over years ago, which reduced my technical support load immeasurably. There are a lot of good things to be said for their products, though recent trends have put form over function to the detriment of users. The latest case in point is FaceID.

I’ve been an Apple user since my ][+ in the early 80’s, and while I took a sojourn into the PC world, I’ve been back since the Intel Mac was released in 2006. They’ve made really cool products over the years, with great design, balancing form and function. Since Steve Jobs’ passing, however, the company has been relentlessly focusing on a single imperative – make things thin and light – and all other concerns, including utility and functionality, are secondary. My phone and Mac now look like they’re being attacked by a swarm of albino squid. The picture for this article is the box of dongles and adapters required for a single Mac computer. It’s also resulted in underpowered machines and software that doesn’t function well with local content or when offline, as the company tries to force cloud and streaming services on their users. As always with Apple, you either live the way they think you should, or you’re left struggling.

Now all this may be good business strategy. They probably make a lot more money off people who walk around Cupertino, hang out in coffee shops, use their machines only for surfing and blogging, are always online, and only talk on the phone for an hour a day than off people like me and other power/performance users. But the latest design-driven decision is one that will impact everyone. In the obsessive quest for a smooth and seamless glass display on the iPhone X, we’ve taken a step backwards on security, safety, ergonomics, and usability. FaceID is a step backwards.

TouchID, particularly the most recent version, is the best consumer fingerprint technology available. It has a solid crossover point between false accepts and false rejects, is easy to set up, allows multiple users, is relatively hard to spoof (at least without triggering the lockout), and can be used eyes-free when driving. But it requires a physical sensor that can be touched, and that’s where function ran headlong into form. From media reports, Apple had been trying to get it to work under a seamless glass pane, but without success. Rather than preserving the functionality, they abandoned a proven security solution and moved to facial recognition – a technology that the majority of security professionals are skeptical of.

First, let’s talk about privacy. On this one I’ve no worries; Apple got it right. The recognition data is stored in a trusted computing module (aka the secure enclave) on the device, and never sent to the mother ship – TouchID does the same thing. It’s actually a really cool bit of tech. Folks concerned about ‘being in a database’ should be much more worried about malls, airports, sporting events, roads, schools, the driver’s license bureau, and the passport agency – all those places collect facial data.

Now on to security. There’s a lot of chatter about spoofing FaceID or triggering a false accept with a relative. The attack in the story is similar to the one I’d try. I’d start with a 3D scan of someone’s face using a series of photographs and software like Strata Photo 3D to stitch them together into a full-color model. Import that model into ZBrush, clean it up, and export the mesh for 3D printing. While you’re in there, unwrap the ‘skin’ or texture map with the color information into a two-dimensional layer. Export that, print it onto a flexible skin, then wrap that skin back around the 3D print (the skin/transfer processes are covered in one of the books we wrote). That’s a bit of work, but in the end you have a pretty good full-color 3D model of someone’s head. Note that for a public figure, it’s far easier to get a good 3D model of their face than it is their fingerprint. Next, I’ve been wondering if the IR camera setup for FaceID has some FLIR-like capabilities that measure the heat map of a face, and that’s why Wired’s masks didn’t work. If so, we can use a heat gun to replicate human heat patterns on the model. To be clear – I don’t (and won’t anytime soon) have an X, and haven’t tried this, but the techniques are all very straightforward. In any case, I’m sure that eventually a similar attack will succeed.

Now, how is that any different from a gummy finger and TouchID? Effort- and technique-wise they’re similar, and in the real world, probably about the same complexity. With an aggressive lockout on both, the odds of a false positive are pretty low. Of course, either TouchID or FaceID is moot if your mugger wants you to unlock the phone while you’re still in the dark alley, though FaceID does protect you against having the device unlocked while you sleep. But unintentional false positives are starting to emerge, and of course there were reports – denied by Apple – that they dumbed down the sensor because of yield problems. We’ll just have to see how it goes, but I give a slight edge to TouchID because it requires physical contact to obtain the biometric information.

Last, let’s talk about functionality. FaceID supports only a single face. That’s a software issue, and I suspect it’ll change in the future, but right now it’s a limitation. The bigger issue is the false negative rate. From media and personal anecdotal reports, it’s far higher than TouchID’s. Apple’s done that to preserve the security of a system based on an inferior biometric (which is the right choice), but it has real-world implications. To be most secure, and in order to prevent drive-by unlocking, FaceID requires eye contact with the device. Oops, it doesn’t work with dark sunglasses (I wear contacts, so my glacier glasses are my friend), which prevent recognition. Hello passcode. I have my devices set to prevent Siri from leaking data from the lock screen (“hey siri” is at best hit or miss anyway). With TouchID, I can simply touch the phone where it rests in the cupholder, and then use voice commands to interact with it (assuming Siri isn’t brain dead that day). FaceID requires that I lift the phone up in my hand, look away from the road, and make eye contact to unlock it. That’s both unsafe and, in many states, illegal. Then, when it fails to unlock because of the false deny rate, I’m left having to pull off to the side of the road and enter the passcode. I suspect a lot of people will turn off the eye contact requirement as a result, which drastically reduces the security of the solution.

Now, to be fair, none of those issues are unique to FaceID. As facial recognition goes, it’s a pretty good system. But facial recognition as a technology for primary, single-factor authentication is a really poor idea – it doesn’t matter if it’s on an iPhone or a Surface. The error rates are simply too high, and the fallback (aggressive failure and lockout) means that the utility is severely hampered (animated poop emojis notwithstanding). So we’re left with a regression because the form (ultra-thin, light, seamless) trumped function. That’s a real shame, because so far Apple’s been really good at finding a sweet spot between security and convenience. TouchID was a brilliant biometric solution (at least on mobile), and the new two-factor system in iOS 11 and MacOS 13 is the best overall implementation I’ve seen. It just works – good old days come again. Unfortunately FaceID is a major step backwards – in the real world it may be roughly as secure as TouchID, but it’s far less usable.
The Problem of Android
I’m an Apple guy, and have a love-hate relationship with their recent product strategy, and the tight control they keep over the ecosystem. The downside is that we’re stuck with some bad decisions (like building apps that expect to be online all the time), but the upside is that everyone gets access to updates at the same time – Apple has the most up-to-date user base of any major computing platform. Android, not so much.
Android took the opposite approach – open code base, licensed to manufacturers to customize, and then further customized by carriers. The advantage to that is lower cost and wider adoption, but it comes at a significant price for security. When Google releases a new version of Android, only their own devices immediately receive the patch. Everyone else has to wait for 1) the manufacturer to test, certify, and release the patch, and then 2) the carrier to do the same. That assumes of course, that both actually bother to do the work to make updates available. The net is that the vast majority of Android devices are running known-insecure versions of the OS.
I’m seeing a broad movement among businesses to tighten controls over mobile OS versions, and to apply the same policies to both corporate-owned and BYOD devices: if you’re not on N or N-1, you can’t use your device. That means that those old iPhone 4 handsets get retired too, by the way.
So what to do? Well, some would say ‘jailbreak’ and install your own code. There may be something to that, but you run into serious risks there too. Most jailbreaking tools are from the shady side of the internet, so you never really know what you get. Most companies block jailbroken devices from business use (all really should). It’s also technically beyond most users, so let’s leave that off the table.
The next option is to only purchase devices that get updates directly from Google. That limits choices significantly, but as a side benefit, you don’t get the pre-installed spyware that comes with many of the dirt-cheap Android phones – that’s how those companies subsidize the phone. Buyer beware. This is a hard choice for businesses because it largely erases one of the advantages of Android over iOS (cost), but it’s one I’m seeing a number of organizations make. For individuals who buy Android devices, it’s the one I’d recommend.
Next is to buy cheap devices, and simply dispose of them when the OS expires. That’s all well and good, but it’s expensive, time consuming, and you have a window of vulnerability during the transition. Of course, banning Android completely is an option too, and I do see some of that happening.
But the most common approach I see these days is some form of risk limiting via containerization, or other restrictions on what the devices are allowed to do. Containers can be bypassed (e.g. compromise the underlying device with a keylogger), but do provide reasonable protection for moderate risk content. Organizations should leverage their data classification projects to determine what information is suitable for mobile device access, and potentially change that based on how current the OS is.
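The “N or N-1” rule above, combined with the idea of letting the allowed data classification depend on how current the OS is, is easy to express as a small policy check. The following is an added example and not code from the original post or from any MDM product: the latest-release table, the data classes, and the device inventory are all constructed sample data, and versions are compared by major release number only (an assumption; a real deployment would use the vendor’s own release feed and build numbers).

```python
"""
Added example (not from the original post): an "N or N-1" mobile OS
compliance check, extended so that the data classes a device may access
depend on how current its OS is.

Assumptions (not from the post): versions parse as major.minor.patch, "N" is
the newest major release of a platform, and the tables below are constructed
sample data rather than real release information.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: newest major release per platform (hypothetical values).
LATEST_MAJOR = {"ios": 11, "android": 8}

# Data classes a device may access, keyed by how current its OS is.
# Tiers: "current" = N, "previous" = N-1, "blocked" = older or unknown.
ALLOWED_DATA = {
    "current":  {"public", "internal", "confidential"},
    "previous": {"public", "internal"},
    "blocked":  set(),
}


@dataclass(frozen=True)
class Device:
    owner: str
    platform: str    # "ios" or "android"; corporate-owned and BYOD are treated alike
    os_version: str  # e.g. "11.0.3"; real inventories contain malformed values


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.patch' into a tuple of ints; None if unparsable."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def os_tier(device: Device) -> str:
    """Classify a device as current (N), previous (N-1) or blocked.

    Unknown platforms and unparsable versions fail closed (blocked): a gap in
    the inventory must not grant access.
    """
    latest = LATEST_MAJOR.get(device.platform.lower())
    version = parse_version(device.os_version)
    if latest is None or version is None:
        return "blocked"
    major = version[0]
    if major >= latest:          # N, or a newer build than the table knows about
        return "current"
    if major == latest - 1:      # N-1
        return "previous"
    return "blocked"             # older than N-1


def may_access(device: Device, data_class: str) -> bool:
    """Policy decision: may this device access data of the given class?"""
    return data_class in ALLOWED_DATA[os_tier(device)]


def audit(devices) -> dict:
    """Summarise an inventory: owner -> (tier, sorted list of allowed data classes)."""
    return {d.owner: (os_tier(d), sorted(ALLOWED_DATA[os_tier(d)])) for d in devices}


# Constructed sample inventory.
SAMPLE_DEVICES = [
    Device("alice", "ios", "11.1"),         # N: full access
    Device("bob", "ios", "10.3.3"),         # N-1: no confidential data
    Device("carol", "android", "6.0.1"),    # older than N-1: blocked
    Device("dave", "android", "8.0.0"),     # N on Android
    Device("erin", "android", "unknown"),   # unparsable version: fails closed
    Device("frank", "blackberry", "10.3"),  # platform not in the table: blocked
]

if __name__ == "__main__":
    for owner, (tier, allowed) in audit(SAMPLE_DEVICES).items():
        print(f"{owner:6} {tier:8} {allowed}")
```

Running the block prints one line per device with its tier and the data classes it may touch; the deliberate design choice is that anything the policy cannot evaluate (unknown platform, garbage version string) lands in the blocked tier rather than being waved through.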
I know this challenge is top of mind for Google’s Android team, and they’re starting to look at separating the carrier bloatware layer from the underlying OS, as well as other measures to speed up manufacturer releases. I hope they succeed – we need an alternative to keep Apple on their toes. In parallel, consumers shouldn’t buy devices without clear statements of patch release timelines from vendors and carriers. Until all that happens and we have a better option, Android users beware.
Apple, Security, Threat Models and a Tightening Sandbox
I watched Apple’s iOS and MacOS keynote with a lot of interest. Security, privacy, encryption, and two-factor all got some attention, either in the updates or on the main stage – it’s really cool to see a company build a product strategy around those capabilities.
At the same time, they’re removing granular decisions about how that security is implemented. This dumbing down and forcing people into a very narrow configuration is getting annoying, and is becoming pervasive across their product line. So when does it become a security risk? When Apple’s threat model doesn’t match yours.
Let me share a few examples – like what is and isn’t synced to the cloud. I ran into an annoying “feature” when reconfiguring my home network over the weekend – if you sync anything to iCloud Keychain (to use HomeKit, for example), you sync everything (which is why I don’t use it for passwords). For example, it’s no longer possible to have a different set of Wi-Fi networks on each device.
Another example of this is the fingerprint reader – you can use the fingerprint, or a PIN/passcode, but not both. Now on a phone that’s probably ok, but on a Mac? It’d be nice to see an option to use a simple PIN and a fingerprint, but Apple’s decided that the risk of fingerprint forgery is small. Is that your threat model? Maybe, and maybe not.
We can control application data access on cellular data, but not on wi-fi? Apple’s threat model is about data usage. Mine’s about monitoring and tracking (and to be fair, data usage too). Evidently two-factor will be forced for AppleID logins in iOS 11. That’s generally good, but I can come up with situations when you’d want to turn it off. Will it be allowed? Not sure.
They’re now going to store and sync all your messages via iCloud, not just device to device. Sure, it’s encrypted, but what if I want some data left on one device but not on others? Again, it’s not hard to come up with some use cases where you’d want more granular control (and yet they still don’t have a “delete all chats” option, go figure).
They push their streaming content hard, to the point that the TV app doesn’t work reliably in airplane mode (I’ve had a case open with executive relations for months on this one), which they don’t view as a risk. I do – to Availability, and I’ve suffered through multiple flights without media as a result. I’ve been sorely tempted to buy an Android tablet just to have movies when I’m delayed for four hours during a thunderstorm.
Hopefully Siri will get a brain transplant and not just a face lift as HomePod comes out, but the idea of an always-on speaker listening in my house is, well, creepy. And one with a camera? I was amused recently when I saw someone with a sticker over their laptop camera... right next to an Echo Look. No thank you.
Apple Pay person to person is interesting, and I’ll be very curious to see how they deal with fraud – or fake allegations thereof. The QR code integration into the camera is interesting, and I can see fun ways to leverage it – like taking someone to a malware site by posting one on a sign next to a scenic overlook, and titling it ‘Photographic Tips’.
I could go on, but I think I’ve made my point. Apple’s a remarkable company, and I use many of their products, but their view of users, threat models, and use cases is growing steadily narrower. It’s still the most secure computing and mobile platform for consumers, but let’s not kid ourselves – there are tradeoffs to be had.