Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

FaceID – When Form Trumps Function

By

I’m an Apple guy – Mac, iPhone, iPad, and watch.  I switched my family and friends over years ago, which reduced my technical support immeasurably.  There’s a lot of good things to be said for their products, though recent trends have put form over function to the detriment of users.  The latest case in point is FaceID. I’ve been an Apple user since my ][+ in the early 80’s, and while I took a sojourn into the PC world, I’ve been back since the Intel mac was released in 2006.  They’ve made really cool products over the years, with great design, balancing form and function.  Since Steve Job’s passing however, the company has been relentlessly focusing on a single imperative – make things thin and light, and all other concerns – including utility and functionality – are secondary. My phone and mac now look like they’re being attacked by a swarm of albino squid.  The picture for this article is the box of dongles and adapters required for a single Mac computer.  It’s also resulted in underpowered machines and software doesn’t function well with local content or when offline as the company tries to force cloud and streaming services on their users.  As always with Apple, you either live the way they think you should, or you’re left stuggling. Now all this may be good business strategy.  They probably make a lot more money off people who walk around Cupertino, hang out in coffee shops, use their machines only for surfing and blogging, are always online, and only talk on the phone for an hour a day than people like me and other power/performance users.  But the latest design-driven decision is one that will impact everyone.  In the obsessive quest for a smooth and seamless glass display on the iPhone X, we’ve taken a step backwards on security, safety, ergonomics, and usability.  FaceID is a step backwards. TouchID, particularly the most recent version, is the best consumer fingerprint technology available.  It has a solid crossover point between false accepts and false rejects, is easy to setup, allows multiple users, is relatively hard to spoof (at least without triggering the lockout), and can be used eyes-free when driving.  But it requires a physical sensor that can be touched, and that’s where function ran headlong into form.  From media reports, Apple had been trying to get it to work under a seamless glass pane but without success.  Rather than preserving the functionality, they abandoned a proven security solution and moved to facial recognition – a technology that the majority of security professionals are skeptical of. First, let’s talk about privacy.  On this one, I’ve no worries, Apple got it right.  The recognition data is stored in a trusted computing module (aka secure enclave) on the device, and never sent to the mother ship – TouchID does the same thing.  It’s actually a really cool bit of tech.  Folks concerned about ‘being in a database’ should be much more worried about malls, airports, sporting events, roads, and schools, the driver’s license bureau, and passport agency – all those places collect facial data. Now on to security. There’s a lot of chatter about spoofing FaceID or triggering a false accept with a relative.  The attack in the story is similar to the one I’d try.  I’d start with a 3D scan of someone’s face using series of photographs and software like Strata Photo 3D to stitch them together into a full-color model.  Import that model into ZBrush, clean it up, and export the mesh for 3D printing.  While you’re in there, unwrap the ‘skin’ or texture map with the color information into a 2 dimensional layer.  Export that, print it onto a flexible skin, then wrap that skin back around the 3d print (the skin/transfer processes are covered in one of the books we wrote).  That’s a bit of work, but in the end, you end up with a pretty good full-color 3d model of someone’s head. Note that for a public figure, it’s far easier to get a good 3d model of their face than it is their fingerprint. Next, I’ve been wondering if the IR camera setup for FaceID has some FLIR like capabilities that measure the heat map of a face, and that’s why Wired’s masks didn’t work.  If so, we can use a heat gun to replicate human heat patterns on the model.  To be clear – I don’t (and won’t anytime soon) have an X, and haven’t tried this, but the techniques are all very straightforward.  In any case, I’m sure that eventually a similar attack will succeed. Now, how is that any different from a gummy finger and TouchID?  Effort and technique-wise they’re similar, and in the real world, probably about the same complexity.  With an aggressive lock-out on both, the odds of a false positive are pretty low. Of course, either Touch or Face ID is moot if your mugger wants you to unlock the phone while you’re still in the dark alley, though FaceID does protect you against having the device unlocked while you sleep. But unintentional false positives are starting to emerge, and of course, there were reports – denied by Apple – that they dumbed-down the sensor because of yield problems.  We’ll just have to see how it goes, but I give a slight edge to TouchID because it requires physical contact to obtain the biometric information. Last let’s talk about functionality.  FaceID supports only a single face.  That’s a software issue, and I suspect it’ll change in the future, but right now it’s a limitation.   The bigger issue is the false negative rate.  From media and personal anecdotal reports, it’s far higher than TouchID.  Apple’s done that to preserve the security of a system based on an inferior biometric (which is the right choice), but it has real-world implications. To be most secure, and in order to prevent drive-by unlocking, FaceID requires eye contact with the device.  Oops, it doesn’t work with dark sunglasses (I wear contacts, so my glacier glasses are my friend), which prevent recognition.  Hello passcode. I have my devices set to prevent Siri from leaking data from the lock screen (“hey siri” is at best, hit or miss anyway).   With TouchID, I can simply touch the phone where it rests in the cupholder, and then use voice commands to interact with it (assuming Siri isn’t brain dead that day).   FaceID requires that I lift the phone up in my hand, look away from the road, and make eye contact to unlock it. That’s both unsafe, and in many states, illegal.  Then when it fails to unlock because of the false deny rate, I’m left with having to pull off the side of the road and enter the passcode.  I suspect a lot of people will turn off the eye contact requirement as a result, which drastically reduces the security of the solution. Now to be fair, none of those issues are unique to FaceID.  As facial recognition goes, it’s a pretty good system.  But facial recognition as a technology for primary, single factor authentication is a really poor idea – doesn’t matter if it’s on an iPhone or Surface.  The error rates are simply too high, and the fallback (aggressive failure and lockout) means that the utility is severely hampered (animated poop emoji’s notwithstanding). So we’re left with a regression because the form (ultra-thin, light, seamless) trumped function.  That’s a real shame, because so far Apple’s been really good at finding a sweet spot between security and convenience.  TouchID was a brilliant biometric solution (at least on mobile), and the new two-factor system in iOS 11 and MacOS 13 is the best overall implementation I’ve seen.  It just works – good old days come again.  Unfortunately FaceID is a major step backwards – in the real world it may be roughly as secure as TouchID, but it’s far less usable.

Armor up! Personal Cyber Safety

By

A friend of mine recently lost their smart phone.  They did most of the right things – sent the wipe signal to it, and changed their passwords.  Unfortunately, they missed telling the cellular carrier, and it turns out that someone had simply moved the SIM card into another phone and used it to make hundreds of dollars in overseas calls (much like we used to see with calling card and conference call numbers).  It also meant that any inbound calls and SMS messages would have rung on that stolen phone – something to think about in the age of SMS-two factor authentication.

He asked me for an updated list of suggestions on how to get secure and stay safe online, and rather than doing a one-off, I thought I’d share here – feel free to add suggestions in the comments, and I’ll keep this current.  The first is the most important, and the rest are in no particular order.  Many of these are involved topics that deserve posts in their own right – this is just a quick summary.

[Updates at the end]

#1 – Keep Current

Make sure you’re on a current and supported operating system, and keep up with patches.  For Windows that means 7 or higher, for Mac El Capitan or higher, and for iOS it means 9 or higher.  For both Windows and Mac, that’ll change soon – Windows 10 and Sierra are better options.  Android is much harder unless you get updates directly from Google.  If you don’t, you’re behind – that’s one of the reasons I don’t recommend non-google Android devices.

This also means keeping your applications up to date.  If you still have Office 2003 because it’s all you need, unfortunately, you’ll have to pay the Microsoft tax and get a current version to get patches.  Ditto on the Adobe products, and pretty much everything else.

For both OS and apps, apply patches and updates on a regular basis.  For Windows machines, makes sure you watch for ‘Patch Tuesday’ and apply patches right away – often the bad guys release new malware shortly afterwards that attacks unpatched machines.   We all find it hard to keep up with patches (Window takes far more care than Mac), so when possible, turn on automatic updates.  Which brings us to the importance of the next item:

 

Backups

Things will go wrong.  Consumer cloud has no guarantee of backup or restoration of data, so don’t trust Google, Apple, Microsoft, DropBox, or any other service as the sole place your information lives: any critical information (i.e. family photos) should live in at least two physical places, one of which should be in your personal controls.  For example, one of the first things I disabled in Sierra was the ‘automatic migration of data to iCloud’.  Aside from not controlling what’s uploaded, the last thing I’d trust a consumer-grade service to do is delete anything off my machine automatically.

Backups should be encrypted (see below), and at least one stored offsite – either a cloud-based backup like CrashPlan, or a drive in a safety deposit box or at a friend’s house.  If you use cloud backup, remember that they don’t work for things like virtual machines, and can blow out your data charges.

So I backup my iOS devices to my local computer (not iCloud), then backup the Mac using Time Machine (for the oops I deleted it situations), and Carbon Copy Cloner (www.bombich.com) for my disaster backups.  CCC has saved my bacon more times than I can count, and I highly recommend it for Mac users.

I also strongly recommend that at least one of your backups be physically disconnected from your computer when not actively backing up.  That’s the single best defense against ransomware.

 

Securing the browser

Absolutely run a current browser version.  I recommend using uBlock Origin and Privacy Badger to cut down on the worst of the tracking and funky sites.  Don’t use shady extensions like video downloaders.  To be extra safe, use two browsers – one for general browsing, and one for sensitive sites.  Be careful of typo-squatting sites.  That’s one reason I like 1Password – it validates the URL before pasting in credentials.  Stick with one of the big three – Edge, Firefox, or Chrome.  Retire Internet Explorer.

 

Trust the cloud – sort of

There are three kinds of cloud services:  free/consumer, and enterprise.  Free services monetize you in some fashion (more below), usually by selling your data to advertising – and I recommend avoiding them.  This includes services like Gmail, Facebook, Twitter, and such – if you’re not paying for it, you’re the product, not the customer.

iCloud is paid for as part of buying Apple products, and while Apple uses the data for marketing and product development, they don’t sell it to third parties, so it’s somewhat better.  One thing that all consumer services have in common is that they disavow any responsibility for data loss or disclosure.

So, for backups and email, I recommend paying for the service.  You’ll get much better responsiveness and much less privacy compromise.  And make darn sure the data is encrypted before uploading.

 

Passwords & Password Managers

That’s especially true of Password Managers.    I’m not a fan of cloud-storage for my password vault – it’s too inviting a target.  That’s one of the reasons I use 1Password from www.agilebits.com – they offer a local sync option.  But using one with the cloud is far better than not using one, and I have a number of family and friends using the 1Password cloud options.  I’ve written recently about 1Passwords migration to the cloud, and while I have concerns, it’s still the best option out there.

Your password manager password needs to be a good one – a passphrase is best.   The new advice is to pick four or five words:  cheetah shark Saturn smiley mayonnaise.  You’ll remember it much easier than a random set of characters, and most good cracking tools now easily bypass backwards words, replacing letters with numbers, and all the other tricks.

All this implies, yes, use a password manager that generates unique random passwords for each site.  That way you only need to remember one single password (hence 1Password) that’s really good and strong, then it does the rest for you.

Note:  Do not use the web-version of a password manager.  Use the application on a device that you control.

 

Lie

That brings me to one of the toughest ones – lying to sites by intent.   This falls into two categories – lying for protection, and lying because it’s none of their business.  For the former, when a site asks you to create a secret question and answer, lie – use a random word, and then store that in your password manager.

More importantly, when a site asks you for information it doesn’t need – your birthday for a shopping site for example, make something up that’s completely random.  I started getting retirement spam after using a 1940’s date…interesting.

This is also true for sites or companies that ask for ‘mother’s maiden name’.  Go change all those and record the new random answers in your password manager.  For companies that continue to insist on the single worst authentication mechanism (last 4 of SSN), pester them to see if you can get it changed.  If not, then we should all shame them on social media.

 

Use two-factor

When offered, use two-factor authentication.  It’s not perfect, but it’s better than just a password.  Do not use just device-based authentication though, always use both factors.

 

Disk/device encryption – backup and machines

Turn on whole disk encryption on your system.  For mac: https://support.apple.com/en-us/HT204837 and for Windows: https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption

 

Set mobile devices to lock and wipe

If you have options to disable biometrics, and force a passcode after a handful of attempts turn it on, and then turn on the options to wipe the device after 10 failed attempts.

And use something stronger than a 4 digit PIN – at least 6.  Alpha numeric is better.  Pick one that’s not your, your spouse, your kids or any other date, address, phone number, or anything else that’s easy to guess or on social media.

While you’re at it, set airdrop to ‘contacts only’.  Better to stay off the grid.

 

Biometrics

Biometrics are a mixed bag.  Right now there’s tons of snake oil out there.  The only one that I trust for regular use is the fingerprint reader on the iPhone – and that’s because of the lock/wipe options.  I do not use it on a computer – type the passphrase instead.  Facial recognition, swipe patterns, and such can be spoofed trivially, and many consumer grade fingerprint readers can be as well.
Stay off public (and other) computers.

Using a public computer is like licking the seat in an outhouse.  Just don’t.  Ever.  Your friend’s computer isn’t quite as bad, but unless you know that they have good hygiene, it’s best to only use your own devices.

 

Uninstall Flash and Java 

It’s time to get rid of these two applications from your personal machines.  Corporate machines should too, but that’s a whole more involved story.

Flash:

Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

Java:

Mac: https://www.java.com/en/download/help/mac_uninstall_java.xml

Windows: https://www.java.com/en/download/help/uninstall_java.xml

If you have to use Flash, use Chrome (but disable all the tracking first).

 

Get accounts before the bad guys do

As Brian Krebs recommends, get accounts on https://www.ssa.gov/ and IRS.gov https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/ before someone does it first.

 

Credit Freeze

And again a shout-out to Brian, for his information on getting credit freezes from all four agencies.  Credit monitoring is useful for telling you it’s been compromised – a freeze protects it up front.  https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

If your homeowners insurance offers identity theft protection as a rider, that’s not a bad investment for the price.

Note:  If you have kids, freeze their credit too.

 

eMail security

Email is not private.  If you have a standalone email application, using SSL only keeps it secure between your machine and the server.  If you do it in the browser, same situation – and you’re also exposed if the browser is compromised.  Never email any sensitive information like bank account numbers, social security number, credit card numbers, and so on.  If you’re emailed a new password after a reset, immediately go change it on the site itself.

Note:  Yes, there are ways to technically encrypt email end-to-end.  It’s not clean or easy, and pretty fiddly.  If you absolutely positively must email something sensitive, my recommendation is to encrypt the document itself then attach that to a regular email.  That’s beyond the scope of this post.

Because password resets are done via email, this is the most important account you have.  It must be used with a robust random password, and you should never login from any device that you don’t own and control.  If the bad guys get your email, they get all your other accounts.

 

Have a throwaway email

So that means having more than one might make sense.  Ever have a site that you might want to get information from, but don’t want them to have your details?  Get and use a throwaway email account – or a junk mail account to use for all of them.

 

Never click links

And never, ever, click on any link in anything on that junk account.  That’s good practice for all email and all links.  Go manually to their site, and login by hand.  Related – stop sending emails with links in them (internal corporate communications I’m looking at you).

 

Stay off the seedy side of the internet

It goes without saying, stay off the seedy side of the internet.  Get legal software and content, avoid torrents, and naughty sites.

 

VPN/Public Hotspots/Cellular Data

I avoid using any public hotspots – it’s far too easy for someone to sniff what you’re doing, Use your cellular hotspot when you can.  For better protection, use a personal VPN like www.getcloak.com to prevent traffic monitoring and cellular carrier supercookies.  This includes hotel internet.

 

Never respond to inbound phone calls

If you get a call allegedly from your credit card company, bank, insurance company, or similar company, don’t give any information or acknowledge that you even have an account.  Politely thank them, and call the number on your credit card or statement (not the one they give you over the phone).  Hiring a fake call center is trivial.

 

Firewalls & Antivirus

Turn on the Firewall on a Mac https://support.apple.com/en-us/HT201642 and Windows https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off

As a minimum, turn on Xprotect on the Mac https://support.apple.com/en-us/HT201940 and Windows Defender on Windows: https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer

On both Mac and Windows use www.malwarebytes.com to scan and remove malware, including adware.

On Windows, seriously consider paying for antimalware software.  At this point I’d probably recommend Symantec over the alternatives – the free solutions aren’t worth it.  If your bank offers Trusteer Rapport, download and install it.

Oh, and disable file sharing if you haven’t already.

Don’t tweak the bad guys

I know folks who will keep the ‘tech support’ spoofers on the line, or text with the thieves who stole a phone, or respond to phishing emails with ‘nice try’.  Don’t.  These folks are very good at what they do, and most of the time you’re just a drive by as they conduct a massive campaign.  But if you get them mad and they target you, it’s a whole different ball game.   Respect their skills.

In the end

Be skeptical, be wary, and be prepared to be hacked.  I had a bank ask me to send mortgage paperwork via email.  I said no.  I’ve had calls to my phone that spoof my own callerID.  I hung up.   I’ve also had really clever phishing emails that I almost clicked.  I did – to delete.  We’ve had our credit card stolen several times – caught it by watching my bills weekly.

As one of the characters in Harry Potter was fond of proclaiming, ‘Constant Vigilance’.

 

[Update]

Shred it

Shred anything and everything that has your information on it.  That includes envelopes from bills (they identify targets for the bad guys to hit), junk mail, receipts, boarding passes, hotel room cards, credit cards (unless metal – cut those with tin snips), conference badges (I punch out the RFID chip as soon as I get one), old business cards, and so on.  Bar codes are the most insidious as they can hide a lot of personal information, as Brian Krebs points out in the link about boarding passes.

iPhone repairs – scam or security?

By

Over the past few days, there have been a number of articles as people discover that their iPhones are bricked after undergoing third-party repairs.  Apple has a FAQ about it, and  iFixit has a good article with details, though I don’t necessarily agree with all their conclusions, and they do have a vested interest in third-party repair options.  Not that that’s a bad thing – I’ve been a customer in the past myself, but will full knowledge that I was voiding my warranty by doing so.

So a couple of specific points:

“As long as the device requires a PIN on boot, then the device would be just as secure as it was before the part swap.”

The secure paring between the sensor and the fingerprint reader (from published information), protects the biometric data in the secure enclave from compromise by a malicious sensor.  The PIN is a different subsystem, and may protect the device, but not necessarily the biometric data.

“repair professionals should be able to unlock devices—and that they should have access to the same parts and the same tools that “authorized” repair shops do”

This is a widespread practice:  witness key and lock manufacturers restricting secure blanks to licensed locksmiths, and the entire automotive industry requiring that new ‘smart’ keys be programmed at the dealership.  So the question is, should it be?  I’m annoyed at the hour’s time and $100-200 charge for a spare key to my car.  That “feels” like gouging.  But those keys have made a big impact on car theft, and my lower insurance rates reflect that.  It’s tough to know the difference between security and a scam without a lot of details.

And that’s rub.  Apple isn’t disclosing enough details about the paring process to understand if that’s possible.  What I do know is this – Apple got the security of their fingerprint reader right.  From storing the biometric data securely, to paring the sensor, to enforcing a maximum number of attempts before triggering a PIN.   If someone’s TouchID is compromised because of a malicious sensor, who will be blamed/sued/dragged through the media?  Apple.  I can’t blame them for locking down the secure subsystems to authorized repair agents.

You know,  demands that Apple ‘should be able to allow unauthorized repairs’ sound a lot like demands that Apple ‘should be able to implement a backdoor in their encryption’.    In the latter case, it can’t be done (math is hard after all).  In the former?  We need more details to know for sure.

But, in the end, my recommendation is to only use authorized repair services for secure components – for any product, not just Apple’s.  It’s more money, but it’s worth it.

2/18 Update:  Apple’s stopped bricking the device, but still won’t allow TouchID to be used until an authorized repair is completed.  That seems a lot more reasonable than bricking the device, and still maintains TouchID security.