I’m an Apple guy – Mac, iPhone, iPad, and watch. I switched my family and friends over years ago, which reduced my technical support immeasurably. There’s a lot of good things to be said for their products, though recent trends have put form over function to the detriment of users. The latest case in point is FaceID. I’ve been an Apple user since my ][+ in the early 80’s, and while I took a sojourn into the PC world, I’ve been back since the Intel mac was released in 2006. They’ve made really cool products over the years, with great design, balancing form and function. Since Steve Job’s passing however, the company has been relentlessly focusing on a single imperative – make things thin and light, and all other concerns – including utility and functionality – are secondary. My phone and mac now look like they’re being attacked by a swarm of albino squid. The picture for this article is the box of dongles and adapters required for a single Mac computer. It’s also resulted in underpowered machines and software doesn’t function well with local content or when offline as the company tries to force cloud and streaming services on their users. As always with Apple, you either live the way they think you should, or you’re left stuggling. Now all this may be good business strategy. They probably make a lot more money off people who walk around Cupertino, hang out in coffee shops, use their machines only for surfing and blogging, are always online, and only talk on the phone for an hour a day than people like me and other power/performance users. But the latest design-driven decision is one that will impact everyone. In the obsessive quest for a smooth and seamless glass display on the iPhone X, we’ve taken a step backwards on security, safety, ergonomics, and usability. FaceID is a step backwards. TouchID, particularly the most recent version, is the best consumer fingerprint technology available. It has a solid crossover point between false accepts and false rejects, is easy to setup, allows multiple users, is relatively hard to spoof (at least without triggering the lockout), and can be used eyes-free when driving. But it requires a physical sensor that can be touched, and that’s where function ran headlong into form. From media reports, Apple had been trying to get it to work under a seamless glass pane but without success. Rather than preserving the functionality, they abandoned a proven security solution and moved to facial recognition – a technology that the majority of security professionals are skeptical of. First, let’s talk about privacy. On this one, I’ve no worries, Apple got it right. The recognition data is stored in a trusted computing module (aka secure enclave) on the device, and never sent to the mother ship – TouchID does the same thing. It’s actually a really cool bit of tech. Folks concerned about ‘being in a database’ should be much more worried about malls, airports, sporting events, roads, and schools, the driver’s license bureau, and passport agency – all those places collect facial data. Now on to security. There’s a lot of chatter about spoofing FaceID or triggering a false accept with a relative. The attack in the story is similar to the one I’d try. I’d start with a 3D scan of someone’s face using series of photographs and software like Strata Photo 3D to stitch them together into a full-color model. Import that model into ZBrush, clean it up, and export the mesh for 3D printing. While you’re in there, unwrap the ‘skin’ or texture map with the color information into a 2 dimensional layer. Export that, print it onto a flexible skin, then wrap that skin back around the 3d print (the skin/transfer processes are covered in one of the books we wrote). That’s a bit of work, but in the end, you end up with a pretty good full-color 3d model of someone’s head. Note that for a public figure, it’s far easier to get a good 3d model of their face than it is their fingerprint. Next, I’ve been wondering if the IR camera setup for FaceID has some FLIR like capabilities that measure the heat map of a face, and that’s why Wired’s masks didn’t work. If so, we can use a heat gun to replicate human heat patterns on the model. To be clear – I don’t (and won’t anytime soon) have an X, and haven’t tried this, but the techniques are all very straightforward. In any case, I’m sure that eventually a similar attack will succeed. Now, how is that any different from a gummy finger and TouchID? Effort and technique-wise they’re similar, and in the real world, probably about the same complexity. With an aggressive lock-out on both, the odds of a false positive are pretty low. Of course, either Touch or Face ID is moot if your mugger wants you to unlock the phone while you’re still in the dark alley, though FaceID does protect you against having the device unlocked while you sleep. But unintentional false positives are starting to emerge, and of course, there were reports – denied by Apple – that they dumbed-down the sensor because of yield problems. We’ll just have to see how it goes, but I give a slight edge to TouchID because it requires physical contact to obtain the biometric information. Last let’s talk about functionality. FaceID supports only a single face. That’s a software issue, and I suspect it’ll change in the future, but right now it’s a limitation. The bigger issue is the false negative rate. From media and personal anecdotal reports, it’s far higher than TouchID. Apple’s done that to preserve the security of a system based on an inferior biometric (which is the right choice), but it has real-world implications. To be most secure, and in order to prevent drive-by unlocking, FaceID requires eye contact with the device. Oops, it doesn’t work with dark sunglasses (I wear contacts, so my glacier glasses are my friend), which prevent recognition. Hello passcode. I have my devices set to prevent Siri from leaking data from the lock screen (“hey siri” is at best, hit or miss anyway). With TouchID, I can simply touch the phone where it rests in the cupholder, and then use voice commands to interact with it (assuming Siri isn’t brain dead that day). FaceID requires that I lift the phone up in my hand, look away from the road, and make eye contact to unlock it. That’s both unsafe, and in many states, illegal. Then when it fails to unlock because of the false deny rate, I’m left with having to pull off the side of the road and enter the passcode. I suspect a lot of people will turn off the eye contact requirement as a result, which drastically reduces the security of the solution. Now to be fair, none of those issues are unique to FaceID. As facial recognition goes, it’s a pretty good system. But facial recognition as a technology for primary, single factor authentication is a really poor idea – doesn’t matter if it’s on an iPhone or Surface. The error rates are simply too high, and the fallback (aggressive failure and lockout) means that the utility is severely hampered (animated poop emoji’s notwithstanding). So we’re left with a regression because the form (ultra-thin, light, seamless) trumped function. That’s a real shame, because so far Apple’s been really good at finding a sweet spot between security and convenience. TouchID was a brilliant biometric solution (at least on mobile), and the new two-factor system in iOS 11 and MacOS 13 is the best overall implementation I’ve seen. It just works – good old days come again. Unfortunately FaceID is a major step backwards – in the real world it may be roughly as secure as TouchID, but it’s far less usable.
I’m an Apple guy, and have a love-hate relationship with their recent product strategy, and the tight control they keep over the ecosystem. The downside is that we’re stuck with some bad decisions (like building apps that expect to be online all the time), but the upside is that everyone gets access to updates at the same time – Apple has the most up-to-date user base of any major computing platform. Android, not so much.
Android took the opposite approach – open code base, licensed to manufacturers to customize, and then further customized by carriers. The advantage to that is lower cost and wider adoption, but it comes at a significant price for security. When Google releases a new version of Android, only their own devices immediately receive the patch. Everyone else has to wait for 1) the manufacturer to test, certify, and release the patch, and then 2) the carrier to do the same. That assumes of course, that both actually bother to do the work to make updates available. The net is that the vast majority of Android devices are running known-insecure versions of the OS.
I’m seeing a broad movement among businesses to tighten controls over mobile OS versions, and to apply the same policies to both corporate owned and BYOD devices: If you’re not N or N-1, you can’t use your device. That means that those old iPhone 4’s get retired too, by the way.
So what to do? Well, some would say ‘jailbreak’ and install your own code. There may be something to that, but you run into serious risks there too. Most jailbreaking tools are from the shady side of the internet, so you never really know what you get. Most companies block jailbroken devices from business use (all really should). It’s also technically beyond most users, so let’s leave that off the table.
The next option is to only purchase devices that get updates directly from Google. That limits choices significantly, but as a side benefit, you don’t get the pre-installed spyware that comes with many of the dirt cheap android phones – that’s how those companies subsidize the phone. Buyer beware. This is a hard choice for businesses because it largely erases one of the advantages of Android over iOS (cost), but it’s one I’m seeing a number of organizations do. For individuals who buy Android devices, it’s the one I’d recommend.
Next is to buy cheap devices, and simply dispose of them when the OS expires. That’s all well and good, but it’s expensive, time consuming, and you have a window of vulnerability during the transition. Of course, banning Android completely is an option too, and I do see some of that happening.
But the most common approach I see these days is some form of risk limiting via containerization, or other restrictions on what the devices are allowed to do. Containers can be bypassed (e.g. compromise the underlying device with a keylogger), but do provide reasonable protection for moderate risk content. Organizations should leverage their data classification projects to determine what information is suitable for mobile device access, and potentially change that based on how current the OS is.
I know this challenge is top of mind for Google’s Android team, and they’re starting to look at separating the Carrier bloatware layer from the underlying OS as well as other measures to speed up manufacturer release. I hope they succeed – we need an alternative to keep Apple on their toes. In parallel, consumers shouldn’t buy devices without clear statements of patch release timelines from vendors and carriers. Until all that happens, and we have a better option, Android users beware.
I often speak on ‘Secure Thinking’ to a variety of audiences, and share some suggestions on how to keep themselves safer in their online lives. Here’s those tips:
- Patch your systems regularly (patch Tuesday is a great start)
- Run Anti-Malware, but don’t pay too much for it.
- Uninstall flash completely. If you need it, run it inside Google Chrome (and only use Chrome for flash sites). Likewise with Java in your web browser.
- Stay off the seedy side of the net
- Only install software from trusted sources
- Don’t click links in emails.
- Avoid wi-fi hotspots, or use a personal VPN if you need to use them. I use getcloak.com
- Never, ever use a public computer, for anything. It’s like swimming in a sewer.
- If you find a USB thumb drive, destroy it – never plug it in.
- Encrypt your data – FileVault or BitLocker
- Backup your data to a trusted repository
- Use robust, unique passwords for every site. I use 1Password from agilebits.com to manage mine (and store a copy of the file with another family member)
- Enable two factor authentication when it’s offered
- Enable a passcode on your phone. If it’s iOS or a Google Nexus running Marshmallow or newer, consider using the fingerprint reader to make it more usable.
- Only use Google Nexus android devices to ensure you can stay current
- When asked for secret questions, lie – and record those lies in 1Password.
- Lie to websites that ask for information they don’t need – why does a game company need my real birthday?
- If you receive an inbound phone call, don’t assume it’s real. Hang up without sharing any information and call the bank/insurance company/etc back from the number on your card or statement.
- Get a credit freeze – not credit monitoring. Brian Krebs has a great article on this. Store your PIN in 1Password, and keep a backup copy of the vault In a safe place.
In the end, it boils down to simply being aware.
Think about security!