I’m an Apple guy – Mac, iPhone, iPad, and watch. I switched my family and friends over years ago, which reduced my technical support immeasurably. There are a lot of good things to be said for their products, though recent trends have put form over function to the detriment of users. The latest case in point is FaceID.

I’ve been an Apple user since my ][+ in the early 80s, and while I took a sojourn into the PC world, I’ve been back since the Intel Mac was released in 2006. They’ve made really cool products over the years, with great design, balancing form and function. Since Steve Jobs’ passing, however, the company has been relentlessly focusing on a single imperative – make things thin and light – and all other concerns, including utility and functionality, are secondary. My phone and Mac now look like they’re being attacked by a swarm of albino squid. The picture for this article is the box of dongles and adapters required for a single Mac computer. It’s also resulted in underpowered machines and software that doesn’t function well with local content or when offline, as the company tries to force cloud and streaming services on their users. As always with Apple, you either live the way they think you should, or you’re left struggling.

Now all this may be good business strategy. They probably make a lot more money off people who walk around Cupertino, hang out in coffee shops, use their machines only for surfing and blogging, are always online, and only talk on the phone for an hour a day than off people like me and other power/performance users. But the latest design-driven decision is one that will impact everyone. In the obsessive quest for a smooth and seamless glass display on the iPhone X, we’ve taken a step backwards on security, safety, ergonomics, and usability. FaceID is a step backwards.

TouchID, particularly the most recent version, is the best consumer fingerprint technology available. It has a solid crossover point between false accepts and false rejects, is easy to set up, allows multiple users, is relatively hard to spoof (at least without triggering the lockout), and can be used eyes-free when driving. But it requires a physical sensor that can be touched, and that’s where function ran headlong into form. From media reports, Apple had been trying to get it to work under a seamless glass pane, but without success. Rather than preserving the functionality, they abandoned a proven security solution and moved to facial recognition – a technology that the majority of security professionals are skeptical of.

First, let’s talk about privacy. On this one I’ve no worries: Apple got it right. The recognition data is stored in a trusted computing module (aka secure enclave) on the device, and never sent to the mother ship – TouchID does the same thing. It’s actually a really cool bit of tech. Folks concerned about ‘being in a database’ should be much more worried about malls, airports, sporting events, roads, schools, the driver’s license bureau, and the passport agency – all those places collect facial data.

Now on to security. There’s a lot of chatter about spoofing FaceID or triggering a false accept with a relative. The attack in the story is similar to the one I’d try. I’d start with a 3D scan of someone’s face using a series of photographs and software like Strata Photo 3D to stitch them together into a full-color model. Import that model into ZBrush, clean it up, and export the mesh for 3D printing. While you’re in there, unwrap the ‘skin’ or texture map with the color information into a two-dimensional layer. Export that, print it onto a flexible skin, then wrap that skin back around the 3D print (the skin/transfer processes are covered in one of the books we wrote). That’s a bit of work, but in the end, you end up with a pretty good full-color 3D model of someone’s head. Note that for a public figure, it’s far easier to get a good 3D model of their face than it is their fingerprint. Next, I’ve been wondering if the IR camera setup for FaceID has some FLIR-like capabilities that measure the heat map of a face, and that’s why Wired’s masks didn’t work. If so, we can use a heat gun to replicate human heat patterns on the model. To be clear – I don’t (and won’t anytime soon) have an X, and haven’t tried this, but the techniques are all very straightforward. In any case, I’m sure that eventually a similar attack will succeed.

Now, how is that any different from a gummy finger and TouchID? Effort and technique-wise they’re similar, and in the real world, probably about the same complexity. With an aggressive lock-out on both, the odds of a false positive are pretty low. Of course, either TouchID or FaceID is moot if your mugger wants you to unlock the phone while you’re still in the dark alley, though FaceID does protect you against having the device unlocked while you sleep. But unintentional false positives are starting to emerge, and of course, there were reports – denied by Apple – that they dumbed down the sensor because of yield problems. We’ll just have to see how it goes, but I give a slight edge to TouchID because it requires physical contact to obtain the biometric information.

Last, let’s talk about functionality. FaceID supports only a single face. That’s a software issue, and I suspect it’ll change in the future, but right now it’s a limitation. The bigger issue is the false negative rate. From media and personal anecdotal reports, it’s far higher than TouchID. Apple’s done that to preserve the security of a system based on an inferior biometric (which is the right choice), but it has real-world implications. To be most secure, and in order to prevent drive-by unlocking, FaceID requires eye contact with the device. Oops, it doesn’t work with dark sunglasses (I wear contacts, so my glacier glasses are my friend), which prevent recognition. Hello passcode. I have my devices set to prevent Siri from leaking data from the lock screen (“Hey Siri” is hit or miss at best anyway). With TouchID, I can simply touch the phone where it rests in the cupholder, and then use voice commands to interact with it (assuming Siri isn’t brain dead that day). FaceID requires that I lift the phone up in my hand, look away from the road, and make eye contact to unlock it. That’s both unsafe and, in many states, illegal. Then when it fails to unlock because of the false deny rate, I’m left with having to pull off the side of the road and enter the passcode. I suspect a lot of people will turn off the eye contact requirement as a result, which drastically reduces the security of the solution.

Now to be fair, none of those issues are unique to FaceID. As facial recognition goes, it’s a pretty good system. But facial recognition as a technology for primary, single-factor authentication is a really poor idea – it doesn’t matter if it’s on an iPhone or a Surface. The error rates are simply too high, and the fallback (aggressive failure and lockout) means that the utility is severely hampered (animated poop emojis notwithstanding). So we’re left with a regression because the form (ultra-thin, light, seamless) trumped function. That’s a real shame, because so far Apple’s been really good at finding a sweet spot between security and convenience. TouchID was a brilliant biometric solution (at least on mobile), and the new two-factor system in iOS 11 and MacOS 13 is the best overall implementation I’ve seen. It just works – good old days come again. Unfortunately FaceID is a major step backwards – in the real world it may be roughly as secure as TouchID, but it’s far less usable.
Enough already – get rid of default passwords
There’s been chatter about yet another botnet starting to form using insecure IoT devices. Many of these are hacked because users never bother to change the default password, which is definitely bad behavior, but it’s also a cop-out by the vendors. The real problem is faulty design.
Simply put, there is no reason to ship a device with a common (or easily derived) default password. Better vendors generate a unique password for each device prior to shipping. As long as it’s not directly derivable from the device ID, that’s not too bad, though it can cause support issues when, after a factory reset, the consumer has lost the removable sticker and is locked out of their device. Support can sometimes tell them what the password is, which means they’re all stored in a database somewhere, and that kind of renders the whole system moot.
The best option is to ship a device in an inactive/nonfunctional/setup state and require the user to create a password during the initial configuration. After a factory reset, they’re again prompted to enter a new password – just like we have to do after wiping a smartphone. So why do vendors still ship with common default passwords? Maybe it’s cost cutting or lazy programmers & designers, or who knows what else, but in the end, it reflects a lack of secure thinking at the vendor.
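Here is what that setup-state design looks like in code, as an added example that is not from the original post or any vendor’s firmware: the device boots with no credential at all, refuses logins until the owner picks a password (rejecting a constructed list of common defaults), and a factory reset returns it to that state rather than to a known password. Class and method names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed list of defaults the setup flow will refuse; a real product would use a larger one.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "root", "default"}


class Device:
    """Hypothetical IoT device that ships in SETUP with no credential stored anywhere."""

    def __init__(self):
        self.state = "SETUP"      # nothing but set_initial_password() works in this state
        self.salt = None
        self.pw_hash = None       # never pre-populated, so there is no vendor database to leak

    @staticmethod
    def _hash(password, salt):
        # Slow, salted hash so the stored value is useless even if the flash is dumped.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_initial_password(self, password):
        """First-boot (or post-reset) step. Returns True when the device becomes ACTIVE."""
        if self.state != "SETUP":
            return False          # an active device never lets anyone re-run setup silently
        if len(password) < 8 or password.lower() in COMMON_DEFAULTS:
            return False          # refuse the very defaults botnets scan for
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.state = "ACTIVE"
        return True

    def login(self, password):
        """Only meaningful once a password exists; in SETUP there is nothing to guess."""
        if self.state != "ACTIVE":
            return False
        return hmac.compare_digest(self.pw_hash, self._hash(password, self.salt))

    def factory_reset(self):
        """Wipe the credential and go back to SETUP, not to a sticker or a shared default."""
        self.salt = None
        self.pw_hash = None
        self.state = "SETUP"
```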
So here’s something to ponder as you go into the holiday shopping season and start looking for new gadgets. If the manufacturer can’t be troubled to provide a system for secure setup, they probably don’t have a system for secure updates either. And if they can’t do either of those, just how secure do you think the rest of the device is? Do you really want that on your home network?
Adopting an industrial mindset: Cyber Safety
We’ve always said that there are two kinds of organizations: those that have been hacked, and those that don’t know they’ve been hacked. Yet security teams are still having problems getting resources and attention from our business stakeholders, particularly in industrial companies that consider IT and technology a back-office problem.
Over my career I’ve worked in manufacturing, energy, utilities, oil and gas, and other similar industries. One thing they all have in common is a focus on accident avoidance and safety – that is, how to fail gracefully. That’s why they have a safety briefing before every meeting on where to evacuate to in case of a fire, or a safety minute with a thought of the day, or even those ubiquitous signs about ‘100 days since our last injury’. The constant focus on safety has had amazing results: business can now do dangerous things with much lower risk. Yet many CISOs in those industries are challenged in having cyber security made a high priority.
Often the OT folks won’t let IT touch the environment, which is unfortunate because it’s often riddled with insecure IoT devices, outdated and unpatched machines, and even modems still hanging off industrial equipment running pcAnywhere for dial-up maintenance by third-party providers. Discussions of hacking and cyber risk just don’t resonate much with someone running an offshore platform or a manufacturing line. So how do we get their attention? Change our vocabulary.
We need to talk not about cyber security, but rather cyber safety: to speak the industrial language and talk about risk not as ransomware or data exfiltration, but as plant downtime, risk to life and safety, generator outages, line stoppages, and so forth. It’s getting traction, and in the process, we’re learning from our peers. For example, we were talking with a line operator about the risk of someone hacking in and changing the computer to speed up the line (a theoretical risk) in an attempt to crash it. He shared that there are multiple control points (aka defense in depth) against it, including a purely mechanical control that will rate-govern the equipment to give an operator time to intervene manually.
Then he turned and asked me why we didn’t have a rate governor around our critical data (e.g. on the database itself), so if someone does hack in, they can’t get the information out all at once, giving the SOC time to intervene.
Hmmmm. He’s on the cutting edge with that – there’s some early stage architecture work being done but it’s hardly widespread. Yet to him, it’s pretty obvious.
Because a system isn’t safe unless it can fail gracefully. That’s just one example of where the safety mindset can help our security programs, as much as we can help theirs. We just need to start speaking the same language. Cyber Safety has a nice ring to it.
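The line operator’s rate governor, carried over to data, as an added example that is not from the original post or any product: a token bucket per principal sits in front of the record store, so a stolen service credential still only gets a bounded slice of a table per second while the SOC is paged on the first throttle. The names and the simulated traffic are constructed for the example.

```python
import math
import time
from collections import defaultdict


class RateGovernor:
    """Token bucket per principal: caps records released and alerts on the first throttle."""

    def __init__(self, rate_per_sec, burst, alert):
        self.rate = rate_per_sec    # sustained records/second a principal may read
        self.burst = burst          # bucket capacity: the most it can ever get at once
        self.alert = alert          # hypothetical SOC notification hook (callback)
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}
        self.alerted = set()

    def _refill(self, principal, now):
        prev = self.last_seen.get(principal, now)
        self.tokens[principal] = min(self.burst, self.tokens[principal] + (now - prev) * self.rate)
        self.last_seen[principal] = now

    def request(self, principal, rows, now=None):
        """Return (rows_granted, throttled); a partial grant keeps legitimate apps working."""
        now = time.monotonic() if now is None else now
        self._refill(principal, now)
        granted = min(rows, math.floor(self.tokens[principal]))
        self.tokens[principal] -= granted
        throttled = granted < rows
        if throttled and principal not in self.alerted:
            self.alerted.add(principal)      # one page per principal, not one per query
            self.alert(principal, rows, granted)
        return granted, throttled


def simulate():
    """Constructed scenario: a reporting account reads 100 rows every 2 s, then the same
    (now stolen) credential tries to pull the whole 100,000-row table in one query."""
    alerts = []
    gov = RateGovernor(rate_per_sec=50, burst=500,
                       alert=lambda p, asked, got: alerts.append((p, asked, got)))
    normal_throttled = [gov.request("svc_report", 100, now=2.0 * i)[1] for i in range(5)]
    got, throttled = gov.request("svc_report", 100_000, now=10.0)
    return {"normal_throttled": any(normal_throttled), "dump_got": got,
            "dump_throttled": throttled, "alerts": alerts}
```

The governor does not stop the intrusion; like the mechanical control on the line, it turns an instant loss into a slow one that the SOC can see and act on.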