Older Andriod versions had more vulnerabilities

Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.

The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above are not at risk and the security experts are advising people on older models to update as soon as possible.

The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here’s a great example.

A close reading of the article reveals that earlier releases of Google’s version of the Android mobile OS weren’t as secure as they are now. This will come as news to few. The article points out that, “Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.”

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it’s their outfit; it’s their call.

For readers here, instead of “OMG fingerprinst[!],” I’d emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past “hacks” of biometric systems have been executed on a playing field that is far more favorable than the real world to the the hackers, where all the other layers of the security regime are stripped away from the one security link they want to test. Here’s a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn’t a hack in any real sense — it’s a malware test.

That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn’t encrypted (with a strong key).

So, without more information, it’s hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device’s software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

Deep learning for better face-rec

Google: Our new system for recognizing faces is the best one ever (Fortune)

At first we’ll see systems like Google’s FaceNet and Facebook’s aforementioned system (dubbed “DeepFace”) make their way onto those company’s web platforms. They will make it easier, or more automatic, for users to tag photos and search for people, because the algorithms will know who’s in a picture even when they’re not labeled. These types of systems will also make it easier for web companies to analyze their users’ social networks and to assess global trends and celebrity popularity based on who’s appearing in pictures.

…yet (continued)

Google Glass Will Not Be Offering Facial Recognition (States Chronicle)

This is an appropriate time to repost what we had to say the last time Google felt compelled to disavow facial recognition technology in relation to Glass.



June 3, 2013

If it’s a camera, it can be used for facial recognition

Google outlaws facial recognition apps on Glass for now (CSO)

Google announced late Friday that it will outlaw facial recognition and other biometric identification apps on Glass, its networked eyewear still in prototype phase that’s expected to be commercially released later this year.

“As Google has said for several years, we won’t add facial recognition features to our products without having strong privacy protections in place,” Google’s Project Glass team said in on its Google Plus page.

Google may have publicly said this, however until now its developer policy did not explicitly rule out apps that can do facial recognition.

If it’s a camera, it can be used for facial recognition. Facial recognition is really just a specific type of image analysis. It doesn’t matter where the image comes from. It could be a 19th Century daguerreotype or a picture taken from space. The software doesn’t care. Presumably running the open source Android operating system, as a head-mounted sensor array with a camera, there is little or nothing preventing application developers from passing images collected via the headset through facial recognition applications not developed by Google.

Google’s announcement should be taken to mean that Google isn’t going to integrate facial recognition into Google Glass. Facial recognition apps won’t be on the Google Play store. And, at least for now, they won’t be facilitating face rec. in other Google services such as YouTube, search, Gmail, and Google+. [end repost]

In a twitter exchange, John at M2SYS nails exactly why every Google Glass face rec denial sounds so silly: The device screams for facial recognition applications and everybody knows it.

Terrible with names? Suffer from prosopagnosia? Wonder where you’ve seen that person before? There’s an app for that.

Read these two together…

Read this…

Emotient and iMotions partner for integrated facial expression recognition, bio sensor and eye-tracking solution (Biometric Update)

Emotient, which specializes in facial expression analysis, and iMotions, an eye-tracking and biometric software platform company, have announced that Procter and Gamble, The United States Air Force and Yale University are its first customers for a newly integrated platform that combines facial expressions recognition and analysis, eye-tracking, EEG and GSR technologies.

According to the companies, the new cobmbined solution is designed for usability research, market research, neurogaming as well as academic and scientific research.

Then this…

Google facial password patent aims to boost Android security (BBC)

Google has filed a patent suggesting users stick out their tongue or wrinkle their nose in place of a password.

It says requiring specific gestures could prevent the existing Face Unlock facility being fooled by photos.

…and then think about Google Glass (or something similar offered by another brand) and the things that become knowable as these technologies are combined and others are added. Iris and face for backward-facing and front-facing ID, knowing precisely what (or whom) someone is looking at when a certain change in neurological activity is noted. Or, precise targeting of weaponry controlled by the eye’s movement along with detailed observations of the neurological states of combatants.

Right now, all of it seems like a long way off, and it is. Significant scientific, technological, and organizational barriers exist. The technology of measurement; the science of interpretation; the fact that a lot of small players own small pieces of the puzzle; integrating the pieces: each present significant challenges. But…

“Most people overestimate what they can do in one year and underestimate what they can do in ten years.”

Stay tuned. Ubiquitous multi-modal sensors and the real-time ability to interpret and act on the data they collect would have profound effects.

If it’s a camera, it can be used for facial recognition

Google outlaws facial recognition apps on Glass for now (CSO)

Google announced late Friday that it will outlaw facial recognition and other biometric identification apps on Glass, its networked eyewear still in prototype phase that’s expected to be commercially released later this year.

“As Google has said for several years, we won’t add facial recognition features to our products without having strong privacy protections in place,” Google’s Project Glass team said in on its Google Plus page.

Google may have publicly said this, however until now its developer policy did not explicitly rule out apps that can do facial recognition.

If it’s a camera, it can be used for facial recognition. Facial recognition is really just a specific type of image analysis. It doesn’t matter where the image comes from. It could be a 19th Century daguerreotype or a picture taken from space. The software doesn’t care. Presumably running the open source Android operating system, as a head-mounted sensor array with a camera, there is little or nothing preventing application developers from passing images collected via the headset through facial recognition applications not developed by Google.

Google’s announcement should be taken to mean that Google isn’t going to integrate facial recognition into Google Glass. Facial recognition apps won’t be on the Google Play store. And, at least for now, they won’t be facilitating face rec. in other Google services such as YouTube, search, Gmail, and Google+.

The Hamdroid

…or maybe it’s the Andster. At any rate, the Android Hamster or Hamster for Android is on it’s way and whatever the marketers decide to go with, the combination of a reliable, affordable, off-the-shelf, USB fingerprint reader and reliable, affordable, off-the-shelf, tablet devices could be a real game changer.

Artwork not endorsed/approved by Google or SecuGen

Now, for around than $150 all in, tinkerers can purchase a staggering array of hardware and operate it on an open platform. I can’t wait to see what people do with that power. Even before this, folks were applying biometrics to more things than any one person could possibly imagine.

The SecuGen Hamster sells for as low as $79.00.
Android tablets are available for as low as $70.00. I saw some sales circulars in the Sunday paper (Wal-Mart & Best Buy) advertising 7 in. tablets with front-facing cameras and Wi-Fi for $69.99.

Secugen releases fingerprint authentication SDK for Android (Biometric Update)

SecuGen has just announced the release of its FDx SDK Pro for Android.

According to the company, this new SDK will allow developers to add fingerprint authentication to their Android-based software on ARM tablets and smart phones using SecuGen’s Hamster IV and Hamster Plus fingerprint readers. This SDK also incorporates SecuGen’s MINEX tested, FIPS 201/PIV complicate template extraction and matching algorithms.

“We are very excited to be able to offer Android compatibility for our fingerprint readers,” Dan Riley, VP of engineering at SecuGen said. “Our partners have been asking for this and our role, as always, is to provide them with the tools that they need. The FDx SDK Pro for Android is one of several exciting new products that we will be bringing to market in 2013.”

UPDATE: Minor edits, added links to hardware, and bumped.

It’s all ID nowadays

If the one word for the 60’s was plastics and in the 80’s it was all ball bearings, the technology touchstone for the 2010’s figures to be identity.

The “i” in the next iPhone will stand for “identity.” (Cult of Mac)

When people hear rumors and read about Apple’s patents for NFC, they think: “Oh, good, the iPhone will be a digital wallet.” When they hear rumors about fingerprint scanning and remember that Apple bought the leading maker of such scanners, they think: “Oh, good, the iPhone will be more secure.”

But nobody is thinking different about this combination. Everybody is thinking way too small. I believe Apple sees the NFC chip and fingerprint scanner as part of a Grand Strategy: To use the iPhone as the solution to the digital identity problem.

NFC plus biometric security plus bullet-proof encryption deployed at iPhone-scale adds up to the death of passwords, credit cards, security badges, identity theft and waiting in line.

Apple loves to solve huge, hitherto unsolved problems. And there is no problem bigger from a lost-opportunity perspective than digital identity.

The Boston Consulting Group estimates that the total value created through real digital identity is $1 trillion by 2020 in Europe alone.

Read the whole thing. Stripped of the Apple-worship, it’s an astute post.

The link inside the quote above is in the original and the pdf it links to is highly worth a look, as well. From the executive summary…

Increasingly, we are living double lives. There is our physical, everyday existence – and there is our digital identity. Most of us are likely more familiar with that first life than with the second, but as the bits of data about us grow and combine in the digital world – data on who we are, our history, our interests – a surprisingly complete picture of us emerges. What might also be surprising for most consumers is just how accurate and traceable that picture is.

Views on digital identity tend to take one of two extremes: Let organisations do what they need to in order to realise the economic potential of “Big Data,“ or create powerful safeguards to keep private information private. But digital identity can‘t be cast in such black-and-white terms. While consumers voice concern about the use of their data, their behaviours – and their responses to a survey conducted specifically for this report – demonstrate that they are willing, even eager, to share information when they get an appropriate benefit in return. Indeed, as European Commissioner for Justice Viviane Reding remarked, “Personal data is in today‘s world the currency of the digital market. And like any currency it has to be stable and it has to be trustworthy.“ 1 This is a crucial point. Consumers will “spend“ their personal data when the deals – and the conditions – are right. The biggest challenge for all stakeholders is how to establish a trusted flow of this data.

A new type of ID is needed to bind our physical and online selves, payments and hardware. If the tech giants are going to finish off the post office and assume the role of credit card companies, they’re going to have to solve the ID problem. If they solve the ID problem, there’s really no telling how many other business models they can disrupt.

Can respect for privacy be a competitive differentiator?

Though biometrics get quite a lot of attention from people interested in privacy, the real action is in the internet browser and online services. Just remember — If you are not paying for it, you’re not the customer; you’re the product being sold*.

The Microsoft “Scroogled” ad campaign against Google is interesting because it indicates that the high-level marketing types at Microsoft believe the public is open to the message that some web services are taking too much information from users compared to the value the users receive in “free” services. Whether respect for privacy is a competitive differentiator among web services remains to be seen, but the fact that Microsoft has spent real time and money on the assumption that it is should not go unnoticed.

Google Privacy Chief Blasts Microsoft’s “Scroogled” Campaign at RSA Conference (CIO)

The bulk of the article linked above is devoted to privacy standards, privacy policy and corporate management. While that’s not nearly as eye-catching as a slug fest between Information Age titans, it is a much more substantial issue and one worth of serious attention.

In search of a post-password world

Google wants to ditch the password – sounds lovely (Singularity Hub)

Memorizing numerous passwords is inconvenient. This is known. To counteract said inconvenience, many people use memorable (read: hackable) passwords on multiple sites. Which is a shame because security experts advise that, at a minimum, we use different, random, alpha-numeric strings for every website and switch them out every few months. Kind of the opposite of convenient. And even this method provides but a fig leaf of security.

Google isn’t suggesting biometrics, at least not yet, but the article does cover biometrics as a possible solution.

EU Urges Google on Transparency

EU regulators say Google must revise its privacy policy (The Verge)

The EU is fine with Google’s unified privacy policy acting as a “general guideline” about its operations, but it wants the search giant to return to its old system, which provided specific privacy notices for each Google product. It says these product-specific privacy policies must include “simple and clear explanations” on when, why, and how location, credit card, unique device identifiers (UDIDs), and telephony data is collected, along with information on how users can opt out. It asks that Google adds a specific clause for biometric data where necessary as there is currently no mention of facial recognition in its privacy policy.

Google, Apple, Mobile, Money (& Biometrics)

The article isn’t even mostly about biometrics, but as we readily acknowledge here all the time, biometrics are only ever a means to an end. What the article does provide is a coherent view of where future profits will come from for Apple and Google well supported with charts, graphs and other visual aids, which I love.

The key biometrics bit is here but the rest is very interesting as well.

How Android gets Google to $2000 by 2020 (Marketwatch)

The most exciting thing I see on the horizon isn’t the ad sales that will almost certainly materialize, but the network effects of a billion Android users and the ways Google can leverage that scale. If one billion people are on the same mobile OS and you know where they are precisely and they have a biometric scanner on their phone, do you really need Mastercard and Visa to take their 3% to verify the funds and identity? That’s why Google is working on Google Wallet. If one billion people are constantly sharing their location by virtue of having their phone switched on, could you sell them stuff based on where they are? That’s why Google is working on Google Offers. And if one billion people care more about the device than the network and will pick the service based on who has the cool new Android phone, couldn’t you launch your own data service? That’s Google Fiber.

This also seems to be of a piece with growing recognition among financial types that biometrics are going to have a role in how authentication works and add significant value to the process.

Translate »