Older Android versions had more vulnerabilities

Is Samsung’s Galaxy S5 ‘leaking’ YOUR fingerprints? Flaw means hackers can intercept and steal biometric data (Daily Mail); Forbes piece, here.

The pair told Thomas Fox-Brewster from Forbes that the flaw lies in older versions of the Android operating system, up to and including Android 4.4.

Subsequently, anyone running Android 5.0 or above are not at risk and the security experts are advising people on older models to update as soon as possible.

The semi-technical press seizes upon biometrics as a proxy for personal data. This is old news, but here’s a great example.

A close reading of the article reveals that earlier releases of Google’s version of the Android mobile OS weren’t as secure as they are now. This will come as news to few. The article points out that, “Once inside they can monitor all data sent to and from the phone, as well as data recorded by the handset’s built-in sensors, including the fingerprint scanner.”

Get it? Exploiting the security flaw means that the whole device is compromised: Email apps, microphone, location information, and possibly even the contents of phone calls themselves, but according to the author and editor(s), the news value is in the possibility of capturing a fingerprint image. Of course, it’s their outfit; it’s their call.

For readers here, instead of “OMG fingerprints[!],” I’d emphasize that:

Not all mobile operating systems are created equal.
Different mobile applications offer a different mix of privacy costs and benefits.
Installing OS updates and patches is very important.
If the OS is compromised, the applications it runs are vulnerable.

Left out of the information readily available online about this hack is how the people at FireEye got their malware onto the hardware in the first place. Past “hacks” of biometric systems have been executed on a playing field that is far more favorable than the real world to the hackers, where all the other layers of the security regime are stripped away from the one security link they want to test. Here’s a particularly striking example. If FireEye rooted the phone, side-loaded their malware onto the device, and went from there, this isn’t a hack in any real sense — it’s a malware test.

That hypothetical scenario would mimic a real world example where a user lost their phone and bad guys got it, loaded software on it and then returned the mobile device to the user who continued as if nothing had happened. In the security world, if you lose control of the hardware, all bets are off for anything that isn’t encrypted (with a strong key).

So, without more information, it’s hard to say how big a deal this is, or in many (most?) cases, was. In the bigger picture, this is a Google Android OS story. The subtext is that users who care about mobile device security should be thoughtful about what device/OS/app combinations they adopt, keep their device’s software up to date, and be careful about malware.

As automated and convenient security including biometrics becomes better and more common, the highway robbers of the 21st Century are increasingly forced to turn to social engineering techniques rather than frontal assaults on security technology.

See: The Con is Mightier than the Hack

Face rec for quality assurance

Edinburgh Airport installs biometric system to track passenger movements (Computerworld UK)

An anonymous facial image is taken of each passenger as they check in and the time it takes each to reach certain waypoints plotted over time. If this time breaches a pre-set parameter for enough passengers, alerts can be generated.

The principle is that moving passengers from check in to the terminal increases their satisfaction with that airport and boosts the amount of time they have to spend money in the retail outlets that generate profit for airports.

The system can also be used to track the movement of passengers through the airport as a whole.

This is another really interesting application for facial recognition technology and, unlike other uses of face technology better described as demographic detection, this one actually is a true face recognition application.

Although it is a true face recognition application, it isn’t really an ID application so long as the facial image taken at the time of passenger check-in is not linked to other personal information and it is deleted after the person reaches the “finish line.”

The item of interest to airports in this case is the length of time it takes real individuals to travel through various points between check in and the jetway. It’s a more sophisticated measure than a simple count and real-world measurement wasn’t easily automated before face recognition technology.

Airports in the UK have been early adopters of face recognition for this application because they are held to certain performance metrics (and subject to fines) for airport throughput. Having accurate real-time information on passenger flows can inform on-the-fly staffing decisions. For example, additional security screeners can be dispatched in the event a slow-down is detected, saving passenger time and the airport money.

Though airports have been early adopters, this basic application has obvious utility in shopping malls, department stores, planning for emergency evacuations, and large facility scheduling.

SecurLinx has experience in the design and deployment of this type of system. Our FaceTrac system is readily adapted to the challenge of on-the-fly enrollment, finish-line matching, reporting, and automatically purging image data.

Start with the applications

10 Big Data Trends From the GigaOM Structure Data Conference (eweek) Good observations having broad applicability in understanding how the recipe for organizational success is being rewritten. Read the whole thing.

Money quote:

While big data might be getting ahead of itself in enterprise promises, it is real in bringing new capabilities to business. You need to think about the skills you have in your company and developing the data skills to adapt to this new model. Open source, which often has a bit of a fringe reputation in the enterprise, will be part of your technology future. Established vendors are going to promise they can give you all the capabilities of the startups with added stability, but I haven’t seen any evidence so far. Think about your applications from the outside in, instead of inside out.

The application, not the technology, is everything.