Schneier on Security
February 14, 2013
Using the iWatch for Authentication
Usability engineer Bruce Tognazzini talks about how an iWatch -- which seems to be either a mythical Apple product or one actually in development -- can make authentication easier.
Passcodes. The watch can and should, for most of us, eliminate passcodes altogether on iPhones, and Macs and, if Apple's smart, PCs: As long as my watch is in range, let me in! That, to me, would be the single-most compelling feature a smartwatch could offer: If the watch did nothing but release me from having to enter my passcode/password 10 to 20 times a day, I would buy it. If the watch would just free me from having to enter pass codes, I would buy it even if it couldn't tell the right time! I would happily strap it to my opposite wrist! This one is a must. Yes, Apple is working on adding fingerprint reading for iDevices, and that's just wonderful, but it will still take time and trouble for the device to get an accurate read from the user. I want in now! Instantly! Let me in, let me in, let me in!
Apple must ensure, however, that, if you remove the watch, you must reestablish authenticity. (Reauthorizing would be an excellent place for biometrics.) Otherwise, we'll have a spate of violent "watchjackings" replacing the non-violent iPhone-grabs going on today.
Posted on February 14, 2013 at 11:42 AM
Is "iPhone-grabbing" a thing that actually happens, or just fear-mongering?
I don't understand. Proximity-based authentication systems have been available for years in the form of dongles you clip on your key chain (or somewhere else hidden about you). Is the watch form factor that revolutionary of an additional concept here? Or is this more Apple fanboy-ism?
Cool. So I can access all your stuff if I'm on the other side of the wall from you?
I wonder how prostitutes will feel about working for 10x the pay and no physical contact just for getting you into position so I can access your watch from the other side of the wall... "Excuse me, I no speak English well. Can you help with directions? Oh, this is so confusing..."
I wonder if we will need (ongoing) forwarding/relay attacks, or if we can just hit the watch once and be good (validated) from there.
The latest data from the New York City Police Department shows that iPhone and iPad thefts have soared 40 percent this year so far, compared with the same period last year.
The story on CNET
does not indicate how many thefts were "grabs" and how many iPads were pilfered from, say, a backpack. There might be more info elsewhere.
@Bembaru: At least one recent New York Times article indicates that "Apple picking" (iPhone grabbing) is extremely common. It said there were 16,000 of those last year alone.
Thanks for the info. I do like the "Apple picking" term.
(And I want my proximity-based authenticator to look like a Green Lantern ring, btw)
Cops in the UK did an iPhone bait sting where they left phones around bars hoping people would take them. Nobody did http://nakedsecurity.sophos.com/2012/07/20/...
Police like to hype mobile theft so they can convince lawmakers of the urgency for tracking and spying ability. They also like to keep IMEI changing illegal for said tracking reasons. It's all based on a lie.
As for a physical bluetooth or nfc authenticator I would hack that in a day to spoof authentication because no corp designing these will use secure key based auth.
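The "secure key based auth" the commenter above has in mind is a challenge-response exchange: the phone sends a fresh random challenge, the token answers with a MAC keyed by a secret that was shared at pairing, and the phone checks it. The following is an added example, not code from the post, from Apple, or from any commenter's product; the HMAC-SHA256 construction, the 16-byte challenge, the one-use challenge set and the constructed scenarios are all assumptions made for illustration. What it shows is why a recorded radio transcript, a device that merely speaks the protocol without the key, or an answer meant for a different phone all fail. It does not address the relay-through-the-wall case raised earlier in the thread: a live relay forwards a genuine challenge to a genuine token, which is exactly why the later suggestion of an explicit gesture on the token before it answers matters.

```python
import hashlib
import hmac
import secrets


class Token:
    """Wearable side. Holds a secret shared with the phone at pairing time
    (assumption: pairing happens out of band and the key never leaves the
    token)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, device_id: bytes, challenge: bytes) -> bytes:
        # The answer is bound to the asking device and to this one challenge,
        # so it is useless for any other device or any later unlock attempt.
        return hmac.new(self._key, device_id + challenge, hashlib.sha256).digest()


class Phone:
    """Device side. Issues a fresh random challenge per unlock attempt and
    accepts each challenge at most once."""

    def __init__(self, device_id: bytes, key: bytes) -> None:
        self.device_id = device_id
        self._key = key
        self._outstanding = set()   # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # 128-bit nonce, so a recorded answer never matches again
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False             # never issued, or already consumed: a replay
        self._outstanding.discard(challenge)   # single use, even if the MAC check fails
        expected = hmac.new(self._key, self.device_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_scenarios() -> dict:
    """Constructed scenarios: a genuine unlock, a replayed transcript, a token
    without the paired key, and an answer addressed to another phone."""
    key = secrets.token_bytes(32)
    phone = Phone(b"phone-01", key)
    watch = Token(key)

    c1 = phone.challenge()
    r1 = watch.answer(phone.device_id, c1)
    genuine = phone.verify(c1, r1)

    # The same (challenge, response) pair presented a second time.
    replay = phone.verify(c1, r1)

    # A device that speaks the protocol but holds a different, unpaired key.
    impostor = Token(secrets.token_bytes(32))
    c2 = phone.challenge()
    wrong_key = phone.verify(c2, impostor.answer(phone.device_id, c2))

    # The paired token answering for a different phone id: the device binding
    # stops one answer from being accepted by another device.
    c3 = phone.challenge()
    cross_device = phone.verify(c3, watch.answer(b"phone-02", c3))

    return {"genuine": genuine, "replay": replay,
            "wrong_key": wrong_key, "cross_device": cross_device}


if __name__ == "__main__":
    print(run_scenarios())
```

A shared HMAC key keeps the example dependency-free; a per-token signing key with only the public half stored on the phone would let a stolen phone reveal nothing that unlocks other devices, at the cost of a signature library.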
There have been various device concepts similar to this before, and as said above there are a few existing systems like it, but as far as I know there are no watch versions of it.
There are already devices that can take advantage of our bodies' weak electrical fields to carry signals that can only be read by other devices touching you (personal area networks). There are lock systems that actually use this, you only have to touch the door handle.
So how do we make it secure? First of all we have the same proxying issue as NFC/RFID has, so let's only activate it explicitly. Let's say you are carrying a bunch of bags after shopping, so how about a swipe over the capacitive screen with your other arm? Maybe in a certain angle, or whatever.
Maybe it should detect when the wearer is sleeping? (Pulse measurements.) Then we could stop somebody from unlocking things with it while we are asleep.
Passwords, PINs, etc... Some things should require password unlock, and the PIN/password should only remain "cached" for a few minutes in most cases. That way you can unlock a few gadgets pretty easily, and not have to worry that somebody might forcefully unlock some other random thing, at least not without having to ask for your password too.
Also, I still like my smartcard based idea, where you fold one edge in a Z shape so you have a flat USB connector sticking out. And with RFID, and an e-ink screen and capacitive touch input. Maybe you could have both of these devices? Unlock the extra features on that card with the watch? That would at least simplify the input methods on the watch.
@Bembaru That's not actually a bad idea. Induction coil embedded in the ring portion so you can charge it via induction. Make it look however you want, as long as it's big enough to hold the BT chip.
I work at a Medical School that is more like a collection of hospitals and office buildings on city streets that has a train stop nearby with all kinds of different people running around here. One of my coworkers had a phone grabbed out of her hand down on the train platform.
I know of another incident in which the person had the phone up to her ear right out in front of my building. Someone came by and hit her elbow knocking the phone out of her hand. The punk grabbed the phone and took off.
So yes, phone grabbing is real. People are always walking around with their heads down looking at their phones and not paying attention to their surroundings.
Weird. So many people responded to improvements in flash drives and other gadgetry with remarks about how they didn't want a gadget at all anymore - they just, apparently, put everything in the cloud. So, is a wristband the secret sauce? I don't get it, overlapping hype makes for confusion.
@uk "As for a physical bluetooth or nfc authenticator I would hack that in a day to spoof authentication because no corp designing these will use secure key based auth."
Good news for you - secure key based auth is exactly what we've done at Hoverkey. Do check us out (and get in touch if you'd like to test it out).
I do really like the idea of a proximity smart token, which may or may not be in the wristwatch form factor. Don't forget the integration requirements though. At the minimum, a proximity-token-enabled OS should:
1. Support automatic locking (optionally with encryption) when the token goes out of range.
2. For finer level protection, allow the user to designate an app as token-protected, which when launching requires a user to e.g. push the authorise button on the token.
3. Expose an API for app level integration. The app should be able to use the token to manage keys, perform encryption, generate one time passcodes or signatures. These functions should be provided at a fairly high level so that a non-crypto developer is unlikely to get it wrong.
@AY: I just see one problem with your Hoverkey: PIN/password input is not guaranteed to be done on a secured device. I want to enter my details on the secure token device. That is why I have suggested things like a smartcard with capacitive input.
Because otherwise, simple spyware could interfere. It has already been proven that all you need is accelerometer readings during PIN/pass input to figure out what it is (any Android app could gather this in the background), and targeted social engineering to make you install the spyware followed by stealing the token would mean you're now screwed.
Thanks for your comment and I understand your point to an extent. I agree that there are advantages to be able to interact with the token directly.
However, it's not very obvious to me that it's easier for an attacker to social engineer his victim into installing the spyware than to shoulder surf the PIN.
Also remember that PIN interception via accelerometer isn't 100% accurate, and the smart card is blocked after 3 wrong guesses.
And if the attacker can convince someone to install some spyware, it might as well be some even more sinister than simply intercepting the PIN.
So I think while on screen PIN entry isn't perfect, it's not really a significant security concern. I welcome any further comments but I suggest we take it offline.
Yeah, let's route all one's pw/un's thru a single device, good idea bud b/c I want in now! Instantly! Let me in, let me in, let me in! I'm not buying into the "feudal lordship" thing. He even called old watches "dumb". Fuhk you FanBoi, go work for FoxConn; they aren't dumb, they're exquisite pieces of technology. Go build your own watch w/o software & tell me it's dumb.
Why would I look at my watch when someone's calling me? More unnecessary complication.
Of course they also have a design such that the likes of Apollo Robbins could distract & block your line of sight & steal right in your face.
What if you held a patent on a charger that could charge an object that is several feet away through the air wirelessly? Apple holds such a patent.
--And does the FanBoi care to think how many security vulnerabilities that opens up? The only way I could "like" this is if it becomes part of Tesla's dream of free power for all at any location/time; but that is such a naive dream.
I think you should switch to decaf ;-)
Anyway he's a 'usability engineer' not a 'security engineer' so we know where his sympathies lie...
Why does it need to be a smart watch to do this? RFIDs are all over the place.
Theoretically someone could extract an RFID, sew it into their jacket pocket or their watch strap, and program their phone to unlock either through a conventional passcode / phrase or by waving it close to the RFID or a combination of both at the same time.
Most phones read RFIDs so it'd just be a case of programming the RFID in the first instance and then it's all done.
Operating systems like Android could be modified to support this, and of course apps which have password protected apps could incorporate it also.
Re phone theft: it's a real thing. In a central London coffee shop about a month ago there was a guy: his MO was to offer you a free magazine, and if you took it and while you were distracted he would grab the phone you had lying out on the table next to you (there was a long table with a line of people working at various things, each with a phone out lying ready) and make off with it. He tried it on me, but being from NYC when he got pushy I shoved the magazine and him out of the way. Only afterwards someone told me that he'd had someone else's phone about 20 minutes earlier. The manager of the shop told me that five phones a day get stolen there.
(Though I do not now and never have owned an iPhone.)
Re biometrics: an additional problem is that fingerprints work great for younger people, but many older people have very worn fingerprints (out of ten fingers, all but one of mine is almost completely smooth, and I'm only 59), and many have very dry skin, which makes it even harder to produce anything usable for authentication. Older people (boomers and up) are also more likely to be used to and not mind wearing watches.
@AY: "However, it's not very obvious to me that it's easier for an attacker to social engineer his victim into installing the spyware than to shoulder surf the PIN"
The social engineering is not the only way to break into a smartphone, there are evil apps, ...
@AY: "I welcome any further comments but I suggest take it offline."
Do you mean out of public sight?
Anyway he's a 'usability engineer' not a 'security engineer' so we know where his sympathies lie..
I'll be honest and say I don't even think he cuts the mustard as a "usability engineer" just a person who has failed to realise their limitations when it comes to practical matters.
Why? Because for something to be acceptable for the many to use it has to be safely usable, and his flight of fantasy clearly is not.
What he is proposing is almost the same as logging into your bank and having that as the only authentication, thus phoney transactions and all sorts of other harmful activities can happen out of sight behind the user's back. As we have seen over and over again with banks not doing the job properly there are issues.
As a general rule of thumb any authentication system that the user cannot properly control reliably and simply is very bad news. And this applies to just about every Near Field Communications system currently out there.
I think you should switch to decaf ;-)
Whilst I appreciate it's a light hearted comment on why Figureitout might appear to be raving like a person possessed by Devil's Brew (or other caffeine rich drink).
You have to remember that sometimes you have to behave like that to get the message through to those whose self anointed position is such they believe they are the one and only one eyed person in what they perceive as the kingdom of the blind.
This self anointing is an attitude you find in many FanBois where they rule that the practicalities of life should not interfere with their idyll of self deception and thus you have to perform shock treatment to prevent their anointment falling upon the ground to the annoyance of superior beings (See Onan's fate, for failing to do a job properly http://en.wikipedia.org/wiki/Onan ;-)
@offline: "Do you mean out of public sight ?"
Yes. Only because I don't want to hijack the discussion on off-topic subjects.
@Figureitout: Regarding "dumb" watches, he did put it in quotes, which would seem to most of us to indicate "antithesis to smart-watch", not that non-smart watches are actually stupid. That was the only use of the word I could find with a quick read and a ctrl-F. Poor choice of words, but not a deliberate attack by any means.
That said, it's definitely way too much of a fanboi piece to be taken seriously. The notion that "because only Apple can do it in a consumer-pleasing way, only Apple can do it RIGHT" is disgusting.
And do we seriously think that the "biometric re-authentication" will keep this $300-400 watch from being stolen? Hah! (Or that Apple would sell it for less than that so as to make it actually "worth losing"? Double hah!)
@Clive: I never would have put Onan together with fanbois. That's great. :)
If you're going to make dongles for authentication, they should be dumb rather than smart. Smart means they have a display that leaks information, and they have an operating system that can be hacked and host other apps that can play malicious tricks from spoofing to timing analysis.
Now you've got me thinking I should build a bluetooth-enabled Human Interface Device thingy.
@AY: "Only because I don't want to hijack the discussion on off-topic subjects."
I think *you* are trying to hijack the discussion to make advertisement for your product, and that your product is not off-topic.
You have admitted that in your first message.
So, your second message was only asking people not to criticize your product.
Shame on you.
Not for me, I haven't worn a watch in 15+ years. On very rare occasion I've left my iPhone at home, but I normally don't as I listen to podcasts constantly thus am unlikely to forget it.
I would consider an NFC component plus a passphrase to be acceptable, but if you're typing a passphrase, there's no perceptible benefit for logging on to a system. It could serve as a part of a two-factor authentication, but I wouldn't use any form of an NFC-ish authentication as a sole-login as I'm usually a sysadmin and there's no way I'd accept that sort of security risk for my network and servers.
Taking things further, say the iWatch needs biometric re-authorizing whenever it's been taken off. Perhaps by fingerprint.
So thieves will just cut off your hand and keep it.
Kinda poetic, in a horrible sense, since that's Middle Eastern punishment for theft.
"replacing the non-violent iPhone-grabs going on today"
The preferred approach in the US on local transit is to punch the iPhone holder in the head and exit the vehicle just as the vehicle leaves the stop. I consider that violent. The violence will continue until the stolen cell phone database is set up as some first, second, and third-world countries have done.
A watch like that should only have biometric DE-authentication. When it's taken off, it locks down. When you put it on, it allows you to enter your PIN/pass. That makes it secure against theft.
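Several comments in this thread describe pieces of the same policy: the post's own requirement that removing the watch forces re-authentication, the earlier suggestion that the PIN stay "cached" only for a few minutes, the integration list's "lock when the token goes out of range", the three-wrong-guesses lockout mentioned for smart cards, and the biometric de-authentication just above. The following is an added example that is not from the post or from any commenter and assumes nothing about a real product: the PIN, the 300-second cache, the three-attempt limit, the constructed timeline and the two classes are all illustrative. It shows the whole lock/unlock state machine in one place, so the interaction between "worn", "recently authorised" and "in range" can be checked rather than argued about.

```python
from dataclasses import dataclass
from typing import Optional

MAX_PIN_ATTEMPTS = 3       # assumption, mirroring the smart-card lockout mentioned in the thread
PIN_CACHE_SECONDS = 300    # assumption: "a few minutes" of cached authorisation


@dataclass
class Watch:
    pin: str                                # assumption: a real device stores a hash, not the PIN
    worn: bool = False
    authorised_at: Optional[float] = None   # when the PIN was last accepted; None once de-authorised
    failed_attempts: int = 0

    def put_on(self) -> None:
        # Wearing the watch grants nothing by itself; it only permits PIN entry.
        self.worn = True

    def take_off(self) -> None:
        # Removal de-authorises at once, whatever the cache window says.
        self.worn = False
        self.authorised_at = None

    def enter_pin(self, candidate: str, now: float) -> bool:
        if not self.worn or self.failed_attempts >= MAX_PIN_ATTEMPTS:
            return False                    # not on a wrist, or blocked after too many wrong guesses
        if candidate != self.pin:
            self.failed_attempts += 1
            return False
        self.failed_attempts = 0
        self.authorised_at = now
        return True

    def can_grant(self, now: float) -> bool:
        """May this watch unlock a device that is currently locked?"""
        return (self.worn and self.authorised_at is not None
                and now - self.authorised_at <= PIN_CACHE_SECONDS)


@dataclass
class Phone:
    unlocked: bool = False

    def poll(self, watch: Watch, in_range: bool, now: float) -> bool:
        """Run periodically by the phone; returns the resulting lock state."""
        if not in_range or not watch.worn:
            self.unlocked = False           # token left range or left the wrist: lock
        elif not self.unlocked and watch.can_grant(now):
            self.unlocked = True            # a fresh unlock needs a recent PIN on the watch
        return self.unlocked


def run_timeline() -> list:
    """Constructed timeline; each entry is (event, phone_unlocked)."""
    watch, phone = Watch(pin="2468"), Phone()
    log = []

    watch.put_on()
    log.append(("worn, no PIN yet", phone.poll(watch, True, 0.0)))
    watch.enter_pin("0000", 1.0)            # one wrong guess, counted against the limit
    watch.enter_pin("2468", 2.0)
    log.append(("PIN accepted", phone.poll(watch, True, 2.0)))
    log.append(("walked out of range", phone.poll(watch, False, 10.0)))
    log.append(("back in range, cache fresh", phone.poll(watch, True, 20.0)))
    log.append(("out of range again", phone.poll(watch, False, 350.0)))
    log.append(("back in range, cache expired", phone.poll(watch, True, 400.0)))
    watch.enter_pin("2468", 401.0)
    log.append(("PIN re-entered", phone.poll(watch, True, 401.0)))
    watch.take_off()
    log.append(("watch removed, still in range", phone.poll(watch, True, 402.0)))
    watch.put_on()
    log.append(("watch put back on, no PIN", phone.poll(watch, True, 403.0)))
    return log


if __name__ == "__main__":
    for event, unlocked in run_timeline():
        print(f"{event:35s} unlocked={unlocked}")
```

The point of keeping the PIN on the watch rather than the phone is visible in `enter_pin`: the phone never sees the secret, so the accelerometer and spyware worries raised above apply to the token's input surface, not the handset's. The cache only governs new unlocks; a device already unlocked stays so while the watch is worn and in range, which is the "unlock a few gadgets easily" behaviour the earlier comment asked for.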
@paul: We have that already. I have a token like that from my bank. And they are incapable of general multipurpose use and only works with one entity, my bank. That makes them useless for anything generalized. We simply HAVE to make it smart somehow if we want something the public can use securely, and therefore we better make sure the software is secure.
What if I just cut your wrist off from your arm. Then it will still open your phone, right? Let's not encourage the crazies, OK.
You can place a pulse sensor in the wristband to detect when the watch has been removed, or the arm removed from the person.
There are already startups working on NFC watches, locked with biometrics. Mostly for NFC purchases, not for proximity unlocking of smartphones/laptops.
@offline: Sorry my comment was taken the wrong way. I'm genuinely open to constructive criticism from anyone.
The company formerly known as RIM had a work-type ID badge holder that would interact with the person's BlackBerry. If it still exists you could have a set-up that would behave like a work phone at work and a home phone when you took your badge off.
With the (welcome) difference of "removal requires re-authentication", this is "Java rings all over again".
There's also the matter of the duress problem, which appears to be not so much an increasing issue, as a reason for people to not do security-sensitive things such as banking, in the mobile world. Addressing the duress problem would be *much* easier, in a password-based world.
What strikes me here is that for biometric identification people are talking about methods that are designed for pretty much the opposite set of conditions from what a watch or other personal item is exposed to. A watch and watchband see the same patch of skin, underlain by the same blood vessels, tendons etc, for hours at a time. There must be something (fractal dimension of heartrate, follicle pattern, characteristic tendon sounds, whatever) that could be used as a biometric, even if it takes entire minutes to gather and analyze the data.
Proximity conditional access has been available for quite some time. Hell, even my office's PBX is smart enough to see who is in the office (by looking for their smartphone on Wifi and/or Bluetooth) and determine whether or not to forward the call to a cell.
I'm using the same module to help me with authentication on my laptop. The first time I authenticate, I have to manually type in my password. If it sees my phone present at the same time, it'll autocomplete passwords from that point forward. If my phone goes out of range, everything locks back up again. Simple. Using ancient (5+ year old) technology.
Just because some company is going to put it inside a slickly-marketed container and put an "i" in front of it doesn't change the fundamentals.
We have NFC/Google Wallet/Paywave systems already in place. Nothing new to see here, move along.
The iWatch will be your wallet, keys, phone and authentication to networks. It will unlock your house (there are bluetooth devices that do this with your phone already), start your car (again already exists with phones), pay for your coffee with NFC (already exists as well) and log you into your computer with NFC or wifi. All this already exists. It will bio-match via heartbeat and pulse, which is unique for each person, and will disable if taken off. All this will be in one place and available all the time on your wrist. No more carrying keys, wallet and phone around. No more remembering passwords. It will be revolutionary.