It was easy:
The hackers took a medium range photo of their subject with a digital camera’s night mode, and printed the infrared image. Then, presumably to give the image some depth, the hackers placed a contact lens on top of the printed picture.
Robert Wood • May 26, 2017 1:41 PM
Well, that being said it’s probably not a good idea for any dissidents or any subversive minds to carry an s8, especially when traveling.
Terry • May 26, 2017 1:46 PM
@ As Bruce has noted more than once being able to build things and being able to break things are not the same skill set.
Except that the adage you’re referring to can be equally interpreted to mean that no one build anything that works.
And then this crap get’s repeated a billion times until everyone is brain dead. Like “you must drink 20 glasses of water a day”
Martin • May 26, 2017 1:53 PM
Perhaps each serious project should hire hackers to test the product in addition the usual rubber stamp product testers.
Hauke • May 26, 2017 4:46 PM
And strangely and yet unexplained, it worked best when the iris image was printed with a Samsung printer.
Jonathan Wilson • May 26, 2017 6:50 PM
Yet another reason not to use bio-metrics but to stick with a good old password or code instead (one that your adversaries can’t easily guess and that is backed up by strong encryption on the device itself)
blue eyed • May 27, 2017 4:06 PM
When your password gets compromised you can easily change it. With your eyes it’s not that easy. 😎
Someone • May 28, 2017 4:19 AM
Totally unrelated to this post (not sure if this is allowed here, but I will take my chances):
Hacked in Translation – from Subtitles to Complete Takeover:
http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
No real details regarding the software flaws are given. 🙁
Clive Robinson • May 28, 2017 5:54 AM
@ Someone,
not sure if this is allowed here, but I will take my chances
Normally the current “Friday Squid” page is where you would put it.
As for the atteck vector, yes I would kind of expect it. Subtitles ar not just “text files” they often contain other information such as position on the screen, background and foreground colours, time marks, and links off to other files etc.
Some subtitle formats may alow not just for compression but actually small programs to interact with the UI, or as happens in PostScript files actually generate images for display in a “Device Independent” format. As is known Adobe PDF files and various image file formats have been used to hide malicious code in the past.
I guess we are going to have to wait for the gory technical details, but I suspect that where there is one sort of attack vector found and patched, there will be others just waiting to be found and exploited now the idea has been made public.
David Alexander • May 30, 2017 10:53 AM
As with so many security controls, the attack shows that:
1) a badly implemented biometric control can usually be exploited.
2) knowing how to securely implement biometrics is essential for the design team
The iris oscillates in size at about 0.5 Hz, and a good iris scanner can detect this movement, it’s not somersetting that a printed picture can do. In addition, a good infra-red scanner will work in the 700-900 nM range. A live iris containing oxygenated haemoglobin has a different IR absorption spectra to a dead eyeball (defeating the ‘Minority Report’ attack) or a printed image. If one or both of these controls were implemented correctly in the phone (and I accept that cost, space and processing power are limiting factors in a smart phone) then the attack would have failed.
Martin E. • June 3, 2017 5:05 AM
Any use of any biometrics for identification and/or authentication (face, iris, fingerprints, veins, etc. – all of them!) should be immediately stopped. Using biometrics is inherently insecure, period. Unlike logins and passwords – you cannot change your biometric characteristics. Moreover, you leave your fingerprints and your DNA samples on every thing you touch. And collection of face photos or iris images enables mass surveillance: entities that operate CCTV cameras can then follow people and monitor automatically their movements.
Biometrics shouldn’t be collected at borders, it shouldn’t be stored in ID documents. It shouldn’t be collected or stored at all.
The only exception are people suspected of serious crimes – their fingerprints may be collected, but should be stored only until such person is acquitted or his/her conviction becomes spent. Any other collection of fingerprints should be outlawed.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Bob Dylan's Masterful Foot • May 26, 2017 1:27 PM
It is easy if one is creative like that but to be perfectly honest that solution would not occur to me in a thousand years. Those rascals (shakes tiny fist)…
As Bruce has noted more than once being able to build things and being able to break things are not the same skill set.