Entries Tagged "scanners"

Government Policy on Cell Phone Interception Technology

New paper: “Your Secret Stingray’s No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy,” by Christopher Soghoian and Stephanie K. Pell:

Abstract: In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept calls due to a significant security vulnerability inherent in then widely used analog cellular phone networks: calls were not encrypted as they traveled over the air. In response to this problem, Congress, rather than exploring options for improving the security of cellular networks, merely outlawed the sale of new radio scanners capable of intercepting cellular signals, which did nothing to prevent the potential use of millions of existing interception-capable radio scanners. Now, nearly two decades after Congress passed legislation intended to protect analog phones from interception by radio scanners, we are rapidly approaching a future with a widespread interception threat to cellular communications very reminiscent of the one scanners posed in the 1990s, but with a much larger range of public and private actors with access to a much more powerful cellular interception technology that exploits security vulnerabilities in our digital cellular networks.

This Article illustrates how cellular interception capabilities and technology have become, for better or worse, globalized and democratized, placing Americans’ cellular communications at risk of interception from foreign governments, criminals, the tabloid press and virtually anyone else with sufficient motive to capture cellular content in transmission. Notwithstanding this risk, US government agencies continue to treat practically everything about this cellular interception technology as a closely guarded, necessarily secret “source and method,” shrouding the technical capabilities and limitations of the equipment from public discussion, even keeping its very name from public disclosure. This “source and method” argument, although questionable in its efficacy, is invoked to protect law enforcement agencies’ own use of this technology while allegedly preventing criminal suspects from learning how to evade surveillance.

This Article argues that current policy makers should not follow the worn path of attempting to outlaw technology while ignoring, and thus perpetuating, the significant vulnerabilities in cellular communications networks on which it depends. Moreover, lawmakers must resist the reflexive temptation to elevate the sustainability of a particular surveillance technology over the need to curtail the general threat that technology poses to the security of cellular networks. Instead, with regard to this destabilizing, unmediated technology and its increasing general availability at decreasing prices, Congress and appropriate regulators should address these network vulnerabilities directly and thoroughly as part of the larger cyber security policy debates and solutions now under consideration. This Article concludes by offering the beginnings of a way forward for legislators to address digital cellular network vulnerabilities with a new sense of urgency appropriate to the current communications security environment.

Posted on May 21, 2014 at 9:51 AM

iPhone Fingerprint Authentication

When Apple bought AuthenTec for its biometrics technology — reported as one of its most expensive purchases — there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could work, such as swiping your finger over a slit-sized reader to have the phone recognize you.

Apple would be smart to add biometric technology to the iPhone. Fingerprint authentication is a good balance between convenience and security for a mobile device.

Biometric systems are seductive, but the reality isn’t that simple. They have complicated security properties. For example, they are not keys. Your fingerprint isn’t a secret; you leave it everywhere you touch.

And fingerprint readers have a long history of vulnerabilities as well. Some are better than others. The simplest ones just check the ridges of a finger; some of those can be fooled with a good photocopy. Others check for pores as well. The better ones verify pulse, or finger temperature. Fooling them with rubber fingers is harder, but often possible. A Japanese researcher had good luck doing this over a decade ago with the gelatin mixture that’s used to make Gummi bears.

The best system I’ve ever seen was at the entry gates of a secure government facility. Maybe you could have fooled it with a fake finger, but a Marine guard with a big gun was making sure you didn’t get the opportunity to try. Disney World uses a similar system at its park gates—but without the Marine guards.

A biometric system that authenticates you and you alone is easier to design than a biometric system that is supposed to identify unknown people. That is, the question “Is this the finger belonging to the owner of this iPhone?” is a much easier question for the system to answer than “Whose finger is this?”

There are two ways an authentication system can fail. It can mistakenly allow an unauthorized person access, or it can mistakenly deny access to an authorized person. In any consumer system, the second failure is far worse than the first. Yes, it can be problematic if an iPhone fingerprint system occasionally allows someone else access to your phone. But it’s much worse if you can’t reliably access your own phone — you’d junk the system after a week.

If it’s true that Apple’s new iPhone will have biometric security, the designers have presumably erred on the side of ensuring that the user can always get in. Failures will be more common in cold weather, when your shriveled fingers just got out of the shower, and so on. But there will certainly still be the traditional PIN system to fall back on.

So…can biometric authentication be hacked?

Almost certainly. I’m sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability — or maybe just a good enough printer — can authenticate his way into your iPhone. But, honestly, if some bad guy has your iPhone and your fingerprint, you’ve probably got bigger problems to worry about.

The final problem with biometric systems is the database. If the system is centralized, there will be a large database of biometric information that’s vulnerable to hacking. A system by Apple will almost certainly be local — you authenticate yourself to the phone, not to any network — so there’s no requirement for a centralized fingerprint database.

Apple’s move is likely to bring fingerprint readers into the mainstream. But all applications are not equal. It’s fine if your fingers unlock your phone. It’s a different matter entirely if your fingerprint is used to authenticate your iCloud account. The centralized database required for that application would create an enormous security risk.

This essay previously appeared on Wired.com.

EDITED TO ADD: The new iPhone does have a fingerprint reader.

Posted on September 11, 2013 at 6:43 AM

Hiding PETN from Full-Body Scanners

From the Journal of Transportation Security, “An evaluation of airport x-ray backscatter units based on image characteristics,” by Leon Kaufman and Joseph W. Carlson:


Little information exists on the performance of x-ray backscatter machines now being deployed through UK, US and other airports. We implement a Monte Carlo simulation using as input what is known about the x-ray spectra used for imaging, device specifications and available images to estimate penetration and exposure to the body from the x-ray beam, and sensitivity to dangerous contraband materials. We show that the body is exposed throughout to the incident x-rays, and that although images can be made at the exposure levels claimed (under 100 nanoGrey per view), detection of contraband can be foiled in these systems. Because front and back views are obtained, low Z materials can only be reliably detected if they are packed outside the sides of the body or with hard edges, while high Z materials are well seen when placed in front or back of the body, but not to the sides. Even if exposure were to be increased significantly, normal anatomy would make a dangerous amount of plastic explosive with tapered edges difficult if not impossible to detect.

From the paper:

It is very likely that a large (15-20 cm in diameter), irregularly-shaped, cm-thick pancake with beveled edges, taped to the abdomen, would be invisible to this technology, ironically, because of its large volume, since it is easily confused with normal anatomy. Thus, a third of a kilo of PETN, easily picked up in a competent pat down, would be missed by backscatter “high technology”. Forty grams of PETN, a purportedly dangerous amount, would fit in a 1.25 mm-thick pancake of the dimensions simulated here and be virtually invisible. Packed in a compact mode, say, a 1 cm×4 cm×5 cm brick, it would be detected.

EDITED TO ADD (1/12): Stephen Colbert on the issue.

Posted on December 17, 2010 at 2:13 PM

Skeletal Identification

And you thought fingerprints were intrusive.

The Wright State Research Institute is developing a ground-breaking system that would scan the skeletal structures of people at airports, sports stadiums, theme parks and other public places that could be vulnerable to terrorist attacks, child abductions or other crimes. The images would then quickly be matched with potential suspects using a database of previously scanned skeletons.

Because every country has a database of terrorist skeletons just waiting to be used.

Posted on August 24, 2010 at 6:56 AM

Scanning Cargo for Nuclear Material and Conventional Explosives

Still experimental:

The team propose using a particle accelerator to alternately smash ionised hydrogen molecules and deuterium ions into targets of carbon and boron respectively. The collisions produce beams of gamma rays of various energies as well as neutrons. These beams are then passed through the cargo.

By measuring the way the beams are absorbed, Goldberg and company say they can work out whether the cargo contains explosives or nuclear materials. And they say they can do it at the rate of 20 containers per hour.

That’s an ambitious goal that presents numerous challenges.

For example, the beam currents will provide relatively sparse data so the team will have to employ a technique called few-view tomography to fill in the gaps. It will also mean that each container will have to be zapped several times. That may not be entirely desirable for certain types of goods such as food and equipment with delicate electronics.

Just how beams of gamma rays and neutrons affect these kinds of goods is something that will have to be determined.

Then there is the question of false positives. One advantage of a machine like this, which has several scanning modes, is that if one reveals something suspicious, it can switch to another to look in more detail. That should build up a decent picture of the cargo’s contents and reduce false positives.

Posted on January 27, 2010 at 6:53 AM

Body Cavity Scanners

At least one company is touting its technology:

Nesch, a company based in Crown Point, Indiana, may have a solution. It’s called diffraction-enhanced X-ray imaging or DEXI, which employs proprietary diffraction enhanced imaging and multiple image radiography.

Rather than simply shining X-rays through the subject and looking at the amount that passes through (like a conventional X-ray machine), DEXI analyzes the X-rays that are scattered or refracted by soft tissue or other low-density material. Conventional X-rays show little more than the skeleton, but the new technique can reveal far more, which makes it useful for both medical and security applications.

Posted on January 14, 2010 at 6:00 AM

Scanning People's Intentions

Here’s an article on a brain scanning technique that reads people’s intentions.

There’s not a lot of detail, but my guess is that it doesn’t work very well. But that’s not really the point. If it doesn’t work today, it will in five, ten, twenty years; it will work eventually.

What we need to do, today, is debate the legality and ethics of these sorts of interrogations:

“These techniques are emerging and we need an ethical debate about the implications, so that one day we’re not surprised and overwhelmed and caught on the wrong foot by what they can do. These things are going to come to us in the next few years and we should really be prepared,” Professor Haynes told the Guardian.

The use of brain scanners to judge whether people are likely to commit crimes is a contentious issue that society should tackle now, according to Prof Haynes. “We see the danger that this might become compulsory one day, but we have to be aware that if we prohibit it, we are also denying people who aren’t going to commit any crime the possibility of proving their innocence.”

More discussion along these lines is in the article. And I wrote about this sort of thing in 2005, in the context of Judge Roberts’ confirmation hearings.

Posted on February 15, 2007 at 6:32 AM

Wholesale Surveillance

I had an op-ed published in the Arizona Star today:

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive and was used only when there was reasonable suspicion of a crime. Modern surveillance is the policeman with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a policeman sitting at a computer in the station.

It’s the same, but it’s completely different. It’s wholesale surveillance. And it disrupts the balance between the powers of the police and the rights of the people.

The news hook I used was this article, about the police testing a vehicle-mounted automatic license plate scanner. Unfortunately, I got the police department wrong. It’s the Arizona State Police, not the Tucson Police.

Posted on January 11, 2007 at 1:00 PM

UK Car Rentals to Require Fingerprints

Welcome to a surveillance society:

If you want to hire a car at Stansted Airport, you now need to give a fingerprint.

The scheme, being tested by Essex police and car hire firms, is not voluntary. Every car rental customer must take part.

No fingerprint, no car hire at Stansted airport.

These are stored by the hire firms — and will be handed over to the police if the car is stolen or used for another crime.

This is the most amusing bit:

“It’s not intrusive really. It’s different — and people need to adjust to it. It’s not Big Brother, it’s about protecting people’s identities. The police will never see these thumbprints unless a crime is committed.”

What are the odds that no crime will ever be committed?

Fingerprints are becoming more common in the UK:

But regardless of any ideological arguments, the use of biometric technology — where someone is identified by a physical characteristic — is already entering the mainstream.

Biometric UK passports were introduced this year, using facial mapping information stored on a microchip, and more than a million have already been issued.

A shop in the Bluewater centre in Kent has used a fingerprint checking scheme to tackle credit card fraud. And in Yeovil, Somerset, fingerprinting has been used to cut town-centre violence, with scanners helping pick out troublemakers.

It’s not just about crime. Biometric recognition is also being pitched as more convenient for shoppers.

Pay By Touch allows customers to settle their supermarket bill with a fingerprint rather than a credit card. With three million customers in the United States, this payment system is now being tested in the UK, in three Co-op supermarkets in Oxfordshire.

Posted on November 14, 2006 at 7:37 AM
