Visual

Smartphones not so smart

The new Apple phone with fingerprint technology was hacked before the first weekend of the release. The problem is that when you unlock it, it stays unlocked, including the phone's ability to buy items with your accounts. They designed it so you don't think about the next purchase. If you had to verify for every purchase, they believe you wouldn't buy as much. Any signal that is transmitted through the air can be copied, hacked and abused.

 

That tells me they are more worried about sales and not your security. Would like your thoughts.


A lot of user experience is balancing the user's desire for convenience with the user's need for security.  I think they need to solve the hacking problem, but I don't see "one-click" purchases as ever going away.

 

Besides, there's no "perfect" security, and Apple products will always be targets due to their high visibility.


A lot of user experience is balancing the user's desire for convenience with the user's need for security.  I think they need to solve the hacking problem, but I don't see "one-click" purchases as ever going away.

 

Besides, there's no "perfect" security, and Apple products will always be targets due to their high visibility.

I will take a shot. Perfect security is going to a store and putting cash on the counter. That cannot be hacked.

It is more than Apple products. People around the world are learning more about code writing and may become more adept at it than the big players.

Actually, it is likely. People want to claim to think positive. Some on the Titanic probably thought positive, thinking that another ship would soon be there to rescue them. When police finally arrive, it is usually to do the paperwork since the act is over. Waiting does not work anymore. I know this will gain me some scorn, but polluting the information stream as has been going on is worse. I wait for another thing to buy, like an Apple protect app.

You do not need to buy something to protect yourselves, unless the people who have your information are sloppy and sell it, or lose it. Why pay for another service? Now, go ahead and berate me. I only try to expose the flaws.


I don't have a smart phone, and it's mostly because of security reasons. That whole fingerprint thing was a big debacle from the start. Just another way to unknowingly give your personal information to other people. I don't trust any of that stuff. And if that makes me sound paranoid, so be it ;)


My fingerprints are mine alone.  If our police want 'em they can arrest and charge me with something.

 

That someone would willingly submit this kind of personal data to a phone is, to me, quite astonishing.

 

Steal a smartphone.  Grab the fingerprint data.  Print it off on a 3D printer and hey presto! your fingerprints at the latest heinous crime scene.

 

(No - I don't think I'm paranoid.  Just very careful.)


Visual, cash can definitely be hacked.  Your wallet can be stolen on the bus, bills and coins can be forged, quick-change artists can scam you out of your money.  Digital currency is not necessarily more or less secure, just differently so. 

 

(No - I don't think I'm paranoid.  Just very careful.)

 

That's what a paranoid person would say!  :-)

 

But in all seriousness, your fingerprints are not actually stored on the phone.  The data describing features thereof are stored; it's like a hashed password on a website.  Your fingerprints would be safe; no one could get an image of your fingerprint off of it.

 

Keep in mind, I am far from an Apple fan.  I think the iPhone 5S is just the latest in a long line of completely uninspiring Apple releases.  They're iterating like Google is, but instead of admitting it, they're making it sound like the most amazing and revolutionary development since the printing press.

 

Also, I'm far from a fingerprint authentication fan.  It is not a secure method of authentication.


Here's the source for my statement, by the way:

 

Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for your actual fingerprint image to be reverse-engineered from this mathematical representation...Only Touch ID uses it and it can't be used to match against other fingerprint databases.


My fingerprints are mine alone.  If our police want 'em they can arrest and charge me with something.

 

That someone would willingly submit this kind of personal data to a phone is, to me, quite astonishing.

 

Steal a smartphone.  Grab the fingerprint data.  Print it off on a 3D printer and hey presto! your fingerprints at the latest heinous crime scene.

 

(No - I don't think I'm paranoid.  Just very careful.)

That is my perspective. Show evidence of a crime before a judge and get a warrant for search. That is not what is going on, and it has not been going on for longer than you have been led to believe.

 

Here's the source for my statement, by the way:

The stored information is a quick damage-control way to calm the public. The phone is unlocked and now you do not need to verify for everything done with it until it is locked again. They have the ability to clone your phone also. Now, they can copy the unlock signal and do damage on another phone to you. Hence the problem. Criminals intercepted garage door remote signals a long time ago. They copied and stored the code in a purchased remote. When they saw you go to work, they entered your garage and robbed you blind without being noticed. The same thing is on the way. Every day I see a new must-have thing to unlock your house, car and turn off the alarm from anywhere. How long before that is copied and used against you? Trying to make things easy isn't always the best way.

 

I do not want to sound like an Apple hater, just worried for users. It goes well beyond just them.

 

That Seacrest guy has a new show. I just found out their angle. They had people download an app and fill out incredibly sensitive information to try to become a contestant. If you see the form you will be amazed that people gave them the information.

That was the scam for them. Now, they have detailed personal information on millions of contestant wannabes to sell away. It appears the game show was just invented to create another user database to sell.

Edited by Visual


I must admit I'm with Visual on this one. Someone will always find a way to exploit everything new that comes out, instead of putting their skills to good use.
Reading this thread, out of curiosity I googled how much cyber crime costs the UK ... and I'm astounded.

It doesn't help that I'm a bit of a technophobe anyway who still doesn't trust online banking or contactless payment.
My biggest worry about everything making leaps and bounds, and the reliance on it all, is what happens if the lights go out? We're screwed.

Maybe Hazel O'Connor is a prophet ...



... actually that's all a bit hypocritical of me when my last 3 images have been of a gadget and 2 phones  :scanner:

Edited by welshblue


Not that your conclusion is wrong, but your premise is.  They can't get that information out of the phone and use it on another because the data is "hashed" - check out the Wikipedia article on cryptographic hashing algorithm SHA-3 for more info on the concept of hashing and the algorithm they're probably using.  Once you put your finger down to register a fingerprint, the data about your fingerprint is "salted" - using a device-unique identifier - and then hashed before being registered in the database.  At that point, even Apple can't get your data.  From then on, your fingerprint data is put through the same process every time you unlock the device and the results are compared.

 

So that's not what any nefarious people would do.  No, the real worry is that they would get your phone unlocked and then use any of the myriads of secret data you have on it to ruin you: you probably have a bank app, an email app, a Facebook app, maybe even an Ebay or Amazon app connected to your credit card or one that will let you unlock your house or car.  Just as now, that's the true issue you should worry about.

 

But the process of cloning your phone, trying to reverse-engineer your fingerprint...honestly, it's unlikely to be tried in the first place, and even more unlikely to succeed.


Probably easier to dust your phone for your fingerprint and then use that for their dirty deeds. Looks pretty easy to do on some TV crime shows.


Probably easier to dust your phone for your fingerprint and then use that for their dirty deeds. Looks pretty easy to do on some TV crime shows.

No. They actually did something that was better. It must be a live warm finger. But, after it is unlocked..?


So that's not what any nefarious people would do.  No, the real worry is that they would get your phone unlocked and then use any of the myriads of secret data you have on it to ruin you: you probably have a bank app, an email app, a Facebook app, maybe even an Ebay or Amazon app connected to your credit card or one that will let you unlock your house or car.  Just as now, that's the true issue you should worry about.

 

But the process of cloning your phone, trying to reverse-engineer your fingerprint...honestly, it's unlikely to be tried in the first place, and even more unlikely to succeed.

I have seen the proof of cloning a phone with my own eyes. All they need after that is to intercept the unlock verification signal. Your other points are the very reason that I took away the phones that I gave to my own children. They have flip-phones now. I am ashamed I didn't learn before giving them to them. They will not get them unless they become of age, or a good resolution to spying on phone users and other security issues is reached to my satisfaction. I can listen to complaining at home, if I know it's the right thing to protect their future. The phone and internet people don't care about my or your children. They want information to make a profit with. It's creepy thinking that in a way they are walking behind them and looking at everything you do on it, just that they are in the device unseen, watching and recording everything you do with it.

 

Forgot a point. My information comes from a friend who knows far more than I. He claims they are working to defeat all tracking on the smartphones. It will hopefully work. It will be unseen by the internal GPS and all other spying ways. I will tell you when they are confident it works, and how to do it yourself.

Edited by Visual


Sorry.  I didn't realize I was unclear.  I know you can clone a phone, but my point is that the fingerprint information cannot be reverse-engineered from a cloned phone.


I'll admit there's always a possibility, but really, from the way I understand it, the information simply isn't there to get.  When you hash the data, you're destroying it and replacing it with a representative.  Not that I haven't been wrong about blurring before.

 

I still say that the real security risk isn't the fingerprint, it's the smartphone itself.  Doesn't stop me from having one, but maybe that just makes me foolish.  :-)


Visual, cash can definitely be hacked.  Your wallet can be stolen on the bus, bills and coins can be forged, quick-change artists can scam you out of your money.  Digital currency is not necessarily more or less secure, just differently so. 

 

You got me on this until I had time to think about what was bothering me. The main difference is that if they steal my wallet, that is my fault. With the new phones, they control all of your sensitive personal information. Many are actually selling it for profits. In America they are trying to launch a new health coverage system. They intend to sell everyone's information to health providers. Employers will also pay to see any issues in your past, and can use it to fire or not hire you. It may be illegal, but can you afford the money to sue them?

 

I'll admit there's always a possibility, but really, from the way I understand it, the information simply isn't there to get.  When you hash the data, you're destroying it and replacing it with a representative.  Not that I haven't been wrong about blurring before.

 

I still say that the real security risk isn't the fingerprint, it's the smartphone itself.  Doesn't stop me from having one, but maybe that just makes me foolish.  :-)

I think their eyes were as big as dinner plates when they realised how much money they could make with them. They forgot to lock them down security-wise, because of thinking about the profits too much. Now, they are all doing damage patches and are fighting what is looking like a losing battle to unseen foes in countries where they have nothing to lose. They will get better and keep trying. Use it with constraint. I will wait to see if my contact will be able to lock it down. I see I can't trust the makers of the phones. Who cares more about your data, them or you? Will it affect their future if you lose your credit history?

 

It will only let them sell you something else to protect the data that they already have compiled. They want to sell you another plan just in case they make more mistakes with your data? It's freaky logic. The LifeLock person thumbed his nose at hackers when they first started selling ID protection. It wasn't widely reported that the hackers got the last laugh on him.

Edited by Visual


Good point.  But think about this: if it's widely reported that unpatched iPhones are causing identity theft all around the world, and 10% of people who use iPhones have their identities stolen and their bank accounts drained, then one of two things will happen:

 

1. People might stop buying iPhones.  It's less likely, but always possible.

2. Insurance companies will stop insuring iPhone users, citing too much risk.

 

Both of those things will seriously hurt Apple's bottom line, and they'll fix the problem.  It's in manufacturers' best interests to make sure our information is safe, though admittedly not as much as it is in our interests.

 

My solution is to not put anything on my devices that I don't mind losing, because my phone and tablet are both "booby-trapped."  If stolen, I'll just go on to Android Device Manager and lock the devices, then wipe them if I can't find them in a reasonable time.  Boom- no more data to collect.

 

EDIT: EER and Visual, I'm VERY impressed by your insights to this matter.  I'm loving this conversation.


 

My solution is to not put anything on my devices that I don't mind losing, because my phone and tablet are both "booby-trapped."  If stolen, I'll just go on to Android Device Manager and lock the devices, then wipe them if I can't find them in a reasonable time.  Boom- no more data to collect.

 

EDIT: EER and Visual, I'm VERY impressed by your insights to this matter.  I'm loving this conversation.

 

I have the highest respect for you two gentlemen. Intelligent conversations can usually resolve problems. Just because someone calls themselves smart or a type A person, it doesn't make it so. I like some of the new items on them, and agree you should not have any financial information on them at all. No quick-buying apps or credit/banking information. That unfortunately is not what they want. They want you to see and buy. Never have the time to think. I always look before I leap. I took them away from my children because they have not completely learned constraint, and how to deal with peer pressure.


Not that your conclusion is wrong, but your premise is.  They can't get that information out of the phone and use it on another because the data is "hashed" - check out the Wikipedia article on cryptographic hashing algorithm SHA-3 for more info on the concept of hashing and the algorithm they're probably using.  Once you put your finger down to register a fingerprint, the data about your fingerprint is "salted" - using a device-unique identifier - and then hashed before being registered in the database.  At that point, even Apple can't get your data.  From then on, your fingerprint data is put through the same process every time you unlock the device and the results are compared.

My tech geek says to ask you why you believe this? He says computers have a bad way of not being able to be random. A report is out saying that the NSA has broken many encryption programs. They can hack any of your passwords and log into any of your accounts. He says that this is why the public is in greater danger than they know.

 

He says this should be some good reading for you. It's similar in theory.

https://en.wikipedia.org/wiki/Rainbow_table

http://www.infoworld.com/d/security/stop-pass-the-hash-attacks-they-begin-167997

 

Now my brain is frying.

 

"Everything on the web exists in the world of math. 20 yrs ago they couldn't do in years, what they can do in 60 seconds. All you need to do is be able to understand math. Everything on your favorite websites is math. Songs, art, texting and everything is nothing more than a math problem with your computer, phone, tablet or whatever else is on the way. You see a website in colors and icons, but it actually exists as 1's and 0's. If a human can design it on a computer, another human can use a better computer to break down your computations and figure out how you did it."

Edited by Visual


Well, tell your tech geek that I believe it because I know how it works.  :-)  I'm not talking about encryption, which is the conversion of plain text into an encrypted form that is meant to be recovered; I'm talking about cryptographic hashing, which is the replacement of one dataset with another completely: a dataset that represents the original but cannot be converted back to the original.  With SHA-3, currently the strongest cryptographic hashing (or "message digest") algorithm, you can have an example of the hashing process and even know how it works and still not be able to reverse-engineer the original from the hash.  Each character inserted into the hash changes its value dramatically.  For instance, this is the hash of my name as it is rendered on this forum, "david.atwell":

 

813f3630a40bad7abc2b21442781d28efdf9723098992f6e16e80466193597e7

 

If I capitalize just one letter (sending "david.Atwell"), it instead renders as:

 

cc5eeba35e7ca65ad5c59650a1f556d389f4c30d2889a3e643afa11dd6093f6d

 

As you can see, it isn't just the first few characters that change, but ALL of the characters.  And if I double the length:

 

cf69d14c4eceeab3b039531b6335eced1e47d8612ae94b305536ece4e2cae4b2

 

notice that the hashed message stays the exact same length.  And therein lies one of the greatest strengths of the hash: you not only can't tell what the message is with a hash, you can't tell how long it is or even what kind of characters it's made of.

 

As of right now, the only way to take the first hash and recover my name from it is to start with the character null, hash it with this method, then compare the results with the hash you have.  Then try it with the character "1", then "2" and so on.  Once you've reached the last of the 1,112,064 characters in UTF-8 and still haven't discovered the correct message that leads to that hash, start over with null null, then null 1, and so on.  Continue until you've matched the original message.  This is called a brute-force attack, and if a computer were looking for a 12-character message (my name) using only A-Z, numbers, and minor punctuation (just one sixteen-thousandth of the full UTF-8 character space) it would take almost 2,218,434,939 (2 BILLION) YEARS for the computer to get through all the combinations.

 

If you break my password 2 billion years from now, I honestly don't care.  :-)
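An added illustration, in Python's hashlib, of the three hash properties david.atwell describes above (fixed 64-hex-character output, a one-letter change flipping roughly half the bits, brute-force cost as keyspace divided by guess rate), together with a model of the salt-with-device-id-then-hash enrolment described earlier in the thread. This is not code from the thread or from Apple; the HMAC-SHA3-256 keying, the template bytes and the device identifiers are my own constructed choices.

```python
import hashlib
import hmac

# Constructed inputs: the two strings used in the post above.
NAME = "david.atwell"
NAME_CAPITALIZED = "david.Atwell"


def sha3_hex(message: str) -> str:
    """SHA3-256 digest of a UTF-8 string, always 64 hex characters."""
    return hashlib.sha3_256(message.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests: how many of the 256 bits differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def register_template(template: bytes, device_id: bytes) -> str:
    """Model of 'salt with a device-unique identifier, then hash'.

    Here the device id keys an HMAC over the template (my choice of
    construction, not Apple's design), so the same template enrolled on a
    different device produces an unrelated value.
    """
    return hmac.new(device_id, template, hashlib.sha3_256).hexdigest()


def verify_template(template: bytes, device_id: bytes, stored: str) -> bool:
    """Recompute and compare in constant time, as a hashed-credential check does."""
    return hmac.compare_digest(register_template(template, device_id), stored)


def brute_force_years(alphabet_size: int, length: int,
                      guesses_per_second: float) -> float:
    """Worst-case years to try every message of `length` symbols."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    h1, h2, h3 = sha3_hex(NAME), sha3_hex(NAME_CAPITALIZED), sha3_hex(NAME * 2)
    print(h1)
    print(h2, "bits changed by one capital letter:", differing_bits(h1, h2))
    print(h3, "doubled input, digest length still", len(h3))

    tpl, dev_a, dev_b = b"constructed-template", b"device-A", b"device-B"
    stored = register_template(tpl, dev_a)
    print("same device verifies:", verify_template(tpl, dev_a, stored))
    print("other device verifies:", verify_template(tpl, dev_b, stored))

    # ~70 symbols (A-Z, a-z, digits, some punctuation), 12 chars, 1e9 guesses/s
    print("years for exhaustive search:", f"{brute_force_years(70, 12, 1e9):,.0f}")
```

One caveat the thread does not make: two scans of the same finger are never bit-identical, so an exact-match hash check like `verify_template` can only model a password-style credential, not a real biometric matcher, which compares stored templates for closeness instead.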


I take your point about hashing and the relative security of it.  I say relative because I still believe that, given time, it will be compromised.  As processing power and techniques increase, the time reduces.  Still 2 billion years is a while :)

 

I guess I'm just not at ease with any biometric or anthropometric data being stored on a device that is so portable.  Like you David, I store very little on my phone and even created a completely bogus gmail account to use just with the phone.  This way there are no cross-overs into my personal/real life.

 

Once these devices are integrated into the human body I'll relax!


You leave your fingerprint on things you touch every day. There is no point in trying to reverse a hash of it (infeasibly time-consuming) when it can just be lifted off the back of the phone (easy peasy lemon squeezy).


Pyrochild, once again proving his wisdom with rhyme. :-)

EER, you're not being unwise. And I agree, time will inevitably decrease, and perhaps an exploit will be found, but security increases along with it. I still feel like the real danger is social engineering.

I guess my real worry is, if we place too much trust in the security measures we establish for ourselves, we might become more lax about the possibility of being fooled by a clever con man. Not that I worry it will happen to you; I find you to be a wise and prescient person. But the bulk of people are not prone to such wisdom.
