Researchers unlock phones with a VR headset and Facebook photos

posted on Aug, 28 2016 @ 05:02 PM


Fingerprint readers and iris scanners are just a few of the biometric security mechanisms that manufacturers have been putting in smartphones, tablets, and laptops lately. But while slick and futuristic, these new and unique methods for securing mobile devices inevitably have new and unique vulnerabilities.

Source

The right to liberty and security of person is becoming less of a personal endeavor and more of a reliance upon those we believe will faithfully provide it to us. This leads to many conflicts of interest, while companies that control access to our “private” information are selling it to the highest bidder and allowing the government to access and take what they feel is worth knowing about you.


Take face authentication, for example. To ensure a stranger can't access someone's phone just by holding a picture of the owner's face in front of its camera, devices that offer face-unlock features have recently implemented ways of detecting motion and “liveness” in a face—essentially, looking for facial movement patterns like blinking in order to tell a “live” face from a flat picture or video.

Spoofing this technology is “virtually” made possible with computers and some photos of the individual. A paper presented earlier this month at the USENIX Security Symposium showed that researchers were able to circumvent the face-unlock feature found on today’s high-end smartphones by using a virtual reality model of the person’s head recreated from a handful of photos taken from their social media accounts.

Download: PDF



The researchers show it's possible to defeat modern face authentication systems by creating a virtual model derived from high-resolution photos of the device's owner.

Essentially, they were able to convince the device it was looking at a live face by attaching it to a VR headset and loading the 3D head model, whose movements are realistically motion-tracked by the device's accelerometers and gyroscopes.

The researchers could then further manipulate the 3D head model within the headset to make realistic facial movements like smiling or raising an eyebrow, which face authentication systems often prompt a user to do.

If that wasn’t bad enough, all five face authentication systems tested were successfully fooled with 3D models made with high-res photos and models made with low-res photos fooled all but one of the systems. In the future, if face-authentication is going to grant or deny me access to my bank account or entrance into a stadium, why implement the system when it can clearly be exploited?

They may be manufacturing the need to "improve our security" when it comes to digital authentication and surveillance. It starts as a "convenience" feature that companies sell to us and later down the road, they "discover" that there are safety issues, forcing us to beg to become safe again.


“We argue that such VR-based spoofing attacks constitute a fundamentally new class of attacks that point to a serious weaknesses in camera-based authentication systems: Unless they incorporate other sources of verifiable data, systems relying on color image data and camera motion are prone to attacks via virtual realism,” the researchers write, suggesting that a robust face authentication system would need to incorporate some kind of non-public imagery of the user, like a skin heat map.

Which I’m guessing will ultimately be fooled as well. I'm predicting that biometric scanners will become widespread after the next election, disguised as a solution to the lingering immigration issue. Any wall going up will be a wall of sensors and monitoring equipment.

Anyway, be careful what you decide to share on the internet and more importantly, exercise caution when relying on security measures that incorporate images and information about you and your loved ones.

Safety is never guaranteed...


edit on 28-8-2016 by eisegesis because: (no reason given)




posted on Aug, 28 2016 @ 05:11 PM
I feel the need to point out one thing. The more hoops people need to jump through to do something, the fewer people willing to do it.

So even if the identity theft arms race keeps being back and forth, with each new hurdle someone out there says, # it.
edit on 8/28/2016 by Puppylove because: (no reason given)



posted on Aug, 28 2016 @ 05:47 PM
Get off the grid and stop paying those high cell phone fees...write a letter...they have forgotten how to hack letters?
Cheers



posted on Aug, 28 2016 @ 06:08 PM
a reply to: eisegesis

My phone, SIM and SD card are fully encrypted with an eight character password. Just to boot the OS requires a complex non-dictionary password.

Once booted, to unlock the 'phone requires a thumbprint scan (or the secure password).

To open any apps that may have personal information requires a pattern. For passworded apps with their own security (like banking apps), the password is additional to the pattern unlock, you have to do both. This is after the thumbprint scan.

On e-mail, schedule & calendar I have two factor authentication usually with a secure app but I also have the option of an e-mail or a text message as the second factor should that fail.

Notifications appear on the lock screen so I don't have to unlock to see what a notification is.

I have an "In Case of Emergency" application that runs from the lock screen displaying emergency and contact information without the need to unlock the 'phone.

All my devices must be registered to use a 'cloud' type app, I must first register the device before proceeding. All the usual steps in authentication apply to the registration process, too.

Since I have previously had someone (unsuccessfully) attempt identity theft against me, I have implemented all this and find that I can usually get through the security procedures in less than half a second, making the inconvenience minimal.

My 'phone is not 'rooted' and I have used only free security options.

Security can be nearly unbreakable with just a bit of effort and is worth it (however, I'm fairly sure the NSA or GCSE could probably blast right through).

There are also several companies offering all sorts of security extras for free or for low cost. Every option you add can compound the difficulty of penetration.

A google search is worth your while if you are concerned about security.
edit on 28/8/2016 by chr0naut because: (no reason given)



posted on Aug, 29 2016 @ 06:30 AM
a reply to: Puppylove
The other way around, it is.
With each new hurdle, someone out there will say, let's do it!
Because if it was easy, where would the fun be.
If that was the case, like you write it, we'd still be using cleartext comparisons from 1980 and earlier.

With a fingerprint on a glass, some tape and glue, the CCC got some politicians very upset 10+ years ago.

edit on 29-8-2016 by verschickter because: (no reason given)



posted on Aug, 29 2016 @ 06:36 AM

originally posted by: chr0naut
a reply to: eisegesis

My phone, SIM and SD card are fully encrypted with an eight character password. Just to boot the OS requires a complex non-dictionary password.
...
My 'phone is not 'rooted' and I have used only free security options.
...

You're living in a false sense of security.
Nothing is encrypted except maybe for parts of your SD card, if there is a way now without rooting it.
The 'phone' and 'sim' can never be encrypted like you imagine it. Maybe the entries to the sim, yes you can garble them up and decipher them every time the app pulls data from the sim. But there are not enough chars to each field to get proper and secure encryption. Instead it's much better to save the contacts in an encrypted file on the phone (not the SD).
If your phone is not rooted and you use android (I guess)...
The 8 digit code you use is just a simple passphrase.

Your fingerprint sensor can be tricked very simply. Swipe pattern will be visible on your screen with the right liquid, if you use it so often and don't clean the screen after swiping. The best way is still a passphrase or several ones.

Encryption != passphrase
And if you use free apps, I would not trust one of those either, unless it's open source and I can have a look at it. And even then, it does not guarantee it's safe.
edit on 29-8-2016 by verschickter because: (no reason given)



posted on Aug, 29 2016 @ 06:41 AM
so they're not that smart after all



posted on Aug, 29 2016 @ 03:16 PM

originally posted by: verschickter

originally posted by: chr0naut
a reply to: eisegesis

My phone, SIM and SD card are fully encrypted with an eight character password. Just to boot the OS requires a complex non-dictionary password.
...
My 'phone is not 'rooted' and I have used only free security options.
...

You're living in a false sense of security.
Nothing is encrypted except maybe for parts of your SD card, if there is a way now without rooting it.
The 'phone' and 'sim' can never be encrypted like you imagine it. Maybe the entries to the sim, yes you can garble them up and decipher them every time the app pulls data from the sim. But there are not enough chars to each field to get proper and secure encryption. Instead it's much better to save the contacts in an encrypted file on the phone (not the SD).
If your phone is not rooted and you use android (I guess)...
The 8 digit code you use is just a simple passphrase.

Your fingerprint sensor can be tricked very simply. Swipe pattern will be visible on your screen with the right liquid, if you use it so often and don't clean the screen after swiping. The best way is still a passphrase or several ones.

Encryption != passphrase
And if you use free apps, I would not trust one of those either, unless it's open source and I can have a look at it. And even then, it does not guarantee it's safe.


Device encryption has been in Android since 2010. Here's a link to the Android source website with details.

The SIM card is encrypted with A5 symmetrical encryption - crackable (as revealed by Snowden about the Gemalto hack where the master keys were stolen) but with difficulty.

I don't save my contacts to SD, just non essential apps, music and some document files. I actually leave a partition on my SD card unencrypted as I sometimes use it to move large data to/from other devices.

I prefer open source apps where possible. Most Google code is open source. However, having access to source code doesn't necessarily mean that compiled executables were built with ONLY that source.

As indicated by the FBI's recent issues with decrypting an iPhone, Apple device encryption appears to be secure against unsophisticated hacking. I suspect that the Android encryption is superior to that used on iOS, but as iOS is proprietary, I could not say for sure.

Although, as I said, government agencies can probably bypass the security on my 'phone, very few others have the resources to do so.

If someone did attempt to bypass the security, they would have to expend a lot of time and compute resources and what they would ultimately find would hardly be worth it.

I am fairly confident that my 'phone is safe against all but the most sophisticated hacking.



posted on Aug, 29 2016 @ 03:44 PM
Sorry I was a bit unclear, I see you have knowledge

A5. google osmoc**
The reason why I said, your phone is not encrypted... Of course it's encrypted, but the second you unlock it and installed third party apps on it... ;-)

Yes, the problem with open source is also, one might be able to read the code. Question is, who takes time (personally, since you can't trust anyone) to go all through it. And then there could be an (intentional?) exploit hidden, one has to find it first. Like you wrote it, knowing the source, does not guarantee it's the exact one compiled. There are methods to check this, too. Problem are the signatures.




If someone did attempt to bypass the security, they would have to expend a lot of time and compute resources and what they would ultimately find would hardly be worth it. I am fairly confident that my 'phone is safe against all but the most sophisticated hacking.

I think that, too. Just wanted you to know nothing is really safe. My fault, I forgot you're into the field.



