Smashing Security #022: Walk this way... to defeat biometrics

Three security industry veterans, chatting about computer security and online privacy.

Smashing Security #22: Walk this way... to defeat biometrics

The Samsung Galaxy S8 claims that its iris recognition technology provides "airtight security", but the Chaos Computer Club knows better and shows how it can be easily bypassed. Australian researchers create a wearable gizmo that authenticates you through your walk, but is it ever going to be practical? Mac malware reportedly wastes no time stealing information from a software developer. And the boss of the Bank of England is smart enough not to fall for an email prankster.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Paul "Duck" Ducklin.

Show notes:

Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.

Hosts:

Graham Cluley - @gcluley
Carole Theriault - @caroletheriault

Guest:

Paul Ducklin - @duckblog

Thanks to our sponsor:

This episode of Smashing Security is made possible by the generous support of Iovation.

iovation is offering Smashing Security listeners a free demonstration of its mobile multifactor solution product, LaunchKey, which can be built into your mobile apps, websites and online services to provide a simple, streamlined remote login function.

Visit demos.launchkey.com, and thanks to iovation for their support.

Follow the show:

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

6 Responses

  1. Bob

    May 25, 2017 at 1:01 pm #

    Paul Ducklin is wrong when he says he can still make emergency calls from a SIM-less telephone. He's unknowingly perpetrating an internet hoax.

    OFCOM specifically prohibit the making of 999/112 calls from mobile handsets without a SIM because of the difficulties in immediately barring repeated hoax callers.

    Therefore you *must* have a SIM in your handset in order to make a 999/112 call.

    • Bob in reply to Bob.

      May 25, 2017 at 1:09 pm #

      Proof; if anybody needs it:

      "Consumers must also ensure that the mobile handset from which they wish to make the emergency call contains a SIM card."* Paragraph 11.6

      They don't explain the rationale behind blocking SIM-less calls in this document but I can confirm that calls to 999/112 *do not* connect if no SIM card is present.

      *https://www.ofcom.org.uk/__data/assets/pdf_file/0016/43063/ai_statement.pdf

    • Paul Ducklin in reply to Bob.

      May 25, 2017 at 2:47 pm #

      I wasn't aware of that – I have been outside the UK for many years until recently. AFAIK that SIMless emergency call restriction doesn't apply in every country – I am pretty sure that the place where I bought the phone doesn't have such a limitation. Fortunately, I have had to make an emergency call only once in recent memory (to report a bush fire that turned out to be controlled burning, but thanks for your call anyway, Sir) and I had a SIM in the phone at the time, so I do accept I don't have any evidence either way on the issue. So I will take your word for it.

      Sad comment on UK society that OFCOM felt the need to react that way, isn't it?

      (I'd be inclined to block the IMEI to suppress hoaxers of this sort, considering that in the UK you don't need ID to buy a SIM, and you can buy new SIMs much more easily than new handsets. As an aside, given current moods about surveillance, how long do you reckon before you'll need proof of identity, maybe even proof of address, to activate a new SIM in the UK?)

      • Bob in reply to Paul Ducklin.

        May 25, 2017 at 5:49 pm #

        Thanks for replying. I wasn't sure if you were UK-based and I did notice on your Twitter that you're down under.

        It's complicated how it started. Originally you couldn't use it SIM-less, then you could and now you can't.

        OFCOM stopped it after a substantial increase in hoax calls to 999. It is possible to block the handset by the IMEI but that can be easily changed although doing so is a criminal offence.

        Normally the exchange operator, who answers the 999 call, transfers the call to the relevant emergency service (fire, police, ambulance, coastguard, mountain rescue) and they relay the CLI to the emergency service orally. Nowadays CLI details are relayed electronically along with name and address and a precise/approximate location.

        To bar a SIM is trivial for the emergency services but to bar an IMEI is much more difficult because there's no single UK registry of IMEI numbers (apart from lost or stolen) which can be used to prevent calls from being made.

        Imagine if a high-profile VIP somehow had their IMEI captured using a stingray and a number of hoax 999 calls made by a miscreant using that same IMEI – spoofed on another handset. The emergency services would bar that IMEI. Then, the bad guys kidnap the VIP and leave him/her unable to call for help. It'd require a determined attacker but for a VIP target it'd be worth it for the bad guys.

        Being unable to call 999 without a SIM is a non issue because everybody I know has a SIM in their phone. Even if they are pre-paid you can still make a 999 call without any credit so there's no real advantage in allowing calls without a SIM.

        The SIM-less restriction doesn't apply to every country because every national telecommunications regulator makes their own decision.

        How long before you need to produce ID to buy a SIM? I'm not sure although the way things are going this may be introduced. However many calls are being made over modern technologies like VOIP services (like Signal or WhatsApp) or even TOX which can make tracing somebody virtually impossible. The metadata can be useful so that's one argument for requiring ID although Signal retain almost nothing.

  2. Michael Ponzani

    May 25, 2017 at 9:16 pm #

    That's Monty Python's "Minister of Silly Walks"; probably John Cleese! (in silhouette). NB: I typed this BEFORE listening to the show. Bring back Benny Hill!! or someone like him. Hurray fro MR. Bean!! Or others like him; The Python, Hill of Beans Liberation Army announces a massive takeover of the Internet. We have gone underground to keep up production so we may defeat the capitalist roaders who run the world. (That was from an old VC agit-prop film in the early stages of the Vietnamese War.) I'd say more. It would not be PC.

    Wack-a-Doo, Wack-a-Doo,
    BEBBEBBE, that's all folks.

  3. Jim

    May 28, 2017 at 9:12 am #

    About the Mark Carney email hoax, why doesn't IT departments setup their own internal email testing, a memo warning staff that they would be tested at certain times could be issued so they would be more aware of their own security.

Leave a Reply