Latest News

09 May 2014


When Samsung unveiled the latest in its Galaxy series of Android smartphones, gadget reviewers focused on the Galaxy S5’s fingerprint scanner, a feature that the rival iPhone 5s has done much to popularize.

Samsung’s positive buzz over the Galaxy S5 didn’t last long – security researchers from SRLabs soon posted a video on YouTube demonstrating how they were able to trick the scanner with a fake fingerprint made of wood glue.

Indeed, the same approach allowed a similar and well-publicised hack of the iPhone 5s Touch ID last year, the researchers from SRLabs said in their video.

To use SRLabs’s fake fingerprint, an attacker simply places the wood glue replica over the tip of his finger and swipes as usual over the scanner, which is embedded in the Galaxy S5’s home button.

The wood glue is poured into a mold made out of a laser printout created from a photo of the victim’s fingerprint.

With the right image contrast and printer settings, the buildup of toner on the printout creates a 3D representation of the fingerprint that is accurate enough to “cast” a replica that will fool the phone.

According to the researchers, a latent fingerprint left behind by the owner on a stolen phone can be snapped with another phone’s camera, giving an image of sufficient quality to print out a usable mold.

“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” one of the researchers said in the video.

What’s worse, Samsung’s implementation is even less secure than Touch ID that Apple unveiled in September 2013, which is ironic given the former Samsung CEO’s contention that “beating Apple is no longer merely an objective, [but] our survival strategy.”

SRLabs claimed in its video:

Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password.
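The two weaknesses SRLabs calls out (a fingerprint that still works after a power-off, and unlimited attempts with no password fallback) are policy decisions rather than sensor limitations. The following is an added illustration of such a policy, not Samsung's or Apple's code; the class name, the attempt limit of five and the state values are assumptions.

```python
from dataclasses import dataclass


@dataclass
class BiometricUnlockPolicy:
    """Hypothetical device unlock policy.

    Two rules address the weaknesses SRLabs described:
      1. after a reboot the fingerprint alone never unlocks the device;
      2. after max_fingerprint_attempts failures the password is required.
    """
    max_fingerprint_attempts: int = 5      # assumed policy value
    failed_attempts: int = 0
    password_required: bool = True         # True until the first password unlock after boot

    def on_boot(self) -> None:
        # A fresh boot always demands the password before biometrics are usable.
        self.failed_attempts = 0
        self.password_required = True

    def try_fingerprint(self, scanner_matched: bool) -> str:
        """scanner_matched is the sensor's verdict; a replica that fools the
        sensor still counts as a match, which is why the other rules matter."""
        if self.password_required:
            return "password_required"
        if scanner_matched:
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_fingerprint_attempts:
            self.password_required = True
            return "password_required"
        return "denied"

    def try_password(self, password_correct: bool) -> str:
        if not password_correct:
            return "denied"
        self.failed_attempts = 0
        self.password_required = False
        return "unlocked"


def walkthrough() -> list:
    """Constructed sequence: boot, password, five sensor misses, then a sensor match."""
    policy = BiometricUnlockPolicy()
    policy.on_boot()
    results = [policy.try_fingerprint(True)]            # refused: no password since boot
    results.append(policy.try_password(True))           # unlocked
    results += [policy.try_fingerprint(False) for _ in range(4)]
    results.append(policy.try_fingerprint(False))       # fifth miss: back to the password
    results.append(policy.try_fingerprint(True))        # even a sensor match is refused now
    return results
```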

It’s not just Samsung that has egg on its screen due to the ease of the Galaxy S5’s fingerprint scanner hack – electronic payments company PayPal partnered with Samsung to make the PayPal app accessible “with the swipe of a finger,” as Samsung boasted on its website.

PayPal responded to the video in a statement:

PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.

The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.

PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy.

Is a fingerprint more secure than a password?

The fingerprint scanner is not a new concept – think back to laptops that offered the supposed convenience of a fingerprint scanner instead of typing a password.

But Apple and Samsung have fine-tuned fingerprint authentication to the point that it’s super-fast and simple – just what smartphone users want.

If we ignore the speed and convenience, however, is this kind of biometric technology really more secure than passwords, as Apple and Samsung claim?

Security folks often talk about the limitations of passwords.

People can’t be relied upon to use hard-to-guess, unique passwords, and also leave their passwords written down to remember them.

Worse still, even passwords you might have relied on a service provider to store securely for you can be stolen and recovered electronically due to data breaches.

Yet stealing fingerprints is pretty easy – we leave our prints on almost anything we touch.

What’s especially inconvenient about fingerprint authentication is that we’re pretty much stuck with the fingerprints we have.

If someone steals a photo of your fingerprint to use for identity theft, you can’t change it like you can your password.

In fact, in the SRLabs video showing the Galaxy S5 being tricked, the researchers say that the wood glue replica they used was left over from last October when they were having a crack at the iPhone 5s.

Given these well-known drawbacks, one wonders why Samsung and Apple went to such enormous expense to add this flawed technology to their “phones of the future”.

09 May 2014


Viber, a mobile messenger app that allows users to make phone calls and send text messages and images for free, also gives up plenty of free user data to anyone who wants to listen.

According to researchers from the University of New Haven (UNH) in Connecticut, US, Viber’s app sends user messages in unencrypted form – including photos, videos, doodles, and location images.

All of that rich data from users is also stored unencrypted on Viber’s servers, rather than being deleted immediately, and is accessible without credentials, just a link, the UNH researchers said.

It’s the second cryptographic blunder exposed by UNH researchers in as many weeks – the UNH Cyber Forensics Research & Education Group disclosed on 13 April 2014 that the WhatsApp messenger app also gives away user location data in unencrypted form.

Using a Windows PC as a Wi-Fi access point, the UNH team was able to capture data sent by an Android smartphone with regular traffic sniffing tools, the same approach taken by UNH in their experiments with WhatsApp.

In a video posted on the UNH website and YouTube, the researchers demonstrated capturing messages sent between two test Android phones.

Data can be intercepted by poisoned access points, by malicious users on the same Wi-Fi network, or elsewhere in the network between you and Viber.

In the video, one of the researchers said the unencrypted messages can also be retrieved from Viber’s servers by anyone who knows the message URL:

The data is stored on Viber’s server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.
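The server-side half of the problem the researchers describe is that possession of a link is the only requirement for retrieval. As an added illustration (not Viber's code), the functions below issue a link bound to a recipient and an expiry, and refuse bare object URLs, expired or tampered tokens, and plaintext transport; the URL layout, parameter names and signing key are assumptions. Encrypting the stored content itself is a separate measure not shown here.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret; a real deployment keeps this in protected config.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def _token_message(object_id: str, user_id: str, expires: int) -> bytes:
    return f"{object_id}|{user_id}|{expires}".encode()


def sign_media_url(base_url: str, object_id: str, user_id: str, now: int, ttl_seconds: int) -> str:
    """Issue a link that names the recipient and expires, instead of a bare object URL."""
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _token_message(object_id, user_id, expires), hashlib.sha256).hexdigest()
    return f"{base_url}/{object_id}?" + urlencode({"u": user_id, "exp": expires, "sig": sig})


def authorize_media_request(url: str, requesting_user: str, now: int) -> bool:
    """Server-side check: reject bare links, expired tokens, other users and bad signatures."""
    parsed = urlparse(url)
    if parsed.scheme != "https":            # plaintext transport is refused outright
        return False
    object_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)
    try:
        user_id = params["u"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False                        # no token at all: the flaw the researchers describe
    if now > expires or user_id != requesting_user:
        return False
    expected = hmac.new(SIGNING_KEY, _token_message(object_id, user_id, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```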

The researchers, Dr Ibrahim Baggili and Jason Moore, said in a blog post that they reported the security flaw directly to Viber before publishing their results but did “not receive a response from them.”

In a statement to CNET, Viber said it would be releasing a fix soon for Android and iOS, and said the issue has been “resolved.”

This issue has already been resolved. It is currently in QA and the fix will be released for Android and submitted to Apple on Monday. As of today we aren’t aware of a single user who has been affected by this.

The fact is that a modern online messaging app shouldn’t really be “fixing” this sort of blunder – encryption should have been baked in from the start.

And for all that Viber may have “fixed” its apps to exchange data securely now, it hasn’t said anything about addressing the insecurities that UNH found in Viber’s cloud, where your messages are stored.

The company also lists only Android and iOS as getting updates, leaving users of its numerous other supported platforms in the dark.

That includes users of Viber on the desktop, via Samsung’s Bada ecosystem, on Microsoft’s various mobile operating systems, and on Blackberry and Nokia phones.

09 May 2014


Facebook’s the company that’s always been about keeping it real. Real identity. Real names. Real people.

Well, now that anonymity is all the rage – just ask Snapchat, Whisper and Secret how much users like to keep their identities or content hush-hush – Facebook’s going to serve it up.

To that end, at the F8 developers conference on Wednesday, Facebook unveiled Anonymous Login: a way to use your Facebook account to anonymously log in to other sites and apps.

Mind you, this does not mean you can anonymously log in to Facebook itself.

Facebook will still suck up all the information about you that it always has, plus a running tab of all the sites and services you fancy.

But what about the soon-to-be-famished developers, whom Facebook will be depriving of the data its users once spread throughout the land?

They’re just going to have to deal with it, Zuckerberg told Wired’s Steven Levy:

Our philosophy is that we care about people first. In the case of login, some of the things that we’re doing may add a little bit of friction to the experience by giving people the opportunity to not share certain things with apps.

That will mean that developers will have to adjust. Over time, making it so that people trust the blue button to log in to Facebook will ultimately be good for developers, too.

Facebook cares about people first, Zuckerberg said, which means they should be able to refuse apps’ requests for information. Unless, of course, you’re talking about the app that is Facebook, in which case it’s a continuing data bacchanalia.

Anonymous Login is just one change in the new Facebook Login, which will also let mobile users edit the information they provide, feature a redesign that highlights the audience that apps will post to when they request permission to post back to Facebook, and will let people decide what information they want to share about themselves, including their friend list.

Facebook says it’s testing Anonymous Login with a few developers, and it will be opened up to more developers in the coming months.

Undeniably, users like the “blue button” when it comes to fast and easy login to sites and apps, without having to remember separate usernames and passwords.

People don’t like it a little. They like it a lot – to the tune of using it over 10 billion times last year, Facebook said in its announcement.

We can expect many, many people to choose to hide their identities behind Facebook, I’m sure.

And expect Facebook to be all the more data-rich because of it.

Is Anonymous Login a good thing, security-wise? We often tell you to be careful of what information you share with apps, be they mobile apps or third-party Facebook apps. So yes, feeding apps less information seems like a good thing.

Of course, you should still be careful about the information you share with Facebook itself.

And of course, you can always stay up to date on privacy leakage and other internet threats by liking the Naked Security page on Facebook.