Security Bits – 26 November 2017 – FaceID Isn’t Broken, USB Bugs in Linux Kernel, Vulnerability in Intel Chips

Security Medium 1 — No, FaceID isn’t Broken, but it Does Have Limits

A snazzy demo to the press had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.

What the hackers really found was that it’s bloody difficult to trick FaceID — it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.

The hackers started by creating a detailed 3D scan of a person’s face, then 3D printing that scan, replacing the eyes, nose, and mouth with latex, and then setting everything up on a jig so they could get the distances and angles just right so they could fool FaceID.

This is an even less practical attack than the fake fingers that got similar press in the early days of TouchID. These attacks are just not practical in the real world, and while they make good headlines, they don’t actually break the security of FaceID. Apple never claimed it was perfect, probably because nothing is. We use locks on our houses that are not perfect, but we know they are a heck of a lot better than nothing. We use TouchID despite knowing it’s not perfect, because we know that a strong passphrase made tolerable by TouchID is a much more secure alternative to a PIN.

Also — note that no one is claiming to have hacked FaceID, just to have spoofed it. What’s the difference? A hack would extract data from the secure element, exfiltrating private keys and/or biometric data. Nothing like that has even been claimed here.

Now, while intentional spoofing is proving very difficult, Apple’s warnings that the statistical probability of a false positive is much lower between close family members is proving to be true, with specific examples making the news, including British brothers, and perhaps a little more surprisingly, a mother and son.

If you share a house with close relatives who look like you and who you absolutely don’t want accessing your phone, you might want to consider giving FaceID a miss, or, at the very least, testing it on your family members to see whether or not your phone trusts them!

Security Medium 2 — 79 USB Bugs in the Linux Kernel

A Google researcher released details of another 14 bugs in the Linux kernel’s USB implementation recently, bringing his total since last December to 79.

These bugs are getting patched, so our usual advice applies — stay patched!

Many IoT devices use Linux, and many will never see updates, so it’s worth bearing in mind that these exploits all require physical access to the device — to trigger these vulnerabilities you need to plug some kind of booby-trapped device into the USB port of the device you’re attacking. That simple fact alone means these bugs can’t turn into an internet-destroying worm.

To attack someone’s device remotely you’d need to trick them into plugging some random USB thingy into their devices. Sadly, it’s been shown time and again that that’s easy to do — just hand out free booby-trapped USB thumb drives or power banks, or throw some thumb drives around the car park. This leads to a second take-away — don’t do that!!! Don’t plug stuff you find lying around into your computers!

Security Medium 3 — More Problems with Intel Chips

Security researchers have promised to unveil an attack against the so-called Management Engine inside Intel’s CPUs. They say the attack they will demonstrate will give god mode control over affected computers.

Intel have acknowledged the problem and released a tester app, along with patches that will be making their way out to users as firmware updates from their hardware manufacturers. Since there are so many vendors involved, it’s impossible to give useful generic instructions or advice.

This affects just about every CPU from Intel in the last two years, covering their Core, Xeon, Atom, Celeron, and Pentium product lines.

Security Medium 4 — Meet Quad9

The Domain Name System, DNS, is used to convert human-friendly domain names into the IP addresses computers actually use to communicate with each other over the internet. This means that the first step in getting infected with all sorts of malware is a DNS query to resolve a malicious domain name to an IP address. This provides an obvious opportunity for nipping a whole bunch of attacks in the bud before they can really get going — a DNS service that’s aware of current cyber threats could simply reply to all requests for known-malicious domains with an error response (an NXDOMAIN response, for all you DNS nerds out there).

That’s exactly what Quad9 was set up to do. They are providing a free DNS service that responds with NXDOMAIN errors to all requests for known-bad domain names. To use the service you simply have to configure your computer or your router to use 9.9.9.9 as your DNS server (hence the name).
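To make the mechanism concrete, here is an added example (not Quad9’s code, and the blocklist entries are constructed stand-ins for a real threat feed) that parses a DNS query in wire format, checks the queried name and its parent domains against a blocklist, and, for a match, builds the NXDOMAIN (RCODE 3) response a threat-aware resolver would send back:

```python
import struct

# Constructed blocklist standing in for a threat-intelligence feed (example names only).
BLOCKLIST = {"malware.example", "phish.example.net"}

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (type A by default) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_qname(pkt, offset=12):
    """Read the QNAME labels starting at offset; return (name, offset after the root label)."""
    labels = []
    while True:
        n = pkt[offset]
        if n == 0:
            return ".".join(labels), offset + 1
        if n & 0xC0:
            raise ValueError("compression pointer not expected in the question section")
        labels.append(pkt[offset + 1:offset + 1 + n].decode("ascii").lower())
        offset += 1 + n

def is_blocked(name):
    """True if the name itself or any parent domain is on the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def resolve(pkt):
    """Return ('NXDOMAIN', response_bytes) for blocked names, else ('FORWARD', name)."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(pkt)
    if not is_blocked(name):
        return "FORWARD", name  # a real resolver would recurse upstream here
    # Response flags: QR=1, RD copied from the query, RA=1, RCODE=3 (NXDOMAIN).
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return "NXDOMAIN", header + pkt[12:end + 4]  # echo the question, no answers

def rcode(pkt):
    """Extract the 4-bit RCODE from a DNS message header."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x000F
```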

This sounds great, but before we get too excited we need to follow the money!

Thankfully, when we do we find good news — Quad9 is a not-for-profit organisation, and their privacy policy clearly states that they do not track individual users. IP addresses are never stored. The only data collected is global counts of attempts to access each malicious domain. This data will be used to help security companies track the effectiveness of individual pieces of malware.

Notable Security Updates

  • Patch Tuesday has been and gone with updates from Microsoft and Adobe for Windows, Office, Flash, Photoshop, Reader, and more — krebsonsecurity.com/…
  • Amazon’s Echo & Google Home have been patched against the so-called BlueBorne vulnerabilities — nakedsecurity.sophos.com/…

Notable News

  • Now is a good time to give Firefox another go – with release 57 Mozilla completely re-invented the UI, making it much faster and leaner, and added new tracking protections (blacklist based) — nakedsecurity.sophos.com/…
  • The German government has banned smart watches aimed at kids that include the ability to eavesdrop on kids — nakedsecurity.sophos.com/…
  • WhatsApp’s Delete for Everyone feature turns out not to actually delete the messages from people’s devices after all — nakedsecurity.sophos.com/…
  • Twitter have updated the policies behind their blue verified badges – users who incite hate are no longer eligible for such badges — nakedsecurity.sophos.com/…
  • Security researchers find a way to jam Amazon’s smart lock system for letting delivery people into our houses – Amazon have promised that a fix is on the way — nakedsecurity.sophos.com/…
