A snazzy demo to the press had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.<\/p>\n
What the hackers really found was that it’s bloody difficult to trick FaceID \u2014 it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.<\/p>\n
<\/p>\n
The hackers started by creating a detailed 3D scan of a person’s face, then 3D printing that scan, replacing the eyes, nose, and mouth with latex, and then setting everything up on a jig so they could get the distances and angles just right so they could fool FaceID.<\/p>\n
This is an even less practical attack that the fake fingers that got similar press in the early days of TouchID. These attacks are just not practical in the real world, and while they make good headlines, they don’t actually break the security of FaceID. Apple never claimed it was perfect, probably because nothing is. We use locks on our houses that are not perfect, but we know they are a heck of a lot better than nothing. We use TouchID despite knowing it’s not perfect, because we know that a strong passphrase made tolerable by TouchID is a much more secure alternative to a PIN.<\/p>\n
Also \u2014 note that no one is claiming to have hacked FaceID, just to have spoofed it. What’s the difference? A hack would extract data from the secure element, exfiltrating private keys and\/or biometric data. Nothing like that has even been claimed here.<\/p>\n
Now, while intentional spoofing is proving very difficult, Apple’s warnings that the statistical probability of a false positive is much lower between close family members is proving to be true, with specific examples making the news, including British brothers, and perhaps a little more surprisingly, a mother an son.<\/p>\n
If you share a house with close relatives who look like you, and, who you absolutely don’t want accessing your phone, you might want to consider giving FaceID a miss, or, at the very least, testing it on your family members to see whether or not your phone trusts them!<\/p>\n
A Google researcher released details of another 14 bugs in the Linux kernel’s USB implementation recently, bringing his total since last December to 79.<\/p>\n
These bugs are getting patched, so our usual advice applies \u2014 stay patched!<\/p>\n
Many IoT devices use Linux, and many will never see updates, so something else to bear in mind is that these exploits all require physical access to the device \u2014 to trigger these vulnerabilities you need to plug some kind of booby-trapped device into the USB port of the device you’re attacking. That simple fact alone means these bugs can’t turn into an internet-destroying worm.<\/p>\n
To attack someones device remotely you’d need to trick them into plugging some random USB thingy into their devices. Sadly, its been shown time and again that that’s easy to do \u2014 just hand out free booby-trapped USB thumb drives or power banks, or, throw some thumb drives around the car park. This leads to a second take-away \u2014 don’t do that!!! Don’t plug stuff you find lying around into you computers!<\/p>\n
Security researchers have promised to unveil an attack against the so-called Management Engine<\/em> inside Intel’s CPUs. They say the attack they will demonstrate will give god mode<\/em> control over affected computers.<\/p>\n Intel have acknowledged the problem, released a tester app, and patches which will be making their way out to users as firmware updates from their hardware manufacturers. Since there are so many vendors involved, it’s impossible to give useful generic instructions or advice.<\/p>\n This affects just about every CPU from Intel in the last two years, covering their Core, Xeon, Atom, Celeron, and Pentium product lines.<\/p>\n The Domain Name System, DNS, use used to convert human-friendly domain names into the IP addresses computers actually use to communicate with each other over the internet. This means that the first step in getting infected with all sorts of malware is a DNS query to resolve an malicious domain name to an IP address. This provides an obvious opportunity for nipping a whole bunch of attacks in the bud before they can really get going \u2014 a DNS service that’s aware of current cyber threats could simply reply to all requests for known-malicious domains with an error response (an That’s exactly what Quad9 was set up to do. They are providing a free DNS service that responds with This sounds great, but before we get too excited we need to follow the money!<\/p>\n Thankfully, when we do we find good news \u2014 Quad9 is a not-for-profit organisation, and their privacy policy clearly states that they do not track individual users. IP addresses are never stored. The only data collected is global counts of attempts to access each malicious domain. This data will be used to help security companies track the effectiveness of individual pieces of malware.<\/p>\n Security Medium 1 \u2014 No, FaceID isn’t Broken, but it Does Have Limits A snazzy demo to the press had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail. What the hackers really […]<\/p>\n","protected":false},"author":4,"featured_media":13191,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[1872,2002,201,50,569,1626,2003],"class_list":["post-13586","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-face-id","tag-intel","tag-linux","tag-security","tag-security-bits","tag-usb","tag-vulnerabilities"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2017\/10\/security_bits_logo_300px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/13586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=13586"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/13586\/revisions"}],"predecessor-version":[{"id":13588,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/13586\/revisions\/13588"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/13191"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=13586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=13586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=13586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Links<\/h4>\n
\n
Security Medium 4 \u2014 Meet Quad9<\/h3>\n
nxdomain<\/code> response for all you DNS nerds out there).<\/p>\nnxdomain<\/code> errors to all request for know-bad domain names. To use the services you simply have to configure your computer or your router to use 9.9.9.9<\/code> as your DNS server (hence the name).<\/p>\nLinks<\/h4>\n
\n
Notable Security Updates<\/h3>\n
\n
Notable News<\/h3>\n
\n
\n
Suggested Reading<\/h3>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
Palate Cleansers<\/h3>\n
\n
\n