Smartphones' security enhancements just make them more dangerous

Is that incriminating data in your pocket or are you just pleased to see me?


Over the holidays I bought Apple’s newest, shiniest face scanner. For the first fortnight - and periodically since then, that constant lift-and-scan felt weird. As though my smartphone had suddenly become too intimate, too familiar.

This is hardly the thin end of the wedge. It started with passcodes - which many people didn’t even use, to begin with. Then, as it became clear that an unlocked smartphone could leak dangerous data, we began locking them behind PINs.

Even that basic layer of safety proved too hard for many people - either unable to remember the PIN or unwilling to spend time typing it in, over and over and over - so a few years back the devices added fingerprint readers.

That marked a Rubicon of sorts, because crossing it subtly changed the balance of power between user and device. As the device acquired the necessary sensing and computational capacities, designers could raise the bar on access control. The smartphone, now seen as safe and secure, became the home for a range of data that had formerly only lived in highly-protected data centres: medical and financial (and sexual) datasets freely commingle within our devices. Suddenly the accidental loss or unlocking of a smartphone became a very serious matter, far beyond the loss of a wallet or keys - or anything else we’ve ever carried around with us everywhere.

It’s as if each of us bears our crown jewels in our pockets, relying on the big padlock we’ve placed upon the device to protect us from thieves.

A few months back, as I queued for a flight, I handed the check-in staff my smartphone, expecting they’d scan the QR code representing my boarding pass. They waved it away. “We’d prefer you scan your code yourself - just in case we drop it. People get very upset. They lose their whole lives.”

Smartphones have enormous utility value, but that’s created a kind of gravitational warp around them. They’re too dense with value, requiring increasingly careful handling and ever-stronger locks.

So to FaceID™, because Apple claims fingerprints aren’t nearly unique enough. It may be that my mug is more unique than my thumb, but maybe we should be asking ourselves how much safety we need? Where does this end? Already we know that a clever 3D print job can fool FaceID some of the time. That will only grow easier as the technology becomes better understood. The arms race of security ratcheting ever upward, will continue to demand ever more invasive scans to determine our authenticity.

In about a decade or so - advances in microfluidics will allow Apple to embed a rapid DNA analyser - a la GATTACA - inside iPhone XX. I can already imagine Tim Cook’s keynote, touting the “one in a billion” uniqueness of DNA. A thousand times better than that silly and so-easily-spoofed FaceID! You’re gonna love it!

Will we love it? Or will we be so afraid of our digital selves falling into the wrong hands (particularly those closest to us) that we’ll simply submit to any indignity to protect ourselves?

We’ve always had to be careful when transporting objects of great value. It may be that we decide the wiser course is simply not to transport them at all. At some point the danger of ubiquity overwhelms the usability of the device. My new iPhone feels as though it sits right on this side of that abyss, asking us how far we’re willing to go - and how much we’re willing to surrender - to be secure.

Benjamin Franklin famously said, “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” With every scan of our faces and our fingerprints, we need to ask ourselves whether we really feel any safer. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • To cut off all nearby phones with these Chinese chips, this is the bug to exploit
    Android patches incoming for NAS-ty memory overwrite flaw

    A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.

    The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.

    Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022