SXSW 2015 Slides and Audio from Fingerprints are Usernames, Not Passwords

This morning, I led a "core conversation" session in the Security and Privacy track at SXSW Interactive festival.  With 60 seats in the room, it was standing room only, and unfortunately, some people were turned away from the session due to a lack of space.  Amazingly, that was a packed house at 9:30am on a Sunday morning, merely stumbling distance from the late night party that is 6th Street in Austin, Texas!

I'm pleased to share with you both the slides, as well as a rudimentary audio recording from the mic on my laptop.  The format of a "core conversation" at SXSW is not your typical conference lecture.  Rather, it's an interactive, dynamic, social exchange of ideas and thoughts.  I hope you enjoy!

Slides:


Audio:


Have a great South-by!
Dustin

Security and Biometrics: SXSW Preview Q&A

Rebecca: Can you give me a brief overview of why you see it as a problem that our personal biometrics, at this point mostly fingerprints, are being used to authenticate our actions rather than identify us?

Dustin: How many emails have you received, to date, from some online service or another saying, "We're sorry, but our site was attacked, and while we don't think your password was compromised, we think you should change it anyway, for good measure"?

Surely you've seen this once or twice, right?  And if you're like me, you kind of take a deep breath, and think, "Oh man, that's inconvenient..."

Now, what if that site used some form of biometrics, instead.  Let's say your fingerprint.  Or your eyeball.  How would that email read? You want me to change my fingerprints!?!  My eyeballs!?!

That's ridiculous, of course, but it perfectly shows the problem. Biometrics are not changeable.  You couldn't alter them if you tried. Being able to change, rotate, and strengthen passwords is one of the
most fundamental properties of authentication tokens -- and completely missing from all forms of biometrics!

That's just one of a number of problems with biometrics.  I'll cover more in my talk ;-)

Rebecca: Is biometrics something you've worked with professionally or what has piqued your interest in the area?  What made you want to do a panel on the issue?

Dustin: Sort of.  I've long maintained and developed an encrypted filesystem for Linux, called eCryptfs.  In 2008, I was asked to add eCryptfs support for Thinkpad's fingerprint reader.  After thinking about it
for a while, I refused to do so, with the core arguments being much of what I described above.  With that refusal to support fingerprint readers in 2009, I seemed to have picked a few fights and arguments with various users.

All was pretty quiet on the home front, until Apple released an iPhone with a built-in fingerprint reader in late 2013, and I blogged this piece that criticized the idea accordingly: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

That blog post in October 2013 sort of did the viral thing on social media, I guess, seeing almost a million unique views in about a month.

Rebecca: I feel embarrassed to admit that I had simply never thought of this issue until seeing your panel synopsis.  Then, it seemed incredibly obvious and I found myself looking at my phone's fingerprint scanner suspiciously.  Why do you think the public has had so little response to biometrics in technology, other than seeing it as a neat feature of a particular gadget?

Dustin: On the surface, it seems like such a good idea.  We've all seen Mission Impossible or 007 or countless other spy movies where Hollywood portrays biometrics as the authentication mechanism of the future.  But it's just that...  Bad pulp fiction.

There are plenty of ideas that probably seemed like a good idea at first, right?  Examples: Clippy, The Hindenburg, New Coke, Tanning beds, The Shake Weight, Subprime Mortgages, Leaded Gasoline.  Think about for just a minute, though.  A passenger blimp filled with Hydrogen?  An annoying cartoon character that always knows more than you?  Massive scale lending to high-risk individuals packed into mortgage-backed securities?  Dig a little deeper and these were actually misapplications from the beginning.  We'll be in the same place with Biometrics, I have no doubt.

Rebecca: Have there been any instances that you're aware of where the technology has been compromised?

Dustin: The Chaos Computer Club have demonstrated compromised Apple TouchID: http://arstechnica.com/apple/2013/09/chaos-computer-club-hackers-trick-apples-touchid-security-feature/

TouchID is actually pretty high resolution.  The Thinkpad fingerprint readers, until recently, could be fooled with a piece of scotch tape: https://pacsec.jp/psj06/psj06krissler-e.pdf

Rebecca: In the future, if we continue down the current path do you see identity theft including the hacking of our fingerprints and voice patterns in addition to our credit card info?

Dustin: I certainly hope we can curtail this doomed path of technology before we get to that point...

But if we don't, then yes, absolutely.  All of your biometrics are easily collected in public places, with your knowledge.

• Your fingerprints are on your coffee mug and every beer bottle you've ever picked up with your bare hands.
• Your hair, dandruff, and dead skin contain your DNA.
• High resolution digital cameras can pick up your iris in incredible detail (less so for the retina currently)
• Facial recognition -- seriously, unless you've taken exorbitant steps, your face is all over Facebook, Google, LinkedIn, etc., and everywhere you go in public today, there are security monitors.
• The same goes for vocal recognition.  Surely you've heard, "This call may be recorded for training purposes".  Sure, that's fine.  But do you go spilling your master password to all of your accounts to that phone support?  Well, if you use voice recognition for your authentication, then that's exactly what you've done.

Rebecca: Beyond crime, what are the civil liberties issues you see being entwined with biometrics technology?  Could the government theoretically access this information in much the same way they have our email and phone records in the past?

Dustin: Theoretically, yes.  That that "theoretically, yes" is enough for me to be very concerned.

Is Apple colluding with the NSA/FBI/CIA/etc?  I am most certainly NOT making that accusation.

Could they, or anyone else in this biometrics?  Most certainly.  They could even be coerced or forced to do so.  And they could so unknowingly.  And it might not even be "the good guys".  Anyone of this magnitude is a target for attacks, by less than savory governments or crime organizations.

Moreover, I strongly recommend that everyone consider their biometrics compromised.  As I said above, you leave a trail of your fingerprints, DNA, face, voice, etc. everywhere you go.  Just accept that they're not secret, and don't pretend that they are :-)

Rebecca: What are some places where you see biometrics as appropriate and useful?

Dustin: Back to the title of the presentation, I think biometrics are decent as a "username", just not as a "password".

Is your name secret?  No, not really.  Is your email address secret? No, not really, either.

That's what biometrics are -- they're another expression of your "identity".  It can be used to replace, or rather, look up your name, username, or email address from a list, as it's just another expression of that information.

Now, a password is something entirely different.  A password is how you "prove" your identity.  This is something entirely different.  It must be long, and very hard to guess.  You have to be able to change it.  And you have to keep your passwords separate from different accounts, so that no one account could share that with another account and compromise you.

Rebecca: What are your thoughts on SXSW Interactive as a venue for such discussion?

Dustin: I think it's a fantastic venue!  I attended SXSW Interactive in 2014, and was very impressed with the quality of speakers and discussion around security, privacy, identity, and civil liberties.  I immediately regretted that I didn't submit this talk for the 2014 conference, and resolved to definitely do so for 2015.  Unfortunately, this subject is still important and topical in 2015 :-(  Which means we still have some work to do!

Rebecca: Finally, are there any other panels you're especially looking forward to?

Dustin: All of the Open Source ones (of which there are a lot!), as that's really my passion.  If I have to pick three right now I'm definitely attending, it would be:

• http://schedule.sxsw.com/2015/events/event_IAP35935
• http://schedule.sxsw.com/2015/events/event_IAP36290
• http://schedule.sxsw.com/2015/events/event_IAP40528

Cheers,
Dustin

Fingerprints are Usernames, not Passwords

As one of the maintainers of eCryptfs, and a long time Thinkpad owner, I have been asked many times to add support to eCryptfs for Thinkpad's fingerprint readers.

I actually captured this as a wishlist bug in Launchpad in August 2008, but upon thinking about it a bit more, I later closed the bug "won't fix" in February 2009, and discussed in a blog post, saying:

Hi, thanks so much for the bug report.I've been thinking about this quite a bit lately. I'm going to have to mark this "won't fix" for now. The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords. Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-) This wikipedia entry (although it's about Microsoft Fingerprint Readers) is pretty accurate: * http://en.wikipedia.org/wiki/Microsoft_Fingerprint_ReaderSo, I'm sorry, but I don't think we'll be fixing this for now.

I'm bringing this up again to highlight the work released last week by The Chaos Computer Club, which has demonstrated how truly insecure Apple's TouchID is.

There may be civil liberties at issue as well.  While this piece is satire, and Apple says that it is not sharing your fingerprints with the government, we've been kept in the dark about such things before.  I'll leave you to draw your own conclusions on that one.

But let's just say you're okay with Apple sharing your fingerprints with the NSA, as I've already told you, they're not private at all.  You leave them on everything you touch.  And let's say you're insistent on using fingerprint (biometric) technology because you can.  In that case, your fingerprints might identify you, much as a your email address or username identifies you, perhaps from a list.

I could see some value, perhaps, in a tablet that I share with my wife, where each of us have our own accounts, with independent configurations, apps, and settings.  We could each conveniently identify ourselves by our fingerprint.  But biometrics cannot, and absolutely must not, be used to authenticate an identity.  For authentication, you need a password or passphrase.  Something that can be independently chosen, changed, and rotated.  I will continue to advocate this within the Ubuntu development community, as I have since 2009.

Once your fingerprint is compromised (and, yes, it almost certainly already is, if you've crossed an international border or registered for a driver's license in some US states and countries), how do you change it?  Are you starting to see why this is a really bad idea?

There are plenty of inventions that exist, but turned out to be bad ideas.  And I think fingerprint readers are another one of those.

This isn't a knock on Apple, as Thinkpad have embedded fingerprint readers for nearly a decade.  My intention is to help stop and think about the place of biometrics in security.  Biometrics can be use used as a lightweight, convenient mechanism to establish identity, but they cannot authenticate a person or a thing alone.

So please, if you have any  respect for the privacy your data, or your contacts' information, please don't use fingerprints (or biometrics, in general) for authentication.

kthxbye,

:-Dustin