{"id":5958,"date":"2017-03-03T02:19:57","date_gmt":"2017-03-03T07:19:57","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5958"},"modified":"2017-09-24T18:36:07","modified_gmt":"2017-09-24T14:36:07","slug":"biometrcis-mwc-2017","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/biometrcis-mwc-2017\/5958\/","title":{"rendered":"Fingers and eyes at MWC 2017"},"content":{"rendered":"

We\u2019ve written about\u00a0insecure fingerprint sensors<\/a>\u00a0and other\u00a0biometric technologies<\/a>\u00a0a lot. We were\u00a0not alone<\/a>, of course.<\/p>\n

It looks like the fuss did some good. At Mobile World Congress (MWC) 2017 in Barcelona, many smart-sensor developers presented devices that are more secure than we might have expected.<\/p>\n

\"\"<\/p>\n

Fingerprint sensor evolution<\/h3>\n

IDEX, a Norwegian company that ships fingerprint sensors for LG and other companies, claims that the majority of its partner smartphone developers enable access to fingerprint sensors\u2019 data only within a secure environment.<\/p>\n

I talked to several fingerprint sensor makers at MWC, and all of them use a fully protected scheme for handling such data. In the beginning, \u201craw\u201d data from a fingerprint sensor is encrypted, then the system detects distinctive ridges, encrypts them as well, and sends to secure storage. All of these operations take place in a\u00a0trusted execution environment<\/a>\u00a0\u2014 an isolated space that cannot be accessed by any outer process.<\/p>\n

Yet, several sensor makers still let gadget companies decide if they want to use the protection mechanism. Regardless, data is always securely encrypted on the way from sensor to processor, and that\u2019s good: Previously, the main vulnerability of fingerprint reading technologies was right here.<\/p>\n

A sensor maker called CrucialTec decided to make biometrics even more \u2026 well, biometric, adding heart-rate sensors to fingerprint scanners. It\u2019s a protective measure: 3D-printed finger copies, plaster fingers, and even real fingers cut off of their owners will not work. The same holds true for simple copies of finger ridges created with a common printer.<\/p>\n

\"\"<\/p>\n

This system checks ridges to confirm that they are similar but doesn\u2019t unlock the smartphone until it detects a proper heartbeat. This is a serious step ahead in fingerprint authentication security. Resourceful criminals will no doubt find a way to trick this protection as well \u2014 for example, with a copy of a finger\u2019s ridges pressed to the scanner using the real, live finger of a different person \u2014 but it will be much harder.<\/p>\n

One Chinese company presented an unusual implementation: a fingerprint scanner built directly into the glass of a smartphone display. There were a few limitations: first, the only sample remained in China, and so the company could not show it. In addition they are not completely sure how users will understand which part of the display they should tap to get in \u2014 the sensor is not clearly visible! Last year\u00a0IDEX presented a similar idea<\/a>, but it seems that it didn\u2019t go further than a concept.<\/p>\n

By the way, developers say fingerprint sensors are not limited to gadgets; they can be built into door locks or car keys. Several companies offer flexible and very thin sensors that can be used as a part of banking card.<\/p>\n

\"\"<\/p>\n

The technology is implemented in various ways: For example, IDEX offers a scheme that does not require an additional supply of electricity, whereas CrucialTec builds a battery and a simple display into the card to show if the user is successfully authorized or not. The fingerprint sensor can be a good alternative to PIN codes: easier to use and harder to fake \u2014 it\u2019s very easy to spy a PIN when a person enters it.<\/p>\n

A little more biometry<\/h3>\n

Two years ago,\u00a0Qualcomm presented SenseID<\/a>\u00a0\u2014 more secure and quick ultrasonic fingerprints scanners. This time, the company offered another authentication method that scans your iris. Every person has unique irises, so this authentication method is quite reliable.<\/p>\n

Qualcomm\u2019s system is new, so it\u2019s built only into prototypes for now, but it works surprisingly well: quickly and without mistakes. In case you\u2019re wondering why this technology is so late in coming to the smartphone market, the reason is simple: Earlier cameras were too slow, and imaging processors were less powerful.<\/p>\n

By the way, Qualcomm\u2019s iris recognition system can distinguish a fake copy of an iris from a real eye. There was a surprisingly realistic 3D-printed face at the Qualcomm booth, and the software did not mistake it for a real one. As far as I understand, the system takes into account that eyes move a little all the time.<\/p>\n

\"\"<\/p>\n

It\u2019s noteworthy that the system can recognize irises even through big, black sunglasses. Unfortunately, Qualcomm refuses to explain how it achieved this result. All in all, iris recognition is much more secure than, for example, face recognition.<\/p>\n

However, it suffers from the same problem as the rest of biometric technologies do: Once criminals\u00a0find a way to steal and use biometric data<\/a>\u00a0(and they will surely try, if biometric ATMs become widespread), users will be stuck, not being able to change their faces, irises, or fingerprints. PINs and passwords can be changed in seconds.<\/p>\n

Several other interesting concepts from MWC 2017<\/h3>\n

We saw quite a lot of interesting innovations related to information security in Barcelona this year. For example, Qualcomm presented on-device machine-learning technology. This means that Snapdragon mobile processors have become so powerful that they can train neural nets. Qualcomm showed first steps in this direction last year, when it presented a solution that tried to recognize objects in pictures. Now this technology has developed into a universal engine that is compatible with many popular frameworks and given to developers.<\/p>\n

This is a step ahead: On-device machine learning can free users from having to send data to the cloud. And that brings privacy concepts to fields where privacy had become unimaginable, because usually machine learning requires cloud technologies \u2014 i.e., giving up our data. It\u2019s currently just an engine, not a consumer-ready solution.<\/p>\n

Well, one technology already uses it \u2014 a technology developed by (you guessed it) Qualcomm. It\u2019s called App Protect, and it enables implementation of heuristic algorithms for the detection of malicious applications at the hardware\u2013software level. Qualcomm considers an app malicious if it tries to do anything secretly \u2014 gathers users\u2019 location and contacts information, sends or intercepts SMSs, that sort of thing. App Protect helps to detect such apps and prohibit access to sensitive data. The technology is not a ready-to-use solution; it must be integrated into a security app. All in all, our\u00a0Kaspersky Antivirus and Security for Android<\/a>\u00a0does it efficiently at the software level.<\/p>\n

MWC 2017 more focused on security than in previous years. Today, you see the word \u201csecure\u201d at almost every booth. Even if things aren\u2019t really secure, the optics show that developers are starting to care more about protection.<\/p>\n

As for biometric authentication alone, this technology may overcome the many downsides it has now. It will never become fully secure \u2014 there\u2019s no such thing. But the steps we see are moving in the right direction, which gladdens us a lot.<\/p>\n","protected":false},"excerpt":{"rendered":"

We\u2019ve written about\u00a0insecure fingerprint sensors\u00a0and other\u00a0biometric technologies\u00a0a lot. We were\u00a0not alone, of course. It looks like the fuss did some good. At Mobile World Congress (MWC) 2017 in Barcelona, many<\/p>\n","protected":false},"author":696,"featured_media":5959,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[1295,1136,1137,1253,1296,1297,45],"class_list":{"0":"post-5958","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-banking-cards","9":"tag-biometrics","10":"tag-fingerprint-sensors","11":"tag-fingerprinting","12":"tag-gadgets","13":"tag-mwc-2017","14":"tag-smartphones"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/biometrcis-mwc-2017\/5958\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/biometrcis-mwc-2017\/8463\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/biometrcis-mwc-2017\/8973\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/biometrcis-mwc-2017\/10145\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/biometrcis-mwc-2017\/9874\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/biometrcis-mwc-2017\/14246\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/biometrcis-mwc-2017\/2999\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/biometrcis-mwc-2017\/14169\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/biometrcis-mwc-2017\/6772\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/biometrcis-mwc-2017\/6332\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/biometrcis-mwc-2017\/9854\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/biometrcis-mwc-2017\/14740\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/biometrcis-mwc-2017\/14246\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/biometrcis-mwc-2017\/14169\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/biometrcis-mwc-2017\/14169\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/banking-cards\/","name":"banking cards"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5958"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5958\/revisions"}],"predecessor-version":[{"id":6182,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5958\/revisions\/6182"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5959"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}