h a l f b a k e r yIt's the thought that counts.
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Tested the security of Android's Face Unlock feature today on my
Nexus 7 by holding up my phone with a photo of myself displayed
on
the screen. It unlocked immediately. I'm posting this as a warning
to any Android users on the HB who might be using this feature to
secure your device. Anyone
who
has a photo of you (or can snap
one as you walk by) can access your device.
[link]
|
|
Wow, did they seriously not think that through at all? |
|
|
That's what I was wondering. |
|
|
What you obviously need is a photo of someone else at the beginning, say Buster Keaton.
|
|
|
You then use that as "your face", and no matter how hard thieves try when they show a photo of you, it'll never unlock. |
|
|
That's brilliant... then even a clone couldn't get in. |
|
|
Not that I'm suggesting trying it but <link> |
|
|
Thanks for the heads up, but nobody uses Android
phones except for you. |
|
|
Ah, the perils of early adoption.
|
|
|
I think it'll be quite some time before face recognition software is able to tell the difference between a face and a picture of a face. |
|
|
this is clearly more for convenience than for security.
Can you do a mustache test or sunglasses test, [21]?
|
|
|
Also -- this is clearly not sufficient for denying your
kidnappers access -- but if you lose your phone,
unless you left your wallet with your driver's license
right next to it, how is someone getting that photo? |
|
|
Or a second, infrared picture -- would be a cool
feature on a phone, anyway.
|
|
|
I wonder if the cameras have enough zoom to look at
your iris |
|
|
// unless you left your wallet with your driver's license right next to it,
how is someone getting that photo?//
|
|
|
They might just have to wait until you call the phone looking for it,
but once they get your name all they have to do is find you on
Facebook/MySpace/Twitter and hold it up to your profile pic. But
you're overlooking the fact that pickpockets target smartphones a lot
these days because of the huge resell value (I've seen a Samsung
Galaxy S4 on Craigslist for over $300.00, $500.00 with accessories
and rooting included). A pickpocket will have plenty of opportunity,
as he stalks his mark, to snap a pic with his own phone's camera. |
|
|
that picture would be hard to use, I would think, [21] |
|
|
For you, maybe. A lot of folks have their own photo set as their profile
pic. And if your Facebook profile isn't set to 'private', I'm sure they
can find a photo of you in your albums, or in the albums of one of
your friends. |
|
|
ok, but the list of people who can make the connection between my face and my locked cell phone is pretty small, and frankly I think the chances are better than even that they also aren't going to steal it. |
|
|
yes, my point was that if it is locked, they don't
know whose picture they would need. |
|
|
Don't quote me on this, but I'm pretty sure that you can just do what they do with bricked phones at the store, force it to boot via the USB as a mass storage device and disable the boot lock. I imagine the dedicated thief, interested in the value of the content and not the hardware or potential exploitation of the phone itself would just do that. The ability to use the cellular network is tied to the SIM card which is not locked by any means, the overall phone can be wiped then cloned, so in the wrong hands this is virtually worthless. Frankly we are talking about preventing your acquaintances from becoming familiar with your private bizness and from the schlub who might instagram all your naughty photoz before smashing your phone on the railroad tracks. If it makes you feel good, do it, but don't put anything on your phone that you would really object to seeing made pubic because it is fundamentally insecure. |
|
|
// yes, my point was that if it is locked, they don't know whose
picture they would need//
|
|
|
Again, all they have to do is wait for someone to call the phone
looking for it and ask for your name on the pretense that they're
going to call the carrier to verify that you're the legitimate owner.
Once they have your name, they know within a pretty good statistical
likelihood who's picture they will need. |
|
|
This security flaw has been at least somewhat corrected on the Moto
X. It has an option for a 'liveness' check which requires you to blink
during the facial recognition process. |
|
|
//It has an option for a 'liveness' check
|
|
|
Can't help feeling that's unfair on ventriloquists in some way..cuts to Chuck and Bob's mind reading act.
|
|
|
Well, one obvious one would be to have the user gurn, then use that as the face...of course I'm aware that gurn control can be a contentious issue in some countries on the other side of the Atlantic. Or, in fact, the Pacific, remembering where I am now. |
|
| |