Root Causes 382: Mobile Phone Malware Steals Faces for Access
New malware photographs users' faces to defeat authentication mechanisms. We explain that biometrics are not "secrets" and discuss the continuing progression of attacks to steal biometrics.
- Original Broadcast Date: April 29, 2024
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Okay. So we are talking about a new malware for mobile phones, iOS and Android, named Gold Pickaxe. I think you can read about this a bunch of places. I'm looking at a Bleeping Computer article from February 15, 2024. Headline reads: New Gold Pickaxe Android, iOS Malware Steals Your Face for Fraud. Written by Bill Toulas. And what's the deal here, Jason?
-
Jason Soroko
Tim, this malware, it does a bunch of things. I think what's most interesting is that it will take a picture of your face and send it back to the bad guys. And what are they using that for? Well, as you can imagine, there are a lot of places where your facial biometric is used as a form of authenticator, Tim.
-
Tim Callan
Yeah. Absolutely.
-
Jason Soroko
And so the bad guys need a picture of your face. Pause and I am going to talk about something I talked about a long time ago with you, Tim. And that is - your face, your voice, your fingerprints, they are not secrets.
Authentication should be based on secrets. Whether they're symmetric secrets, username and password, right, or something you know as a secret, right? Which would be like a one-time password which is generated by some sort of a computing system. Or Tim, good old-fashioned PKI.
Right? Private key, public key secrets that are broken in half. Great. Your face is not a secret. And so any form of authentication that uses it is weak. And this malware proves it.
-
Tim Callan
Yeah. So there's this old adage that you hear where it's the thing you know, the thing you have, right, and that's the idea behind like, I use my phone plus my PIN or my laptop plus my PIN or my password. Those are the thing you know, the thing you have, but sometimes they say the thing you know, the thing you have, the thing you are. Right? And the idea there is they’ll substitute the thing you are usually for the thing you know. So you say, I don't need to put in a password if I use a fingerprint. I don't need to use a password if I have a picture of my face. But as you point out, those things aren't secrets.
-
Jason Soroko
They’re not secrets and that's why thing you know, thing you are, thing you have - I think that - - look, shoot me. I'm sure the security community would love to hang me from a high tree for saying it. I think that that old adage, Tim, is a little too simplistic. Because it leaves out what is a secret? And I can tell you what's not a secret. Your face. Your voice. Your fingerprints. They're not secrets.
-
Tim Callan
Yeah. So I, you know, I unlock my phone with my fingerprint.
-
Jason Soroko
Yep.
-
Tim Callan
And if someone could get my fingerprint, they could unlock my phone.
-
Jason Soroko
It's been proven many times. Here's why your fingerprint is used. And here's why it probably should be used in that case, Tim. It's because what are you actually protecting with the biometric on your phone? You're protecting that physical access use case. The old favorite, of course, is you forget your phone at the bar, you go into the bathroom, your phone's sitting on the bar, right? And what can be done to that phone? Well, unless somebody can very quickly come up with your biometric before you get back to have physical proximity to that device again, well, it basically keeps away that from a bad guy.
And in that case, it's kind of a perfect form of weak authentication because it's just good enough. It's just good enough to keep out people in a short proximity to the device.
And that's why it's used. But the problem, Tim, is it's overused. Biometrics are overused for other forms of authentication and that's the problem.
-
Tim Callan
Yeah. And this is actually very similar to something not quite in these terms that we've discussed in the past. When you and I had our series where we went through MFA options and talked about the ways they could be defeated, one of the things we kept saying over and over again is now this is better than nothing. Right? And then we would rattle off the ways it was better. It's going to help you with a password stuffing attack, right? And so you go, okay, if it's going to help you with, you know, a password reuse credential stuffing attack, that's better than nothing, but don't be confused to saying that's perfect lockdown security. I think you're saying the same thing here. Right? I accidentally leave my phone on the bar. It can't be unlocked by some stranger who's walking by. Right? But that isn't the same as saying that's a truly robust authentication method.
-
Jason Soroko
And that's why this malware is taking photos of you. That is why it's doing it. It's because there has been - - your face will be used in other places for forms of authentication. And the bad guy knows it. And it is harvesting that. So isn't it? Isn't it just crazy, Tim, that - - think about all, you know, we've had biometric conversations on this podcast before and we've talked about what are the chances of somebody taking a high enough resolution image of your face or your eye or whatever and have it used? And in this case, well, rather than having to send out - - I think one of the conclusions to that was well, that's very targeted. That's very, very targeted. Right. And so therefore, and I think that was the conclusion was, yes, your face is not a secret, but would somebody come along and actually take a photo of your face purposefully right, physically come around with a camera and photographing.
-
Tim Callan
And you start imagining Mission Impossible kind of scenarios.
-
Jason Soroko
And so I think you were the one who made a very good point, which was, Jay, that sounds very targeted. This would be a difficult attack to scale. And I had to agree with you. Well, guess what, Tim? They’re scaling it.
-
Tim Callan
Not anymore. Yeah, absolutely. They’re scaling it. And by the way, I don't know why this has to be limited to my face. I know this particular malware app is limited to my face, but you can equally easily steal fingerprints. Exact same way.
-
Jason Soroko
You know what? I think actually that may not be true, Tim. That may not be true because let's say the malware asks for you to do a biometric of your fingerprint. Did you know, a little known fact, both Android and iOS, actually only include a statistical version of your fingerprint in storage? And secondly, so in other words, and the access to it goes into a secure element?
-
Tim Callan
Sure. I was thinking I would socially engineer you. I'd give you an app that gave you an interface that made it look like you're biometrically authenticating your fingerprint but what you're really doing is allowing me to capture an image of it.
-
Jason Soroko
Well, I'll tell you what - if you were able to socially engineer somebody to hold their thumb up to the camera and get it perfectly focused, that's a heck of a social engineering, but I bet you it's happened.
-
Tim Callan
Yeah. Yeah. Or just, you know, imagine a fake fingerprint entry that's not the actual operating system. Right. So it's probably not that important to this conversation but, you know, I think those secrets are, you could imagine a scenario where they could steal those secrets. I've heard about biometrics, which are things like how you type in a specific phrase, because everybody's, you know, typing is unique. I don't know if that's really in use, but you could socially engineer someone to do that, right? All of these things, you could build an attack once you've got malware on the system where you ought to be able to steal these things.
-
Jason Soroko
That is very true. That is very true. So social engineering with apps like this can probably harvest all sorts of those behavioral biometrics and you're absolutely right to say that, Tim.
-
Tim Callan
So, what do we do?
-
Jason Soroko
So, the article that you pointed out in Bleeping Computer, and as you say, there are other ways to read it? I would say the interesting part of the story that we want to cover here, yes, yes, the article is warning people that this kind of malware exists. So be careful of what you're asked to do by fake apps. I'm going to say the only advice I have for people on this is if you read down to paragraph 9 million, right, the part of the article or article you'll probably never get to it might not ever say, yes it does, say iOS and Android malware but keep in mind, for iOS, you actually have to be jailbroken for this malware to exist, right. And therefore it is predominantly Android malware. That's number one. And I know the Android lovers out there, they think I'm the demon for saying that. It's just a fact. It's just a fact.
So number two is alright, this is the main message and boy are we ever good at burying the lead. But here's the main message.
I don't think the article should be most interesting to the average user of a phone. I think, security architects, you are enamored with biometrics, and I know why. It's because it's dead easy for the user. The user experience is just cheap as chips, right?
-
Tim Callan
No forgotten passwords, no helpdesk tickets, no people locked out of their systems and they can’t be productive. How wonderful.
-
Jason Soroko
Oh, how wonderful for you as the architect to not have any headaches. Except for the fact that, you know, it used to be difficult to scale facial biometrics. Well, today, we are now reporting on how the bad guy is scaling the solution to that problem. So as a security architect, here's my challenge to you. If you're authenticating a user, if you can't make something that's just as easy, if not easier than, say, WebAuthn, FIDO passkeys, right, how difficult is that to use? Not difficult. How difficult is the usage of leaf certificates for certificate-based authentication in the enterprise when you're able to provision those things with an MDM or some other means? Well, that's not difficult either. So why are we persisting, Tim, on using authentication methods that are maybe as good, if not less good of an authenticator than PKI-based authenticators that are vastly, vastly and I'll say it one more time, vastly superior. Answer that question.
-
Tim Callan
Yeah. That’s exactly right. That's the gist of it.
-
Jason Soroko
So, you know, when we talk about root causes, this is what we mean by this podcast. We are getting to the root cause. What is the problem? And the problem is, unfortunately, security architects using, you know, early 2000s methods of authentication just because it seems to be the thing to do and seems to be easy. Trust me folks. These forms of authentication should be deprecated. This malware proves why.
-
Tim Callan
Okay. Very much. Okay. Thank you, Jason.
-
Jason Soroko
Thank you.
-
Tim Callan
This has been Root Causes.