September 8, 2015

IFA 2015: security all the go


The new trend on IFA 2015 — a trade show for consumer electronics — is all about innovations in technological integrity. Developers chase after hardware superiority no more; instead they are making connections between our everyday life and technology.

IFA 2015 main trend is all about secured mobile technologies

For example, during a presentation from Kaspersky Lab, a man had a chip installed in his body. Now we carry gadgets on our wrists or in pockets, but in a few years, you’ll see that under-skin chips being widespread.

The Internet of Everything will take place of the Internet of Things (which is still very young though). In the global net every living being will have equal rights, as will a freezer or an iron.

This description can sound creepy, especially for fans of the ‘Matrix’ movie trilogy or for those who are familiar with the anti-utopia literature genre. And not without a reason: existing solutions are not secure enough. The pioneering software has numerous holes, which can be exploited by hackers for many reasons, including identity theft.

IFA 2015 main trend is all about secured mobile technologies

Rainer Bock — the third BionicMan in Kaspersky Lab

The data stored in current chips are protected by a 4-digit PIN, which means that it is very easy to hack it. Implanted chips have a humble performance (e.g., you can store only about 880 bytes of data). This also makes it significantly harder to protect them.

Of course, the best security is enabled by the action radius – roughly about 5 cm. A hacker would need to get really close to you to steal your data. But that’s a temporary limitation: when chips spread further, a criminal will be able go to a subway and harvest an upscale number of people’s’ IDS.

In the mean time smartphone manufacturers have adopted fingerprint sensor technology: this idea clearly sparks the imagination of market players, as now even B-level devices (such as Chinese ZTE) are equipped with biometric sensors.

New ways of using sensors are emerging. Earlier they did not work as an alternative for password-free authentication. When you failed to unlock your phone after a dozen tries, you had to enter your password any way — a commonplace situation, because first-generation sensors work was far from flawless.

So we had a non-working toy, used for nothing but dubious additional protection. Then Apple rattled up the morass: the company presented the Apple Pay system (which is yet to gain popularity) together with an acceptable sensor, which enabled authentication for the new payment system.

Now manufacturers compete inventing how to exploit a fingerprint image sensor innovatively. Huawei uses this technology in the Mate S model touch panels designed for image scrolling and call response. Sony implemented fingerprint authentication with the help of new ultrasound sensor Qualcomm SenseID (we’ve already written about it in the MWC post), and supported Fido services as well.

No, not the FidoNet, but FIDO Alliance — group of companies, which develop an integral network for password-free authentication. It can be implied for payments, website authentication and all other actions which require your digital ID.

FIDO uses the password-free UAF protocol (Universal Authentification Framework), which has a simple mechanism of work. While logging on, the system makes a link, which lets you use a gadget instead of a password; it also enables biometric authentication on a device, via a fingerprint, face or voice recognition, etc. You can also have mixed combinations of different factors for better security, because it would be hard for a criminal to fraud all biometric elements.

FIDO also uses the two-factor authentication solution U2X. It let’s you use a simple four-digit PIN together with a hardware encryption module. No more you need to be linked to one device; instead you can use different devices with the help of a key, e.g., enabled as a USB-token or as an NFC-tag for mobile devices. And an implanted chip can be used as such tag.

Then everything works as usual: two keys, private and public, are created. The first one is stored on a smartphone locally and is not sent to any third-party resource; the second key is used at authorization request. No passwords at al!

It doesn’t look like an innovation, but FIDO Alliance develops a common standard, which will be supported by all developers. Now this alliance includes more than 200 companies, including Visa, Mastercard, PayPal, Google, and Microsoft — so chances are high that this standard is the thing of the future.