
Otti Csaba: Security in our hands (?)


Formal Metadata

Title
Otti Csaba: Security in our hands (?)
Subtitle
Problems of a biometric identification technology
Alternative Title
Otti Csaba: Kézben a biztonság (?)
Egy biometrikus technológia problémái
Title of Series
Part Number
8
Number of Parts
29
Author
License
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Hand geometry identification is a widespread and widely usable technology that in certain cases can effectively replace counterparts that are less resistant to environmental conditions, yet only a few people know how it actually works. In our live demonstration we examine the advantages and disadvantages of the technology, expose its vulnerabilities, and carry out attacks that go beyond the technology itself.
Transcript: English (auto-generated)
Let me first introduce myself. We represent the university and even more back at the school where we have an institute for applied biometrics where we primarily deal with the biometrics and
all security devices where we actually certify them and look at their vulnerabilities. This presentation would not have been possible had our colleagues you see here not helped
us. Out of these six people, four of us are on stage. My friend in his wonderful hat and Sandra and Daniel, I myself and Daniel and all of you. A couple of words about today's presentation and why we are here and for how many times
we have been here. We have been at activity for five years now. It seems sort of a round number. Let's look back what happened in the past four years and you may perhaps understand why we think this event is important. What is our message to the world?
Why are we doing what we are doing? Every year we present devices and their vulnerabilities because we think they might be of interest, sometimes even spectacular, but what is the connection between the topics and again, what is our message with all of this?
First of all, the message is that systems are vulnerable and vulnerabilities are risks. An increased risk is constituted by the false sense of security that users may have when they trust devices and technologies.
I'm not only thinking of biometric devices and technologies, but even a simple mobile phone or a vehicle or whatever devices are around you, we have a false sense of security because we believe that those who designed it, those who implemented it, manufactured
it, held data as dear to their heart as we do our data. And what is the solution? This is also part of the message. You need to involve specialists to find the risks and then decrease that level of risk
to an acceptable level. And this is very much true and it's easy to prove because the past few weeks have had events that support these views that we have. We have picked four of the scandals, perhaps the loudest scandals of the past month and
we checked the security backgrounds and risks of these events and what our comments were beforehand.
It's not images that we store from the biometric samples, instead we store minutiae that are then used to create a code which is always irreversible.
You cannot get the fingerprint back from the minutiae. Hi. We did something but it doesn't seem to work from the laptop. My name is Shabbati and I was there on the small image.
What we have here is four years ago was the first time we were on stage for the first time in Milanese Park where we first talked about fingerprint identification systems
and we showed that the fingerprint as a biometric identification method, we showed the risks and security of this approach. Let me invite you to a small game. I'll tell you what the video is about and the question is whether you remember any
event that rings a, so does the video ring a bell? In the first one, five and a half million fingerprints have been stolen from the American
federal government. We believe it was more like 21 million but we don't have any confirmed information on that. The problem is that on these documents, these documents have the entire full fingerprint. It was not just minutiae that were on the paper, they were full fingerprints. Now, if somebody steals them, it's bad enough but even if you only have minutiae,
you can with roughly $300 purchase restore the initial fingerprint. That was the situation four years ago. The next one, okay.
This is a sensor sold in itself, a USB cable provides the data. You get an SDK for development work and this is a patent. It's easy to imagine that it's not the sensor but the software that is problematic.
Obviously if you don't have a firewall, then it's your fault. What do we see on this video? We see that the activity T-shirt does not show well on me so I was allowed to use a different shirt but a white hat. We showed a hand vein system.
This is currently the most secure technology worldwide. Fujitsu is developing it. It is perhaps the only security technology, at least the one in biometrics which has common criteria and what have we found as problems, we investigated three vendors.
Two of them did not implement security functionality which means that you could cheat with these devices. In the past couple of weeks, there was a problem with a pretty big manufacturer where
why did they not implement that function because it slowed the device down so they just, anybody remembers a device being slow and then security being not implemented?
We needed two things, two factors for the problem to occur. A malicious attack was one. A malicious code was hidden in the development environment and something else was needed, the human factor. We talk a lot about human factor because whenever we use any type of system, the human
factor plays a role since people are using it and as Csaba just mentioned, ease of use was the reason that this lack in security and this was needed for an otherwise normal
code to become a danger, a threat, a source of danger due to human action. Two years before, we checked face recognition systems, we presented several of them and one of them was a Chinese system so you get the biometrics image which then is used
to generate a biometric code that cannot be then restored into the image and also as an added functionality, it also saved the initial, the raw image and that was a beautiful
backdoor in it. I don't know whether you remember any backdoor issues in the recent past but let me help you go away, phones were the culprit.
I don't know why I wasn't that surprised about this. This is a very important thought that yes, these systems can contain backdoors and they must be investigated and last year, as András said, that's me, so if you start developing
based on the methodology and if you have solutions that decrease consumption, fewer
consumption, then some methods work better if you use the specific methodology than in real life. I don't want to go into what this actually means, let me stress just one thing.
If you have any technical device, you only get realistic data if you do the testing in realistic circumstances. You might have guessed that I was thinking about the Volkswagen problem.
Yes, we talked about this a year ago and this whole escalation, this current problem was based on that. We are also doing testing and certification and we must talk about what we minimally need to be able to talk about actual testing or investigation.
First of all, the measurement needs to have a goal and it needs to have some sort of methodology to achieve it and it must be reducible but above all things, it must reflect reality as well as possible.
We are talking about in this example a methodology that is 20 years old that wasn't even developed for the task it was being used for recently and it was not meant to be used on diesel engines at all.
This was then used as a basis and its escalation resulted in the horrific problem that Volkswagen currently faces. Let me now get into the main message that we want to talk about. This is one of the main core areas of our activities. In the background of all activities and problems that we have experienced in the
past months, so in the background was always some sort of software, software that was written with malicious intent or software that was not written with malicious intent but that contained vulnerabilities that malicious people used for malicious purposes and it's
important to talk about reasons here, causes. There are a couple of causes that I'd like to stress. One is that everybody is developing software, which is not a problem because this is the type of world we are living but these developed software will then access the most
different various types of data and they actually invade our lives. It couldn't be a vehicle, it can be a smartphone, it can be state-run systems, et cetera.
Also, there are no standards, procedures are lacking that should be adhered to and also the appropriate sanctioning, punishment is also missing, so we as users cannot be sure that what we get is up to specific requirements and a safety conscious attitude was behind designing them.
We think about, in a case, a lot of things that they are okay but they are oftentimes not. What is the solution? If we take the information security of an object or an organization to our heart, then yes,
we must involve organizations that have in-depth knowledge about the risks of that area and also about how they can be made more secure. If we do not do this, then the only party that will talk about the security of the product will be
the vendor but we are sure better off if you don't believe it. What can these scandals lead to? If we are not severely affected, then we must say that such scandals actually often catalyze changes.
Security awareness will seep into our everyday lives, into education, et cetera, et cetera, and will result probably in appropriate legislation as well. So we are the ones who need to build these systems and if we call ourselves white hat hackers,
then we must be leading this activity. We'd like to support this activity and once again, we'll show you one of our recent results, which is a biometrical technology that we hacked.
This is a hand map identification technology that we also attacked in software. Welcome everybody. My name is Chadar Kapitanya and after the introduction, it is hard to say anything
because obviously we said something four years ago, it happened. We said something three years ago, it happened. We said it last year, it happened. So I don't even dare to say anything this year but you heard that. We represent Oberlin University and Baki Donat High School. So we were thinking hard about introducing actually soothsaying into next year's curriculum.
Obviously, we would be successful. Andres, as promised, you have been accustomed to we will produce a live show here. A live show which will not turn away from this fortune telling or soothsaying
and will actually have something about the hand geometry. So we might say we'll tell the future from your hand but that might not be exactly the case. But for that, we need two volunteers to come here so as we can tell their future
from their hands or do something other magical. Is there anyone among you who for a very short time, three or four minutes, yes, you please come up here, use one of the stairs. Anyone else?
There they are, come on please, you're very welcome. You can also jump up on stage if you want. And while we prepare everything necessary for telling your fortune from your palm, Chaba will tell you in a few words what will happen here and what you actually see over there.
What is taking place here on stage now? This piece of equipment works in a way that it stores the three-dimensional image of the hand and it provides identification. A unique code has to be provided and if the image matches, you can go in.
If not, then not. In 1998, we came up with the first purchase I ever. This was placed in my table when I dropped out from college and started working and we have been working with this piece of equipment ever since. We might not recommend it for security purposes instantly, but there are areas
where we can achieve the best results with this piece of equipment, usually in an industrial circumstance to identify workers. Why isn't it a problem that you can actually go around these devices?
First of all, we can make them more secure, we're not sure that. But if anyone's interested, we can share with them. There are security systems where these devices have a place. If we're talking about a company with a couple thousand of employees and I want to guarantee more or less, that's only those who work there
because I don't know if you know that's a problem. The worker goes home, has a lot to drink and then hands his card over to his brother-in-law saying, oh, please go and take my place because I had too much to drink last night, which causes a lot of legal and other problems.
So if we have a device like this, a system like this that operates in a not so clean environment with lots of people, this can be very handy. While my colleagues are getting everything ready, I do have one more comment. We have unveiled the fingerprint and I must actually mention that this technology has its own place as well
because if I say this iPhone has introduced fingerprint identification and I ask the question, well, fine, I would not suggest that for a security chief to use as a single form of identification, but a 14, 15-year-old girl who takes selfies of herself loses the phone
and these phones can be put instantly on pages where they will be impossible to remove, therefore ruining the girl's life. I will say this, if a very simple means of identification like fingerprint identification
is placed on the phone, no one will have access to the content. And yes, this does carry an immense amount of significance in this application. Sandor, yes, I'm ready, although I do have some more stories.
In that case, I'll go to the pub and we can listen to your stories. I'd just like to share a few words on the technology that was introduced by Chabo as a device and as a logical device. And I'd like to share with you why this is capable of identification of biometric functioning. As a first thought, people just look at their palm, their hand,
and look at the hand of the individual next to them. And if they are most of the different sex, then the hand shape will be more or less similar, but it's only more or less. In fact, so more or less that it's absolutely not true because if we observe, if we examine the hand at an adequate resolution,
it has unique features which are capable of identification purposes. As you can see on this drawing, according to this drawing, 30 parameters can be defined on the hand length and width of the fingers,
size of the palm area, in the case of five fingers, as we do have four fingers on the thumb. This obviously multiplies. And if it provides these unique features, then we can have a similar unique image as in the case of an iris identification or fingerprint identification.
So this technology is capable of some sort of identification. If you've ever touched the hand of a strange lady instead of your girlfriend, you know it can have consequences. This device will not slap you on the face like your girlfriend would if she noticed this
or the other girl whose hand you held. But nonetheless, it will have consequences. Another question is that there are very many mirror symmetrical items in nature, one of these being the palms of our hands. There are situations when we put our palms together.
We actually perform such activities as well when the technology reviews to work. But if anyone tests this, you will see that the two hands are mirror symmetrical in a way that they can actually be substituted,
which means that if there's a problem with one of our hands, these are actually set for identification of the right hand, if you place the other hand in, they will be able to identify the hand as well, almost to the same extent. This is also included as a security function, as you will see or not see by the end of the presentation.
This was the theory, the biology behind our story, but let us see what identification methodology is lined up behind the device. Now we're going to go to the device itself more specifically.
Identification is not in fact real identification. In biometry, we differentiate between two types of identification. One is one compared to N. This is real identification from a given database. We can select which one it stands closest to.
This is excellent. If you have a huge database, it can cause a problem, or if the samples are not very different in the database, then it can perform misidentification. We've seen possibilities for that to happen.
In this case, we apply an identification of one-to-one, where we identify ourselves with a PIN code, and rendered to that, the device finds out if there's biometrical validation present here.
The real identification purpose is what you have heard so far. An image is created in an infra image. The parameters are made into a code by the system,
and during the identification, it compares the stored code and the code that was read. Based upon that, it decides whether identification was positive or negative.
The technology from that aspect is not exactly complicated, but even non-complicated technologies can face difficulties. Let us now look at the operation of the system. Those who visit our presentations regularly have probably seen a very similar slide in previous presentations.
What does all this look like? We have a technology, a device, a fingerprint identifier, a palm identifier. In this case, it's a hand geometry identifier. This device has characteristics, obviously, which can lead to various vulnerabilities. This communicates with some sort of control device.
The control device is not always physically separated from the device itself. Sometimes it's an incorporated device, similar to the way it is now. But it works according to a different line of thought. The biometrical part identifies, and the control device provides the information required based upon the identification, and controls the devices, sub-devices
that are also attached to the main device. This is operated from a software side, so it can be connected to a given network, and very many bad things can happen through this. It's true that the network and the software is good, or not good, or even less good.
And behind the software, there is something, in this case, a database, with which the software communicates, and with which it does something. In this case, it contains the user's event, this is what constitutes the soul of the whole story.
What we're going to deal with today is the following. On the one hand, we're going to deal with what takes place with the characteristic that the biometric identifier identifies, what's going on with the device, how vulnerable the device is,
to what extent it can be fooled, and unlike we usually do, we're going to deal with the database as well. We're going to examine what takes place in this situation. What we would like to know, what we would like to know of the whole system,
we ask three questions to ourselves, and others to ourselves. We'll say everyone number one, and can the boundaries of the biometry be overstepped? Can we do anything outside of biometrics? Can biometrical identity be stolen, and if so, how easily?
And can we circumvent this sort of control mechanism, and if so, how? Those with experience know what's our answer as well, but if you still might find our presentation interesting, now let's just turn to the presentation itself.
First, a few technical leads. Can the boundary biometrics be passed, be stepped over? What do you do when you ask yourself a question? Well, we first drank a beer, and then another one, and then another one, and then one more, and the end result of this was that we lay down underneath the starlit sky
and looked at the stars, whereupon we realized that if you think about Ursa Major, or Pegasus, you require a large amount of creativity to establish a constellation from these stars,
which are at a relatively large distance from each other. We had some help in our creativity, and we discovered, so far, undiscovered constellations, and this is the Great Right Hand constellation.
The constellation of the Great Right Hand has a very serious rule. We mapped it, and we established an answer that might suit our question. Well, before I turn to the answer,
let's just turn to the slide. What we see now is the device that we formulated from the constellation of the Great Right Hand. This is what I'm holding here in my hand. As you can see, it has something to do with the human hand, but you don't require a certain amount of creativity to be able to notice that this is indeed a hand.
Let's just turn to the other device and see what I can do through the camera. What we see now is a very simple biometrical identifier. Thank you very much for dimming the lights. This only serves the purposes of identifying in the infrared.
And this is when I have to keep on telling stories in the dark.
I'd like to ask for some more lights, and I'll do my best to narrate what's taking place. Even without the camera, we'll be able to see the main essence. What we'll try to do now is to record this constellation of the Great Right Hand into the device.
For that, you require a person without a good authorization, who is none other than myself at this given moment. I'll give it an adequate PIN code,
and then I'll like this one. I'll give it an even more beautiful PIN code then. And it asks me to place this constellation of Great Right Hands on the device. You do require some amount of skills.
I placed it for the third time on the device, and what you could not see without the camera was that the device said that the hand is acceptable.
So it's not to keep it this simple. You'll be able to see better when I identify this hand. I have to press the PIN code. And as I place the Great Right Hand in place, you'll see a green light, which means the device has given the goal forward for this piece of paper.
I know it doesn't look as spectacular as it's supposed to, but this constellation of the Great Right Hand is actually adequate for the device to interpret it as a hand.
Thank you very much. We can now turn back to the presentation. The question was can we actually go beyond the boundaries of biometrics? And the simple answer is yes.
Next question. Can identity be stolen? How can we steal identity very simply? All you need is a bit of scissors, a thicker piece of sponge, a device that can create an image.
This was actually a telephone originally, but here for the test we're going to use a better device and camera. You need a very simple word processing software, and that's all you need, practically. And what else you need to see at the edge of the picture is a very similar identifying surface
that is incorporated in these devices. Is it working? The hand? No, our hand cable was hacked. Okay, well, while we're waiting, I'll explain how we did it. We took a photograph of someone's hand who was in the device.
We took a scaled photograph from the top. Printing is the only risky part of the whole process because we had to make sure that the image printed is the exact equivalent in size of the original hand.
We applied certain tricks for that, expanding on the image, on the word processing software. We cut this out with the scissors, and as it does require some width, we placed this protective foil or sponge on top,
and this is what we placed in the device. This was identity theft. Whose code was 1990? This is your hand here, and we can see it's in 3D.
What we see here... No, sorry, what I'll tell you is a story that's very similar to what I previously told you. My colleague Daniel will punch in the PIN code, 1990. We'll place the hand in. We'll carefully place it in position,
and with the PIN code 1990, our colleague could enter. What does this mean? In any given identification situation, he has this. It will seem as if the original individual went in. And if I go in with my colleague's paper hand,
it seems that he is present. So the second question is whether identity can be stolen. The answer, in brief, is yes. And how difficult is it? As we presented, it wasn't told that it would need a camera, a pair of scissors, paper, and a printer.
Let me ask if we can demo with the database. Yes, we can do it. I'll tell you what's going to happen. The colleague will try to enter with his own code, with the 1990 code, and we'll see what will happen. We don't need a camera to do this.
The audience will be able to see it. What we want to achieve is the following. Everything that we did here, even the paper hand stuff,
should be replaced with something simpler. How can we do that? Surprisingly, behind the entire system, on the software side, there is the vendor's own software, plus there is a very old Access database.
And this old Access database is very easy to hack. What do we need? We need one password cracker that you can download from the Internet. The password is roughly 10 to 12 characters long. This is what we need to crack. It takes roughly 26.
Also, we need a database management version that is still able to normally handle this old database, and we need some little knowledge. This is what we provide. All we need to do is to
crack the password, export one table from the database into an existing empty database that we created. There we can actually access the table. We can open it. We can change properties. We can replace samples belonging to the individual users.
We can modify access rights, particularly everything. Once we did this, we send it back into the original database, into the so-called protected database, and we did it.
Let me show you that my colleague can access this device. Enter your code. Put your hand on it, please. Big green light, which means that he was accepted. He entered the system.
I'll show you that I, with my hand, cannot use his code to get into the system. Or anybody else can prove that. Okay, code has been already entered. Put your hand on it any way you want. So nothing happens. Andras cannot access the system with his hand.
Let me tell you about a specific system function, which is the special enrollment, which means that if somebody's hand is, there's a wound on it or something, a scar, a scab,
happens when you're a wood chucker, wood feller, then you can still add these colleagues to the system, which means that it does not do real biometric identification. You still have to enter the PIN code,
but then you put your hand on the device, then something happens and will then say, okay, person accepted. So that person cannot be accepted, but this means that with this code, anybody who knows about this fact can enter.
Instead of that person, if you know a special enrollment PIN code, which was this case, then you can access the system. What are we going to do now? We use this special enrollment
to use it as an identifier. This is also a template. You don't have to actually fight it too hard. You can put it into the database without any problem. Also, we will swap two samples. Andras's sample will be swapped for my colleague's sample.
And from now on, Andras will be able to get into the system as if he was the colleague.
Okay, so it was a reboot. There might be a cable problem.
Some more clicks and we'll get to the end of it. I'm sure that by the time the technology will be okay again and we can present what we wanted to. If anybody has one and a half hours spare time afterwards, then we can show it to him again.
Okay, what is the last step of this database trick? The last step is the following. Whatever we have on the machine in the database, that must be conveyed to the device. There is a base level communication between the two devices anyway.
We will actually do this actively, but it would happen also by default. It has not happened, so you will see what it shows. You will see whether Andras can enter the system with the 1990 code. Okay, I'm writing 1990.
If you read aloud, you can see. And lo and behold, it was green. So this was the cathartic event. I was missing the R's and the R's.
Okay, it might be good news that somebody can use my hand to enter a place without him hacking my hand off. I believe that and hope that we could convincingly demonstrate
the number of ways you can attack these technologies and devices and do believe us that it not only applies to this specific device, but to most of them. We have heard about the Huawei case, the Apple case,
the Volkswagen case, etc. The greatest names were dragged into the mud. What is the lesson from all of this? It is that vulnerabilities are all around us in our devices, in our software.
The only question is whether we know about them or not. What will be the outcome? It will be that we as plain users will also have to learn the basics of security,
just as we do in other areas of life. For instance, protection against car theft. 30 or 40 years ago we didn't have various anti-theft devices in our cars. We do now and this applies to a lot of other scenarios like this one.
This also should be part of the new curriculum and I believe that teaching this should begin in grade school. These children already use social networks
and we have no idea what they do with the data they access there. We, at our university and our institute, have the mission to make the world more secure, more security aware
and this knowledge is spreading within and outside the walls of the university. So in closing let me repeat our vision. A more security-cautious world is the goal. Thank you for listening to us and enjoy your meal.