
Sound-Based Device Authentication Has Many Possibilities (Video)

Roblimo posted about a year ago | from the it's-so-secret-we-don't-even-want-the-government-to-know-about-it dept.

Security 56

Imagine a short (audio) squawk, less than one second long, as a secure authentication method for cell phones or other mobile devices. A company called illiri has developed (and has a patent pending on) a method to do exactly that. The company is so new that its website has only been up for a month, and this interview is their first real public announcement of what they're up to. They envision data sent as sound as a way to facilitate social media, mobile payments (initially with Bitcoin), gaming, and secure logins. Couldn't it also be used for "rebel" communications, possibly by a group of insurgents who want to overthrow the Iranian theocracy? Or even by dissidents in Russia, the country our interviewee, illiri co-founder Vadim Sokolovsky, escaped from? (And yes, "escaped" is his word.) And, considering the way illiri hopes to profit from their work, should they think about open sourcing their work and making their money with services based on their software, along with selling private servers that run it, much the way Sourcefire does in its industry niche? Their APIs are already open, so moving entirely to open source is not a great mental leap for illiri's management. In any case: Is their idea worthwhile? Are there already ways to achieve the same results? Is illiri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living if their software was open source? (Transcript included)


Imagine (2)

Russ1642 (1087959) | about a year ago | (#44364001)

Ok, I'm imagining how stupid this is.

Re:Imagine (1)

rullywowr (1831632) | about a year ago | (#44364477)

You are not imagining. This is complete buffoonery.

Although it would be cool maybe one day if we could send authentications over say a phone line in the form of 1s and 0s...............NO CARRIER

Re:Imagine (2)

Russ1642 (1087959) | about a year ago | (#44364503)

These boneheads would probably implement it as a voice that actually says "one" "zero" "zero" "zero" "one" "one" "zero" "one" "zero" "one" "one" "one"

Re:Imagine (0)

Anonymous Coward | about a year ago | (#44364931)

I have the same combination on my luggage!

Re:Imagine (2)

Marxist Hacker 42 (638312) | about a year ago | (#44365165)

Sadly, so does a quarter of the human race [guardian.co.uk]

Re:Imagine (1)

jez9999 (618189) | about a year ago | (#44368687)

Hah, I kind of assumed banks would at least ban people from using the most obvious combinations like 1234 or 1111!

Re:Imagine (1)

Marxist Hacker 42 (638312) | about a year ago | (#44370459)

The thing that gets me is this- he was using computer passwords as a proxy, gathering from a variety of sources. And still, 2580 came up frequently. Which makes sense on an ATM or phone numeric keypad, but NOT on a standard keyboard numeric 10 key.

Worse yet, the 1234 thing extended on to 5 and 6 digit numeric passwords.

My Voice is My Passport (1)

Anonymous Coward | about a year ago | (#44364009)

Those who do not learn from Hollywood movies are doomed to repeat them.

Re:My Voice is My Passport (1)

rullywowr (1831632) | about a year ago | (#44364543)

Shit, it's the 90's all over again!

56k modem technology, dot-com wannabee companies, and getting "ill"iri. Pass me a Zima and tell mom to order another 60 minutes of AOL online! I'm off to play Doom now.

Flatulence (0)

Anonymous Coward | about a year ago | (#44364061)

I would authenticate with a fart, but, there's so many apps out there... I'm afraid it would be cracked too easily.

OK (0)

Anonymous Coward | about a year ago | (#44364069)

Sounds like Blue Box 2.0 to me :)

PATENTED? HA! (4, Funny)

dmitrygr (736758) | about a year ago | (#44364073)

using sound to send data....sort of like a modem?

Re:PATENTED? HA! (0)

Anonymous Coward | about a year ago | (#44364163)

access key... like in the movie Prometheus where a flute is used?!

Re:PATENTED? HA! (2)

steveb3210 (962811) | about a year ago | (#44364923)

Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence, authorization Worf 3-7 Gamma Echo.

Re:PATENTED? HA! (0)

Anonymous Coward | about a year ago | (#44364175)

You seem to be implying that prior art or conflict with other patents matters at all in a money-spending contest.

Re:PATENTED? HA! (1)

girlintraining (1395911) | about a year ago | (#44364229)

using sound to send data....sort of like a modem?

No no, this is totally different... instead of a modem connected to the phone, the phone is now the modem! See! Totally different! Somebody bring me my pile of gold now. kthxbai!

Re:PATENTED? HA! (1)

icebike (68054) | about a year ago | (#44364283)

using sound to send data....sort of like a modem?

Except far easier to eavesdrop on.
It was intended that you could add data transmission to any phone call, Skype chat, or phone call or simply device to device (audio NFC).

Without heavy encryption, it provides no security.

Without some form of bi-directional exchange of public keys, you have no way to add encryption.

But unless, or until it includes some fairly strong encryption and an authentication mechanism nobody is going to trust it because man in the middle / eavesdropping on both ends of the conversation becomes child's-play.

Re:PATENTED? HA! (0)

Anonymous Coward | about a year ago | (#44372665)

It might be not that easy - the sound transmits a session id that changes with each transmission, recording it is useless. And the data is transmitted via TLS/SSL.

Re:PATENTED? HA! (0)

Anonymous Coward | about a year ago | (#44364425)

Nice joke. What I think is funny is how this algorithm is described as a method, despite being just an algorithm, because it needs to be patented.

Nice slashvertisement though

Prior Art (3, Interesting)

nullchar (446050) | about a year ago | (#44364663)

Near_sound_data_transfer [wikipedia.org] is already implemented and sold by TagAttitude [tagattitude.fr].

Audio data transfer in Android is discussed in this stackoverflow [stackoverflow.com] post which mentions this slideshow [slideshare.net].

This dude [ideawide.com] posted his same idea over a year ago.

Modem-style data transfer between smartphones is a cool idea - but the software and protocol would need to be ubiquitous (read: open). If only a few apps or devices support this tech, it's no different from requiring hardware like NFC or software to support a bluetooth data sharing connection.

Re:Prior Art (1)

icebike (68054) | about a year ago | (#44365095)

Well he already has an api available so that eliminates your last paragraph entirely.

And your NFC does not allow you to send data over Skype or a telephone, nor does it allow you to send it to a desktop computer with no NFC chip.
Audio encoded data solves all of those problems with nothing but common speakers and microphones.

To the extent it is do-able and can be encrypted it may be quite useful as would any of the other methods you cited. There is nothing new about sending data as audio. Fax machines and dial up modems do this every day. It can't be patented, no matter what the French say.

What is new here is the totally cross platform implementation, requiring nothing more than a commonly available speaker and a mic.

If you add Public/Private key encryption you could send data over any ad hoc voice capable channel.
But without encryption, you got nothing worth implementing. And with only server side encryption, you get pwned.

Re: Prior Art (0)

Anonymous Coward | about a year ago | (#44365763)

The 2008 game Bangai-O Spirits used the speakers and microphone of the Nintendo DS to transfer custom level designs. You could post an audio clip to eg. Youtube, hold your DS up to the PC's speakers and download the level to your game. That sounds like cross-platform audio-based data transfer to me.

Re:Prior Art (1)

nullchar (446050) | about a year ago | (#44367445)

Public Key Infrastructure (PKI) needs to be built into the APIs from day one. There shouldn't be a non-encrypted version available to developers or users.

Of course, anything using cryptography must be open source (and in a library available to my app, not only as a "cloud-based" API unless it only accepts encrypted data, no way can it have access to my private key).

There are lots of APIs available, but developers need to implement applications with them.

More Prior Art (1)

az1324 (458137) | about a year ago | (#44366961)

Re:More Prior Art (1)

nullchar (446050) | about a year ago | (#44367317)

I knew there was a slashdot story about this! I failed in my quick search. Thanks for the link.

Wow. (1)

Dzimas (547818) | about a year ago | (#44364117)

So instead of initiating a digital handshake between two devices, I encode the digital handshake information onto an audio carrier, play it through a speaker, capture it with a microphone, and finally re-encode it back into its original form. Why on earth would I opt for this bizarre technology instead of WiFi, Bluetooth or other low power NFC techniques?

Re:Wow. (2)

ultrasawblade (2105922) | about a year ago | (#44364271)

Because this would not use any traceable/loggable data network and may work in a situation where there is the cover of noise.

Re:Wow. (1)

ultrasawblade (2105922) | about a year ago | (#44364281)

Or I guess it would not use any data network if it didn't contact a server. In the Slashdot tradition I haven't RTFI.

Re:Wow. (2)

fisted (2295862) | about a year ago | (#44365249)

RTFW?

Re:Wow. (1)

Dzimas (547818) | about a year ago | (#44364389)

But short-range peer-to-peer radio between two devices would be at least as secure as an audio squawk between those same two units - either technique can be bugged or spooked.

Re:Wow. (1)

Em Adespoton (792954) | about a year ago | (#44365091)

But short-range peer-to-peer radio between two devices would be at least as secure as an audio squawk between those same two units - either technique can be bugged or spooked.

Ah; but used as a broadcast method, it's actually pretty interesting, as it will be picked up by video cameras etc. and can be replayed in a different location at another time. Useful steganographic method, as long as the transmission uses a secure key.

This made me think of another data transfer method though -- since pretty much all smartphones have a vibrate mode and an accelerometer now, why not transfer data via vibration? Stick one phone on top of the other to communicate. Very difficult to intercept; you could even hide one of the phones under a table and leave it broadcasting, and likely nobody would notice.

Re:Wow. (0)

Anonymous Coward | about a year ago | (#44366685)

Yeah that sounds fun, until 2 $500 phones fall off a table.

Re:Wow. (0)

Anonymous Coward | about a year ago | (#44364325)

Because those require specific hardware to use.

Re:Wow. (1)

profplump (309017) | about a year ago | (#44364745)

So does this. You're just assuming people already have that hardware.

punctuation (1)

fche (36607) | about a year ago | (#44364193)

How many question marks is too many in the posting teaser? One? Two? Three? How about seven?

Wolf Howls (0)

Anonymous Coward | about a year ago | (#44364221)

Now that we can identify a wolf howl with 100% accuracy, why not use those instead?

That would make for an awesome login sound for everyone everyday.

On flags of the colour "red" (3, Insightful)

HeckRuler (1369601) | about a year ago | (#44364335)

I think it's interesting how many alarm bells this post sets off in my head.

First off, it's a long format Slashdot article, and it's not an "ask slashdot" nor a book review. Slashdot TV? is that still a thing? Why are they selling this company?
It reads like an ad and uses the language thereof: "Imagine", "envision", "a way to facilitate", "Initially with Bitcoin",
And.... is that trying to spin the shoddy website as a good thing?
And the format of the video and interview is also just... cheap.

Is their idea worthwhile? Are there already ways to achieve the same results? Is illiri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living if their software was open source?

See Betteridge law of headlines. [wikipedia.org]

Then there's the obvious problem with the basic fundamental gimmick: Anyone with a recorder nearby now has your password. The thing about secrets that are supposed to stay between you and the authenticator is that the transfer point is REALLY important. Pin numbers, passwords and all that jazz are a pain in the ass, but a noise? Anyone with an audio recorder now has your password. If you can put a device up next to their mic, then there are much more secure ways to have your device hand it some information.

This is just so.... so... this is a joke right? Some sort of meta-humor on slashdot?

Re:On flags of the colour "red" (0)

Anonymous Coward | about a year ago | (#44364517)

it should be fairly easy to do a public key exchange to encode the handshake. This is nothing new, like, nothing, except perhaps a higher bitrate. However, that too is sketchy. I'd guess 5-7 seconds would be the minimum in a noise environment, assuming any sort of "security", much less robust security.

Re:On flags of the colour "red" (1)

Em Adespoton (792954) | about a year ago | (#44365209)

it should be fairly easy to do a public key exchange to encode the handshake. This is nothing new, like, nothing, except perhaps a higher bitrate. However, that too is sketchy. I'd guess 5-7 seconds would be the minimum in a noise environment, assuming any sort of "security", much less robust security.

Don't worry... even though the first version will only be 300 baud, they'll get a new version up to 1200 baud in a few months, followed a year later by 2400 baud. Each of these bitrates will need to add on to the initial handshake of the previous one so that the receiver and sender will know which frequency they're transmitting at of course.

And yes, I always used to set my modem to have the speaker on during handshake :)

I just got an idea for a new set of ringtones.... thanks slashdot!

Re:On flags of the colour "red" (0)

Anonymous Coward | about a year ago | (#44364619)

Disclaimer: I haven't studied this particular system at all.
Your claims that "Anyone with a recorder nearby now has you password" and "the transfer point is REALLY important" are not correct in general. Secure authentication is made over insecure channels all the time using public key cryptography. Audio could work just as well as TCP/IP as a channel for a normal HTTPS handshake, by using a private key to sign data. Again, I don't know if they're planning on just broadcasting a password, but what they should do is cryptographic signing.
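
The point raised in this comment and in the earlier "session id that changes with each transmission" reply, shown as an added example that is not part of the thread and not illiri's system: a fresh single-use challenge makes a recorded squawk worthless on replay. `Verifier`, `respond`, `CHALLENGE_TTL` and the device name are hypothetical, and HMAC with a shared key from the standard library stands in for the private-key signature the comment proposes.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 5.0  # seconds a challenge stays valid (assumed value)


class Verifier:
    """Receiving side: issues one-time challenges and checks responses."""

    def __init__(self, device_keys):
        self._keys = device_keys   # device_id -> shared secret (bytes)
        self._pending = {}         # challenge -> (device_id, expiry)

    def issue_challenge(self, device_id, now=None):
        now = time.monotonic() if now is None else now
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = (device_id, now + CHALLENGE_TTL)
        return challenge

    def verify(self, device_id, challenge, response, now=None):
        now = time.monotonic() if now is None else now
        # pop() makes the challenge single-use: a replayed squawk finds nothing.
        entry = self._pending.pop(challenge, None)
        if entry is None:
            return "rejected: unknown or already used challenge"
        expected_device, expiry = entry
        if expected_device != device_id or device_id not in self._keys:
            return "rejected: wrong device"
        if now > expiry:
            return "rejected: challenge expired"
        expected = respond(self._keys[device_id], device_id, challenge)
        if not hmac.compare_digest(expected, response):
            return "rejected: bad response"
        return "accepted"


def respond(key, device_id, challenge):
    """Device side: bind the response to this device and this challenge."""
    msg = device_id.encode() + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    verifier = Verifier({"phone-1": key})
    results = []

    # Legitimate login: challenge out, response back, both over open audio.
    c1 = verifier.issue_challenge("phone-1", now=0.0)
    r1 = respond(key, "phone-1", c1)
    results.append(verifier.verify("phone-1", c1, r1, now=1.0))

    # A listener replays the recorded (c1, r1) pair.
    results.append(verifier.verify("phone-1", c1, r1, now=2.0))

    # The old recording is offered against a fresh challenge.
    c2 = verifier.issue_challenge("phone-1", now=3.0)
    results.append(verifier.verify("phone-1", c2, r1, now=3.5))

    # The genuine device answers after the challenge has expired.
    c3 = verifier.issue_challenge("phone-1", now=10.0)
    r3 = respond(key, "phone-1", c3)
    results.append(verifier.verify("phone-1", c3, r3, now=20.0))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```
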

Re:On flags of the colour "red" (1)

HeckRuler (1369601) | about a year ago | (#44365053)

. . . right. Yeah, I didn't think about that too hard did I?
Ignore that part about secrets and authenticators.

Sorry, I had it in my head that it was a one-way communication of their program to... whatever it is they plan on having. I think they want both ends to send and receive audio. So two people have their cell phones kiss for a while.

Re:On flags of the colour "red" (1)

mjwx (966435) | about a year ago | (#44367903)

See Betteridge law of headlines. [wikipedia.org]

One day I'm going to publish an article titled "Does This Article Prove Betteridge's Law Of Headlines?" just to mess with people who quote Betteridge's law of headlines.

Re:On flags of the colour "red" (1)

wonkey_monkey (2592601) | about a year ago | (#44368337)

Does This Headline Conform to Betteridge's Law Of Headlines?

Re:On flags of the colour "red" (1)

mjwx (966435) | about a year ago | (#44368413)

Does This Headline Conform to Betteridge's Law Of Headlines?

At this point I'd write it as "Does This Headline Conform to Betteridges Law Of Headlines." just to annoy Grammar Nazi's as well.

How does it cope with transcoding? (0)

Anonymous Coward | about a year ago | (#44364341)

Since most networks are VoIP now, and a lot of international traffic goes with g729a / 20ms ptime codec, how well would it cope with lossy transcoding and or jitter / packet loss? On the one hand this kind of tech could be really useful for developing countries which aren't very well connected, 3G / Wifi wise (Madagascar, RDC, etc). But on the other hand these countries have _big_ audio issues sometimes so I wonder if some kind of redundancy is built in the protocol to cope with hostile conditions.

Reminds me of a two-factor authentication system.. (1)

mlts (1038732) | about a year ago | (#44364431)

A while back, someone made a system that could go on a credit card that would play what sounded like a brief burst of static. This was used similar to a one-way car remote as a way to have a second authentication factor.

Of course, this might work and needs no additional hardware other than an ADC and DAC that are fairly accurate.

The downside is additional noise pollution. Maybe frequencies that are out of the normal human range can be used, but that narrows the amount of bandwidth the device can use to transmit/receive data with.

Ideally, we should just move to NFC. Using sound is a lowest common denominator type of way to do authentication and key exchanges. It does work, but so does Kermit over a 300 baud modem... we have better protocols and technology at our disposal.

Re:Reminds me of a two-factor authentication syste (1)

Em Adespoton (792954) | about a year ago | (#44365243)

A while back, someone made a system that could go on a credit card that would play what sounded like a brief burst of static. This was used similar to a one-way car remote as a way to have a second authentication factor.

Of course, this might work and needs no additional hardware other than an ADC and DAC that are fairly accurate.

The downside is additional noise pollution. Maybe frequencies that are out of the normal human range can be used, but that narrows the amount of bandwidth the device can use to transmit/receive data with.

Ideally, we should just move to NFC. Using sound is a lowest common denominator type of way to do authentication and key exchanges. It does work, but so does Kermit over a 300 baud modem... we have better protocols and technology at our disposal.

Here's my idea: set the tone at a pitch that causes dogs to howl... then encode the information in the dog's howl (after calibration of course), not the original sound. Using a canine as a second factor sounds interesting to me....

I'm clearly missing something... (1)

MrLizard (95131) | about a year ago | (#44364433)

So, it's sound? What's sound, to a computer? A pattern of bytes. What makes this pattern of bytes harder to duplicate/hack than any other pattern of bytes? If I'm following this right, you record a sound, and it's a file on your phone. Someone can steal that file if they could steal any other file. Even more, they can steal it easily when you use it, since the sound will be audible. Isn't this like having to speak your password out loud where anyone can hear it?

If multiple people are using this in a crowded area, how do the audio inputs sort out which sound is the one for the current, active, transaction? Looking for a single sound that fits a given pattern amongst background noise that doesn't seems like a reasonable algorithm to write. Guessing which sound, out of *many* that fit the pattern, is the one you're listening for... that seems a lot harder to me. But I have never written pattern recognition algorithms, or studied them, so I could be way off.

I want to give everyone involved the benefit of the doubt and assume I'll be emitting a "D'oh!" when someone explains to me why this is the best idea since the sliced light bulb. Until someone explains my ignorance to me, I can't shake the feeling that the goal is to excite investors who just see "ground floor buzzword of hot new buzzword with buzzword and also buzzword which buzzwords the buzzword!". Tell me why this isn't the case. Use small words, please. What does this offer no existing technology does? How is it faster, safer, more flexible? Given the long time from announcement to commercial product, how will it compete with other methods that will use that time to become even more entrenched and leapfrog any improvements this may offer?

Re:I'm clearly missing something... (0)

Anonymous Coward | about a year ago | (#44364661)

You're exactly right when it comes to figuring out who should transmit and competing signals. Wifi has all this built in. If you are having trouble with the signal move to another channel. Only one person can either transmit or receive at a time on a channel. Else you have errors, so there are random timers built into the protocol. So essentially if they want this to be popular, it's just going to be wifi that you can hear.

Can we say, "Prior Art"? I knew we could! (0)

Anonymous Coward | about a year ago | (#44364605)

Umm...

Remember books? Those heavy, blocky things made up of hundreds of layers of thin sheets of cellulose fibre? With markings, symbols and images on each sheet?

Books have so much information preserved within their covers. That information spans quite a bit of time-space.

Referencing just a couple books...

It looks like all the claims are covered by prior art from all over the world going back at least 100 years.

This had better be some novel, unique integration that no one has ever imagined before or it will be challenged.

Re:Can we say, "Prior Art"? I knew we could! (1)

kermidge (2221646) | about a year ago | (#44372895)

If there is any advantage whatsoever in being dim-witted, stupid, and ill-informed it's that I can find what Illiri does to be interesting. (And yes, the first thing I thought of was listening to my old Zoom modem initiate handshake.)

Google: Sound based data transmission (1)

Maximum Prophet (716608) | about a year ago | (#44364643)

gets About 7,290,000 results

I think there is prior art.

Watch me whistle into this phone... (1)

Gavin Scott (15916) | about a year ago | (#44364825)

...and post on Facebook!

G.

(though it was more fun to light up the carrier detect indicator on old 300 baud modems this way)

Re:Watch me whistle into this phone... (0)

Anonymous Coward | about a year ago | (#44365323)

...and post on Facebook!

G.

(though it was more fun to light up the carrier detect indicator on old 300 baud modems this way)

Reminds me of sending +++ath in the TCP wrapper of a ping request many moons ago.... easy way to tell who /was/ on dialup on IRC.

I have a copy of Werner Brandes login. (1)

Joe_Dragon (2206452) | about a year ago | (#44366141)

Hi, my name is Werner Brandes. My voice is my passport. Verify Me.
