Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sound-Based Device Authentication Has Many Possibilities (Video)

Posted by Roblimo on from the it's-so-secret-we-don't-even-want-the-government-to-know-about-it dept.

Imagine a short (audio) squawk, less than one second long, as a secure authentication method for cell phones or other mobile devices. A company called illiri has developed (and has a patent pending on) a method to do exactly that. The company is so new that its website has only been up for a month, and this interview is their first real public announcement of what they're up to. They envision data sent as sound as a way to facilitate social media, mobile payments (initially with Bitcoin), gaming, and secure logins. Couldn't it also be used for "rebel" communications, possibly by a group of insurgents who want to overthrow the Iranian theocracy? Or even by dissidents in Russia, the country our interviewee, illiri co-founder Vadim Sokolovsky, escaped from? (And yes, "escaped" is his word.) And, considering the way illiri hopes to profit from their work, should they think about open sourcing their work and making their money with services based on their software, along with selling private servers that run it, much the way Sourcefire does in its industry niche? Their APIs are already open, so moving entirely to open source is not a great mental leap for illiri's management. In any case: Is their idea worthwhile? Are there already ways to achieve the same results? Is illliri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living if their software was open source? (Transcript included)

56 comments

  1. Imagine by Russ1642 · · Score: 2

    Ok, I'm imagining how stupid this is.

    1. Re:Imagine by rullywowr · · Score: 1
      You are not imagining. This is complete buffoonery.

      Although it would be cool maybe one day if we could send authentications over say a phone line in the form of 1s and 0s...............NO CARRIER

    2. Re:Imagine by Russ1642 · · Score: 2

      These boneheads would probably implement it as a voice that actually says "one" "zero" "zero" "zero" "one" "one" "zero" "one" "zero" "one" "one" "one"

    3. Re:Imagine by Anonymous Coward · · Score: 0

      I have the same combination on my luggage!

    4. Re:Imagine by Marxist+Hacker+42 · · Score: 2

      Sadly, so does a quarter of the human race

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    5. Re:Imagine by jez9999 · · Score: 1

      Hah, I kind of assumed banks would at least ban people from using the most obvious combinations like 1234 or 1111!

      --
      == Jez ==
      Do you miss Firefox? Try Pale Moon.
    6. Re:Imagine by Marxist+Hacker+42 · · Score: 1

      The thing that gets me is this- he was using computer passwords as a proxy, gathering from a variety of sources. And still, 2580 came up frequently. Which makes sense on an ATM or phone numeric keypad, but NOT on a standard keyboard numeric 10 key.

      Worse yet, the 1234 think extended on to 5 and 6 digit numeric passwords.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  2. My Voice is My Passport by Anonymous Coward · · Score: 1

    Those who do not learn from Hollywood movies are doomed to repeat them.

    1. Re:My Voice is My Passport by rullywowr · · Score: 1
      Shit, it's the 90's all over again!

      56k modem technology, dot-com wannabee companies, and getting "ill"iri. Pass me a Zima and tell mom to order another 60 minutes of AOL online! I'm off to play Doom now.

  3. Flatulence by Anonymous Coward · · Score: 0

    I would authenticate with a fart, but, there's so many apps out there... I'm afraid it would be cracked too easily.

  4. OK by Anonymous Coward · · Score: 0

    Sounds like Blue Box 2.0 to me :)

  5. PATENTED? HA! by dmitrygr · · Score: 4, Funny

    using sound to send data....sort of like a modem?

    --
    -------
    1. Enjoy your job
    2. Make lots of money
    3. Work within the law

    Choose any two.
    1. Re:PATENTED? HA! by Anonymous Coward · · Score: 0

      access key... like in the movie Prometheus where a flute
      is used?!

    2. Re:PATENTED? HA! by Anonymous Coward · · Score: 0

      You seem to be implying that prior art or conflict with other patents matters at all in a money-spending contest.

    3. Re:PATENTED? HA! by girlintraining · · Score: 1

      using sound to send data....sort of like a modem?

      No no, this is totally different... instead of a modem connected to the phone, the phone is now the modem! See! Totally different! Somebody bring me my pile of gold now. kthxbai!

      --
      #fuckbeta #iamslashdot #dicemustdie
    4. Re:PATENTED? HA! by icebike · · Score: 1

      using sound to send data....sort of like a modem?

      Except far easier to eavesdrop on.
      It was intended that you could add data transmission to any phone call, skype chat, or phone call or simply device to device (audio NFC).

      Without heavy encryption, it provides no security.

      Without some form of bi-directional exchange of public keys, you have no way to add encryption.

      But unless, or until it includes same fairly strong encryption and an authentication mechanism nobody is going to trust it because
      man in the middle / eavesdropping on both ends of the conversation becomes child's-play.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:PATENTED? HA! by Anonymous Coward · · Score: 0

      Nice joke. What I think is funny is how this algorithm, is described as a method, despite being just an algorithm, because it needs to be patented.

      Nice slashvertisement though

    6. Re:PATENTED? HA! by steveb3210 · · Score: 2

      Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence, authorization Worf 3-7 Gamma Echo.

    7. Re:PATENTED? HA! by Anonymous Coward · · Score: 0

      It might be not that easy - the sound transmits a session id that changes with each transmission, recording it is useless. And the data is transmitted via TLS/SSL.

  6. Wow. by Dzimas · · Score: 1

    So instead of initiating a digital handshake between two devices, I encode the digital handshake information onto an audio carrier, play it through a speaker, capture it with a microphone, and finally re-encode it back into its original form. Why on earth would I opt for this bizarre technology instead of WiFi, Bluetooth or other low power NFC techniques?

    1. Re:Wow. by ultrasawblade · · Score: 2

      Because this would not use any traceable/loggable data network and may work in a situation where there is the cover of noise.

    2. Re:Wow. by ultrasawblade · · Score: 1

      Or I guess it would not use any data network if it didn't contact a server. In the Slashdot tradition I haven't RTFI.

    3. Re:Wow. by Anonymous Coward · · Score: 0

      Because those require specific hardware to use.

    4. Re:Wow. by Dzimas · · Score: 1

      But short-range peer-to-peer radio between two devices would be at least as secure as an audio squawk between those same two units - either technique can be bugged or spooked.

    5. Re:Wow. by profplump · · Score: 1

      So does this. You're just assuming people already have that hardware.

    6. Re:Wow. by Em+Adespoton · · Score: 1

      But short-range peer-to-peer radio between two devices would be at least as secure as an audio squawk between those same two units - either technique can be bugged or spooked.

      Ah; but used as a broadcast method, it's actually pretty interesting, as it will be picked up by video cameras etc. and can be replayed in a different location at another time. Useful steganographic method, as long as the transmission uses a secure key.

      This made me think of another data transfer method though -- since pretty much all smartphones have a vibrate mode and an accelerometer now, why not transfer data via vibration? Stick one phone on top of the other to communicate. Very difficult to intercept; you could even hide one of the phones under a table and leave it broadcasting, and likely nobody would notice.

    7. Re:Wow. by fisted · · Score: 2

      RTFW?

      --
      CLI paste? paste.pr0.tips!
    8. Re:Wow. by Anonymous Coward · · Score: 0

      Yeah that sounds fun, until 2 $500 phones fall off a table.

  7. punctuation by fche · · Score: 1

    How many question marks is too many in the posting teaser? One? Two? Three? How about seven?

  8. Wolf Howls by Anonymous Coward · · Score: 0

    Now that we can identify a wolf howl with 100% accuracy, why not use those instead?

    That would make for an awesome login sound for everyone everyday.

  9. On flags of the colour "red" by HeckRuler · · Score: 3, Insightful

    I think it's interesting how many alarm bells this post sets off in my head.

    First off, it's a long format Slashdot article, and it's not an "ask slashdot" nor a book review. Slashdot TV? is that still a thing? Why are they selling this company?
    It reads like an ad and uses the language thereof: "Imagine", "envision", "a way to facilitate", "Initially with Bitcoin",
    And.... is that trying to spin the shoddy website as a good thing?
    And the format of the video and interview is also just... cheap.

    Is their idea worthwhile? Are there already ways to achieve the same results? Is illliri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living if their software was open source?

    See Betteridge law of headlines.

    Then there's the obvious problem with the basic fundamental gimmick: Anyone with a recorder nearby now has you password. The thing about secrets that are supposed to stay between you and the authenticator is that the transfer point is REALLY important. Pin numbers, passwords and all that jazz are a pain in the ass, but a noise? Anyone with a audio recorder now has your password. If you can put a device up next to their mic, then there are much more secure ways to have your device hand it some information.

    This is just so.... so... this is a joke right? Some sort of meta-humor on slashdot?

    1. Re:On flags of the colour "red" by Anonymous Coward · · Score: 0

      it should be fairly easy to do a public key exchange to encode the handshake. This is nothing new, like, nothing, except perhaps a higher bitrate. However, that too is sketchy. I'd guess 5-7 seconds would be the minimum in a noise environment, assuming any sort of "security", much less robust security.

    2. Re:On flags of the colour "red" by Anonymous Coward · · Score: 0

      Disclaimer: I haven't studied this particular system at all.
      Your claim that "Anyone with a recorder nearby now has you password" and "the transfer point is REALLY important" are not correct in general. Secure authentication is made over insecure channels all the time using public key cryptography. Audio could work just as well as TCP/IP as a channel for a normal HTTPS handshakes, by using a private key to sign data. Again, I don't know if they're planning on just broadcasting a password, but what they should do is cryptographic signing.

    3. Re:On flags of the colour "red" by HeckRuler · · Score: 1

      . . . right. Yeah, I didn't think about that too hard did I?
      Ignore that part about secrets and authenticators.

      Sorry, I had it in my head that it was a one-way communication of their program to... whatever it is they plan on having. I think they want both ends to send and receive audio. So two people have their cell phones kiss for a while.

    4. Re:On flags of the colour "red" by Em+Adespoton · · Score: 1

      it should be fairly easy to do a public key exchange to encode the handshake. This is nothing new, like, nothing, except perhaps a higher bitrate. However, that too is sketchy. I'd guess 5-7 seconds would be the minimum in a noise environment, assuming any sort of "security", much less robust security.

      Don't worry... even though the first version will only be 300 baud, they'll get a new version up to 1200 baud in a few months, followed a year later by 2400 baud. Each of these bitrates will need to add on to the initial handshake of the previous one so that the receiver and sender will know which frequency they're transmitting at of course.

      And yes, I always used to set my modem to have the speaker on during handshake :)

      I just got an idea for a new set of ringtones.... thanks slashdot!

    5. Re:On flags of the colour "red" by mjwx · · Score: 1

      See Betteridge law of headlines.

      One day I'm going to publish an article title "Does This Article Prove Betteridge's Law Of Headlines?" just to mess with people who quote Bettteridge's law of headlines.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:On flags of the colour "red" by wonkey_monkey · · Score: 1

      Does This Headline Conform to Betteridge's Law Of Headlines?

      --
      systemd is Roko's Basilisk.
    7. Re:On flags of the colour "red" by mjwx · · Score: 1

      Does This Headline Conform to Betteridge's Law Of Headlines?

      At this point I'd write it as "Does This Headline Conform to Betteridges Law Of Headlines." just to annoy Grammar Nazi's as well.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  10. How does it cope with transcoding? by Anonymous Coward · · Score: 0

    Since most networks are VoIP now, and a lot of international traffic goes with g729a / 20ms ptime codec, how well would it cope with lossy transcoding and or jitter / packet loss? On the one hand this kind of tech could be really useful for developing countries which aren't very well connected, 3G / Wifi wise (Madagascar, RDC, etc). But on the other hand these countries have _big_ audio issues sometimes so I wonder if some kind of redundancy is built in the protocol to cope with hostiles conditions.

  11. Reminds me of a two-factor authentication system.. by mlts · · Score: 1

    A while back, someone made a system that could go on a credit card that would play what sounded like a brief burst of static. This was used similar to a one-way car remote as a way to have a second authentication factor.

    Of course, this might work and needs no additional hardware other than an ADC and DAC that are fairly accurate.

    The downside is additional noise pollution. Maybe frequencies that are out of the normal human range can be used, but that narrows the amount of bandwidth the device can use to transmit/receive data with.

    Ideally, we should just move to NFC. Using sound is a lowest common denominator type of way to do authentication and key exchanges. It does work, but so does Kermit over a 300 baud modem... we have better protocols and technology at our disposal.

  12. I'm clearly missing something... by MrLizard · · Score: 1

    So, it's sound? What's sound, to a computer? A pattern of bytes. What makes this pattern of bytes harder to duplicate/hack than any other pattern of bytes? If I'm following this right, you record a sound, and it's a file on your phone. Someone can steal that file if they could steal any other file. Even more, they can steal it easily when you use it, since the sound will be audible. Isn't this like having to speak your password out loud where anyone can hear it?

    If multiple people are using this in a crowded area, how do the audio inputs sort out which sound is the one for the current, active, transaction? Looking for a single sound that fits a given pattern amongst background noise that doesn't seems like a reasonable algorithm to write. Guessing which sound, out of *many* that fit the pattern, is the one you're listening for... that seems a lot harder to me. But i have never written pattern recognition algorithms, or studied them, so I could be way off.

    I want to give everyone involved the benefit of the doubt and assume I'll be emitting a "D'oh!" when someone explains to me why this is the best idea since the sliced light bulb. Until someone explains my ignorance to me, I can't shake the feeling that the goal is to excite investors who just see "ground floor buzzword of hot new buzzword with buzzword and also buzzword which buzzwords the buzzword!". Tell me why this isn't the case. Use small words, please. What does this offer no existing technology does? How is it faster, safer, more flexible? Given the long time from announcement to commercial product, how will it compete with other methods that will use that time to be come even more entrenched and leapfrog any improvements this may offer?

    1. Re:I'm clearly missing something... by Anonymous Coward · · Score: 0

      You're exactly right when it comes to figuring out who should transmit and competing signals. Wifi has all this built in. If you are having trouble with the signal move to another channel. Only one person can either transmit or receive at a time on a channel. Else you have errors, so there are random timers built into the protocol. So essentially if they want this to be popular, it's just going to be wifi that you can hear.

  13. Can we say, "Prior Art"? I knew we could! by Anonymous Coward · · Score: 0

    Umm...

    Remember books? Those heavy, blocky things made up of hundreds of layers of thin sheets of cellulose fibre? With markings, symbols and images on each sheet?

    Books have so much information preserved within their covers. That information spans quite a bit of time-space.

    Referencing just a couple books...

    It looks like all the claims are covered by prior art from all over the world going back at least 100 years.

    This had better be some novel, unique integration that no one has ever imagined before or it will be challenged.

    1. Re:Can we say, "Prior Art"? I knew we could! by kermidge · · Score: 1

      If there is any advantage whatsoever in being dim-witted, stupid, and ill-informed it's that I can find what Illiri does to be interesting. (And yes, the first thing I thought of was listening to my old Zoom modem initiate handshake.)

  14. Google: Sound based data transmission by Maximum+Prophet · · Score: 1

    gets About 7,290,000 results

    I think there is prior art.

    --
    All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  15. Prior Art by nullchar · · Score: 3, Interesting

    Near_sound_data_transfer is already implemented and sold by TagAttitude.

    Audio data transfer in Android is discussed in this stackoverflow post which mentions this slideshow.

    This dude posted his same idea over a year ago.

    Modem-style data transfer between smartphones is a cool idea - but the software and protocol would need to be ubiquitous (read: open). If only a few apps or devices support this tech, it's no different from requiring hardware like NFC or software to support a bluetooth data sharing connection.

    1. Re:Prior Art by icebike · · Score: 1

      Well he already has an api available so that eliminates your last paragraph entirely.

      And your NFC does not allow you to send data over skype or a telephone, nor does it allow you to send it to a desktop computer with no NFC chip.
      Audio encoded data solves all of those problems with nothing but common speakers and microphones.

      To the extent it is do-able and can be encrypted it may be quite useful as would any of the other methods you cited. There is nothing new about sending data as audio. Fax machines and dial up modems do this every day. It can't be patented, no matter what the french say.

      What is new here is the totally cross platform implementation, requiring nothing more than a commonly available speaker and a mic.

      If you add Public/Private key encryption you could send data over any ad hoc voice capable channel.
      But without encryption, you got worth implementing. And with only server side encryption, you get pwed.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re: Prior Art by Anonymous Coward · · Score: 0

      The 2008 game Bangai-O Spirits used the speakers and microphone of the Nintendo DS to transfer custom level designs. You could post an audio clip to eg. Youtube, hold your DS up to the PC's speakers and download the level to your game. That sounds like cross-platform audio-based data transfer to me.

    3. Re:Prior Art by nullchar · · Score: 1

      Public Key Infrastructure (PKI) needs to be built into the APIs from day one. There shouldn't be a non-encrypted version available to developers or users.

      Of course, anything using cryptography must be open source (and in a library available to my app, not only as a "cloud-based" API unless it only accepts encrypted data, no way can it have access to my private key).

      There are lots of APIs available, but developers need to implement applications with them.

  16. Watch me whistle into this phone... by Gavin+Scott · · Score: 1

    ...and post on Facebook!

    G.

    (though it was more fun to light up the carrier detect indicator on old 300 baud modems this way)

    1. Re:Watch me whistle into this phone... by Anonymous Coward · · Score: 0

      ...and post on Facebook!

      G.

      (though it was more fun to light up the carrier detect indicator on old 300 baud modems this way)

      Reminds me of sending +++ath in the TCP wrapper of a ping request many moons ago.... easy way to tell who /was/ on dialup on IRC.

  17. there's (already) an app for that by diaz · · Score: 1

    Sounds like this: http://www.gizmodo.in/software/NearBytes-is-a-Sound-Based-NFC-like-Data-Transfer-Tech-that-Works-on-Any-Old-or-New-Phone/articleshow/21165630.cms or this: https://itunes.apple.com/us/app/chirp/id529469280?mt=8

  18. Re:Reminds me of a two-factor authentication syste by Em+Adespoton · · Score: 1

    A while back, someone made a system that could go on a credit card that would play what sounded like a brief burst of static. This was used similar to a one-way car remote as a way to have a second authentication factor.

    Of course, this might work and needs no additional hardware other than an ADC and DAC that are fairly accurate.

    The downside is additional noise pollution. Maybe frequencies that are out of the normal human range can be used, but that narrows the amount of bandwidth the device can use to transmit/receive data with.

    Ideally, we should just move to NFC. Using sound is a lowest common denominator type of way to do authentication and key exchanges. It does work, but so does Kermit over a 300 baud modem... we have better protocols and technology at our disposal.

    Here's my idea: set the tone at a pitch that causes dogs to howl... then encode the information in the dog's howl (after calibration of course), not the original sound. Using a canine as a second factor sounds interesting to me....

  19. I have an copy of Werner Brandes login. by Joe_Dragon · · Score: 1

    Hi, my name is Werner Brandes. My voice is my passport. Verify Me.

  20. More Prior Art by az1324 · · Score: 1

    http://mobile.slashdot.org/story/11/06/21/003220/sound-based-system-promises-chipless-phone-payment

    1. Re:More Prior Art by nullchar · · Score: 1

      I knew there was a slashdot story about this! I failed in my quick search. Thanks for the link.