What if “Something You Are” Can Be Impersonated?

In multi-factor authentication systems, you typically are dealing with three data categories to establish uniqueness: something you know, something you have or something you are.

While you can create knowledge, create a thing to hold in memory, it is that third category of “being” that often raises the most concern.

A print of abolitionist U.S. President Abraham Lincoln was in fact a composite, a fake. Thomas Hicks had placed Lincoln’s unmistakable head on the distinguishable body of Andrew Jackson’s rabidly pro-slavery Vice President John Calhoun. A very intentionally political act.

The fakery went quietly along until Stefan Lorant, art director for London Picture Post magazine, noticed a very obvious key to unlock Hicks’s puzzle: Lincoln’s mole was on the wrong side of his face. Source: Atlas Obscura

There’s an inherent contradiction in treating a thing you expose everywhere (one that in theory never changes because it is “what you are”), as some kind of uniqueness that can’t be replayed or impersonated by someone else.

Think of it as fingerprints left all over the things in public you have been touching.

This state of “being” tends to be the opposite of secrecy, inherently observable as a function of being, else you would cease to exist.

You’ll be hard pressed to avoid leaving your fingerprints all over the place while at the same time using your fingerprints all over the place to prove you do exist and uniquely.

And lately researchers have been putting into practice a machine version of the very thing seen in Lincoln’s print. For example https://thispersondoesnotexist.com/ will dump out a face that mashes up photos into a “fake” one.

Although here again, for example, you can easily see an error in the lower right corner of an artificially generated image (just like Lincoln’s mole being backwards).

Imagined by a GAN (generative adversarial network): StyleGAN2 (Dec 2019), Karras et al. and Nvidia.

On top of these exposure contradictions in biometric secrecy, there also is a complexity and cost consideration in the biometric business.

Challenge quality is intentionally lowered (look for a couple spots that match instead of every detail and thousands of points) to maintain higher profit/margin. Those economic decisions usually are why we see decades of simple bypasses — a low bar has meant easy impersonation of “what you are”.
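To put numbers on that low bar, the following added example (not from the original post) computes how often an unrelated finger passes a matcher that only requires a few coinciding points. The grid size, minutiae count, detection probability and function names are assumptions of a toy model, not any vendor's algorithm.

```python
from math import comb

def matches(enrolled, probe, required):
    """Accept when at least `required` probe minutiae coincide with the template."""
    return len(enrolled & probe) >= required

def false_accept_rate(cells, minutiae, required):
    """Exact chance that a random, unrelated finger is accepted.

    Toy model (assumption): a finger is `minutiae` distinct cells drawn
    uniformly from a grid of `cells`, so the overlap is hypergeometric.
    """
    total = comb(cells, minutiae)
    hits = sum(comb(minutiae, k) * comb(cells - minutiae, minutiae - k)
               for k in range(required, minutiae + 1))
    return hits / total

def false_reject_rate(minutiae, p_detect, required):
    """Chance the genuine finger is rejected when each enrolled minutia is
    re-detected independently with probability `p_detect` (binomial)."""
    return sum(comb(minutiae, k) * p_detect**k * (1 - p_detect)**(minutiae - k)
               for k in range(required))

def sweep(cells=400, minutiae=40, p_detect=0.8, thresholds=(2, 3, 6, 12, 20)):
    """Return (required, FAR, FRR) rows for each matching threshold."""
    return [(t,
             false_accept_rate(cells, minutiae, t),
             false_reject_rate(minutiae, p_detect, t))
            for t in thresholds]

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"required={t:2d}  FAR={far:.2e}  FRR={frr:.2e}")
```

In this model a matcher satisfied by three coinciding points accepts most unrelated fingers, while requiring twenty drives false accepts toward zero and still rarely rejects the genuine finger.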

Nonetheless, despite the contradictions of exposure and the economics of bypasses, stark warnings still do appear about the lack of security in biometrics.

Consider the “lasting damage” about privacy violations claimed in an analysis of Digital ID applications:

In Zimbabwe, we spoke to people who did not know why the government was transitioning from the old metal ID to a biometric ID. There were theories about the ID system’s connection to national security and surveillance but little knowledge of the government’s intentions or the purpose of collecting biometric data (i.e., unique physical measurements such as fingerprints and iris scans)–which isn’t essential for providing legal identity. This type of data is forever associated with a person’s body, meaning that these systems can lead to privacy violations that cause lasting damage.

Meanwhile in RPI research news, we see the march of science challenging our sense of reality by printing “complete” skin:

Scientists have created 3D-printed skin complete with blood vessels, in an advancement which they hope could one day prevent the body rejecting grafted tissue. The team of researchers at Rensselaer Polytechnic Institute in New York and Yale School of Medicine combined cells found in human blood vessels with other ingredients including animal collagen, and printed a skin-like material. After a few weeks, the cells started to form into vasculature. The skin was then grafted onto a mouse, and was found to connect with the animal’s vessels.

In related news, scientists also now can “knit” an artificial skin.

“We can sew pouches, create tubes, valves and perforated membranes,” says Nicholas L’Heureux, who led the work at the French National Institute of Health and Medical Research in Bordeaux. “With the yarn, any textile approach is feasible: knitting, braiding, weaving, even crocheting.”

This suggests we are entering an entirely new level of impersonation possibilities, which both are bad (unwanted) and good (wanted). You could knit a new set of fingerprints that even have blood flowing in them when you’re tired of “being” the old set, or the old set has failed (e.g. too much hand wringing over privacy concerns).

Somehow I doubt the scientists considered as part of their research the impact of medicine bypassing biometric authentication systems, yet we’re clearly approaching a time when you can really do an about face. If I ran marketing I’d sell new skin as giving the finger to biometric authentication vendors.

It all begs the ancient philosophical questions of whether modern quaint notions of authenticity really are something to hold a hard line on (e.g. authorize authenticity policing), or instead we should go back to the focus on harms and virtue ethics.

For a simple quiz I give my CS graduate students studying ethics, would you sooner criminalize actors doing modern voice impersonations or appearance impersonations? Here’s an example of someone doing both, but is it even criminal?

Czech Patton Museum Comes to America

The 75th anniversary of liberation from Nazi occupation is giving Americans a chance to see memorials to them that usually are found only in Czechia.

The exhibition, entitled Liberation of Pilsen, will be unveiled at Czech Centre New York on Wednesday afternoon. It outlines the advance of Allied troops from Normandy to Pilsen, the role of General George S. Patton and other historical circumstances.

Ivan Rollinger of the Patton Memorial Pilsen museum, who curated the exhibition, says it also maps the many memorials to civilians and soldiers in the region of Pilsen.

“Even today, 75 years after the end of the war, there are still new monuments being erected to the victims of the Second World War, including fallen US soldiers.

“We still come across new information about the individual victims in the region, for instance in the Washington National Archive or in daily reports, and then we unveil new memorials to them.”

New Book: Going to War Against Fascists Earlier Prevents Late Realization That Fascism is Really Bad

It’s a complicated claim, given how fascism is based on constant deception and lying; yet the facts are in again that as an influence competition was being lost, the far more powerful armies would have benefited from earlier political support to declare war against rapidly expanding lies and aggression of fascism.

Caquet’s most potent argument, borrowed as well from Winston Churchill, is that in 1938 the Allies were in a much stronger military position than Germany. By virtually every measure, including the number of soldiers, ammunition, tanks and aircraft, he reveals, the combined armed forces of England, France and Czechoslovakia greatly exceeded those available to be deployed by the Nazis.

In 1938, Germany was only about halfway through its rearmament initiative, and remained somewhat constrained by restrictions in the Treaty of Versailles. France and Czechoslovakia alone could produce twice as many armored divisions than the Reich, following a general mobilization. German supplies of oil, iron and aviation lubricants sufficed for three months or less. German construction of battleships, aircraft carriers and submarines had just begun. German bombers lacked the range to effectively bomb Britain. And in 1938, Caquet points out, with Czechoslovakian forces on high alert, Germany could not launch a surprise attack. That the Allies did not call Hitler’s bluff and go to war, he implies, resulted from a lack of political will and not inferior military might.

“Supermarine Spitfire, Britain’s superb fighter plane launched 1938 and lasted throughout World War II.” Source: Britannica

See also: death camps described by an escapee in detail to London June 1942

Timeline: Did 2018 WhatsApp Security Flaw Lead to Assassination of WashPo Journalist?

This is a timeline of proprietary and centralized end-to-end encryption technology (yes that is a contradiction, and yes it uses an open source protocol) for secret delivery of malicious content to targets (apps and people) that seems to have led to massive privacy loss as well as targeted killings.

January 2018:
Facebook’s CSO campaigned on Twitter to restore trust in WhatsApp after researchers alleged privacy flaws.

…clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping. The content of messages sent in WhatsApp groups remain protected by end-to-end encryption.

March 2018:
Amazon CEO is invited to have dinner with the Saudi Crown Prince Mohammed bin Salman.

April 2018:
Amazon CEO and Crown Prince have dinner, exchange phone numbers linked to WhatsApp accounts.

May 2018:
WhatsApp message from the Crown Prince (believed to have included a malicious video file) is sent end-to-end encrypted to the Amazon CEO’s phone.

A huge amount of data (130MB) suddenly is uploaded from the CEO’s phone (29,000% jump), and then about 100MB/day is uploaded in the months following (compared to under 0.5MB/day in months prior). (Full Report by “FTI Consulting” via Vice News story).

June 2018:
Amazon’s WashPo journalist Jamal Khashoggi’s contacts (who use WhatsApp) also receive malicious links.

July 2018:
NYT reports spread of harmful videos on WhatsApp is leading directly to dozens of violent deaths: “How WhatsApp Leads Mobs to Murder in India”.

WhatsApp’s design makes it easy to spread false information. Many messages are shared in groups, and when they are forwarded, [despite CSO promoting “multiple ways of checking who is in your group”] there is no indication of their origin.

August 2018:
Facebook CSO leaves to take position at Stanford doing research for Facebook, pushing for greater use of WhatsApp (see Oct 2019 Stanford tweet).

…companies like to say things like ‘we follow local law’, but in reality, they resist orders every day by saying ‘sorry…

His statements promoting WhatsApp usage completely contradict his infamously bizarre 2015 argument with the NSA (just before being hired by Facebook), which suggested he saw moral equivalence in all lawful orders from everywhere.

…if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?

Facebook CSO publishes his own Wikipedia page full of uncritical self-promotion and demands it be locked to prevent the public from editing or commenting.

I’ll try to keep an eye on this page for any questions.

September 2018:
Amazon CEO’s phone uploads 500MB.

October 2018:
Khashoggi is murdered at the Saudi consulate in Istanbul.

Slate reports on spread of harmful content on WhatsApp, describing it as dangerous tool for mob rule and abuse of power: “How False News Haunted the Brazilian Elections…it was worse than ever.”

And it coincided with the rise of Brazil’s far-right president-elect…political communication is completely vulnerable, especially on WhatsApp because it’s not monitorable… Just 8 percent of the most-shared information in groups was correct… WhatsApp, which she described as “the biggest misinformation engine during elections this year”, was unwilling to take action against fake news on its platform. …the company “at no point showed itself willing to sit down and talk with fact-checkers to think about solutions.”

November 2018:
US White House occupant reportedly in a “bizarre, inaccurate and rambling” manner “issued a statement in which he said the U.S. would maintain a ‘steadfast’ alliance with Saudi Arabia, refusing to blame Saudi Crown Prince Mohammed bin Salman for Khashoggi’s killing even though the CIA has reportedly concluded that the crown prince ordered his assassination.”

March 2019:
US Congress sends letter criticizing WhatsApp being used in White House for communications with foreign leaders during September and October of 2018 (murder of WashPo journalist).

April 2019:
Ex-Facebook CSO gives talk with huge privacy claims (without any evidence) while Amazon CEO’s phone is uploading GB of extremely sensitive data due to security flaw in WhatsApp; self-congratulatory boasts of the ex-CSO go unchallenged.

'The day Whatsapp turned on encryption was probably the most privacy enhancing day of all time' -@alexstamos

CISOs comment about Stamos in private executive forums (sorry can’t disclose sources): “That boy loves a microphone and a camera, but those can’t keep your systems from crashing.”

April/May 2019:
Amazon CEO’s phone completes 9GB of data uploaded in three large bursts.

12 days after the last burst, FTI begins a full forensics investigation. While unable to find malware, FTI writes a report showing bursts of suspicious traffic.

November 2019:
Facebook announces CVE-2019-11931, which explains that sending a malicious video file to a WhatsApp user has been a serious open vulnerability allowing spyware to be installed. May 2018 to November 2019 is a 1.5 year response time to a critical exploit in the wild.

Description: A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274 [OCT 3, 2019], iOS versions prior to 2.19.100 [OCT 17, 2019]….

January 2020:
Guardian breaks the story of Amazon CEO and Whatsapp breach, barely hinting at a US White House role.

[In high-profile and long-standing “challenge” to Amazon CEO] Trump and his son-in-law Jared Kushner have maintained close ties with the crown prince…

Further stories roll like NYT “Beware WhatsApp accounts…”, which bring us full circle to the Facebook CSO making a provably false claim in public that “clear notifications and multiple ways of checking who is in your group prevents silent eavesdropping”.

To be clear, the phrase “prevents silent eavesdropping” was a very tall claim that deceptively lured victims into a false sense of trust in WhatsApp. Eavesdropping wasn’t prevented entirely, and harmful content wasn’t even attempted to be prevented, so many people died as a result of overconfidence from WhatsApp marketing coupled with its critical security flaws.
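The upload pattern in the May 2018 entry (under 0.5MB/day, then a 130MB burst, then about 100MB/day) is the kind of signal a per-device egress baseline can catch. The detection sketch below is an added example, not part of the original post or the FTI report; the sample values, thresholds and function names are constructed assumptions.

```python
from statistics import median

# Constructed sample: daily upload totals (MB) for one device, shaped after the
# figures quoted in the timeline; these are not values from the forensic report.
DAILY_UPLOAD_MB = [
    ("D01", 0.44), ("D02", 0.41), ("D03", 0.48), ("D04", 0.43),
    ("D05", 0.46), ("D06", 0.45),
    ("D07", 130.0),                      # first burst
    ("D08", 101.0), ("D09", 98.0), ("D10", 103.0), ("D11", 99.0),
    ("D12", 100.0), ("D13", 97.0), ("D14", 102.0), ("D15", 100.0),
]

def flag_egress(days, window=7, factor=10.0, min_mb=5.0, freeze=True):
    """Flag days whose upload exceeds `factor` x the trailing median baseline.

    freeze=True keeps flagged days out of the baseline, so sustained
    exfiltration cannot become the new "normal". Thresholds are assumptions.
    Returns a list of (day, mb, baseline_mb, pct_increase).
    """
    baseline_days, alerts = [], []
    for day, mb in days:
        history = baseline_days[-window:]
        if len(history) >= 3:            # need some history before judging
            # Floor the baseline so an idle device cannot cause a divide-by-zero.
            base = max(median(history), 0.01)
            if mb >= min_mb and mb > factor * base:
                pct = round((mb - base) / base * 100)
                alerts.append((day, mb, base, pct))
                if freeze:
                    continue             # do not learn from a flagged day
        baseline_days.append(mb)
    return alerts

if __name__ == "__main__":
    for freeze in (True, False):
        hits = flag_egress(DAILY_UPLOAD_MB, freeze=freeze)
        print(f"freeze={freeze}: {len(hits)} alert days -> {[h[0] for h in hits]}")
        if hits:
            day, mb, base, pct = hits[0]
            print(f"  first: {day} {mb} MB vs baseline {base:.3f} MB (+{pct:,}%)")
```

With `freeze=False` the same data stops alerting after four days, because the bursts themselves pull the rolling median up to roughly 100MB.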

Related:

WhatsApp CVE-2021-24026 allowed complete system compromise due to a missing bounds check within the audio decoding pipeline for calls.

WhatsApp CVE-2019-18426 allowed attackers to read files from users’ local file systems.

WhatsApp CVE-2018-6344 allowed attackers to fully compromise the app when a target answered a call.

November 1997, Microsoft IE 4.0 browser buffer overflow allowed attackers to “execute arbitrary precompiled native code” (i.e. F00F of concept would denial-of-service the Intel CPU).