
Sound-Based Device Authentication Has Many Possibilities (Video)

Posted by Roblimo
from the it's-so-secret-we-don't-even-want-the-government-to-know-about-it dept.
Imagine a short (audio) squawk, less than one second long, as a secure authentication method for cell phones or other mobile devices. A company called illiri has developed (and has a patent pending on) a method to do exactly that. The company is so new that its website has only been up for a month, and this interview is their first real public announcement of what they're up to. They envision data sent as sound as a way to facilitate social media, mobile payments (initially with Bitcoin), gaming, and secure logins. Couldn't it also be used for "rebel" communications, possibly by a group of insurgents who want to overthrow the Iranian theocracy? Or even by dissidents in Russia, the country our interviewee, illiri co-founder Vadim Sokolovsky, escaped from? (And yes, "escaped" is his word.) And, considering the way illiri hopes to profit from their work, should they think about open sourcing their work and making their money with services based on their software, along with selling private servers that run it, much the way Sourcefire does in its industry niche? Their APIs are already open, so moving entirely to open source is not a great mental leap for illiri's management. In any case: Is their idea worthwhile? Are there already ways to achieve the same results? Is illiri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living, if their software was open source? (Transcript included)

Vadim: I am Vadim Sokolovsky and I am one of the cofounders of Illiri, a company that provides technology for pairing mobile devices and connecting mobile devices to websites.

Robin: Okay, since I can do that without your program or anything special, why do I need Illiri?

Vadim: Well, of course, there are different technologies that exist on the market right now that allow you to pair devices including NFC, Apple’s Airport, WiFi Intersense, Bluetooth; we use sound to initiate the connection. It is a very short, less than a second modulated packet that transmits session ID from one device to another device. So it works cross platform, you don’t have to worry what device your counterpart is using. And it works with websites, of course. So you can connect actually to the website not through the computer itself but through the website servers and, let’s say, make a payment to the website from your phone or let’s say just straight from the website. In addition, this sound initiation allows us to exchange information during video Skype conferencing or any other type of conferencing because this sound will go as the human voice through their communication channel as well.

Robin: It is sound?

Vadim: It is just sound, yes.

Robin: Okay, so the privacy, the ability to stay private with this sounds fascinating, in light of current revelations that governments and such are all snooping on us, aside from the payments and at other places, is anybody talking about using this as a medical device to device security measure?

Vadim: We see a lot of applications for this technology, we didn’t particularly think about medical devices but it is also possible. Any ad hoc connectivity can be provided by our product. So if you have two devices, and the idea of ad hoc, what’s important about ad hoc here is that, you do have a lot of different software solutions that can pair devices; if you know the phone number of another person, or if you know the email of another person. But this is pretty much the only solution right now that allows you to pair cross-platform devices when you don’t know anything about a person – you just met this person right now, in this bar, in the restaurant, at the conference, or you called a store via Skype, you don’t know about the person, who he is, but with this you can transact with him.

Robin: Okay, so all they really need to do is to have it on their phone, I guess, or whatever device, and then all they have to do is go like this.

Vadim: Right. Robin, this is our demo application right. It is not the product by itself. This is just a demo of what can be done with the technology. So one of the ideas you can use this technology to exchange contact information. So we created a free demo product that is available for iPhone and it is available for Android – you can download it and play with it.

Robin: I have done so and I have been.

Vadim: Right, so, but this is just a demo product. So our plans include developing a digital wallet, probably using bitcoin for transactions. Essentially merging bitcoin technology with this would allow me to pay to you directly right now, let’s say, one bitcoin, or our Skype communication. When this product, when the program will be ready, but what you are looking at is just the CardXchange that allows you to exchange contact information. That’s pretty much what we are looking at, what you are looking at, CardXchange program. It is a technology demo.

Robin: Right. So all I am seeing is just the tiniest scrape of the surface without but there is way more behind it.

Vadim: Hopefully.

Robin: Hopefully.

Vadim: We hope that people will see the potential and will start developing applications.

Robin: Okay. We are talking with you. Your PR person, your person reached out to me, and I’d never heard of you, obviously, but what kind of marketing or sales or PR strategy are you using? How will people find out about you?

Vadim: Robin, we are releasing our first press release this week. And we are planning to participate in the conferences, we are planning to give interviews, we are planning to do presentations at user groups meetings at least in New York for sure originally both for Android and iOS and we will be trying to give people our product to our API to play with and to come up with ideas.

Robin: How are you pricing? How do people pay you for this?

Vadim: Well, what I am going to say might sound very strange. But right now, you got to understand we got paid API right, we are just free, completely free. But we also got servers, the server piece, because the sound is used only to initiate the connection. But the actual data transfer goes through standard HTTPS connection to our server. And the server is also free. The servers are free, all public servers are free, anybody can use them. But they don’t provide the whole picture.

So if you are a big company and you want to have your own private server, so that, let’s say, you are sure that this server is 24/7 up, there are no problems with this, probably you want to create your own server, right? Then you can license a server from us. And the pricing greatly depends upon the licensing agreement, and I wouldn’t even want to throw in any numbers right now, because as you understand there is a huge difference between a small company that licenses its server for a small application, maybe a small gaming application, and the bigger company that licenses many servers to be deployed in the cloud for processing high volume data.

Robin: And also let’s face it, you are so new that you probably don’t have a good handle on your costs, yet in real life.

Vadim: That’s true enough.

Robin: And one question. You mentioned bitcoin. That’s great. What about the nearly six billion people on this planet including me who don’t use bitcoin? How about us? We can still work with money, right, real money?

Vadim: Yes, we, originally part of the idea was to develop a payment solution. Bitcoin of course came to our attention probably half a year ago. We have plans to develop what we call digital wallet using our technology, using payment providers such as probably Stripe, Dwolla, or PayPal, companies that provide payment of API using credit cards. But right now, we simply don’t have enough resources to implement both track protocols and bitcoin protocols so we decided to do a demo of a bitcoin wallet. Again what we are doing right now, we are investing money into a number of applications that we distribute for free to people just for them to try them and to give us feedback. We want to see people’s feedback. Yes, definitely it is very easy to write an app using this API to put in Stripe API key and then you will be able to pay using your credit card against Stripe or same thing with Dwolla, I am not sure about PayPal, but I am sure there is probably some sort of API.

Robin: Oh yeah, they have open APIs too. Yeah.

Vadim: So that is the idea, to have multiple applications using different providers that allow you to use exchange money. Bitcoin sounded to us a little bit more sexy and bit more cocky. There is also another thing. This is a new technology and bitcoin is a new technology, and we kind of thought that maybe coming up with just prototype/demo should involve something new.

Robin: And of course, today we are talking to the Slashdot audience, and Slashdot users are probably the biggest hotbed of bitcoin-ness on the planet so

Vadim: That sounds good.

Robin: So it dovetails. But here is another question. I am not sure in what order, but things are bubbling up. Now half of Africa is right now making all their payments and doing their banking with cell phones. They don’t have your product, they don’t have your servers, what about that? They are just doing it ad hoc. And they have been doing it for years.

Vadim: How do they do payments to each other?

Robin: I don’t know if they do, but they do.

Vadim: I am not sure if they do right now to each other, but yes again, the idea here is that you can deploy this API on the cheapest Android, we specifically bought Androids for $60 with virtual processors, tested the software and it works, so what I am saying is, anybody in Africa can set up a small store, get an Android tablet $60 and then they register. And now they can take turns they can get payments from other people, all the other people have to do is just click the button and they are paid.

Robin: And the other people have to have the phone, they have to have the phone to pay.

Vadim: Some kind of a phone, some kind of an Android phone, we tested the software on old iPhones and we did it on cheap Androids on purpose and it worked flawlessly.

Robin: Well in low cost parts of the world, they don’t have iPhones. They don’t.

Vadim: They don’t have iPhones today, but in another five years, they will have big iPhones, all their phones.

Robin: Again back on your pricing scheme, for the small person, you could use a little, the servers at no charge for low volume? How does that work?

Vadim: Well, without limitations we have our servers available for public but with a few limitations. Our public servers first of all don’t support secure transmissions, okay?

Robin: Oh?

Vadim: Okay. So no HTTPS, no SSL/TLS but it is a public server, you can use it for this.

Robin: Yeah.

Vadim: CardXchange of course. Don’t expect

Robin: I am asking... here I am and I want to overthrow the government of Badistan, the horrible country, and it is run by a Dr. Horror, it is a terrible regime. We need to have secure transmission back and forth. We are the revolutionaries, we are the good guys, and our flag is and we need secure transmission, you have the ability to provide that phone to phone, right?

Vadim: Yes, we support both secure and unsecure transmissions but right now our public servers are simply not configured to accept secure connections. It is very simple for us, so it is the choice of this organization: if they want to overthrow a government, (I am not sure we want to be in this business) but nevertheless, they can call us, and ask for a private server, and we will give them a quote and maybe it will be a very small quote or maybe it will be free, because we also don’t like this government. Or we have some ideas about it. But at least at this moment, our public servers do not support secure transactions.

Robin: I just think that if they did it would be wonderful, even if it was a small charge thing, that I could sign up and it was $25 a year or something, and then, I could, we could be having this conversation cell phone to cell phone as secure and the Badistan National Security Agency would have trouble listening in on us. They obviously can if they want to badly enough. But is it something that people are going to look at what you are doing, and think of that instantly.

Vadim: You know, Robin, I am going to promise you one thing, we will think about it, and probably we will change our policy, and maybe we will even change it within the next week. At this moment, our concern with secure connections was that it takes a much heavier load on the servers; really what you want to do in case of public servers serving secure connections, you want to establish so called SSL offloading servers, so they handle the SSL connectivity and then they pass the information to some central server. So it would simply require a larger web front processor to deploy right now. Since we are in a very early stage of offering the product, we didn’t set up a large enough web front, alright, right now, at this very moment. But we can probably add it and we probably should consider adding it to the public server. Again, you can get our demo and get our private server, you can run it locally on your machine, and it will support everything.

Robin: Okay, the only reason I was asking because I think there is a market for it. The serious people, I mean right now, there are Egyptians in the streets, and of course people doing this in Syria and other places....

Vadim: Don’t forget Russia.

Robin: [sarcasm] Well, I wasn’t going to say anything about Russia. Russia is a freedom loving country and our ally, isn’t it? [/sarcasm]

Vadim: To say a few words about public servers is that, so right now, we don’t provide secure connectivity to the public servers and we don’t provide so called web API for public servers. If you want to be able to connect your phone to the website, make payments to the website, or do any other stuff with the website itself, you need to have a private server. At least, that is our model right now. And again, we will besides public servers, also have dedicated servers which means we will install a server for you. Just a dedicated machine. Which will be dedicated only to your company, and it will be serving only your company and it will have all the features. It will have security, it will have web connectivity, it is really your machine.

Robin: Okay, so basically your thing is sound verification, right, sound identification, using the sound. Which is very smart. But can’t somebody else go out and do the same thing, now that we know it could be done?

Vadim: I think that there is always a person who can do whatever the other person did. Definitely it is possible. And it is possible just because you see it working so it means somebody else can do it, and somebody else can probably do it even better. I am not going to claim here that it is not possible. However, we spent a large amount of time, devising algorithms for recognizing sound, it was quite a challenging job, because it is a very short sound stage, less than a second, and you have to decode it, and you have to detect it and decode it within less than a second as well.

Robin: Without a lot of processor power?

Vadim: Right, so I am talking about very efficient code and some algorithms to detect this sound. The problem is that air is a very noisy medium. I am talking about the way they use radios, or they use in cell phones, it is still electricity, there is reasonably less noise there. With air, there is a lot of noise; there can be a song going in the background, using the same frequencies, and you have to be able to detect the sound through this and decode it. So it was complex. We did file patents for it, but again if you ask me a question: Can somebody else do it? The answer is definitely yes, given time and resources. It can be.

Robin: But you have a patent pending situation here right now?

Vadim: Right. But of course somebody with resources and desire can devise a different algorithm.

Robin: Of course, but why in a way, why don’t you just open source it and then sell the servers, as you are doing anyway, the world’s masters, I mean this is how Red Hat works, and they are a billion dollar company, it is being done. SugarCRM there is a whole bunch of security companies and so why not?

Vadim: It is something we are considering and we are still considering. The problem right now is that we don’t have really enough resources; you have to understand we are talking about a lot of different pieces of software - you have Android code, you have iOS code, you have client side sound recognition code, and you have server code, so we have four distinct code bases. Our concern is that by open sourcing it, you see, you will have some people working on iOS and some people working on Android and at some point the code can just go apart, and this is some concern of ours with it. We want to be able to have control at least of the original implementation so it is done clearly and it is done the same way across all of our products.

Robin: Then you become -- even it is open source, you become the standards keeper, you see... that’s what you have, your code must be approved by us, to work with our servers, or to work with our public servers or our private servers in the rest of the system, so you can open source it safely, I believe, you know, from a business standpoint, because you have standards control.

Vadim: I understand. Again we just released the product pretty much a month ago, and we are considering multiple options right now including what you are saying, go in open source.

Robin: Are people using it?

Vadim: We got some downloads, we didn’t do any advertisement yet, we are planning to start advertisement in fall, so at this point, we have a small number of beta testers that play with the product, plus we are trying to release as I said bitcoin wallet.

Robin: Okay. So anybody who is seeing this now, they can download, they can start messing with it, and I think to bitcoin people especially in dense population areas in San Francisco and New York I think they are going to jump on this, don’t you?

Vadim: We hope so.
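Vadim describes the squawk as a sub-second modulated packet carrying a session ID, which the receiver must detect and decode through room noise and background music. The block below is an added example, not illiri's code or its patented algorithm: a toy binary-FSK modem in pure Python with a Goertzel tone detector. The sample rate, baud rate, tone frequencies, the assumption that the receiver already knows where the squawk starts (no preamble search), and the session ID value are all constructed for the example. It also shows what any microphone in range gets out of the squawk: the complete session ID, because the audio itself carries no secret.

```python
"""Toy 'audio squawk' modem: encodes a short session ID as binary FSK audio
and decodes it with a Goertzel tone detector, even with a background tone and
noise mixed in. Added illustration, not illiri's code. Sample rate, baud rate
and tone frequencies are assumptions; the receiver assumes it already knows
where the squawk starts (no preamble/sync search)."""
import math
import random
import struct

SAMPLE_RATE = 8000                  # Hz (assumed)
BAUD = 100                          # bits/s -> 80 samples per bit (assumed)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD
F_MARK, F_SPACE = 1800.0, 1200.0    # tones for bit 1 / bit 0 (assumed; exact Goertzel bins)
AMPLITUDE = 0.5


def _bits(payload: bytes):
    """Yield the payload's bits MSB-first."""
    for byte in payload:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(payload: bytes) -> list:
    """Return float samples in [-1, 1]: one tone burst per bit."""
    samples = []
    for bit in _bits(payload):
        freq = F_MARK if bit else F_SPACE
        for n in range(SAMPLES_PER_BIT):
            samples.append(AMPLITUDE * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(window, freq: float) -> float:
    """Signal power at `freq` inside `window` (second-order Goertzel recurrence)."""
    n = len(window)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in window:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples, nbytes: int) -> bytes:
    """Decide each bit by comparing mark vs. space power in its time slot."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            start = (b * 8 + i) * SAMPLES_PER_BIT
            window = samples[start:start + SAMPLES_PER_BIT]
            bit = 1 if goertzel_power(window, F_MARK) > goertzel_power(window, F_SPACE) else 0
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def with_background(samples, seed: int = 1) -> list:
    """Simulate a noisy room: a 650 Hz 'music' tone plus Gaussian noise (constructed)."""
    rng = random.Random(seed)
    return [
        x + 0.3 * math.sin(2 * math.pi * 650.0 * n / SAMPLE_RATE) + rng.gauss(0.0, 0.3)
        for n, x in enumerate(samples)
    ]


def to_wav(samples, path: str) -> None:
    """Write 16-bit mono PCM so the squawk can be played through a real speaker."""
    pcm = b"".join(struct.pack("<h", int(max(-1.0, min(1.0, x)) * 32767)) for x in samples)
    header = struct.pack("<4sI4s4sIHHIIHH4sI", b"RIFF", 36 + len(pcm), b"WAVE", b"fmt ",
                         16, 1, 1, SAMPLE_RATE, SAMPLE_RATE * 2, 2, 16, b"data", len(pcm))
    with open(path, "wb") as f:
        f.write(header + pcm)


def eavesdrop_demo(session_id: bytes) -> bytes:
    """What a recorder in the room recovers: the whole session ID, no secret needed."""
    return demodulate(with_background(modulate(session_id)), len(session_id))


if __name__ == "__main__":
    sid = bytes.fromhex("0a1b2c3d4e5f")      # constructed 48-bit session ID
    print("duration:", len(modulate(sid)) / SAMPLE_RATE, "s")
    print("recovered by eavesdropper:", eavesdrop_demo(sid).hex())
```

A 48-bit ID at 100 baud comes out at 0.48 s, in line with the "less than a second" figure; `to_wav` writes a file you can play and re-record to try the decoder on a real microphone. The point for a practitioner is that an eavesdropper decodes exactly the same bytes as the intended peer, so whatever security such a scheme has must come from how the server treats the session ID and from the transport used afterwards, not from the sound.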

Comments:
  • by Russ1642 (1087959) on Tuesday July 23, 2013 @03:08PM (#44364001)

    Ok, I'm imagining how stupid this is.

    • You are not imagining. This is complete buffoonery.

      Although it would be cool maybe one day if we could send authentications over say a phone line in the form of 1s and 0s...............NO CARRIER

      • by Russ1642 (1087959)

        These boneheads would probably implement it as a voice that actually says "one" "zero" "zero" "zero" "one" "one" "zero" "one" "zero" "one" "one" "one"

  • by Anonymous Coward

    Those who do not learn from Hollywood movies are doomed to repeat them.

    • Shit, it's the 90's all over again!

      56k modem technology, dot-com wannabee companies, and getting "ill"iri. Pass me a Zima and tell mom to order another 60 minutes of AOL online! I'm off to play Doom now.

  • by dmitrygr (736758) <dmitrygr@gmail.com> on Tuesday July 23, 2013 @03:15PM (#44364073) Homepage
    using sound to send data....sort of like a modem?
    • using sound to send data....sort of like a modem?

      No no, this is totally different... instead of a modem connected to the phone, the phone is now the modem! See! Totally different! Somebody bring me my pile of gold now. kthxbai!

    • by icebike (68054)

      using sound to send data....sort of like a modem?

      Except far easier to eavesdrop on.
      It was intended that you could add data transmission to any phone call or Skype chat, or simply device to device (audio NFC).

      Without heavy encryption, it provides no security.

      Without some form of bi-directional exchange of public keys, you have no way to add encryption.

      But unless, or until, it includes some fairly strong encryption and an authentication mechanism nobody is going to trust it, because of man in the middle / eavesdropping on both ends of the conversation.

    • Prior Art (Score:4, Interesting)

      by nullchar (446050) on Tuesday July 23, 2013 @04:08PM (#44364663)

      Near_sound_data_transfer [wikipedia.org] is already implemented and sold by TagAttitude [tagattitude.fr].

      Audio data transfer in Android is discussed in this stackoverflow [stackoverflow.com] post which mentions this slideshow [slideshare.net].

      This dude [ideawide.com] posted his same idea over a year ago.

      Modem-style data transfer between smartphones is a cool idea - but the software and protocol would need to be ubiquitous (read: open). If only a few apps or devices support this tech, it's no different from requiring hardware like NFC or software to support a bluetooth data sharing connection.

      • by icebike (68054)

        Well he already has an api available so that eliminates your last paragraph entirely.

        And your NFC does not allow you to send data over skype or a telephone, nor does it allow you to send it to a desktop computer with no NFC chip.
        Audio encoded data solves all of those problems with nothing but common speakers and microphones.

        To the extent it is do-able and can be encrypted it may be quite useful as would any of the other methods you cited. There is nothing new about sending data as audio. Fax machines and

        • by nullchar (446050)

          Public Key Infrastructure (PKI) needs to be built into the APIs from day one. There shouldn't be a non-encrypted version available to developers or users.

          Of course, anything using cryptography must be open source (and in a library available to my app, not only as a "cloud-based" API unless it only accepts encrypted data, no way can it have access to my private key).

          There are lots of APIs available, but developers need to implement applications with them.

        • by nullchar (446050)

          I knew there was a slashdot story about this! I failed in my quick search. Thanks for the link.

  • by Dzimas (547818)
    So instead of initiating a digital handshake between two devices, I encode the digital handshake information onto an audio carrier, play it through a speaker, capture it with a microphone, and finally re-encode it back into its original form. Why on earth would I opt for this bizarre technology instead of WiFi, Bluetooth or other low power NFC techniques?
    • Because this would not use any traceable/loggable data network and may work in a situation where there is the cover of noise.

      • Or I guess it would not use any data network if it didn't contact a server. In the Slashdot tradition I haven't RTFI.

      • by Dzimas (547818)
        But short-range peer-to-peer radio between two devices would be at least as secure as an audio squawk between those same two units - either technique can be bugged or spooked.
        • But short-range peer-to-peer radio between two devices would be at least as secure as an audio squawk between those same two units - either technique can be bugged or spooked.

          Ah; but used as a broadcast method, it's actually pretty interesting, as it will be picked up by video cameras etc. and can be replayed in a different location at another time. Useful steganographic method, as long as the transmission uses a secure key.

          This made me think of another data transfer method though -- since pretty much all smartphones have a vibrate mode and an accelerometer now, why not transfer data via vibration? Stick one phone on top of the other to communicate. Very difficult to intercept

  • How many question marks is too many in the posting teaser? One? Two? Three? How about seven?

  • by HeckRuler (1369601) on Tuesday July 23, 2013 @03:40PM (#44364335)

    I think it's interesting how many alarm bells this post sets off in my head.

    First off, it's a long format Slashdot article, and it's not an "ask slashdot" nor a book review. Slashdot TV? is that still a thing? Why are they selling this company?
    It reads like an ad and uses the language thereof: "Imagine", "envision", "a way to facilitate", "Initially with Bitcoin",
    And.... is that trying to spin the shoddy website as a good thing?
    And the format of the video and interview is also just... cheap.

    Is their idea worthwhile? Are there already ways to achieve the same results? Is illiri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living if their software was open source?

    See Betteridge law of headlines. [wikipedia.org]

    Then there's the obvious problem with the basic fundamental gimmick: Anyone with a recorder nearby now has your password. The thing about secrets that are supposed to stay between you and the authenticator is that the transfer point is REALLY important. PIN numbers, passwords and all that jazz are a pain in the ass, but a noise? Anyone with an audio recorder now has your password. If you can put a device up next to their mic, then there are much more secure ways to have your device hand it some information.

    This is just so.... so... this is a joke right? Some sort of meta-humor on slashdot?

    • by mjwx (966435)

      See Betteridge law of headlines. [wikipedia.org]

      One day I'm going to publish an article titled "Does This Article Prove Betteridge's Law Of Headlines?" just to mess with people who quote Betteridge's law of headlines.

      • Does This Headline Conform to Betteridge's Law Of Headlines?
        • by mjwx (966435)

          Does This Headline Conform to Betteridge's Law Of Headlines?

          At this point I'd write it as "Does This Headline Conform to Betteridges Law Of Headlines." just to annoy Grammar Nazi's as well.
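icebike's comment above (no trust without encryption and authentication, because of man in the middle and eavesdropping) and HeckRuler's "anyone with a recorder nearby now has your password" point to the same design consequence: since the squawk is public, the session ID it carries has to be treated as a single-use, short-lived nonce on the server, and the follow-on HTTPS exchange Vadim describes has to actually be HTTPS (the interview says the public servers do not support it). The block below is an added example of that server-side handling, not illiri's server code; the class and function names, the 30-second TTL, the URL check and the demo identities are assumptions.

```python
"""Server-side treatment of a squawk-delivered session ID.

Added illustration, not illiri's server code. Because the audio packet is
public (anyone in the room or on the call can record and replay it), the
session ID must behave like a single-use, short-lived nonce, and the data
transfer that follows must run over TLS. TTL, names and the URL check are
assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SESSION_TTL_S = 30.0   # assumed: a squawk should be meaningless after a few seconds


class PairingError(Exception):
    pass


@dataclass
class Session:
    initiator: str
    created: float
    responder: Optional[str] = None   # set once the session has been consumed


class PairingServer:
    def __init__(self, clock: Callable[[], float] = time.monotonic, ttl: float = SESSION_TTL_S):
        self._clock = clock
        self._ttl = ttl
        self._sessions: Dict[str, Session] = {}

    def create_session(self, initiator: str) -> str:
        """Mint an unguessable 128-bit session ID for the initiator to squawk."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(initiator=initiator, created=self._clock())
        return sid

    def join(self, sid: str, responder: str) -> Tuple[str, str]:
        """Consume the session exactly once; unknown, expired or replayed IDs are refused."""
        session = self._sessions.get(sid)
        if session is None:
            raise PairingError("unknown session id")
        if self._clock() - session.created > self._ttl:
            del self._sessions[sid]
            raise PairingError("session id expired")
        if session.responder is not None:
            # A second join with the same ID is exactly what a replayed recording looks like.
            raise PairingError("session id already consumed (replay?)")
        session.responder = responder
        return session.initiator, responder

    def sweep(self) -> int:
        """Drop sessions older than the TTL; returns how many were removed."""
        now = self._clock()
        stale = [s for s, v in self._sessions.items() if now - v.created > self._ttl]
        for s in stale:
            del self._sessions[s]
        return len(stale)


def require_tls(server_url: str) -> str:
    """Client-side check: refuse to send pairing data to a plain-HTTP server."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc:
        raise PairingError("refusing non-TLS pairing server: " + server_url)
    return server_url


class FakeClock:
    """Deterministic clock so the expiry path can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def replay_demo() -> List:
    """Legitimate pairing, then a replayed squawk, then an expired one (constructed)."""
    clock = FakeClock()
    server = PairingServer(clock=clock, ttl=30.0)
    results: List = []
    sid = server.create_session("alice-phone")
    results.append(server.join(sid, "bob-phone"))       # first use pairs Alice and Bob
    try:
        server.join(sid, "mallory-recorder")             # same ID played back later
    except PairingError as e:
        results.append(str(e))
    sid2 = server.create_session("alice-phone")
    clock.now += 31.0                                    # squawk heard too late
    try:
        server.join(sid2, "bob-phone")
    except PairingError as e:
        results.append(str(e))
    results.append(server.sweep())                       # the consumed sid is now stale too
    return results


if __name__ == "__main__":
    for r in replay_demo():
        print(r)
```

Single use plus a short TTL limits a recorded squawk to a window of a few seconds and, even then, to racing the legitimate peer; it does not make the channel private, which is what `require_tls` is for on the client and an HTTPS front end is for on the server.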

  • A while back, someone made a system that could go on a credit card that would play what sounded like a brief burst of static. This was used similar to a one-way car remote as a way to have a second authentication factor.

    Of course, this might work and needs no additional hardware other than an ADC and DAC that are fairly accurate.

    The downside is additional noise pollution. Maybe frequencies that are out of the normal human range can be used, but that narrows the amount of bandwidth the device can use to transmit/receive data with.

    • A while back, someone made a system that could go on a credit card that would play what sounded like a brief burst of static. This was used similar to a one-way car remote as a way to have a second authentication factor.

      Of course, this might work and needs no additional hardware other than an ADC and DAC that are fairly accurate.

      The downside is additional noise pollution. Maybe frequencies that are out of the normal human range can be used, but that narrows the amount of bandwidth the device can use to transmit/receive data with.

      Ideally, we should just move to NFC. Using sound is a lowest common denominator type of way to do authentication and key exchanges. It does work, but so does Kermit over a 300 baud modem... we have better protocols and technology at our disposal.

      Here's my idea: set the tone at a pitch that causes dogs to howl... then encode the information in the dog's howl (after calibration of course), not the original sound. Using a canine as a second factor sounds interesting to me....

  • So, it's sound? What's sound, to a computer? A pattern of bytes. What makes this pattern of bytes harder to duplicate/hack than any other pattern of bytes? If I'm following this right, you record a sound, and it's a file on your phone. Someone can steal that file if they could steal any other file. Even more, they can steal it easily when you use it, since the sound will be audible. Isn't this like having to speak your password out loud where anyone can hear it?

    If multiple people are using this in a crowded

  • gets About 7,290,000 results

    I think there is prior art.
  • ...and post on Facebook!

    G.

    (though it was more fun to light up the carrier detect indicator on old 300 baud modems this way)

  • Hi, my name is Werner Brandes. My voice is my passport. Verify Me.
