
Sound-Based Device Authentication Has Many Possibilities (Video)

Posted by Roblimo
from the it's-so-secret-we-don't-even-want-the-government-to-know-about-it dept.
Imagine a short (audio) squawk, less than one second long, as a secure authentication method for cell phones or other mobile devices. A company called illiri has developed (and has a patent pending on) a method to do exactly that. The company is so new that its website has only been up for a month, and this interview is their first real public announcement of what they're up to. They envision data sent as sound as a way to facilitate social media, mobile payments (initially with Bitcoin), gaming, and secure logins. Couldn't it also be used for "rebel" communications, possibly by a group of insurgents who want to overthrow the Iranian theocracy? Or even by dissidents in Russia, the country our interviewee, illiri co-founder Vadim Sokolovsky, escaped from? (And yes, "escaped" is his word.) And, considering the way illiri hopes to profit from their work, should they think about open sourcing their work and making their money with services based on their software, along with selling private servers that run it, much the way Sourcefire does in its industry niche? Their APIs are already open, so moving entirely to open source is not a great mental leap for illiri's management. In any case: Is their idea worthwhile? Are there already ways to achieve the same results? Is illiri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living, if their software was open source? (Transcript included)

Vadim: I am Vadim Sokolovsky and I am one of the cofounders of Illiri, a company that provides technology for pairing mobile devices and connecting mobile devices to websites.

Robin: Okay, since I can do that without your program or anything special, why do I need Illiri?

Vadim: Well, of course, there are different technologies that exist on the market right now that allow you to pair devices, including NFC, Apple’s Airport, WiFi Intersense, Bluetooth; we use sound to initiate the connection. It is a very short modulated packet, less than a second long, that transmits a session ID from one device to another device. So it works cross platform, you don’t have to worry what device your counterpart is using. And it works with websites, of course. So you can actually connect to the website not through the computer itself but through the website servers and, let’s say, make a payment to the website from your phone or, let’s say, just straight from the website. In addition, this sound initiation allows us to exchange information during video Skype conferencing or any other type of conferencing, because this sound will go through their communication channel just like the human voice.

Robin: It is sound?

Vadim: It is just sound, yes.

Robin: Okay, so the privacy, the ability to stay private with this sounds fascinating, in light of current revelations that governments and such are all snooping on us, aside from the payments and at other places, is anybody talking about using this as a medical device to device security measure?

Vadim: We see a lot of applications for this technology; we didn’t particularly think about medical devices, but it is also possible. Any ad hoc connectivity can be provided by our product. So if you have two devices, and the idea of ad hoc, what’s important about ad hoc here is that you do have a lot of different software solutions that can pair devices if you know the phone number of another person, or if you know the email of another person. But this is pretty much the only solution right now that allows you to pair cross-platform devices when you don’t know anything about a person – you just met this person right now, in this bar, in the restaurant, at the conference, or you called a store via Skype, you don’t know who the person is, but with this you can transact with him.

Robin: Okay, so all they really need to do is to have it on their phone, I guess, or whatever device, and then all they have to do is go like this.

Vadim: Right. Robin, this is our demo application, right? It is not the product by itself. This is just a demo of what can be done with the technology. So one of the ideas is you can use this technology to exchange contact information. So we created a free demo product that is available for iPhone and it is available for Android – you can download it and play with it.

Robin: I have done so and I have been.

Vadim: Right, so, but this is just a demo product. So our plans include developing a digital wallet, probably using bitcoin for transactions. Essentially merging bitcoin technology with this would allow me to pay to you directly right now, let’s say, one bitcoin, or our Skype communication. When this product, when the program will be ready, but what you are looking at is just the CardXchange that allows you to exchange contact information. That’s pretty much what we are looking at, what you are looking at, CardXchange program. It is a technology demo.

Robin: Right. So all I am seeing is just the tiniest scrape of the surface, but there is way more behind it.

Vadim: Hopefully.

Robin: Hopefully.

Vadim: We hope that people will see the potential and will start developing applications.

Robin: Okay. We are talking with you. Your PR person, your person reached out to me, and I’d never heard of you, obviously, but what kind of marketing or sales or PR strategy are you using? How will people find out about you?

Vadim: Robin, we are releasing our first press release this week. And we are planning to participate in the conferences, we are planning to give interviews, we are planning to do presentations at user groups meetings at least in New York for sure originally both for Android and iOS and we will be trying to give people our product to our API to play with and to come up with ideas.

Robin: How are you pricing? How do people pay you for this?

Vadim: Well, what I am going to say might sound very strange. But right now, you got to understand we got paid API right, we are just free, completely free. But we also got servers, the server piece, because the sound is used only to initiate the connection. But the actual data transfer goes through standard HTTPS connection to our server. And the server is also free. The servers are free, all public servers are free, anybody can use them. But they don’t provide the whole picture.

So if you are a big company and you want to have your own private server, so that, let’s say, you are sure that this server is up 24/7, there are no problems with this, probably you want to create your own server, right? Then you can license a server from us. And the pricing greatly depends upon the licensing agreement, and I wouldn’t even want to throw in any numbers right now, because as you understand there is a huge difference between a small company that licenses its server for a small application, maybe a small gaming application, and the bigger company that licenses many servers to be deployed in the cloud for processing high volume data.

Robin: And also let’s face it, you are so new that you probably don’t have a good handle on your costs, yet in real life.

Vadim: That’s true enough.

Robin: And one question. You mentioned bitcoin. That’s great. What about the nearly six billion people on this planet including me who don’t use bitcoin? How about us? We can still work with money, right, real money?

Vadim: Yes, we, originally part of the idea was to develop a payment solution. Bitcoin of course came to our attention probably half a year ago. We have plans to develop what we call digital wallet using our technology, using payment providers such as probably Stripe, Dwolla, or PayPal, companies that provide payment of API using credit cards. But right now, we simply don’t have enough resources to implement both track protocols and bitcoin protocols so we decided to do a demo of a bitcoin wallet. Again what we are doing right now, we are investing money into a number of applications that we distribute for free to people just for them to try them and to give us feedback. We want to see people’s feedback. Yes, definitely it is very easy to write an app using this API to put in Stripe API key and then you will be able to pay using your credit card against Stripe or same thing with Dwolla, I am not sure about PayPal, but I am sure there is probably some sort of API.

Robin: Oh yeah, they have open APIs too. Yeah.

Vadim: So that is the idea, to have multiple applications using different providers that allow you to use exchange money. Bitcoin sounded to us a little bit more sexy and bit more cocky. There is also another thing. This is a new technology and bitcoin is a new technology, and we kind of thought that maybe coming up with just prototype/demo should involve something new.

Robin: And of course, today we are talking to the Slashdot audience, and Slashdot users are probably the biggest hotbed of bitcoin-ness on the planet so

Vadim: That sounds good.

Robin: So it dovetails. But here is another question. I am not sure in what order, but things are bubbling up. Now half of Africa is right now making all their payments and doing their banking with cell phones. They don’t have your product, they don’t have your servers, what about that? They are just doing it ad hoc. And they have been doing it for years.

Vadim: How do they do payments to each other?

Robin: I don’t know if they do, but they do.

Vadim: I am not sure if they do right now to each other, but yes again, the idea here is that you can deploy this API on the cheapest Android, we specifically bought Androids for $60 with virtual processors, tested the software and it works, so what I am saying is, anybody in Africa can set up a small store, get an Android tablet $60 and then they register. And now they can take turns they can get payments from other people, all the other people have to do is just click the button and they are paid.

Robin: And the other people have to have the phone, they have to have the phone to pay.

Vadim: Some kind of a phone, some kind of an Android phone, we tested the software on old iPhones and we did it on cheap Androids on purpose and it worked flawlessly.

Robin: Well in low cost parts of the world, they don’t have iPhones. They don’t.

Vadim: They don’t have iPhones today, but in another five years, they will have big iPhones, all their phones.

Robin: Again back on your pricing scheme, for the small person, you could use a little, the servers at no charge for low volume? How does that work?

Vadim: Well, without limitations we have our servers available for public but with a few limitations. Our public servers first of all don’t support secure transmissions, okay?

Robin: Oh?

Vadim: Okay. So no HTTPS, no SSL/TLS but it is a public server, you can use it for this.

Robin: Yeah.

Vadim: CardXchange of course. Don’t expect

Robin: I am asking... here I am and I want to overthrow the government of Badistan, the horrible country, and it is run by a Dr. Horror, it is a terrible regime. We need to have secure transmission back and forth. We are the revolutionaries, we are the good guys, and our flag is and we need secure transmission, you have the ability to provide that phone to phone, right?

Vadim: Yes, we support both secure and unsecure transmissions, but right now our public servers are simply not configured to accept secure connections. It is very simple for us, so the choice of this organization, if they want to overthrow a government, (I am not sure we want to be in this business) but nevertheless, they can call us and ask for a private server, and we will give them a quote, and maybe it will be a very small quote or maybe it will be free, because we also don’t like this government. Or we have some ideas about. But at least at this moment, our public servers do not support secure transactions.

Robin: I just think that if they did it would be wonderful, even if it was a small charge thing, that I could sign up and it was $25 a year or something, and then, I could, we could be having this conversation cell phone to cell phone as secure and the Badistan National Security Agency would have trouble listening in on us. They obviously can if they want to badly enough. But is it something that people are going to look at what you are doing, and think of that instantly.

Vadim: You know, Robin, I am going to promise you one thing, we will think about it, and probably we will change our policy, and maybe we will even change it within the next week. At this moment, our concern was with secure connections that it takes a much heavier load on the servers that really what you want to do in case of public servers serving secure connections, you want to establish so called SSL uploading servers, so there is a code in the code SSL connectivity and then they pass the information to some central server. So it would simply require a larger web front processor to deploy right now. Since we are in a very early stage for offering the product, we didn’t set up a large enough web front alright, right now, at this very moment. But we can probably add it and we probably should consider it adding it to the public server. Again, you can get our demo and get our private server you can run it locally on your machine, and it will support everything.

Robin: Okay, the only reason I was asking because I think there is a market for it. The serious people, I mean right now, there are Egyptians in the streets, and of course people doing this in Syria and other places....

Vadim: Don’t forget Russia.

Robin: [sarcasm] Well, I wasn’t going to say anything about Russia. Russia is a freedom loving country and our ally, isn’t it? [/sarcasm]

Vadim: To say a few words about public servers is that, so right now, we don’t provide secure connectivity to the public servers and we don’t provide so called web API for public servers. If you want to be able to connect your phone to the website, make payments to the website, or do any other stuff with the website itself, you need to have a private server. At least, that is our model right now. And again, we will besides public servers, also have dedicated servers which means we will install a server for you. Just a dedicated machine. Which will be dedicated only to your company, and it will be serving only your company and it will have all the features. It will have security, it will have web connectivity, it is really your machine.

Robin: Okay, so basically your thing is sound verification, right, sound identification, using the sound. Which is very smart. But can’t somebody else go out and do the same thing, now that we know it could be done?

Vadim: I think that there is always a person who can do whatever the other person did. Definitely it is possible. And it is possible just because you see it working so it means somebody else can do it, and somebody else can probably do it even better. I am not going to claim here that it is not possible. However, we spent a large amount of time, devising algorithms for recognizing sound, it was quite a challenging job, because it is a very short sound stage, less than a second, and you have to decode it, and you have to detect it and decode it within less than a second as well.

Robin: Without a lot of processor power?

Vadim: Right, so I am talking about very efficient code and some algorithms to detect this sound. The problem is that air is a very noisy medium. I am talking about the way they use radios, or they use in cell phones, it is still electricity, there is reasonably less noise there. With air, there is a lot of noise; there can be a song going in the background, using the same frequencies, and you have to be able to detect the sound through this and decode it. So it was complex. We did firewalls patterns for it, but again if you ask me a question: Can somebody else do it? The answer is definitely yes, given time and resources. It can be .

Robin: But you have a patent pending situation here right now?

Vadim: Right. But of course somebody with resources and desire can devise a different algorithm.

Robin: Of course, but why in a way, why don’t you just open source it and then sell the servers, as you are doing anyway, the world’s masters, I mean this is how Red Hat works, and they are a billion dollar company, it is being done. SugarCRM there is a whole bunch of security companies and so why not?

Vadim: It is something we are considering and we are still considering. The problem right now is that we don’t have really enough resources, you have to understand we are talking about a lot of different pieces of software - you have Android code, you have iOS code, you have client side sound recognition code, and you have server code, so we have four distinct code bases, concerns that by open sourcing it, you see, you will have some people working on iOS and some people working on Android and at some point, the code can just go apart and this is some concern of ours with it was, and we want to be able to have control at least at the original implementation so it is done clearly and it is done the same way across all of products.

Robin: Then you become -- even it is open source, you become the standards keeper, you see... that’s what you have, your code must be approved by us, to work with our servers, or to work with our public servers or our private servers in the rest of the system, so you can open source it safely, I believe, you know, from a business standpoint, because you have standards control.

Vadim: I understand. Again we just released the product pretty much a month ago, and we are considering multiple options right now including what you are saying, go in open source.

Robin: Are people using it?

Vadim: We got some downloads, we didn’t do any advertisement yet, we are planning to start advertisement in fall, so at this point, we have a small number of beta testers that play with the product, plus we are trying to release as I said bitcoin wallet.

Robin: Okay. So anybody who is seeing this now, they can download, they can start messing with it, and I think to bitcoin people especially in dense population areas in San Francisco and New York I think they are going to jump on this, don’t you?

Vadim: We hope so.

  • by HeckRuler (1369601) on Tuesday July 23, 2013 @03:40PM (#44364335)

    I think it's interesting how many alarm bells this post sets off in my head.

    First off, it's a long format Slashdot article, and it's not an "ask slashdot" nor a book review. Slashdot TV? is that still a thing? Why are they selling this company?
    It reads like an ad and uses the language thereof: "Imagine", "envision", "a way to facilitate", "Initially with Bitcoin",
    And.... is that trying to spin the shoddy website as a good thing?
    And the format of the video and interview is also just... cheap.

    Is their idea worthwhile? Are there already ways to achieve the same results? Is illiri's way enough better than existing mobile device security systems that it's worth exploring? And would it be better, not just for the world in general, but as a way to help illiri's founders make a living if their software was open source?

    See Betteridge's law of headlines.

    Then there's the obvious problem with the basic fundamental gimmick: Anyone with a recorder nearby now has your password. The thing about secrets that are supposed to stay between you and the authenticator is that the transfer point is REALLY important. PIN numbers, passwords and all that jazz are a pain in the ass, but a noise? Anyone with an audio recorder now has your password. If you can put a device up next to their mic, then there are much more secure ways to have your device hand it some information.

    This is just so.... so... this is a joke right? Some sort of meta-humor on slashdot?
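Added example, not illiri's code and not code from the interview or the comment above: a self-contained model of what Vadim describes (a sub-second modulated sound that carries only a session ID, with the real data going to a server over HTTPS), built so that the recording concern HeckRuler raises can be tested directly. illiri's actual modulation and server behaviour are not described on the page, so the binary FSK scheme decoded per bit with the Goertzel algorithm, the constructed background noise, and the in-memory `RendezvousServer` with its single-use, expiring tokens are all this example's own assumptions; the HTTPS transport is left out because only the token hand-off is at issue.

```python
"""Acoustic hand-off of a one-time session token (illustrative model only).
Assumed design: the sound carries a fresh, unguessable token; the server
treats that token as a single-use, short-lived handle to a pending session."""
import math
import random
import secrets
import time

SAMPLE_RATE = 8000               # samples per second
BIT_SECONDS = 0.01               # 10 ms per bit: 6 bytes -> 0.48 s of audio
F_ZERO, F_ONE = 1200.0, 2200.0   # whole cycles per bit at these settings
TOKEN_BYTES = 6
SAMPLES_PER_BIT = int(SAMPLE_RATE * BIT_SECONDS)


def modulate(data: bytes) -> list:
    """Binary FSK: each bit becomes one 10 ms tone at F_ZERO or F_ONE, MSB first."""
    out = []
    for byte in data:
        for i in range(7, -1, -1):
            freq = F_ONE if (byte >> i) & 1 else F_ZERO
            out.extend(math.sin(2 * math.pi * freq * k / SAMPLE_RATE)
                       for k in range(SAMPLES_PER_BIT))
    return out


def goertzel_power(chunk, freq: float) -> float:
    """Energy of `chunk` at the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(chunk)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in chunk:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> bytes:
    """Decide each bit by which of the two tones carries more energy."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        bits.append(int(goertzel_power(chunk, F_ONE) > goertzel_power(chunk, F_ZERO)))
    data = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        data.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(data)


def add_background(samples, seed: int = 1) -> list:
    """Constructed interference: a 440 Hz 'song in the background' plus room noise."""
    rng = random.Random(seed)
    return [x + 0.5 * math.sin(2 * math.pi * 440.0 * k / SAMPLE_RATE)
            + rng.uniform(-0.3, 0.3) for k, x in enumerate(samples)]


class RendezvousServer:
    """Hypothetical server side. The token only names a pending session;
    pop() makes it single-use and the TTL makes it short-lived."""

    def __init__(self, ttl_seconds: float = 30.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}

    def open_session(self, initiator: str) -> bytes:
        token = secrets.token_bytes(TOKEN_BYTES)    # fresh and unguessable
        self._pending[token] = (initiator, self.clock())
        return token

    def claim(self, token: bytes, responder: str):
        """Return (initiator, responder) on success, None if unknown, used or expired."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        initiator, created = entry
        if self.clock() - created > self.ttl:
            return None
        return (initiator, responder)


def pairing_demo(clock=time.monotonic):
    """Alice's phone plays the token; Bob's phone decodes it and claims the
    session; Eve, who recorded the same squawk, replays it afterwards."""
    server = RendezvousServer(clock=clock)
    token = server.open_session("alice-phone")
    heard = add_background(modulate(token))         # what every mic in the room hears
    recovered = demodulate(heard)
    bob = server.claim(recovered, "bob-phone")
    eve = server.claim(recovered, "eve-recorder")   # replay of the recording
    return recovered == token, bob, eve


if __name__ == "__main__":
    print(pairing_demo())
```

What this shows: the bits survive the background tone and noise because the decoder only measures energy at the two signalling frequencies, and the replayed recording fails because the token was consumed by the first claim. The caveat a practitioner should keep from the comment is that single-use plus expiry defeats replay after the fact but not a race: a bystander with a faster uplink than Bob can claim the session first, so the server should additionally have the initiating device confirm who it wants to pair with before any data flows.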
