
      How Huawei made a cutting-edge chip in China and surprised the US

      news.movim.eu / ArsTechnica · Thursday, 30 November, 2023 - 14:37


    In late 2020, Huawei was fighting for its survival as a mobile phone maker.

    A few months earlier, the Trump administration had hit the Chinese company with crippling sanctions, cutting it off from global semiconductor supply chains.

    The sanctions prevented anyone without a permit from making the chips Huawei designed, and the company was struggling to procure new chips to launch more advanced handsets.


      Brute-Forcing a Fingerprint Reader

      news.movim.eu / Schneier · Friday, 26 May, 2023 - 18:41 · 1 minute

    It’s neither hard nor expensive:

    Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only that an inputted image provides an acceptable approximation of an image in the fingerprint database. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.

    BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.

    In a BrutePrint attack, the adversary removes the back cover of the device and attaches the $15 circuit board that has the fingerprint database loaded in the flash storage. The adversary then must convert the database into a fingerprint dictionary that’s formatted to work with the specific sensor used by the targeted phone. The process uses a neural-style transfer when converting the database into the usable dictionary. This process increases the chances of a match.

    With the fingerprint dictionary in place, the adversary device is now in a position to input each entry into the targeted phone. Normally, a protection known as attempt limiting effectively locks a phone after a set number of failed login attempts are reached. BrutePrint can fully bypass this limit in the eight tested Android models, meaning the adversary device can try an infinite number of guesses. (On the two iPhones, the attack can expand the number of guesses to 15, three times higher than the five permitted.)

    The bypasses result from exploiting what the researchers said are two zero-day vulnerabilities in the smartphone fingerprint authentication framework of virtually all smartphones. The vulnerabilities—one known as CAMF (cancel-after-match fail) and the other MAL (match-after-lock)—result from logic bugs in the authentication framework. CAMF exploits invalidate the checksum of transmitted fingerprint data, and MAL exploits infer matching results through side-channel attacks.

    Depending on the model, the attack takes between 40 minutes and 14 hours.

    Also:

    The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.

    Other news articles. Research paper.

    Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker

    This data is sent without user consent, unencrypted, and even when using a Google-free #Android distribution. This is possible because proprietary Qualcomm #software that provides hardware support also sends the #data. #USA

      Huawei’s foldable is thinner, lighter, and has more battery than Samsung

      news.movim.eu / ArsTechnica · Tuesday, 28 March, 2023 - 21:56 · 1 minute


    Huawei is still making phones, even if the US-China trade war puts most of the stalwart Android component vendors in a complicated relationship with the Chinese tech company. Huawei's new phones are the flagship Huawei P60 Pro slab phone and a flagship foldable, the Huawei Mate X3.

    The trade war makes these phones unique in the world of Android. First, it has a Qualcomm chip, but Huawei isn't allowed to use the latest technology from Qualcomm, so the chip in both of these phones is the "Snapdragon 8+ Gen 1 4G Mobile Platform." Besides being last year's chip, this is a special, Huawei-only version of the chip that is branded as "4G." It has had the 5G bands stripped out of it—both mmWave and sub 6 GHz.

    The other oddity is the lack of Google Play apps internationally. Huawei isn't allowed to ship the Google apps due to the export ban. While that's normal in China (where Google Play isn't available), internationally it means the phone is missing standard Google apps like YouTube, Gmail, Google Maps, the Google Assistant, Docs, Search, Photos, and other apps that make Android a competitive consumer OS. Instead of the Google ecosystem, you'll be getting the OS with Huawei Mobile Services, which includes the Huawei AppGallery, Huawei Petal Maps, the Huawei Assistant (which appears just to be a search tool and some widgets, not a voice assistant), Huawei Pay, and Huawei apps for books, music, and video.

      Tech makers must provide repairs for up to 10 years under proposed EU law

      news.movim.eu / ArsTechnica · Thursday, 23 March, 2023 - 18:37

    Smartphone repairs could be required for up to five years, while other products, like washing machines, may require up to a decade of vendor repairs. (credit: Getty)

    Makers of numerous product categories, including TVs, vacuums, smartphones, and tablets, could be required to enable repairs for their products for up to 10 years after purchase, depending on the device type. The European Commission on Wednesday announced a proposal it has adopted that would implement long-term repair requirements on electronics makers, if the European Parliament and Council approve it.

    The regulation would apply to any devices with repairability requirements in the EU, including vacuum cleaners, washer-dryers, welding equipment, servers, and data-storage devices. The EU is currently hammering out right to repair requirements for smartphones and tablets.

    Already, the EU requires vendors to repair or replace products within two years of purchase for free if the product is defective. The new regulation would require companies to provide a free repair (instead of replacing the product) if doing so would be the same price or cheaper than replacing it.


      Ukraine Intercepting Russian Soldiers’ Cell Phone Calls

      news.movim.eu / Schneier · Tuesday, 20 December, 2022 - 23:04

    They’re using commercial phones, which go through the Ukrainian telecom network:

    “You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

    […]

    “Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

    “But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

    This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.


      Using Pupil Reflection in Smartphone Camera Selfies

      news.movim.eu / Schneier · Tuesday, 3 May, 2022 - 16:17

    Researchers are using the reflection of the smartphone in the pupils of faces taken as selfies to infer information about how the phone is being used:

    For now, the research is focusing on six different ways a user can hold a device like a smartphone: with both hands, just the left, or just the right in portrait mode, and the same options in horizontal mode.

    It’s not a lot of information, but it’s a start. (It’ll be a while before we can reproduce these results from Blade Runner.)

    Research paper.