After I wrote an article on Bitdefender’s Hot for Security blog about whether your voice should be enough to unlock your Android phone, a number of people got in touch telling me that Hollywood definitively proved voice recognition security was a flawed idea 23 years ago!
Here, for your nostalgic pleasure, is a clip of Robert Redford in the 1992 movie “Sneakers”.
My suspicion is that something similar would probably work against Trusted Voice, the new “smart lock” being rolled out to some Android 5.0 Lollipop users. Perhaps without needing to carry a dictaphone around with you.
Okay, so now I have an admission to make.
Deep breath. Here goes…
I’ve never seen “Sneakers”.
Or “War Games”.
Or “Princess Bride” (although I understand there’s not much computer stuff in that).
Yeah, I know. Embarrassing. There go my geek credentials. I guess I better go see if they’re on Netflix.
I only saw “Top Gun” for the first time last year at my wife’s insistence (and boy! I can’t begin to tell you how hilarious that movie was… you should watch it again now with 21st century eyes.)
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
6 comments on “Robert Redford showed us in 1992 why you shouldn’t trust Android’s voice password”
Sneakers is in my all time top 10 movies – It was hilarious back then, even better now. Can't believe you've never seen it – Although, as with all movies the science bits were far fetched.
Yes, but *Tomcats*.
"My suspicion is that something similar would probably work against Trusted Voice"
It is – at least to me – ironic that Google would introduce such a thing, named in such a way, given that they're not exactly trustworthy – specifically, it is questionable whether much of what they claim/say/etc. can be trusted. Of course, they aren't the only entity that cannot be trusted (and I suppose no one can be trusted 100% of the time – I'm definitely not an exception) but they're certainly one with a large footprint, and one that has a phishy (not that I think they phish others, but semantics…) record.
Even assuming that the voice password could somehow stand such faking, it still has a huge weakness. It is the presence of a backup password registered in case of false rejection.
Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.
Sneakers is alright. The original Wargames is pretty good. One that I watched recently that I really enjoyed was Takedown, the film about Kevin Mitnick, though apparently he says it's quite inaccurate. The social engineering scenes are pretty good.
Blackhat was disappointing.
"though apparently he says it's quite inaccurate."
(Warning: somewhat long message – includes a quote of his as well as quite some facts of his years past [there's a lot!] … and I tend to write a lot anyway!)
Yes, well Mitnick has an affinity for SE (social engineering), doesn't he? Which means his main method is lying. It is his special and he admits it; he actually made a profit on a course that – upon completion – you would obtain a certificate of the art of BS. I don't think he offers that any more, but I do remember it at the time (I've just not bothered trying to find it on The Wayback Machine but this is not a made up story… if it wasn't for the way he has acted, I would wish this was made up!). That was after his second arrest and release (so sometime in or after 2001; he's lucky his arrests came before 9/11, isn't he ?). He tends to picture himself as someone he isn't (with a certain amount of irony in that he has stated that the government was trying to paint him as a fictional character). He is misunderstood, he didn't do anything wrong or otherwise he didn't do as much wrong as claimed (but certainly is wronged), it isn't his fault, and whatever else. But for a notorious hacker as he is sometimes called, it is rather interesting that:
1. The server of his corporation was rooted not once, but twice (for all I know it has happened since this time). I know this because it was publicised in an e-zine. I have it somewhere in an old archive. They also made public his excuse – it was the fault of his host and not his (question: why more than once ?). What with how he was able to evade (sort of) arrest for as long as he did, you'd think he would be able to run his own server, wouldn't you?
2. He has an affinity to SE above all else. Wonder why he doesn't run his own server(s). True, he succeeded in this, and he did hit rather well known corporations. True also that IT IS an effective tactic, but see the other points.
3. He was foolish enough to get in trouble with the law more than once. Of course it wasn't his fault. Funnily enough, he has comments about War Games and his treatment from the US federal government, which can be found here:
I like this quote a lot:
"Mitnick: That movie had a significant effect on my treatment by the federal government. I was held in solitary confinement for nearly a year because a prosecutor told a judge that if I got near a phone, I could dial up Norad and launch a nuclear missile. I never hacked into Norad. And when the prosecutor said that, I laughed — in open court. I thought, "This guy just burned all his credibility." But the court believed it. I think the movie convinced people that this stuff was real. They tried to make me into a fictional character."
It is rather ironic (as I gave a summary of earlier) that he puts it the way he seems to paint himself as (maybe not deliberately but he still does) – a fictional character – if you consider how he acts (or if nothing else, acted). He was in solitary confinement, he was denied access to evidence. Yes, it is true but yet it also shows him shifting blame. It was his fault for being in trouble with the law the first time, and it was also his fault the second time. He didn't learn. But of course it was the movie that affected his treatment, not his own actions (and not learning from the first time). Yes, the US government made an example of him in many ways, but he was asking for it. While being called the most notorious hacker (at least at the time) he was evading capture (or had). That is, until he was foolish enough to attack the wrong person; the name doesn't come to mind (I would recognise it if I saw/heard it), but after they were compromised, they decided to track him down, and they did. Well he should have learnt from his mistake the last time. No it wasn't fair treatment but given the circumstances of the time (some of this is vague enough where I don't feel it right to say specifics but I do remember it happening, at that time, absolutely; I also remember his time in prison and his treatment. 2600 magazine and the 'FREE KEVIN' movement comes to mind as rather significant parts), it isn't entirely surprising: he was evading capture (or did), it was his second time, and they wanted to make it more likely (however impossible it is) that others don't do the same and also to make him realise that he did not have impunity. He was lucky that he was only in prison for five years. That is quite light yet they were definitely making an example of him; everyone knew it then (FREE KEVIN! movement). Well he seemed to learn the second time but of course he isn't beyond making a profit where the government allows (there were some restrictions left, whether forever or not I don't recall).
In summary it is just like you can't believe someone who lives 'on screen' (so to speak). That isn't to say he lies about everything; I certainly wouldn't make that claim. But anyone who teaches and offers a certificate on the art of BS should – if nothing else – not expect to be believed in things about themselves (and since the content is about his arrest/etc., it is rather relevant).
Edit: Okay, fairly long was an understatement; it is a very long message.