The old joke was that putting fingerprint readers on devices meant people would get their hands cut off, or at least they’d be drugged to use their hands without consent.

Of course we haven’t heard much about such “rubber hose” attacks, even as fingerprint readers have been put into practice everywhere on everything. The best real world threat so far, perhaps, has been “gummy bear” integrity attacks a decade ago.

A new research paper tries to bring sensor security back into focus by demonstrating a simple brute force method, which only seems to work on Android phones due to… Google’s infamously low security bar.

An attacker is meant to take a fingerprint database — given open research or centralized collection resulting in inevitable giant leaks — with about $20 in hardware, to quickly brute force any Android device.

Because fingerprints are generally low integrity to start with, researchers point out how they benefited from using a simple manipulation of “false acceptance rate” (FAR). That’s as bad as it sounds. Your safety depends on an adjustable acceptance rate of bad authentication. How many bad attempts would you like to treat as good ones? In addition, they mention how the serial peripheral interface (SPI) on Android can be compromised to leak fingerprints (while iOS by comparison reasonably encrypts the SPI).

When just one fingerprint is enrolled the researchers estimate 3-14 hours to brute force their way through. When more than one fingerprint is in the SPI, their estimate is only 1/2 to 3 hours to force a collision!

∀F(Fx ↔ Fy) → x=y

The big question becomes whether fingerprint gathering methods to produce a specialized database (e.g. things thrown into the trash by targets), instead of generalized prints, would reduce times even more dramatically. Then again with this 1/2 hour rating given $20 tools, why bother?

TRIGGER WARNING: This post has important ideas and may cause the reader to think deeply about the Sherman-like doctrine of property destruction to save lives. Those easily offended by concepts like human rights should perhaps instead read the American Edition.

Let us say, hypothetically, that Tesla tells everyone they want to improve safety while secretly they aim to make roads far less safe.

Here is further food for thought. Researchers have proven that AI developed under a pretense of safety improvement can easily be flipped to do the opposite and cause massive harms. They called their report “dual-use discovery”, as if any common tool like a chef knife or a hammer are “dual-use” when someone can figure out how to weapanize things. Is that really a second discovery, the only other use option… being that it’s the worst one?

According to The Verge, these researchers took AI models intended to predict toxicity, which is billed usually as a helpful risk prevention step, and then instead trained them to increase toxicity.

It took less than six hours for drug-developing AI to invent 40,000 potentially lethal molecules. Researchers put AI normally used to search for helpful drugs into a kind of “bad actor” mode to show how easily it could be abused at a biological arms control conference.

Potentially lethal. Theoretically dead.

The use-case dilemma of hacking “intelligence” (processed data) is a lot more complicated than the usual debate about how hunting rifles are different from military assault rifles, or that flame throwers have no practical purposes at all.

One reason it is more complicated is America generally has been desensitized to high fatality rates from harmful application of automation machines (e.g. after her IP was stolen the cotton engine service model — or ‘gin — went from being Caty Greene’s abolitionist invention to a bogus justification for expansion of slavery all the way to Civil War). Car crashes often are treated as “individual” decisions given unique risk conditions, rather than seen as a systemic failure of a society rotating around profit from criminalization of poverty.

Imagine asking things like what is the purpose of the data related to use of a tool, measuring how is it being operated/purposed, and can a systemic failure be proven by examining it from origin to application (e.g. lawn darts or the infamous “Audi pedal“)? Is there any proof of failsafe or safety?

Lots of logic puzzles come up in threat models, which most people are nowhere near prepared to answer at the tree let alone forest level… perhaps putting us all in immediate fire danger without much warning.

Despite complexity, such problems actually are increasingly easily expressed in real terms. Ten years ago when I talked about it, audiences didn’t seem to digest my warnings. Today, people right away understand exactly what I mean by a single algorithm that controls millions of cars all simultaneously turned into a geographically dispersed “bad actor” swarm.

Tesla.

Where is this notoriously bad actor with regard to transparency and even proof on such issues? Can they prove cars are not, and can not be, trained as a country-wide loitering munition to cause mass casualties?

What if their uniquely bad death tolls already mounting are a result of them since 2016 developing AI (ignoring, allowing, enabling or performing) such that their crashes have been increasing in volume, variety and velocity due to an organized intentional disregard for law and order?

ChatGPT, what do you think, given that Tesla now claims that you were its creation?