Software developer, cyclist, photographer, hiker, reader.I work for the Library of Congress but all opinions are my own.Email: chris@improbable.org
13060 stories
·
126 followers

Talos Blog || Cisco Talos Intelligence Group

1 Share

Phone, computer fingerprint scanners can be defeated with 3-D printing


By Paul Rascagneres and Vitor Ventura.


Executive summary

Passwords are the traditional authentication methods for computers and networks. But passwords can be stolen. Biometric authentication seems the perfect solution for that problem. There are several kinds of biometric authentication, including retina scanning, facial recognition and fingerprint authentication, the most common one. Everyone's fingerprints are unique, and it is commonly accepted that they can identify a person without being reproduced.


Technological evolution expanded fingerprint authentication to all kinds of devices, from laptops to mobile phones, to padlocks and encrypted USB drives. Fingerprint authentication became commonly available on phones with the launch of Apple TouchID in the iPhone 5 in 2013. That technology was bypassed shortly after being released. Since then, the technology evolved into three main kinds of sensors: optic, capacitance and ultrasonic.


Our tests showed that — on average — we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking. The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.


We developed three threat models use cases to match real world scenarios. As a result the reader should compare the result to a home security system. If you want it to stop well funded actors like national security agencies from spying on your house, this may not provide enough resistance to be effective. For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication.



These results together with the recent leaks concerning a

biometric company

and the recent

issue

with the sensor used by Samsung on the Galaxy S10 smartphone, the understanding of this technology and the impact of fingerprint (or more generally biometric) data leaks raised some questions. As 3-D printing has evolved and a home resin printer has a resolution in micron. Can the average person create a fake fingerprint collected from glass using a 3-D printer? Or does it need to be a government agency? And can it be done while a user is at the border checkpoint?


We translated these questions into three main goals:


  • What are the security improvements in fingerprint scanning since it was first defeated on the iPhone 5?
  • How does 3-D printing technology impact fingerprint authentication?
  • Define a threat model to the attacks to provide a realistic context.

We tested different brands and models of devices. To determine the threat model, we imposed budgetary restrictions, with the assumption that if it can be done on a low budget, it can be done by state-sponsored actors.


The complexity of the process was also important to define the threat model. We wanted to know how hard it would be for the common user to reproduce our results.


The third component of the threat model was the collection technique. We defined three collection techniques, each one associated with a threat model that includes its own characteristics. Some of them have the added complexity of acquiring the enrolled fingerprint, as most users won't use more than one finger.



What's new?

3-D printing technologies made it possible for anyone to create fake fingerprints. But not only that it also made it possible, with the right resources, to be done at scale. Moreover, with the democratization of the usage of fingerprint authentication, the impact of biometric data copies is even bigger than in the past. We applied our threat models to mobile phones, laptops, padlocks and USB pen drives.



How did it work?

We created copies using three different methods, which were defined according to the defined threat profiles. A mold was created using a 3-D printer, which was then used to recreate the fingerprint with textile glue.



So what?

Fingerprint authentication is now in common usage, on all kinds of devices. However, its reliability is not the same on all devices. Organizations need to be aware that the security of fingerprint authentication is not secure, despite common assumptions. This means that depending on the threat profile of each user, it may not be advisable to use it. In reality, some companies have the same reliability as they had six years ago. This means that with the advances of technologies like 3-D printing, it's now even easier to defeat them.


A video of presentation of this research.



State-of-the-art

Attackers exploited fingerprint authentication several times in the past, which lead to advances in sensor technology. Apple's TouchID was first publicly broken in 2013. A researcher called "Starbug" first demonstrated this technique on the iPhone 5s during the

Chaos Computer Club conference

. More recently, Samsung's flagship

mobile phone, the S10

, was inadvertently broken by a user when she was using a silicon cover. Samsung eventually fixed this problem with a software update. During the

Geekpwn 2019

Cybersecurity competition, the X-Lab security research team from Tencent broke the fingerprint authentication from three different phones, but no details about the research were provided. However, according to a

Forbes

article, the team took a picture of a fingerprint on a glass and created a fake fingerprint. This whole process took 20 minutes and, according to the team leader, the hardware costs around 200 euros. However, the process is a black box and isn't documented.



Concept

Fingerprint authentication design

A fingerprint authentication can be divided in two steps. The first step is the capture, in which the sensor generates an image of the fingerprint. The second step is the analysis and comparison of the generated images. This task can be done by the sensor itself, for example, in embedded and autonomous devices such as a door lock, or it can be done by the Operating System. For example, on Microsoft Windows, the comparison is performed by "Windows Hello." The OS asks the sensor to capture the data and this data is forwarded to the OS with the

ANSI INCITS 378-2004

format created by NIST. The OS does the comparison and chooses whether to approve the connection to the system. The comparison algorithm must include a certain level of tolerance. If the fingerprint is slightly altered, for example with a small cut-off, the authentication must work. The thresholds are not public, so some editors are more tolerant than others. The weakness can be found in the first and second steps.



Type of sensor

In our tests, we found three main types of sensors: capacitive, optical and ultrasonic. Different sensors react differently to different materials and collection techniques. Most of the sensors are developed by third-party companies and then integrated into the device. The only exception is Apple, which builds its own sensors after acquiring company

AuthenTec

in 2012.


The most common type of sensor is the capacitive, while some are active or passive.


Capacitive fingerprint sensor

In simple terms, capacitive sensors use the body's natural capacitance to read the fingerprints. The ridges in touch with the reader will create a natural capacitor which will be detected by the sensor. Oppositely, the valleys will be too far away from the reader to create a natural capacitor.


Active capacitive fingerprint sensor

The active capacitive sensors don't rely on the natural capacitance alone, they will inject a small signal that travels through the finger and finally reaches the sensor through the touch of the fingerprint ridges.


Optical fingerprint sensor

Optical fingerprint sensors actually read the image of the fingerprint. In this type of sensor, there is a light source that will illuminate the ridges in contact with the sensor. An image sensor reads these through a prism.


Ultrasonic sensors

Ultrasonic sensors types are the newest. Their usage is mainly on devices that have on-screen sensors. In these cases, the sensor emits an ultrasonic pulse whose echo will be read by the sensor. Ridges and valleys will have different echoes allowing the sensor to create a pseudo-image from a fingerprint.


On average, the ultrasonic sensor seems to be least reliable, as these gave us better success rates. Goodix is one of the main vendors of the display optical sensor. Qualcomm developed the ultrasonic sensor for the Samsung S10 and Synaptics developed the majority of the capacitive sensors we tested.



Creation based on threat scenarios

Our process consists of two main stages: collection and creation. In the collection stage, we collected the targeted fingerprint and created a mold (see limitations section). The mold is used to cast the fake fingerprint by using different materials depending on our context.


The first step is to collect the fingerprint. In the collection techniques section, we will explain the different methods we tried. Each method matches a specific context and a specific threat model.


  1. Direct collection: This method represents an attack scenario where the victim is either unconscious or in a state where he doesn't have full control over their own actions (ex. drunk). In this case, a mold is made in a soft material directly on the victim, which is then hardened. It is also used as our control method. In this method, the attacker could collect all the fingerprints or could observe the target to collect the enrolled one.
  2. Fingerprint sensor: This method represents a collection made at the border/customs at the airport or by a private security company with a fingerprint reader. Most borders/customs collect all fingerprints, which would eliminate this problem.
  3. Third-party approach: In this scenario, the collection is done via a third-party object. It can be a glass, a bottle, etc. by taking a picture of the object. The concept is that an attacker will collect the fingerprint from the victim, and afterward prepare the fake fingerprint. In this approach, having the enrolled finger might be a problem since the attacker does not control the source of the collection. However, a fingerprint mold can be created from several pieces of the same finger.

The second step is to create a mold based on the previously collected information. This is no easy task, as we will explain in detail in the limitations section. We used a 3-D printer to create the molds. The precision of a domestic UV LED printer is 25 microns. The dermal fingerprint ridges are ~500 microns wide and 20-50 microns deep. The resolution of the printer fits perfectly our needs. The last step is to cast the fingerprint. We tried a lot of different materials, the most relevant were silicon and fabric glue.


Here's an example of the materials we used for the molds, using infamous gangster Al Capone's publicly available fingerprints as an example.



Fake fingerprint creation

The different collection techniques

Direct Collection

The first approach is the "direct collection" approach. The purpose is to use the real finger to create a negative (aka a mold) of the fingerprint. For this technique, we use Plastiline, a clay used by sculptors. The advantage of this clay is the fact that it is hard on standard temperature and it becomes soft and even liquid if the temperature is high enough. In our case, we have heated the clay with a hot air blower to soften it and allow a fingerprint imprint.


Creating a mold using Plastiline


Fingerprint sensor approach — Low-cost fingerprint reader to obtain a BMP

The second approach we took is to get a bitmap image from a fingerprint reader. For the test we used a low-cost UART sensor connected to an Arduino UNO (or a CP2102 USB to TTL convertor).


You can use

SYNODemo

application to perform this task. Here is a screenshot of the application:


The fingerprint can be downloaded by the software or our script. The image is a 256x288 pixel bitmap.



Third-party approach — High-resolution picture to obtain a raw image

The last approach we took consisted of taking a picture of a fingerprint on glass. Here is an example:


To increase the contrast on the ridges, we used graphite powder with a brush:


We do not want to leak fingerprints of our researchers, so we used a palm on a glass as an illustration.



Fingerprint collection optimization

Photo optimization

The pictures were not directly actionable. We discovered two issues depending on the collection methodology.


In the fingerprint sensor approach, we discovered that the obtained picture is too small for several sensors such as the Samsung S10 sensor. In this case, we need to merge a couple of pictures to have a larger picture. Here is an example using Al Capone's fingerprint from the

FBI database

.


In the glass approach, we needed to apply a couple of filters in order to increase the contrast and optimize the lines. The 3-D software works on alpha (shades of grey):



3-D enhancement

The 3-D design is created with a 3-D digital sculpting software (ex. ZBrush). We used the black and white image as an Alpha brush in order to extrude the fingerprint from an oval blank mold:


The size of the mold is 32x24mm. You can see the picture and the 3-D object.



The different replication techniques

3D printing the mold — Tested 0.025 mm and 0.05 mm precision in our molds

During our test, our biggest constraint was the size of the mold. The fake fingerprint needs to have an exact size. However, the models designed with ZBrush do not have a size option. So we had to play a lot with the object size during the creation. One percent too small or too large and the fake fingerprint did not work. In addition to this issue, the resin used by a 3-D printer needs to be cured after the printing. The curing is mandatory to make the object solid and remove the toxicity of the resin. The cure is performed in a UV chamber over a few minutes. We discovered that this process generates retraction and the mold's size varied depending on the curing time. The same behavior occurs if we expose the mold directly to sunlight. Due to this parameter, we need to print more than 50 molds, create a fake fingerprint with them and compare the results and sizes with a fingerprint sensor in order to have a valid mold and, by consequence, a valid fake fingerprint.


Picture of molds after printing:


The next step is UV Curing. Out of the printer, the object is not hard enough and toxic. We used a UV chamber for three minutes to make it solid and remove the toxicity of the final mold:


Here's a picture of all the attempts and the fake fingerprint before we made an exploitable object:


During our test, we obtained better results with a 25-micron resolution printing. However, the printing time was longer: one hour per mold. With a 50-micron resolution printing, the time is halved.


As explained in the limitation section, the size of the mold was our biggest challenge during this research and the most time consuming, more than 50 molds were created during this project. This is one of the reasons it is complicated to reproduce the mold creation on demand.



Different filling materials

During our tests, it became clear that the material used is a determining factor depending on the kind of sensor, especially when comparing sonic with capacitive sensors. To increase our success rate, we used silicon and different kinds of glue, mixed with conductive (graphite and aluminum) powder.


The two main constraints are resolution and conductivity for capacitive sensors.


Indeed, the definition of the fingerprint is crucial as we have shown above. Achieving a good resolution depends on two parameters: the collection method and the material used to create the replica. While creating the cloned fingerprints we discovered that fabric glue allows better definition than silicone.


One of the challenges in the capacitive sensors, especially the active kind, is to ensure that there is a certain amount of conductivity in the fingerprint. The silicon is insulating so it's impossible to use on capacitive sensors. However, thin fabric glue with a real finger behind is conductive enough to enable the sensor.


Finally, the silicon is good enough for the tested sonic sensor but the best global choice in our research is a low-cost fabric glue:



The tested platforms



Mobile devices

Mobile phones have been the biggest motivator for the evolution of fingerprint authentication. These are the devices that have more variety of sensors. In fact, the development of the ultrasonic sensors was due to the need of having in-display sensors on mobile phones. This is also the reason why optical sensors are being used on recent devices.


Our fake fingerprints didn't work on the Samsung A70, however, even with a real fingerprint, the authentication rate was way lower than on the other devices. These devices were also the targets of some of the first research into fingerprint authentication, which should give this platform more maturity in the technology. However, the results show that mobile phone fingerprint authentication has weakened compared to when it was first broken in 2013.


We also discovered that there is a lack of a clear advantage between the different types of sensors.



Laptops

Contrary to mobile devices, we found a clear advantage from one platform to the other on the laptops we tested. We had no success against the Windows Hello framework, which is only available on Windows 10. We tested five different Windows platforms and the results were all the same. As a control, we tested the same clone on the MacBook Pro and we got the same 95 percent unlocked success rate. The reason for the better and recurrent results from the Windows platforms is the fact that on all platforms the comparison algorithm resides on the OS, thus is shared among all platforms.



Other devices

We also tested smart devices: a padlock and two USB-encrypted pen drives.


The fingerprint sensor of this padlock is a capacitive one that requires a conductive fingerprint. The results showed that it can be bypassed with a success rate similar to the previously tested devices.


For the USB devices, we tested two, a Verbatim Fingerprint Secure and a Lexar Jumpdrive Fingerprint F35.


USB drives tested

In both cases we were not able to bypass the fingerprint authentication. All attempts returned a wrong reading. As a control during these tests we used the same fake fingerprint on a MacbookPro which confirmed a success rate of 95 percent.



Integrated tests and results

The orange lines are the percent of success with the direct collection method, the blue lines with the image sensor method and finally the yellow line with the picture on the third party method.


The percent is calculated based on 20 attempts for each device with the best fake fingerprint we were able to create.


The USB keys — Verbatim and Lexar — were only tested via the direct collection method. Since this was the most effective collection method, and it never worked, there was no value added in testing the other two methods.



Limitations and mitigations

We would like to reinforce that this is an intentionally low-budget project.


We did not have any limitations for the direct collection approach. The mitigations mentioned here only concern the approach using 3-D printing (sensor picture and picture on a glass).


Our first approach was to use a 3-D printer to directly create a fake fingerprint. This did not work out, mainly due to resin-related problems. Although the definition of the printer was good enough, the printed results were fragile, non-conductive and were too rigid. These problems may be solved with alternative resins.


The alternative was to create a 3-D printed mold that would then be used to create the fake fingerprint using different materials.


During our research we discovered a few limitations. The biggest one is the size of the mold. To create a good fingerprint, the mold must have the same dimensions as expected by the fingerprint recognition system: 0.5mm too big or too small and the mold is not usable.


There is no direct mapping from the size of a digitized object to the size of a real-world object. This became a problem for us when we printed our digital representation of the mold. We also didn't have a high-resolution microscope that would allow us to measure micron-based distances. The mitigation for this problem could be a software that can scale the digital size into the 3-D printing sizes, ensuring micron-based accuracy, would solve this problem.


As explained previously, direct exposure to UV altered the size of the object, due to resin contraction. During our research, we had to create more than 50 molds to get the exact size, which cost us weeks of work. For each fake fingerprint, tests on a real sensor were necessary to confirm the exact size. A resin mold (or more precisely the selected resin) is not the best choice and alternative material with no retraction constraint would be better to create a mold.


Finally, the devices running Microsoft Windows 10 (and using Windows Hello) posed us real difficulties no matter the brand of the device. Our approach did not work. From our research, the authentication and the fingerprint comparison is performed by the operating system following the "

Biometric Devices Design Guide

." All our attempts failed.


The best mitigation for the manufacturers is to limit the number of attempts. For example, Apple limits users to five attempts before asking for the PIN on the device. The number of attempts was quickly reached during our tests. Samsung implemented the same mitigation but the users must wait 30 seconds after five failed attempts and we can do that 10 times, making the final number of attempts 50, which is too high for proper security. We tested the fingerprint scanner on the Honor device more than 70 times so we assume you could do this an unlimited number of times. We have the same behaviour on the tested padlock where we do not reach any attempts limit.



Conclusion

We started this project with a couple of goals in mind:


  • What are the security improvements since it was first broken on the iPhone 5?
  • How does the 3-D printing technology impact fingerprint authentication?
  • Define a threat model for the attacks to provide a realistic context.

Clearly, our results show that fingerprint technology has not evolved enough to be generally considered safe for all the proposed threat models. Think about this like a home security system. If you want it to stop secret agencies from spying on your house, it won't work. But if you want to stop petty crime, it's good enough. For a regular user, fingerprint authentication the advantages are obvious and should be used. However, if the user is a more high-profile user or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication.


We defined the threat models starting from the collection methods. The creation process is time-consuming and complex. We had to create more than 50 molds and test it manually. It took months. Once we created an accurate mold, the fake fingerprint creation was easy. Today, by using our methodology and our budget it is not possible to create a fingerprint copy on-demand and quickly.


We did not find an ultimate approach that would allow us to bypass all fingerprint sensors. For example, we were not able to bypass sensors managed by Microsoft Windows and "Windows Hello." More research is needed to understand exactly why. However, we were able to create fake fingerprints that bypassed a large number of fingerprint authentication on phones, laptops and padlocks.


The 3-D printing technology definitely has an impact on fingerprint authentication. Using alternative materials and different resins with less retraction, along with specialized software to ensure the correct scaling and printing, would contribute highly to a massification of the fingerprint cloning process. In addition, it would also allow fingerprint cloning on a large scale for whoever has the biometric databases. The usage of high-end tools like electronic microscopes to measure micron-based differences in the fingerprint, or high-precision laser engraving tools can also contribute to great improvements in the whole process. These kinds of tools put the threat model back into highly funded and motivated teams, rather than the average person.


Finally, it is important to reinforce that, just because we had no success defeating the Windows platform and the USB pen drives, that does not mean they are necessarily safer. An even more special case is the Samsung A70, which according to our tests, fails a lot with real fingerprints. We estimate that with a larger budget, more resources and a team dedicated to this task, it is possible to bypass these systems, too.



Read the whole story
Share this story
Delete

What you need to know about Twitter on Firefox

1 Share

Yesterday Twitter announced that for Firefox users data such as direct messages (DMs) might be left sitting on their computers even if they logged out. In this post I’ll try to help sort out what’s going on here.

First, it’s important to understand the risk: what we’re talking about is “cached” data. All web browsers store local copies of data they get from servers so that they can avoid downloading the same data over the internet repeatedly. This makes a huge performance difference because websites are full of large files that change infrequently. Ordinarily this is what you want, but if you share a computer with other people, then they might be able to see that cached data, even if you have logged out of Twitter. It’s important to know that this data is just stored locally, so if you don’t share a computer this isn’t a problem for you. If you do share a computer, you can make sure all of your Twitter data is deleted by following the instructions here. If you do nothing, the data will be automatically deleted after 7 days the next time you run Firefox.

Second, why is this just Firefox? The technical details are complicated but the high level is pretty simple: caching is complicated and each browser behaves somewhat differently; with the particular way that Twitter had their site set up, Chrome, Safari, and Edge don’t cache this data but Firefox will. It’s not that we’re right and they’re wrong. It’s just a normal difference in browser behavior. There is a standard way to ensure that data isn’t cached, but until recently Twitter didn’t use it, so they were just dependent on non-standard behavior on some browsers.

As a software developer myself, I know that this kind of thing is easy to do: the web is complicated and it’s hard to know everything about it. However, it’s also a good reminder of how important it is to have web standards rather than just relying on whatever one particular browser happens to do.

The post What you need to know about Twitter on Firefox appeared first on The Mozilla Blog.

Read the whole story
Share this story
Delete

Why Has Germany Been Effective at Limiting Covid-19 Deaths?

2 Comments and 7 Shares

As I’m writing this, according to Johns Hopkins’ Covid-19 tracker, Germany has recorded 100,186 confirmed cases of Covid-19 (fourth most in the world) and 1590 deaths — that’s a death rate of about 1.6%. Compare that to Italy (12.3%), China (4%), the US (2.9%), and even South Korea (1.8%) and you start to wonder how they’re doing it. This article from the NY Times details why the death rate is so low in Germany.

Another explanation for the low fatality rate is that Germany has been testing far more people than most nations. That means it catches more people with few or no symptoms, increasing the number of known cases, but not the number of fatalities.

“That automatically lowers the death rate on paper,” said Professor Kräusslich.

But there are also significant medical factors that have kept the number of deaths in Germany relatively low, epidemiologists and virologists say, chief among them early and widespread testing and treatment, plenty of intensive care beds and a trusted government whose social distancing guidelines are widely observed.

This article is a real punch in the gut if you’re an American. Obviously there are bureaucracies and inefficiencies in Germany like anywhere else, but it really seems like they listened to the experts and did what a government is supposed to do for its people before a disaster struck.

“Maybe our biggest strength in Germany,” said Professor Kräusslich, “is the rational decision-making at the highest level of government combined with the trust the government enjoys in the population.”

This whole crisis is really laying bare many of the worst aspects of American society — it’s increasingly obvious that the United States resembles a failed state in many ways. I can’t be the only American whose response to the pandemic is to think seriously about moving to a country with a functioning government, good healthcare for everyone, and a real social safety net.

Tags: COVID-19   Germany   medicine   politics   science   USA
Read the whole story
CallMeWilliam
2 days ago
reply
If Warren were magically President for the past 3 years, C19 may well've been stopped before it was a global pandemic.
diannemharris
2 days ago
reply
Share this story
Delete
1 public comment
DMack
2 days ago
reply
the idea of american voters moving here makes me nervous
Victoria, BC
mxm23
6 hours ago
Let's build that wall. On the 49th.

Almost a Third of Young People Have Lost Their Jobs So Far

2 Shares

Emilio Romero, 23, has mixed feelings about losing his job. It’s a major financial setback, but with two previous hospitalizations for pneumonia, a restaurant was not the safest place for the recent college graduate as the COVID-19 pandemic mushroomed.

“Working in a restaurant, there’s obviously exposure to a lot of people and dirty plates,” Romero said. “Even before I was officially laid off, I was getting pretty nervous about the way everything was playing out, for my own safety.”

Romero worked his last shift as a restaurant host in San Diego’s Little Italy on March 16, the same day San Diego County officials ordered all restaurants to switch to takeout and delivery only. Since then, COVID-19 cases in California have risen more than twentyfold, from 598 to 11,986 as of Friday afternoon. If his restaurant asked him back tomorrow, Romero said, he wouldn’t risk it.

Yet he worries about his bank balance, which is barely sufficient to cover one month’s rent and expenses.

He’s considering asking his landlord whether he can break his lease to move back in with his parents. But he hopes a government check from the recently passed $2 trillion stimulus package will allow him to stay put as he continues to study for his real estate license—though it’s another industry jeopardized by the virus-driven economic downturn.

As measures to slow the pandemic decimate jobs and threaten to plunge the economy into a deep recession, young adults such as Romero are disproportionately affected. An Axios-Harris survey conducted through March 30 showed that 31 percent of respondents ages 18 to 34 had either been laid off or put on temporary leave because of the outbreak, compared with 22 percent of those 35 to 49 and 15 percent of those 50 to 64.

John Gerzema, CEO of the Harris Poll, said it was important to note that the latest survey data do not factor in the doubling of U.S. jobless claims to over 6.6 million in the past week. That number “would suggest further pain and dislocation to 18-34 year olds,” he said.

But the economic fears of many young people, even ones with uncomplicated medical histories, are increasingly counterbalanced by health worries as they grow more aware of the risks of COVID-19. After hearing for months that it threatens primarily seniors and people with chronic diseases, they are now seeing how it imperils their own age group, with consequences such as lung failure.

“It’s natural that as we learn more, it’ll become clear that there are substantial costs for young people, even if the risks are, in fact, much greater for the elderly,” said Jeffrey Clemens, a health and labor economist at the University of California-San Diego. “Whether people want to work depends in part on other qualities of the job, one of which is whether it comes with serious health, physical or other risks.”

Despite the harsh economic impact, “epidemiologists and economists agree that the isolation is necessary, at least for a short period of time, both to avoid the big spike and to have the number of cases go down ideally to low-enough levels,” said Philip Oreopoulos, a labor economist at the University of Toronto and researcher for the Cambridge, Massachusetts-based National Bureau of Economic Research.

However, long-term unemployment and lower wages, associated with entering the workforce during a prolonged down economy, also carry health risks, including higher mortality, said Oreopoulos, who co-authored a paper on recessions and wages.

“That’s the part that gets me restless at night.”

A recent study of the recession of the early 1980s shows that people who entered the labor market at the time later suffered increased mortality, starting in their late 30s, due to causes that included lung cancer, liver disease and drug abuse.

About 20 million people age 24 and younger will either seek work or hold jobs in this pandemic-stricken economy, said UCLA economist Till von Wachter, a co-author of the study.

Economists say it’s too soon to predict how a pandemic-induced recession will affect young people. Nobody knows how long businesses will remain closed, and data on workers is still coming in, said Sarah Anzia, faculty director of the Berkeley Institute for Young Americans at UC-Berkeley’s Goldman School of Public Policy.

But a record-smashing 10 million people applied for unemployment benefits in the U.S. over the past two weeks, and Anzia said service industries such as leisure and hospitality—the first to be hit by the shutdowns—have a large share of young service workers who could feel the impact for years.

For now, many young people are just hunkering down, waiting for the COVID-19 storm to pass.

Quinn Stephens, a 22-year-old student at Santa Barbara City College, lost his job as a server at a hotel restaurant earlier this month. Before that, he had continued going to work even after his managers said employees could turn down shifts if they were nervous about COVID-19. He was trying to save money for tuition, and the gravity of the pandemic had not yet sunk in.

But he’s changed his mind now. “I’d lean toward staying home at this point, because I’m seeing how my actions can affect so many others,” and young people are also being “affected pretty severely” by the virus, Stephens said.

“Going outside and continuing life as normal, right now at least, would be a big mistake that could lead to a lot of people dying.”

This story was produced by Kaiser Health News, which publishes California Healthline, an editorially independent service of the California Health Care Foundation.

Sign up for our newsletter to get the best of VICE delivered to your inbox daily.

Read the whole story
zipcube
1 day ago
reply
Dallas, Texas
Share this story
Delete

Trump removes Inspector General Glenn Fine, who was tasked to oversee coronavirus stimulus spending - The Washington Post

1 Comment
Read the whole story
Share this story
Delete
1 public comment
acdha
1 day ago
reply
I had previously failed to understand that most Republicans took a different lesson from Watergate:

“We wanted inspectors general because of an out-of-control president named Richard Nixon and this president is trying to destroy them,” said Danielle Brian, executive director of the Project on Government Oversight. “What’s happened this week has been a total full-on assault on the IG system.”
Washington, DC

Angiotensin and Coronavirus Infection: The Latest as of April 7

1 Share

I wrote here the other day on the recent recommendation that people taking either ACE (angiotensin-converting enzyme) inhibitors or ARBs (angiotensin receptor blockers) should not alter their treatment regimens because of the coronavirus outbreak. Some background on the angiotensin system is here, and here’s an open-access review for those who know the basics and want to dive much deeper into the details. But now there’s even more to report on the subject, so I wanted to do an update post.

Recall that the coronavirus itself uses the ACE2 protein as an entry point into cells. One worry has been that the use of antihypertensive drugs (of either class mentioned above) might well cause ACE2 expression to increase, which seems as if it could be a bad idea, providing more targets for the virus to latch on to. But this survey of the literature found little evidence that these expression changes even happen. The animal data that show these effects, they report, tend to be via acute injury models or doses that are much higher than human patients encounter, and there seems to be no good evidence that it happens in humans. So that’s one thing to think about: a big part of the worry about antihypertension drugs may not be even be founded on a real problem.

We also have some clinical data: this preprint from a multicenter team in Wuhan retrospectively evaluates 43 patients with hypertension who were taking drugs in these two classes versus 83 hypertension patients who were not taking ACE inhibitors or ARBs, versus. 125 age- and gender-matched controls without hypertension at all. They also compared hospital admission statistics in general to patients’ medical histories. They first confirmed what others have found, that hypertension itself is a risk factor: the patients admitted for treatment had higher levels of hypertension than the general population, and once admitted those patients had higher death rates and longer hospital stays. But when they looked at the hypertension patients who were taking either ACE inhibitors or ARBs, their numbers were better. They had comparable blood pressure numbers to those taking other drugs, but they were a lower percent of critical patients (9.3% versus 22.9%, near miss on statistical significance) and had a lower death rate (4.7% versus 13.3%). The ACE/ARB cohort also had lower inflammation markers (c-reactive protein and calcitonin). So while the data are noisy, there may be a trend towards protection in those taking angiotensin-targeting drugs. All the more reason to heed the advice not to change therapies for people with hypertension.

This recent paper speculates that there could be a biphasic aspect to all this. Note that it assumes that ACE2 may be upregulated by these drugs, which (see above) may not even be the case – if that’s true, then we go from biphasic (bad before infection, good during infection) to more of a pure benefit:

At present, we cannot rule out that long‐term intake of ACEIs and/or ARBs may facilitate SARS‐CoV‐2 entry and virus replication. Conversely, it is yet unknown whether intake of ACEIs and/or ARBs, when infected, is beneficial with regard to pulmonary outcome. Possibly, we are dealing here with a double‐edged sword, depending on the phase of the disease: increased baseline ACE2 expression could potentially increase infectivity and ACEI/ARB use would be an addressable risk factor. Conversely, once infected, downregulation of ACE2 may be the hallmark of COVID‐19 progression. Consequently, upregulation by preferentially using renin‐angiotensin system blockade and ACE2 replacement in the acute respiratory syndrome phase may turn out to be beneficial.

What, though, if you deliberately give someone ACE2 protein? An email correspondent wrote to me a while ago wondering about doing that in a nebulizer, and my response was that it wasn’t a crazy idea, but that I didn’t know if anyone would go to the trouble of making and testing a whole new recombinant protein under the current conditions. I had forgotten about Apeiron! They have been developing an infused (not nebulized) recombinant version of the human ACE2 protein for some years now, and were in a deal with GSK to look at respiratory distress in general. The deal lapsed last year after a good deal of work in the clinic and a refocus at GSK away from respiratory disease in general. The clinical data were consistent with the mechanism: infusing ACE2 enzyme dropped the amount of angiotensin II protein, as it should, since it’s in there clipping it up, and raised the amounts of the shorter product peptides. So the mechanism was operating as it should – the problem was that it didn’t seem to help ARDS patients much (!)

But a viral infection that causes respiratory distress and enters cells through membrane-bound ACE2 proteins, well, that’s different. You could imagine that circulating ACE2 protein would be a decoy for the virus – it would bind as if it’s infecting a cell, but the protein in this case isn’t on a cell surface at all, so you could potentially soak up the virus and take it out of commission. They and their collaborators have just demonstrated this in cell culture, actually: adding the recombinant protein to a viral replication assay seems to have caused a large decrease in viral RNA, whereas adding the mouse version of ACE2 had no effect at all.

Apeiron is jumping back into the clinic, and a trial has already started in China, with one getting underway in Europe as well to see if the treatment can decrease the number of patients going on to ventilators. This will be quite interesting; to the best of my knowledge this and perhaps camostat are the only agents directly targeting the ACE2 viral mechanism (and that one’s being studied as well). And we only have that by good luck, that Apeiron had already been looking at the mechanism for respiratory distress in general. Those earlier failed trials have now provided a quick entry into human studies!

Read the whole story
Share this story
Delete
Next Page of Stories