Sunday 9 August 2015

Here's How Hackers Steal Fingerprints From Your Phone




LAS VEGAS—Fingerprint scans, retina prints, and even heart signatures are touted as security silver bullets. Hackers can guess your password, but they can't guess your fingerprints, right? Not exactly. FireEye's senior staff research scientist, Tao Wei, and fellow researcher Yulong Zhang took the stage at Black Hat in Las Vegas to show all the ways they found to defeat fingerprint scanners on mobile phones.

Four Attacks
During his presentation, Zhang showed four different attacks that could allow a hacker to steal fingerprints or circumvent fingerprint scanners. The first was very straightforward, but extremely important. He showed how an attacker could create a specially crafted app that mimicked a phone's unlock screen. When the victim swipes a finger to unlock the phone, they're actually using their fingerprint to seal a financial transaction.

This attack stems from a problem in the industry where fingerprints are used for both authentication—proving who you are—and authorization—allowing an action. Context, Zhang said, is also an issue. You wouldn't, for example, allow a transaction in an app without being able to see the amount being spent. Zhang recommended standards be put in place to ensure that users always know what their fingerprint is used for and why.

Zhang also demonstrated that fingerprint data is not always securely stored on devices. On the HTC One Max, Zhang discovered that the fingerprint data was stored as a bitmap file. Though it had been altered, it was easily reassembled into an image. Zhang said that he has disclosed this issue to HTC, and the One Max has already been patched. However, it does show that other phones may have similar vulnerabilities.

In another attack, Zhang showed how he could pre-load fingerprint data into a phone and then prevent the user from seeing that additional fingerprints had been added. Zhang demonstrated this using an Android device. Though the Settings menu indicated only one fingerprint had been registered, he successfully unlocked the phone using two of his other fingers he'd stealthily registered. This, said Zhang, could give an attacker a backdoor into his device.

But the attack Zhang said was his favorite was truly impressive. Normally, when an app needs fingerprint data on an Android device, that's handled by the TrustZone—a secure environment that only talks to the outside world through go-betweens. But apps that need to know when the fingerprint scanner is being used, without being able to see the fingerprint itself, have direct access to the fingerprint scanner. Zhang was able to take advantage of this and craft an attack that could grab fingerprint data any time the scanner was touched.

This issue was confirmed on the Samsung Galaxy S5 and the HTC One Max, though both have now been patched against this attack. That doesn't mean your digits are safe, though. "It should be a general problem and not limited to HTC or Samsung," said Zhang.

With this last attack, Zhang pointed out that Apple solves this problem rather neatly with Touch ID. Like Android devices, Apple apps sometimes need to see that the fingerprint sensor is in use, like when you enroll fingerprints. But Apple encrypts all data coming out of the fingerprint sensor. "This forbids the attacker from easily obtaining the fingerprint data because it is encrypted," explained Zhang.

Who Cares?
We should all care about security, but we should be particularly careful about biometric security. As Wei pointed out at Black Hat, if your biometric data is somehow stolen, you may lose the ability to use that biometric identifier. You can always change a password, but you only have 10 fingers.

And biometric authentication is exploding right now. Though fingerprint readers have long been available as peripheral devices and embedded into some laptops, the introduction of Touch ID on the iPhone has spurred wider adoption across smartphones. According to Wei, more than 50 percent of smartphones will have fingerprint sensors by 2019.

The small form factor and technology available in smartphones are also encouraging developers to look at other forms of biometric authentication. EyeVerify, for example, uses your phone's camera to read your eyeprint. Some Samsung devices even let you use your whole face with the Face Unlock feature.

Zhang advised anyone who uses biometric sensors on their phone to get updates frequently, avoid third-party app stores, and avoid rooting their device if possible. It was clear, Zhang said, that biometric security was still a severe security challenge for vendors. "We've shown you four attacks," he said. "But there could be more out there."
