uTalk

Official forum for Utopia Community


#1 2023-05-29 23:35:55

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Attackers can now unlock smartphones using their fingerprints

Attackers can now unlock smartphones using their fingerprints thanks to the new BrutePrint attack.

Researchers have found a low-cost attack method that can be used to brute-force fingerprints on smartphones to get around user authentication and take over the devices.

The BrutePrint method uses two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to circumvent restrictions set up to prevent unsuccessful biometric authentication attempts.

The Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) vulnerabilities take advantage of logical flaws in the authentication framework that result from inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

The end result, according to researchers Yu Chen and Yiling He in a research paper, is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking." BrutePrint serves as a middleman between the fingerprint sensor and the TEE (Trusted Execution Environment).

The main objective is to be able to submit an infinite number of fingerprint images until a match is found. However, it assumes that the target device in question is already in the possession of a threat actor.

To carry out the attack for as little as $15, the adversary also needs a fingerprint database and a set-up that includes a microcontroller board and an auto-clicker that can intercept data sent by a fingerprint sensor.

The first of the two vulnerabilities that make this attack possible is CAMF, which enables increasing the fault tolerance capabilities of the system by invalidating the checksum of the fingerprint data and granting an attacker unlimited tries.

In contrast, MAL uses a side-channel to infer matches of the fingerprint images on the target devices, even when it locks itself out after a certain number of failed login attempts.

The researchers stated, "Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE.

"Side-channel attacks may be able to guess the outcome because the success authentication result is always returned right away when a sample match is made. Examples of such behaviors include response time and the quantity of images acquired."

In a test environment, 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo were used to evaluate BrutePrint. The evaluation resulted in an infinite number of attempts on Android and HarmonyOS devices and an additional 10 attempts on iOS devices.

The discoveries follow the publication of a hybrid side-channel by a group of academics that takes advantage of the "three-way tradeoff between execution speed (i.e." in modern system-on-chips (SoCs) and GPUs to mount "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2.

The Hot Pixels attack, which makes use of this behavior, mounts website fingerprinting attacks and uses JavaScript code to collect browsing histories from users.

This is achieved by developing a computationally intensive SVG filter to stealthily harvest the information with an accuracy of up to 94 percent while measuring the rendering times and leaking pixel colors.

Apple, Google, AMD, Intel, Nvidia, and Qualcomm have all expressed awareness of the problems. As well as preventing unauthorized access to sensor data, the researchers advise "preventing SVG filters from being applied to iframes or hyperlinks."

Following Google's discovery of ten security flaws in Intel's Trust Domain Extensions (TDX) that could result in arbitrary code execution, denial-of-service situations, and loss of integrity, BrutePrint and Hot Pixels were also released.

On a related note, it has been discovered that Intel CPUs are vulnerable to a side-channel attack that uses variations in execution time brought on by changing the EFLAGS register during transient execution to decode data without using the cache.

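The two logic flaws the post describes, CAMF (a frame with a bad checksum is discarded without counting as a failed attempt) and MAL (the TEE still computes, and observably reports, a match after the device has locked itself out), come down to the order in which an attempt limiter does its work. The following Python model is an added illustration, not code from the post, the BrutePrint paper or any vendor's SFA framework: it puts a limiter with both flaws next to a hardened one and probes each for the two defensive properties. The enrolled template, the lockout threshold `MAX_ATTEMPTS`, the checksum scheme and the response labels are all constructed; the distinct response classes in the weak model stand in for the response-time and image-count differences the post mentions, and nothing here touches a real sensor, SPI bus or TEE.

```python
"""Constructed model of a smartphone fingerprint authentication (SFA) attempt
limiter: the two logic flaws described in the post, next to a hardened limiter
that closes them. Touches no real sensor, SPI bus or TEE."""
from __future__ import annotations

from dataclasses import dataclass
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed lockout threshold (constructed value)


def checksum(image: bytes) -> bytes:
    """Integrity tag that a well-formed sensor frame carries alongside the image."""
    return hashlib.sha256(image).digest()[:4]


@dataclass
class WeakSfa:
    """Limiter with both flaws: malformed frames are not counted (CAMF-style),
    and matching still runs, observably, after lockout (MAL-style)."""
    enrolled: bytes
    failures: int = 0

    def authenticate(self, image: bytes, tag: bytes) -> tuple[bool, str]:
        # Flaw 1: the integrity check runs before the counter, and a failed
        # check aborts without recording a failed attempt.
        if checksum(image) != tag:
            return False, "checksum_error"
        # Flaw 2: the comparison runs regardless of lockout state, and the
        # response class differs by match result (a stand-in for the timing
        # and image-count side channel).
        matched = hmac.compare_digest(image, self.enrolled)
        if self.failures >= MAX_ATTEMPTS:
            return False, "locked_match" if matched else "locked_nomatch"
        if matched:
            self.failures = 0
            return True, "unlocked"
        self.failures += 1
        return False, "rejected"


@dataclass
class HardenedSfa:
    """Limiter that charges every submission and never matches while locked."""
    enrolled: bytes
    failures: int = 0

    def authenticate(self, image: bytes, tag: bytes) -> tuple[bool, str]:
        # Lockout is decided first, before anything match-dependent is computed.
        if self.failures >= MAX_ATTEMPTS:
            return False, "locked"
        # A malformed frame is charged against the budget like any other miss.
        if checksum(image) != tag:
            self.failures += 1
            return False, "rejected"
        if hmac.compare_digest(image, self.enrolled):
            self.failures = 0
            return True, "unlocked"
        self.failures += 1
        return False, "rejected"


def probe(sfa_cls) -> dict:
    """Exercise one limiter class and report which defensive properties it has."""
    enrolled = secrets.token_bytes(32)  # constructed enrolled template
    wrong = secrets.token_bytes(32)     # constructed non-matching image
    sfa = sfa_cls(enrolled)

    # Property A: a frame with a bad integrity tag must consume an attempt.
    sfa.authenticate(wrong, b"\x00\x00\x00\x00")
    bad_tag_counted = sfa.failures == 1

    # Drive the limiter into lockout with well-formed non-matching frames.
    for _ in range(MAX_ATTEMPTS):
        sfa.authenticate(wrong, checksum(wrong))
    locked = sfa.failures >= MAX_ATTEMPTS

    # Property B: once locked, the response must not depend on whether the
    # submitted image matches the enrolled template.
    _, r_wrong = sfa.authenticate(wrong, checksum(wrong))
    unlocked, r_right = sfa.authenticate(enrolled, checksum(enrolled))
    return {
        "bad_tag_counted": bad_tag_counted,
        "locked": locked,
        "unlocked_while_locked": unlocked,
        "response_leaks_match": r_wrong != r_right,
    }


if __name__ == "__main__":
    for cls in (WeakSfa, HardenedSfa):
        print(cls.__name__, probe(cls))
```

Running the probe shows the weak limiter never charging the malformed frame and answering differently for a matching image even while locked, whereas the hardened limiter charges it and returns the same `locked` response either way. The point for a reviewer of any authentication-rate-limiting code, biometric or not, is the ordering: decide lockout first, count every submission including malformed ones, and compute nothing match-dependent once the budget is spent.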
