uTalk

Official forum for Utopia Community

You are not logged in.

#1 2023-05-30 22:13:26

thrive
Member
Registered: 2023-01-04
Posts: 2,575

Attackers can now unlock smartphones using their fingerprints

0BXEHmA.png
Researchers have found a low-cost attack method that can be used to brute-force fingerprints on smartphones in order to get around user authentication and take over the devices.

The BrutePrint method uses two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to circumvent restrictions put in place to stop unsuccessful biometric authentication attempts.

The vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), take advantage of logical flaws in the authentication framework that result from inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

Researchers Yu Chen and Yiling He claimed in a research paper that the outcome is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking.". "BrutePrint serves as a go-between for the TEE [Trusted Execution Environment] and the fingerprint sensor. ".

To submit as many fingerprint images as necessary until a match is found is the main objective. However, it assumes that a threat actor already has the concerned target device in their possession.

In order to carry out the attack for as little as $15, the adversary also needs a fingerprint database and a set-up that includes a microcontroller board and an auto-clicker that can intercept data sent by a fingerprint sensor.

The first of the two flaws that makes this attack possible is CAMF, which enables increasing the fault tolerance capabilities of the system by invalidating the fingerprint data's checksum and granting an attacker an unlimited number of tries.

In contrast, MAL uses a side-channel to infer matches of the fingerprint images on the target devices, even when it locks itself out after a certain number of failed login attempts.

Even though Keyguard has an additional checkbox to prevent unlocking while in lockout mode, the researchers noted that TEE had produced the authentication result.

It is possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images because the success authentication result is returned instantly when a matched sample is met. ".

BrutePrint was tested against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo in an experimental setting. The results showed infinite attempts on Android and HarmonyOS devices and 10 additional attempts on iOS devices.

The discoveries follow the publication of a hybrid side-channel by a group of academics that takes advantage of the "three-way tradeoff between execution speed (i. e. to perform "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2 on contemporary system-on-chips (SoCs) and GPUs.

The attack, known as Hot Pixels, makes use of this behavior to launch website fingerprinting attacks and use JavaScript code to collect browsing histories from users.

This is achieved by developing a computationally intensive SVG filter to stealthily harvest the data with an accuracy of up to 94 percent while measuring the rendering times and leaking pixel colors.

Google, AMD, Intel, Nvidia, Qualcomm, Apple, and Google have all acknowledged the problems. In addition, the researchers advise "preventing SVG filters from being applied to iframes or hyperlinks" and limiting unauthorized access to sensor data.

As a result of 10 security flaws that Google found in Intel's Trust Domain Extensions (TDX), which could result in arbitrary code execution, denial-of-service situations, and loss of integrity, BrutePrint and Hot Pixels were also developed.

On a related note, it has been discovered that Intel CPUs are vulnerable to a side-channel attack that uses variations in execution time brought on by changing the EFLAGS register during transient execution to decode data without using the cache.

Offline

#2 2023-06-01 22:12:54

Europ
Member
Registered: 2023-05-23
Posts: 2,186

Re: Attackers can now unlock smartphones using their fingerprints

thrive;10981 wrote:

https://i.imgur.com/0BXEHmA.png
Researchers have found a low-cost attack method that can be used to brute-force fingerprints on smartphones in order to get around user authentication and take over the devices.

The BrutePrint method uses two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to circumvent restrictions put in place to stop unsuccessful biometric authentication attempts.

The vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), take advantage of logical flaws in the authentication framework that result from inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

Researchers Yu Chen and Yiling He claimed in a research paper that the outcome is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking.". "BrutePrint serves as a go-between for the TEE [Trusted Execution Environment] and the fingerprint sensor. ".

To submit as many fingerprint images as necessary until a match is found is the main objective. However, it assumes that a threat actor already has the concerned target device in their possession.

In order to carry out the attack for as little as $15, the adversary also needs a fingerprint database and a set-up that includes a microcontroller board and an auto-clicker that can intercept data sent by a fingerprint sensor.

The first of the two flaws that makes this attack possible is CAMF, which enables increasing the fault tolerance capabilities of the system by invalidating the fingerprint data's checksum and granting an attacker an unlimited number of tries.

In contrast, MAL uses a side-channel to infer matches of the fingerprint images on the target devices, even when it locks itself out after a certain number of failed login attempts.

Even though Keyguard has an additional checkbox to prevent unlocking while in lockout mode, the researchers noted that TEE had produced the authentication result.

It is possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images because the success authentication result is returned instantly when a matched sample is met. ".

BrutePrint was tested against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo in an experimental setting. The results showed infinite attempts on Android and HarmonyOS devices and 10 additional attempts on iOS devices.

The discoveries follow the publication of a hybrid side-channel by a group of academics that takes advantage of the "three-way tradeoff between execution speed (i. e. to perform "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2 on contemporary system-on-chips (SoCs) and GPUs.

The attack, known as Hot Pixels, makes use of this behavior to launch website fingerprinting attacks and use JavaScript code to collect browsing histories from users.

This is achieved by developing a computationally intensive SVG filter to stealthily harvest the data with an accuracy of up to 94 percent while measuring the rendering times and leaking pixel colors.

Google, AMD, Intel, Nvidia, Qualcomm, Apple, and Google have all acknowledged the problems. In addition, the researchers advise "preventing SVG filters from being applied to iframes or hyperlinks" and limiting unauthorized access to sensor data.

As a result of 10 security flaws that Google found in Intel's Trust Domain Extensions (TDX), which could result in arbitrary code execution, denial-of-service situations, and loss of integrity, BrutePrint and Hot Pixels were also developed.

On a related note, it has been discovered that Intel CPUs are vulnerable to a side-channel attack that uses variations in execution time brought on by changing the EFLAGS register during transient execution to decode data without using the cache.

These is getting more interesting. With all this alterations steps there's a chance of massive panics if security is ensured. We can see a lot of  organization and public users who rely on the biometric security method.

Offline

Board footer

Powered by FluxBB