Interesting attack on smartphone fingerprint locks
This works against both Android and iPhone devices. However, Apple went to facial recognition a few generations ago, so you've got a much older iPhone if you're still using a fingerprint reader.
The attack is not quick and straightforward. It requires the attacker to have physical control of the device and can take hours to execute. But it is quite clever!
The phone is partially disassembled and a chip is mounted onto the system board. A memory card with a database of fingerprint data is part of this attack system. The basics of the attack are quite simple: while you and I may not have identical fingerprints as far as a fingerprint expert is concerned, they might be similar. This attack exploits a vulnerability in the system and "...manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted."
Meaning that if your fingerprint is similar to mine, and yours is in this fingerprint database, through this system your fingerprint might unlock my phone!
Now, one thing the manufacturers did to prevent multiple attempts at unlocking phones was to code in a hard limit on how many unlock attempts you get. This system TRIPLES that limit!
Pretty darn clever.
Now here's the killer: the parts to make this are about $15.
And the database of fingerprints? Biometric database breaches. Not difficult to obtain.
https://arstechnica.com/information-technology/2023/05/hackers-can-brute-force-fingerprint-authentication-of-android-devices/
https://it.slashdot.org/story/23/05/24/0435205/brute-force-test-attack-bypasses-android-biometric-defense
no subject
There are reasons I avoid fingerprint readers, but I do have an older iPhone SE that I will be using as an iPod (no SIM card) when I am forced to upgrade. It wants a 6-digit passcode and that's annoying and awkward to type in at times, so it's the only device I have a fingerprint on.
Sigh.
no subject
I think you can go into settings and change it to four digits, if that would be more attractive. It'd be nice if you could say 'Hey, this device has absolutely nothing important or sensitive on it, turn off security!'
no subject
Keep hold of your phone. :o
Hugs, Jon
no subject
One of the primary concepts underlying computer security is that if you lose physical control of your device - phone, PC, whatever - it can be compromised.
no subject
There's a specific type of attack known as the Bad Maid, and it started in China. American businessmen would travel over there, and go out to dinner with their business clients. And while they were gone, a maid, actually an operative for the state security services, would come in and disassemble their laptop, removing the hard drive and cloning it, then putting it back together. You couldn't prevent it except with high-level full disk encryption. You could detect it with what's known as the nail polish trick, applying it to the screws in the case to see if they get broken by a screwdriver. Smart businesspeople travel with empty laptops, and when they get there and need data, log in through VPNs to a remote server and they don't travel with anything remotely confidential. And when they get home, that empty laptop is destroyed because it may well have had malware installed on it.
no subject
That's crazy, but doesn't surprise me at all that China would do that. :o
no subject
Still, a hack is a hack, and this is all very interesting.
no subject
Thank you! I didn't have a cite. That goes back before I started reading his blog.
no subject
Yep! You've seen the crime investigation shows and how they dust for fingerprints; it's possible to lift fingerprints from a glass or something with a gummy bear.
no subject
I remember a Mythbusters about faking fingerprints, and they found it to be not very difficult. However, I think the new fingerprint readers also look for body heat, so a gummy bear by itself might not cut the proverbial mustard.
no subject
I use facial ID and I know that could be problematic too. Argh!
no subject
Anything can be compromised. That's the basic rule of computer security. A secure computer is one in a shielded room, no network access, turned off, and encased in concrete.
no subject
I know at least three (not connected with each other) people who got dosed in a bar (or beaten), and then those facial/finger identifications were used with their phones.
And one of those guys, imagine that, had a mobile banking app which did not require ANY additional logins! So he lost all of his money in a matter of 5 minutes.
NAAAH! you'd have to torture me the old-school way to get my password, sir! :)
no subject
I've read about people getting their phones stolen in bars and finding their accounts drained. They used PIN access and someone shoulder-surfed them, got the PIN, then doped them and stole their phone. The world sucks oft times.
no subject
The jokes just write themselves: Bankruptcy Court approved the bid after subtracting 32 million from it and multiplying it by five-ninths.
no subject
Heh. Pity it didn't happen on April 1. ;-)