Fingerprint recognition is believed to be a fairly secure authentication method. Publications on different ways to trick the fingerprint sensor do pop up now and again, but all the suggested methods one way or another boil down to physical imitation of the phone owner’s finger - whether using a silicone pad or conductive ink printout. This involves procuring a high-quality image of a finger - and not any finger, mind, but the one registered in the system.

In a nutshell, all these methods come with lots of real-world hassle. But is it possible to do it somehow more elegantly, without leaving the purely digital world and all its benefits? Turns out, it is: Chinese researchers Yu Chen and Yiling He recently published a study on how to brute-force almost any fingerprint-protected Android smartphone.

How unique are fingerprints?

Before we get to investigate our Chinese comrades’ work, briefly - some background theory… To begin with, and you may know this already, fingerprints are truly unique and never alter with age.

Now, way back in 1892, English scientist Sir Francis Galton published a work laconically entitled Finger Prints. In it, he summarized the then-current scientific data on fingerprints, and Galton’s work laid the theoretical foundation for further practical use of fingerprints in forensics.

Among other things, Sir Francis Galton calculated that fingerprint match probability was “less than 2^36, or one to about sixty-four thousand million”. Forensic experts stick with this value even to this day.

By the way, if you’re into hardcore anatomy or the biological factors behind the uniqueness of fingerprints, here’s a new research paper on the subject.

Sir Francis’s work and all that stemmed from it, however, relates to the (warm) analog world, covering things like the taking of fingerprints, matching them to those left at, say, a crime scene, and Bob’s your uncle. But things are somewhat different in the (cold) digital reality. The quality of digital fingerprint representation depends on multiple factors: type of sensor, its size and resolution, and - in no small measure - “image” post-processing and matching algorithms.

Fingerprints as they were seen by Sir Francis Galton 150 years ago (left), and by your cutting-edge smartphone’s optical sensor (right).

And, of course, the developer needs to make the device dirt-cheap (or no one will buy it), achieve split-second authentication (or get overwhelmed by complaints about slow speed), and avoid false negatives at all costs (or the user will discard the whole thing altogether). The result is authentication systems that are not very accurate.

So when referring to sensors used in smartphones, much less optimistic figures are quoted for fingerprint fragment match probability than the famous 1 to 64 billion. For example, Apple estimates the probability for Touch ID at 1 to 50,000. So it can be assumed that for budget-friendly sensor models the probability will shrink further by an order or two. This takes us from billions to thousands, which is already within reach for brute-forcing.

So, the potential hacker is only one obstacle away from the prize: the limit on the number of fingerprint recognition attempts. Normally only five of them are allowed, followed by a prolonged fingerprint authentication lockout period.

Can this obstacle be overcome? Yu Chen and Yiling He give an affirmative reply to that in their study.

BrutePrint: preparing to brute-force fingerprint-protected Android smartphones

The researchers’ method is based on a flaw in Android smartphones’ generic fingerprint sensor implementation: none of the tested models encrypted the communication channel between the sensor and the system. This opens up the opportunity for an MITM attack on the authentication system: with a device connected to the smartphone via the motherboard’s SPI port, one can both intercept incoming messages from the fingerprint sensor, and send one’s own messages by emulating the fingerprint sensor.

The researchers built such a device (pseudo-sensor) and supplemented it with a gadget for automatic clicking on the smartphone’s sensor screen. Thus the hardware component was set up to feed multiple fingerprint images to smartphones in automatic mode.

Images returned by different types of fingerprint sensors are quite different from one another.

The two vulnerabilities at the bottom of BrutePrint: Cancel-After-Match-Fail and Match-After-Lock

The BrutePrint attack exploits two vulnerabilities.
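
The match-probability argument ("from billions to thousands") can be checked numerically; the following is an added example, not code from the article or from the researchers' study. It assumes independent attempts, a single enrolled finger, and treats the 1-in-5,000 and 1-in-500 rows as the article's "an order or two" guess for budget sensors.

```python
import math

# Per-attempt false-accept odds, expressed as "1 in N". The first two figures
# are quoted in the article; the last two apply its "order or two" assumption.
ODDS = {
    "Galton's estimate (2^36)": 2**36,
    "Touch ID (Apple's figure)": 50_000,
    "one order of magnitude worse": 5_000,
    "two orders of magnitude worse": 500,
}
ATTEMPT_LIMIT = 5  # tries allowed before lockout, per the article


def p_false_accept(one_in: int, attempts: int) -> float:
    """Probability of at least one false accept in `attempts` independent tries."""
    # 1 - (1 - p)^n, computed with log1p/expm1 so that a tiny p such as 2^-36
    # is not lost to floating-point rounding.
    return -math.expm1(attempts * math.log1p(-1.0 / one_in))


def attempts_needed(one_in: int, confidence: float = 0.5) -> int:
    """Smallest n for which p_false_accept(one_in, n) >= confidence."""
    n = math.ceil(math.log1p(-confidence) / math.log1p(-1.0 / one_in))
    # Correct for rounding right at the boundary.
    while p_false_accept(one_in, n) < confidence:
        n += 1
    while n > 1 and p_false_accept(one_in, n - 1) >= confidence:
        n -= 1
    return n


def report() -> list:
    """(label, P within the attempt limit, tries for a 50% chance) per row."""
    return [(name, p_false_accept(n, ATTEMPT_LIMIT), attempts_needed(n))
            for name, n in ODDS.items()]


if __name__ == "__main__":
    for name, p_limited, median in report():
        print(f"{name:32s} within {ATTEMPT_LIMIT} tries: {p_limited:.2e}   "
              f"tries for 50%: {median:,}")
```

With the five-attempt limit enforced, the chance of a false accept stays between roughly 0.01% and 1% per lockout window even for the weakest row, which is why the attempt counter, not the sensor's accuracy, is the control that matters.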