Security industry enthusiast FireEye is concerned that the unsafe fingerprint identification ecosystem will make this lifetime-proven user identity mechanism much more dangerous than passwords, and showcase various attack techniques at the Black Hat conference held last week.
More and more mobile devices have fingerprint scanning and identification capabilities. According to Capsule estimates, half of the world's smartphone shipments will be built into fingerprint scanners by 2019. However, security industry enthusiast FireEye is concerned that an unsafe fingerprint identification ecosystem will make this lifetime-proven user identity mechanism much more dangerous than passwords, and at the Black Hat 2015 held last week (Black Hat 2015) Showcase various attack techniques.
FireEye believes that modern mobile devices have insufficient security mechanisms for fingerprints, which may lead to the risk of fingerprint leakage, including Confused AuthorizaTIon Attack, fingerprint data storage vulnerabilities, fingerprint scanner exposure vulnerabilities, and preloading. Fingerprint back door and so on. And if the future hacker has the ability to obtain fingerprints from the remote, this will probably become a catastrophe in the security!
The so-called confusing authorization attack is to make the user unclear the authorized fingerprint identification. FireEye researchers designed an application to fake the lock screen of the mobile phone, and then ask the user to use the fingerprint to unlock, but in fact the fingerprint is used. To execute the voucher for the money transaction.
In terms of fingerprint data storage vulnerabilities, for example, FireEye found that the fingerprint data on HTC One Max is stored in a BMP file that everyone can access. Although the content of the file has been changed, the hacker can easily reconstitute the correct one. Fingerprint images mean that not all users can properly store the user's fingerprint data. HTC has fixed the vulnerability after receiving FireEye's notice.
Perhaps the most dangerous of these is the vulnerability of the mobile fingerprint scanner. ARM's security architecture design allows operators to isolate certain important devices, but most manufacturers do not use this feature to protect fingerprint scanners, giving hackers access to fingerprint scanners and continuous reception through malicious programs in the background. Information from the scanner. The researchers successfully obtained fingerprint scanner access on HTC Max One and Samsung Galaxy S5, and fingerprint information was obtained whenever the scanner was operating. However, both HTC and Samsung have patched the related vulnerabilities.
In this attack scenario, Apple's Touch ID is relatively safe. Because Apple encrypts all the data sent from the fingerprint scanner, even if the hacker can read the scanner, it must obtain the encryption key to obtain the fingerprint image.
The hacker can also embed the fingerprint back door before the mobile phone is handed over to the user, add his fingerprint information, and use his fingerprint as the certificate of the device.
Many security operators have warned against biometric authentication mechanisms, pointing out that in the era of passwords, when passwords are leaked, just reset a new password, but fingerprint leakage is a bigger disaster because Fingerprints represent the identity of the user, from criminal records, entry and exit records, to bank vouchers. FireEye recommends that all platforms should improve the fingerprint authentication framework to enhance the protection of fingerprint data and fingerprint scanners. Users are also advised to update the device regularly and avoid installing programs from unsafe sources.
China's leading manufacturer and supplier of solar panels, all black solar panels, PERC solar panel technology in China, we specialize in solar panels, solar power systems and more.
Jinko Solar Panels, Longi Solar Panels, Canadian Solar Panels, Trina Solar Panels, JA Solar Panels, Solar Panel, Monocrystalline Solar Panel, MONO Solar Panel, Polycrystalline Solar Panel, All Black Solar Panel, 400W Solar Panel
Power X (Qingdao) Energy Technology Co., Ltd. , https://www.solarpowerxx.com