close
  • Sc chevron_right

    Brute-Forcing a Fingerprint Reader

    news.movim.eu / Schneier · Friday, 26 May - 18:41 · 1 minute

It’s neither hard nor expensive :

Unlike password authentication, which requires a direct match between what is inputted and what’s stored in a database, fingerprint authentication determines a match using a reference threshold. As a result, a successful fingerprint brute-force attack requires only that an inputted image provides an acceptable approximation of an image in the fingerprint database. BrutePrint manipulates the false acceptance rate (FAR) to increase the threshold so fewer approximate images are accepted.

BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.

In a BrutePrint attack, the adversary removes the back cover of the device and attaches the $15 circuit board that has the fingerprint database loaded in the flash storage. The adversary then must convert the database into a fingerprint dictionary that’s formatted to work with the specific sensor used by the targeted phone. The process uses a neural-style transfer when converting the database into the usable dictionary. This process increases the chances of a match.

With the fingerprint dictionary in place, the adversary device is now in a position to input each entry into the targeted phone. Normally, a protection known as attempt limiting effectively locks a phone after a set number of failed login attempts are reached. BrutePrint can fully bypass this limit in the eight tested Android models, meaning the adversary device can try an infinite number of guesses. (On the two iPhones, the attack can expand the number of guesses to 15, three times higher than the five permitted.)

The bypasses result from exploiting what the researchers said are two zero-day vulnerabilities in the smartphone fingerprint authentication framework of virtually all smartphones. The vulnerabilities—­one known as CAMF (cancel-after-match fail) and the other MAL (match-after-lock)—result from logic bugs in the authentication framework. CAMF exploits invalidate the checksum of transmitted fingerprint data, and MAL exploits infer matching results through side-channel attacks.

Depending on the model, the attack takes between 40 minutes and 14 hours.

Also:

The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.

Other news articles . Research paper .

Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker

This data is sent without user consent, unencrypted, and even when using a Google-free #Android distribution. This is possible because of proprietary Qualcomm #software which provides hardware support also sends the #data. #USA

  • chevron_right

    Huawei’s foldable is thinner, lighter, and has more battery than Samsung

    news.movim.eu / ArsTechnica · Tuesday, 28 March - 21:56 · 1 minute

Giant Huawei logo onstage.

Enlarge (credit: Huawei )

Huawei is still making phones, even if the US-China trade war puts most of the stalwart Android component vendors in a complicated relationship with the Chinese tech company. Huawei's new phones are the flagship Huawei P60 Pro slab phone and a flagship foldable, the Huawei Mate X3 .

The trade war makes these phones unique in the world of Android. First, it has a Qualcomm chip, but Huawei isn't allowed to use the latest technology from Qualcomm, so the chip in both of these phones is the "Snapdragon 8+ Gen 1 4G Mobile Platform." Besides being last year's chip, this is a special, Huawei-only version of the chip that is branded as "4G." It has had the 5G bands stripped out of it—both mmWave and sub 6 GHz.

The other oddity is the lack of Google Play apps internationally. Huawei isn't allowed to ship the Google apps due to the export ban. While that's normal in China (where Google Play isn't available), internationally it means the phone is missing standard Google apps like YouTube, Gmail, Google Maps, the Google Assistant, Docs, Search, Photos, and other apps that make Android a competitive consumer OS. Instead of the Google ecosystem, you'll be getting the OS with Huawei Mobile Services , which includes the Huawei AppGallery, Huawei Petal Maps , the Huawei Assistant (which appears just to be a search tool and some widgets, not a voice assistant), Huawei Pay, and Huawei apps for books, music, and video.

Read 10 remaining paragraphs | Comments

  • chevron_right

    Tech makers must provide repairs for up to 10 years under proposed EU law

    news.movim.eu / ArsTechnica · Thursday, 23 March, 2023 - 18:37

DIY repair mobile phone at home. Woman repairing mobile phone at home, changing damaged part.

Enlarge / Smartphone repairs could be required for up to five years, while other products, like washing machines, may require up to a decade of vendor repairs. (credit: Getty )

Makers of numerous product categories, including TVs, vacuums, smartphones, and tablets, could be required to enable repairs for their products for up to 10 years after purchase, depending on the device type. The European Commission on Wednesday announced a proposal it has adopted that would implement long-term repair requirements on electronics makers, if the European Parliament and Council approve it.

The regulation would apply to any devices with repairability requirements in the EU, including vacuum cleaners, washer-dryers, welding equipment, servers, and data-storage devices. The EU is currently hammering out right to repair requirements for smartphones and tablets.

Already, the EU requires vendors to repair or replace products within two years of purchase for free if the product is defective. The new regulation would require companies to provide a free repair (instead of replacing the product) if doing so would be the same price or cheaper than replacing it.

Read 17 remaining paragraphs | Comments

  • Sc chevron_right

    Ukraine Intercepting Russian Soldiers’ Cell Phone Calls

    news.movim.eu / Schneier · Tuesday, 20 December, 2022 - 23:04

They’re using commercial phones, which go through the Ukrainian telecom network :

“You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air,” said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian security services.”

[…]

“Security has always been a mess, both in the army and among defence officials,” the source said. “For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

“But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car’s glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn’t take security very seriously, how can you expect any discipline in the regular army?”

This isn’t a new problem and it isn’t a Russian problem. Here’s a more general article on the problem from 2020.

  • Sc chevron_right

    Using Pupil Reflection in Smartphone Camera Selfies

    news.movim.eu / Schneier · Tuesday, 3 May, 2022 - 16:17

Researchers are using the reflection of the smartphone in the pupils of faces taken as selfies to infer information about how the phone is being used:

For now, the research is focusing on six different ways a user can hold a device like a smartphone: with both hands, just the left, or just the right in portrait mode, and the same options in horizontal mode.

It’s not a lot of information, but it’s a start. (It’ll be a while before we can reproduce these results from Blade Runner .)

Research paper .

  • Sc chevron_right

    Samsung Encryption Flaw

    news.movim.eu / Schneier · Wednesday, 2 March, 2022 - 20:45 · 1 minute

Researchers have found a major encryption flaw in 100 million Samsung Galaxy phones.

From the abstract:

In this work, we expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reversed-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import.

Here are the details:

As we discussed in Section 3, the wrapping key used to encrypt the key blobs (HDK) is derived using a salt value computed by the Keymaster TA. In v15 and v20-s9 blobs, the salt is a deterministic function that depends only on the application ID and application data (and constant strings), which the Normal World client fully controls. This means that for a given application, all key blobs will be encrypted using the same key. As the blobs are encrypted in AES-GCM mode-of-operation, the security of the resulting encryption scheme depends on its IV values never being reused.

Gadzooks. That’s a really embarrassing mistake. GSM needs a new nonce for every encryption. Samsung took a secure cipher mode and implemented it insecurely.

News article .