BrutePrint Unveiled: A New Wave of Cyber Threats
A brand-new assault, ‘BrutePrint,’ has been brought to light by scientists from Tencent Labs and Zhejiang University. Intriguingly, it’s specifically designed to decode smartphone fingerprint protection, seizing control of devices by bypassing users’ authorisation.
Decoding the Attack Strategy
BrutePrint, the new attack, hinges on a brute-force method. Simply put, it relentlessly attempts trials until successful. What’s unique about this team’s approach is how they’ve bypassed usual smartphone safeguards. These include attempt limits and liveness detection.
Their breakthrough came from exploiting two unknown vulnerabilities: Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). These gaps in security allowed them to override traditional protection measures, adding a new dimension to cybersecurity threats.
The Security Gap
Here’s where it gets even more concerning. They discovered fingerprint sensor data was poorly shielded. This puts it in the crosshairs for middle-man attacks, making it easy prey for hijacking attempts. So, while the technology might be advancing, it’s clear there are still areas we need to secure.
Rethinking Breaches
Attacks on fingerprints deviate from conventional password breaches. Instead of relying on an exact value, fingerprint hacks exploit a reference threshold. In simpler terms, hackers can play around with the False Acceptance Rate (FAR) to enhance their success rate. Further tests revealed that BrutePrint could take advantage of the CAMF flaw to manipulate the fingerprint authentication process, enabling unlimited attempts without setting off any alarms.
The Neural Style Transfer
One of the unique aspects of BrutePrint is its use of ‘neural style transfer.’ This nifty tool effectively modifies all fingerprint images to appear as if the target device’s sensor scanned them. Consequently, it significantly boosts the likelihood of a successful breach.
In a series of tests, it was found that both Android and iOS devices are vulnerable. Despite the security of iOS appearing more robust, all tested Android devices allowed unlimited fingerprint attempts. Evidently, given enough time, this opens the door wide open for successful attacks.
The Balancing Act: Security vs. Privacy Rights
BrutePrint brings notable risks. Stolen devices, once in the wrong hands, can compromise our privacy.
It could also present law enforcement with tough choices in the pursuit of justice, potentially stirring ethical discussions. It’s essential that we strike the right balance – prioritising safety while upholding privacy. Addressing these issues calls for clear, thoughtful action.
