Fingerprint Security on Cell Phones Breached...
Now there is a new hack that allows hackers to access your phone using a brute-force fingerprint attack.
Using your fingerprint to open your phone or even unlock your computer is convenient. I use it myself. But as I’ve said hundreds (Thousands?) of times, “Convenience is the antithesis of security.”
Before we go any further, let me tone down the rhetoric a little. This is not a common attack. The chances of it being used against you are slim, and the attacker needs access to your cell phone. BUT, if you keep sensitive information on your phone, and your phone gets stolen or lost, your probability of a breach skyrockets.
How It Works...
The attack is called "BluePrint" and it bypasses security measures that are supposed to stop attackers from being able to continue to attempt to unlock your phone after multiple failed fingerprint unlock attempts.
What has been done is the equivalent of a hardware “Man In The Middle” attack. Using this attack, a bad agent uses a fingerprint database and exploits some zero-day flaws in some routines called “Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL)”. Using this, a hacker can run thousands, or millions, of fingerprint encodings past your phone at the speed of computers.
The hack requires the bad agent to be in possession of your phone (which could happen if it is stolen or lost), be in possession of a fingerprint database (which they can get easily on the dark web), and have a specialized microcontroller board with an auto-clicker (that you can put together for about $15 if you know what you are doing.)
Almost all phones are susceptible...
Researchers tested the hack against 10 different phones including Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and Vivo. They were able to achieve infinite attempts at unlocking the phone on Android and Harmony OS-equipped phones and were able to get 10 additional attempts at unlocking iOS phones.
The issues that make this hack possible have been acknowledged by Apple, Google, AMD, Intel, Nvidia, and Qualcomm. We can only hope that future updates to the OS correct some of these issues, although to be completely honest, manufacturers sometimes de-prioritize fixes if they believe that the probability is too low to bother with. In other words, yes, your phone manufacturer frequently releases operating systems with known flaws and exploits in it because they are willing to let a few people get hacked rather than spend the money to close the vulnerability.
What you can do to protect yourself...
Is this something you should worry about? Not really. Is this something of which you should be aware? Absolutely. Knowledge is power. If you know what CAN be done, you know what precautions to take if your phone is lost or stolen. Assuming that no one can get into your phone because it is locked is not a good strategy.
If your phone is ever lost or stolen, and you can't locate it using whatever tools you have available (find-my-phone or other tools) you should take these immediate steps:
- If you have security software that allows you to lock down your phone or "brick" it, use it immediately
- If you don't have such software, assume that your phone is compromised and
- If you have corporate information or access from your phone, alert your company's IT department so they can take immediate action to stop any incoming access requests from your phone.
- Change all of your account passwords, starting with the most important ones, like bank accounts.
- Freeze or lock your credit profiles so that new accounts can't be created using your phone and 2 Factor Authorization or other credentials found on your phone.
- Log into your authenticator app from a computer and reset your access and/or remove the authenticator access from your phone.
- Contact your phone company and ensure that you have a voice password set on your account. (You should have already done this!) This will keep anyone from changing your phone access without the spoken password.
