Each year the world’s most notorious and fame-seeking security researchers, penetration testers and hackers make the long pilgrimage to Las Vegas, Nevada to showcase their latest tools, exploits and research to an interested and often shell-shocked audience.
During last week's Black Hat briefings we learned Tao Wei and Yulong Zhang of FireEye had found some serious fingerprint sensor vulnerabilities in Google’s Android mobile operating system which were more than troublesome.
Their presentation highlights three main vectors that could be exploited by attackers, including a “confused authorisation attack that enables malware to bypass pay authorisations protected by fingerprints” as well as two architectural design flaws that permit remote fingerprint harvesting.
The research is interesting given all the big players - Google, Apple and Microsoft - have moved to providing biometric scanners in their hardware in an attempt to curtail the growing angst in the user community that passwords are insecure.
Fingerprints are deemed more secure than passwords because the biometric component is unique to the individual and doesn’t need to be remembered or written down.
Services in the operating system code base leverage the fingerprint sensor technology and allow authentication and authorisation to extend into application architecture, which in turn allows application vendors to permit users to log into applications using the same swipe of their finger they do to log into the device.
So with two swipes of their finger, they are accessing their bank account. Sounds good doesn’t it?
What's the catch?
Here’s something to consider. You have a banking service that sends you a text message with a one-time code that authorises an online bank transaction. It’s sent to your mobile phone.
Most of us now do our banking from our phones. And with the fingerprint reader allowing access to the phone and the banking application, and the same phone being the recipient of the one-time authorisation code, are we really getting the multi-factor authentication protection that we expect?
Hell no. The problem is that attackers are still out to steal our credentials, whether they are fingerprints or passwords, and the majority of users want convenience over security and are content to receive security theatre as an improvement rather than security fact.
In the context of Wei and Yulong’s findings - and the fact that all new technology comes with an unquantifiable but guaranteed set of vulnerabilities that allow it to be exploited by determined hackers - it’s only a matter of time before phone cloning and synthetic fingerprint manufacturing are part of the mainstream hacker arsenal.
The fear is that this is only the beginning of a long onslaught from attackers against the next generation of authentication and authorisation systems, and undoubtedly we’re in for a rocky transition away from the password.
A new hope?
Microsoft's recent release of Windows 10 brings with it some new hope.
Over the past few years the company has worked closely with the FIDO Alliance to introduce the FIDO 2.0 standard into the Windows 10 operating system, under the branding of Windows Hello.
Along with Microsoft Passport, Windows Hello will provide the capabilities of facial recognition, iris scanning and fingerprint scanning to authenticate and authorise access to the operating system and any applications vendors choose to integrate with the operating system.
It’s very early in the Windows 10 hype cycle, and while these new systems sound great and have been designed to use the latest standards in authentication and authorisation, the real test will come now that the production code base is in the hands of researchers.
How to protect yourself
So, what can end-users and consumers do to try and protect themselves while the software and hardware industry marches on with technology innovation?
It comes back to considering your own security architecture - not the technical architecture, but the overall ecosystem you are living in.
Two-factor authentication is by far the favoured approach - three would clearly be better - but if you can get two disconnected factors that are not programmatically or physically bound together, you can rest more easily.
If you never authenticate to your online banking system from the device that receives the one-time code, there is little chance that stolen passwords, fingerprints or even the handset will grant attackers access to your cash. If you have the option of chaining a PIN with a fingerprint, do that, as it’s always better to have something you know as well as something you are.
The key message is not to rely on what manufacturers sell us, but to consider the failure stakes yourself, and make your own mind up whether or not you trust it.
Ask yourself what a hacker would do: consider the simplest, brute force attack, which may be to lift your fingerprint from a glass you just drank from and then pinch your phone. If that happened, what would they then have access to?