News Experts have developed methods for hacking applications with a fingerprint scanner


Many modern smartphones have a fingerprint scanner used to authorize access to the device, log in to accounts, confirm payments, and approve other operations. The scanner is designed for secure authentication, but researchers have discovered new ways to manipulate it for malicious purposes. Security researchers from the Chinese University of Hong Kong and Sangfor Technologies presented a user-interface-based attack technique that targets fingerprint scanning in Android apps.

The information security specialists described the new tactic, "fingerprint hacking" (fingerprint-jacking), at the Black Hat Europe conference. According to them, the term comes from clickjacking, because this type of attack hides the interface of a malicious application under a fake cover.

During the demonstration of the attack, the specialist opened the Magisk app, which is used to manage programs with superuser rights, on a device running Android 10. He then launched a simple diary app, which brought up the lock screen interface when viewed. The fingerprint was used to unlock the device, and the user was returned to the diary app. However, when the Magisk app was opened again, it showed that the diary app now had superuser rights on the device.

"The purpose of this attack is to trick the user into authorizing certain dangerous actions without noticing it," the experts explained.

The researchers developed five new attack methods, all of which can be launched from malicious zero-permission Android apps. Some of them can bypass the countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.

Before Android 9, there was no system-level protection, so apps had to block background fingerprint input on their own. However, using the most effective attack method they found, the researchers were able to crack Android's defenses. The so-called Race attack uses a lifecycle behavior where two actions are triggered within a short period of time, allowing a fingerprint hack to be performed. The team reported this issue to Google, and it was assigned the vulnerability ID CVE-2020-27059.

The researchers analyzed 1,630 Android apps that use the fingerprint API, 347 (21.3%) of which contained various implementation issues. They tested the attacks on some popular apps and managed to steal money from a payment app with more than 1 million installations and to obtain superuser rights.
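
The app-side blocking of background fingerprint input mentioned above for devices older than Android 9, sketched as an added example that is not code from the researchers or from any app they tested. The activity name `ConfirmPaymentActivity` and the method `authorizeAction()` are hypothetical; the example covers lifecycle handling only and assumes the app holds the `USE_FINGERPRINT` permission.

```java
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

// Hypothetical activity that asks for a fingerprint before a sensitive action.
public class ConfirmPaymentActivity extends Activity {
    private CancellationSignal cancel;   // lets us stop the sensor session
    private boolean inForeground;        // true only between onResume and onPause

    @Override
    protected void onResume() {
        super.onResume();
        inForeground = true;
        startListening();                // listen only while the user can see this screen
    }

    @Override
    protected void onPause() {
        // Another activity (possibly a fake cover) is taking the foreground:
        // stop accepting fingerprint input immediately.
        inForeground = false;
        if (cancel != null) {
            cancel.cancel();
            cancel = null;
        }
        super.onPause();
    }

    private void startListening() {
        FingerprintManager fm = getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            return;
        }
        cancel = new CancellationSignal();
        // A production app would pass a CryptoObject bound to a Keystore key
        // instead of null, so a match also unlocks a key.
        fm.authenticate(null, cancel, 0, new FingerprintManager.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                // Drop a match that arrives after this screen lost the foreground.
                if (!inForeground) {
                    return;
                }
                authorizeAction();
            }
        }, null);
    }

    private void authorizeAction() { /* hypothetical: perform the confirmed action */ }
}
```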