Fingerprint scanners have become a default feature on most mobile devices. They give users a sense of security and are usually a convenient way to unlock a mobile device.
But all of this biometric data can be a security risk. Suprema Corp. was in the news earlier this year when it was discovered the company exposed more than 1 million users’ biometric information, including fingerprints and facial recognition data. It is unclear if the data allowed attackers to reconstruct users’ fingerprints, or if any of the data was exfiltrated. Still, this information was sure to be attractive to threat groups.
In July, news broke that China was installing malware on tourists’ phones. So we started to wonder how hard it would be to silently install malware on users’ devices.
We wanted to find out how much time is needed to go from fingerprint scanning to malware deployment on mobile devices. Could it be fast enough to be the equivalent of someone being stopped at the border having their fingerprints scanned during an interview while their devices are in the “x-ray machine”? Or would the amount of time needed be a couple of hours? In this real-world scenario, time is only important for foreign opportunistic targets. Most countries’ citizens will have their fingerprints on file, meaning that everything can be prepared in advance.
Fingerprint authentication — like other biometric authentication mechanisms — has been broken before. Now that it’s grown in popularity, it’s time to test how to bypass the authentication, and more importantly, test a real-world attack scenario and the level of sophistication needed to execute it. Finally, our research showed that technology has not advanced enough to be considered generally safe. These practical attacks don’t require state-level resources to be executed; they can be performed by motivated attackers with a budget under $2,000.
Vitor Ventura, Security Researcher, Cisco Talos
Vitor Ventura is a Cisco Talos security researcher. As a researcher, he has investigated and published various articles on emerging threats. Most days Vitor is hunting for threats, investigating them, reversing code, but also looking for the geopolitical and/or economic context that better suits them. Vitor has been a speaker at conferences like NorthSec, Virus Bulletin, Recon Brussels, Defcon Crypto Village and BSides Lisbon and oPorto, among others. Prior to that he was IBM X-Force IRIS European manager, where he was lead responder for several high-profile organizations affected by the WannaCry and NotPetya infections, helping to determine the extent of the damage and to define the recovery path. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments, Oil and Gas ICS security assessments, and custom mobile devices, among other IoT security projects. Vitor holds multiple security-related certifications like GREM (GIAC Reverse Engineer Malware) and CISM (Certified Information Security Manager).