I just wanted to post a heads-up on the recent buzz around BrutePrint, which is an attack on the fingerprint sensors of some phones, where it can be bypassed in a relatively short time if the attacker has physical access to the phone.
In particular, it shows that Android is particularly vulnerable because the fingerprint database is not encrypted.
I’m wondering what people make of this in a FP context, and if it is feasible to encrypt the fingerprint database with the current codebase.
It’s in display finger print readers because that’s what’s used in most devices now. They do exploit the actual scanner by soldering to it, the puck you see on one of the pictures isn’t the exploit and is labeled as auto-clicker.
I see no reason why the FP4 wouldn’t be affected.
That setting won’t help either:
BrutePrint acts as an adversary in the middle between the fingerprint sensor and the trusted execution environment and exploits vulnerabilities that allow for unlimited guesses.
And, as mentioned by @KjetilK, there’s also this …
The ability of BrutePrint to successfully hijack fingerprints stored on Android devices but not iPhones is the result of one simple design difference: iOS encrypts the data, and Android does not.
… so yeah, completely fixing this would probably require significant changes to the proprietary bits, I’m not getting my hopes up …
I see also old iPhones indeed, they still have a similar sensor as the FP4. So it’s not only in-display sensors indeed. I haven’t read the report or dived into the other sources, so can’t really comment further on it.
Since I’m a bit paranoid and was afraid my fingerprints might get stolen, I never did use the fingerprint sensor before.
And see what? I was right with that!
The attack still requires the attacker to have physical access to your phone, at which point I wouldn’t trust the FP4’s stock security model anyway, bootloader accepting test keys etc.
From what I’ve read about the exploit (and I might be completely wrong here) it seems the problem is the data not being encrypted in transit, the fingerprints should still be stored in the TPM which isn’t easily accessible
Regardless, I’d agree, fingerprints aren’t a safe form of authentication, but they haven’t been before either.
An identifier that isn’t changeable is always a bad idea.
But there are still cases where they can be useful.
I can’t imagine the fingerprint is kept as an image it’s a data string of some pattern. Another device will have a different patterrn
For starters, Apple uses a similar solution and if you have an older model with a fingerprint sensor you’re just as safe using it as you were before. The same goes for older Samsung phones that launched pre-Marshmallow and used Samsung’s own methods.
The way Google stores your fingerprint data is the most secure way possible with current tech. It’s also fascinating how simple the overview of the whole thing is once you have a look at it. How does Android save your fingerprints? | Android Central
Android requires your fingerprint data to be secured with a unique key, and you can;t take it to another phone or reuse it for another user.
Your fingerprints don’t “get stolen” in this attack. They’re still in the TEE. @KjetilK did not sum that up correctly from how I read the article.
What the article says is that it’s possible to have unlimited guesses using a large database of other known fingerprints until one of them matches closely enough to unlock. The unlimited guesses are in turn only possible because communication between fingerprint reader and TEE can be manipulated because it’s unencrypted.
Indeed, fingerprints are stored as hashes, and a hash of the scanned finger is compared to them.
That been said, fingerprints are not, I repeat, not a secure solution. Not only can they easily be stolen and/or faked, they are quite impossible to change, and the system managing them on your phone/laptop is a bunch of shortcuts and compromises.
(For the record, the exploits the OP mentions can easily bypass the number of failed attempts simply by not completing them… Which allows to brute-force the fingerprint.)
Anyway, hacking doesn’t happen like you see it in the movies: Here is what actually happens…
So obviously the security of your fingerprints is irrelevant… Fingerprints only help keeping nosy colleagues/spouses/kids at bay, anything more determined will get through.
The way Google stores your fingerprint data is the most secure way possible with current tech. It’s also fascinating how simple the overview of the whole thing is once you have a look at it. How does Android save your fingerprints? | Android Central
Android requires your fingerprint data to be secured with a unique key, and you can;t take it to another phone or reuse it for another user.
Reading the replies now rather than knee jerk (sorry), the data is safely stored in the TEE, which is encrypted and isolated. Phew. Looks like according to one person who read about the hack, it’s the removal of the 15 attempts fix that’s the issue. Thank you for sharing.
After several security holes have been traced back to intelligence agencies, I would not be surprised if this security hole was intentionally built in, or at least intentionally not fixed.