Security researchers recently published a paper detailing an attack they say can be used to bypass smartphone fingerprint authentication.

Yiling He of China’s Zhejiang University and Yu Chen of Tencent Security’s Xuanwu Lab are calling the attack BrutePrint, which they say can be used to hijack fingerprint images.

An attack like BrutePrint could present a significant threat to passkeys, an increasingly popular way to replace passwords with authentication methods like fingerprint authentication or face recognition.

And the attack is cheap to carry out. “The adversarial equipment is mainly a printed circuit board (PCB), which is inexpensive and universal,” the researchers wrote. “For specific smartphone models, adaptive flexible printed circuit (FPC) is required. The equipment costs around 15 dollars in total.”

Bypassing Attempt Limits

Simply put, BrutePrint acts as a middleman to bypass any attempt limits and to hijack fingerprint images. “Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint authentication (SFA) framework, and the hijacking leverages the simplicity of SPI protocol,” the researchers wrote.

The two zero-days leveraged in the attack, either of which can be used to bypass attempt limits, are a Cancel-After-Match-Fail (CAMF) flaw and a Match-After-Lock (MAL) flaw. “Instead of an implementation bug, CAMF and MAL leverage logical defects in the authentication framework,” the researchers wrote.