How to hack a fingerprint scanner?



Friends, today we take up a very interesting topic: whether the fingerprint scanner on a phone can be hacked, and how to do it.

Quantity vs quality
Today Apple installs Touch ID sensors in almost all of its devices (the iPod Touch line being the exception), while Android smartphone manufacturers gained a standard API for fingerprint authentication only with Android 6.0, which at the time of writing runs on about 15% of devices. Let us try to work out how secure fingerprint authentication is and whether it makes practical sense to use it.

In historical order, we start with Apple.



Touch ID and Secure Enclave: a sweet couple
At one time Apple's problem (the company was already paying attention to data security) was that most users did not want to protect their devices at all. Enter a PIN to unlock the phone? Long and inconvenient. Having looked at the situation, Apple decided not to force people to use lock codes but to make unlocking as easy as possible. The main idea of Touch ID is not to make your particular device more secure; it is to make security convenient and attractive enough for the general public. And the company achieved that goal.

Touch ID is a hardware-and-software complex that is unique in the literal rather than the advertising sense: during production each sensor is paired with the Secure Enclave of one specific device. Remember the Error 53 scandal? It was this pairing that bricked devices whose fingerprint sensor had been replaced by an unauthorised repair shop.



Where fingerprints are stored
It would seem obvious that fingerprint data must be stored in a form from which the print cannot be recovered, but it only seems so: the developers of the HTC One Max decided that fingerprints could be stored as pictures in an ordinary folder in the device's memory. Whatever HTC's developers thought, Apple's engineers made no such mistake: the scan is converted into a mathematical representation (a template; the image itself is never kept) and stored in the Secure Enclave, a coprocessor isolated from the rest of the system. Separately, I note that this data does not go to iCloud and is not sent to the company's servers.

Interestingly, even these fingerprint templates are stored encrypted, with keys derived at boot time from a unique hardware key (which is itself held inside the Secure Enclave and cannot be extracted from it) and from the lock code the user enters. Decrypted fingerprint data lives only in the device's RAM and is never written to disk. Moreover, from time to time the system discards the fingerprint data even from RAM, forcing the user to log in with the lock code (which, recall, lets the system decrypt the fingerprint data again and re-enable the Touch ID sensor).



When and why iOS deletes fingerprint data from RAM
Perhaps the most interesting part of the iOS security model is exactly this question: under what circumstances does iOS discard the fingerprint data from RAM and force the user to re-authenticate with the unlock code? But first, let us think about why Apple needed to periodically delete fingerprints at all.

The company understands very well (and understood three years ago) that any biometric system can be fooled. Yes, Apple built excellent fingerprint scanners that are not as easy to get around as, say, the sensor on the Samsung Galaxy S5, but it is still possible. After all, the owner can be forced to put a finger on the sensor to unlock the phone; under the American legal system this requires a warrant, which takes time... after which the phone will have deleted the fingerprint data from memory and will no longer allow unlocking by fingerprint.

Sounds far-fetched? Smells like a conspiracy theory? No: Apple simply did not like the pressure from law enforcement agencies and responded with this measure. As it was reported at the time, Apple added another rule forcing iPhone and iPad users to enter the passcode to unlock their device.



But let us not get distracted; let us look more closely at the conditions under which the system disables Touch ID and forces entry of the lock code. Touch ID is switched off and the fingerprint data is discarded from memory if any of the following holds:
  • the phone is turned off or rebooted;
  • the user enrols one more finger (enrolment itself requires the passcode);
  • the phone receives a remote lock command via Find My iPhone;
  • there have been five unsuccessful fingerprint unlock attempts in a row;
  • the device has not been unlocked at all for 48 hours;
  • the "anti-police" rule: more than six days have passed since the lock code was last entered, and the device has not been unlocked with Touch ID in the last eight hours.
The last point needs clarification. According to PhoneArena, it "may complicate the work of law enforcement agencies". I would put it more strongly: the rule was introduced right after the sensational trial over the San Bernardino terrorist's phone, when unprecedented pressure was put on Apple.
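To make the interplay of these timers concrete, here is an added example, my own model written for this article and not Apple code: the class and field names are assumed, the time limits are the ones quoted above (48 hours, 6 days, 8 hours, 5 attempts), and Java 16 or later is needed for the record syntax. It evaluates the rules for a given device state and computes how long the biometric window stays open if the device is then left untouched.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

/**
 * Model of the rules under which iOS discards fingerprint data and demands the passcode.
 * Hypothetical helper for this article, not Apple code. Enrolling another finger is a user
 * action rather than a timer, so it is not modelled; it requires the passcode anyway.
 */
public final class TouchIdPolicy {
    static final Duration NO_UNLOCK_LIMIT    = Duration.ofHours(48); // no unlock of any kind
    static final Duration PASSCODE_AGE_LIMIT = Duration.ofDays(6);   // since last passcode entry
    static final Duration TOUCHID_IDLE_LIMIT = Duration.ofHours(8);  // since last Touch ID unlock
    static final int      MAX_FAILED_ATTEMPTS = 5;

    /** Snapshot of the device state that matters for the decision (constructed input). */
    public record State(boolean rebootedSinceUnlock,
                        boolean remoteLockReceived,
                        int failedAttempts,
                        Instant lastPasscodeUnlock,
                        Instant lastTouchIdUnlock) {
        Instant lastUnlock() {
            return lastPasscodeUnlock.isAfter(lastTouchIdUnlock) ? lastPasscodeUnlock : lastTouchIdUnlock;
        }
    }

    /** Empty if Touch ID may still be used at {@code now}; otherwise the rule that disabled it. */
    public static Optional<String> passcodeRequired(State s, Instant now) {
        if (s.rebootedSinceUnlock()) return Optional.of("device was powered off or rebooted");
        if (s.remoteLockReceived())  return Optional.of("remote lock received via Find My iPhone");
        if (s.failedAttempts() >= MAX_FAILED_ATTEMPTS)
            return Optional.of("five failed fingerprint attempts in a row");
        if (Duration.between(s.lastUnlock(), now).compareTo(NO_UNLOCK_LIMIT) > 0)
            return Optional.of("not unlocked for more than 48 hours");
        boolean passcodeStale = Duration.between(s.lastPasscodeUnlock(), now).compareTo(PASSCODE_AGE_LIMIT) > 0;
        boolean touchIdIdle   = Duration.between(s.lastTouchIdUnlock(), now).compareTo(TOUCHID_IDLE_LIMIT) > 0;
        if (passcodeStale && touchIdIdle)
            return Optional.of("passcode not entered for 6 days and no Touch ID unlock for 8 hours");
        return Optional.empty();
    }

    /** How long the biometric window stays open if nobody touches the device after {@code now}. */
    public static Duration remainingWindow(State s, Instant now) {
        if (passcodeRequired(s, now).isPresent()) return Duration.ZERO;
        Instant byInactivity = s.lastUnlock().plus(NO_UNLOCK_LIMIT);
        // The six-day rule fires once BOTH of its conditions hold, i.e. at the later deadline.
        Instant bySixDayRule = later(s.lastPasscodeUnlock().plus(PASSCODE_AGE_LIMIT),
                                     s.lastTouchIdUnlock().plus(TOUCHID_IDLE_LIMIT));
        Instant deadline = byInactivity.isBefore(bySixDayRule) ? byInactivity : bySixDayRule;
        return Duration.between(now, deadline);
    }

    private static Instant later(Instant a, Instant b) { return a.isAfter(b) ? a : b; }

    public static void main(String[] args) {
        Instant now = Instant.parse("2016-08-01T12:00:00Z"); // constructed timestamps
        // Seized phone: passcode typed 5 days 20 h ago, last Touch ID unlock 1 h ago, no misses.
        State seized = new State(false, false, 0,
                now.minus(Duration.ofDays(5)).minus(Duration.ofHours(20)),
                now.minus(Duration.ofHours(1)));
        System.out.println("passcode required now: " + passcodeRequired(seized, now));
        System.out.println("window left if untouched: " + remainingWindow(seized, now));
        System.out.println("after 8 h untouched: " + passcodeRequired(seized, now.plus(Duration.ofHours(8))));
    }
}
```

For the constructed state in main the 48-hour inactivity rule is not the binding one: the six-day rule trips seven hours later, when both of its conditions hold. That is the "actually less" an examiner has to reckon with when handling a seized device.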

How to bypass the fingerprint scanner
If we are talking about hacking Touch ID, fooling the sensor is difficult but possible. To fool modern sensors you have to make a 3D model of the finger, and out of the right material. On older devices (iPhone 5s, iPad mini 3) bypassing the sensor is much easier: a team of German hackers (the Chaos Computer Club) fooled the iPhone 5s sensor two days after the device went on sale, simply by reproducing a lifted fingerprint printed at 2400 dpi.



But before you start modelling the print, you need to take care of the data on the device, and to make sure the fingerprint data does not have time to "rot".

You have to act decisively and quickly: you have very little time.
  1. So, you have a phone in an unknown state in your hands. Do not touch the Touch ID button! If the phone is locked (and it most likely is), you would waste one of the five attempts. Check the state of the device with a short press of the power button.
  2. If the device is locked, isolate it from radio networks by putting it in a Faraday cage (at home an ordinary microwave oven will do the job. The microwave must be off! A proper Faraday bag is the better tool). Do not forget to keep it charged, even if only from an external battery. All this protects the device from Find My iPhone commands, which can both lock the device remotely and wipe its contents. (Think these measures are obvious? Not at all! There are at least two widely reported cases in which police allowed data on already-seized devices to be wiped remotely.)
  3. If the device is unlocked, you can prevent it from locking the screen: simply turn off auto-lock (unlike removing the lock code, turning off auto-lock does not require entering any code).
  4. If the device is locked, you have at most 48 hours (in practice less) to try to fool the fingerprint sensor.
  5. Note: all manipulation of the device must be done in an environment shielded from radio (Wi-Fi and cellular networks). Find My iPhone needs only a couple of seconds to act.
  6. If you managed to fool the sensor, turn off auto-lock (see step 3). Keep in mind: adding another fingerprint in the settings or changing the lock code will not work; for these operations the system always demands the code.
How to use it?
Suppose you managed to fool the fingerprint sensor. What next? iOS is a closed system and the whole device storage is encrypted. Options?
  • Installing a jailbreak: no. To jailbreak a 64-bit iPhone or iPad you will need to enter the lock code anyway (and in some cases also to disable the lock code in the settings).
  • Physical data extraction: you can try. If a jailbreak is already installed, you will be able to extract most of the data, but not decrypt the keychain. If there is no jailbreak, nothing can be done: installing one requires the lock code.
  • iCloud: possible. Having unlocked the device, you can make it save a fresh backup to iCloud (Settings -> iCloud -> Backup -> Back Up Now). Remember, though, that to retrieve the data from the cloud you will need the Apple ID password and, if two-factor authentication is enabled on the account, access to the second factor (which may, however, be the very device under investigation). An important point: you will have to connect the device to Wi-Fi, and instead of a backup a lock or wipe command may arrive.
  • iTunes backup: perhaps the only thing that can and should be done. The unlocked device pairs with iTunes without trouble, and iTunes creates a backup on your computer; the rest is routine. One detail: the backup password. If one is set, you will have to break it (for example with Elcomsoft Phone Breaker). Note that from iOS 11 onwards trusting a new computer requires the device passcode, so this route assumes an earlier iOS version or a computer the device already trusts.
  • If no backup password is set, by all means set your own! The simplest "123" will do. From a password-encrypted backup you can extract everything; from an unencrypted one, everything except the keychain. Since the keychain holds the most interesting things, setting a temporary password before taking the backup is very useful.


Bottom Line
Apple managed to build a complete and very successful protection scheme on the first try, and the fingerprint sensor fits well into the overall concept. There is no known way to bypass this protection purely in software, an attacker has very little time for attempts to fool the sensor, and on newer devices the result is not guaranteed. The company definitely achieved its goal.

Fingerprints and Android
Let us move on to fingerprint authentication on Android devices. Having examined Apple's very successful implementation, let us look at the state of affairs in the competitors' camp.

Google Android 4.x – 5.1.1: everything is very sad
The first devices with built-in fingerprint sensors appeared quite a long time ago, back in the Android 4.4 days. Today there are many of them: Samsung Galaxy S5, S6, S7, Motorola Moto Z, Sony Xperia Z5, LG G5, Huawei Ascend Mate 7 and its successors, Meizu Pro 5, and the list goes on. But not every device uses the sensor properly, mainly because before Android 6.0 there was no standard fingerprint authentication API in the system. No API means no formal Compatibility Definition requirements and, accordingly, no Google certification of the implementation.

With no external control at all, manufacturers built things you would not dream of in a nightmare. For example, the developers of the HTC One Max, having apparently taken the "Android in 21 Days" course by correspondence, implemented a wonderful system that stores complete copies of fingerprints in a world-readable location as uncompressed (let alone unencrypted) images. There is hardly any need for instructions on how to "hack" such a system. I will only note that the data is stored in the file /data/dbgraw.bmp and, for your convenience, its permissions are set to 0666 (readable and writable by everyone).



This is not an isolated example. The Samsung Galaxy S5 shipped with Android 4.4 on board, and hackers soon gained access to the fingerprint scanner and bypassed the protection.

Before the sixth version of Android, manufacturers managed to release many devices with clumsily bolted-on fingerprint sensors. Breaking them is not even interesting; everything there was dull. Clearly Google could not tolerate such a situation for long. It did not.

Android 6.0: Fingerprint API and Nexus Imprint
With Android 6.0, Google not only introduced its own fingerprint authentication API but also updated the Compatibility Definition Document, which every manufacturer wanting to certify devices for Google services must follow (this is an important point; more on it a little later).

Two reference devices were released at once: the Nexus 5X and Nexus 6P. They have both non-removable encryption of the data partition and a correct fingerprint sensor implementation, called Nexus Imprint.



So what does Google require from manufacturers for certification? Unlike the situation with mandatory encryption in Android 5.0, this time the list of requirements leaves no room for interpretation. Here is a paraphrase of the relevant section of the official document.

7.3.10. Fingerprint sensor
A fingerprint sensor is RECOMMENDED on devices that can use a secure lock screen. Device implementations with a fingerprint sensor that expose it to third-party developers via the API:
  • MUST declare support for the android.hardware.fingerprint feature flag;
  • MUST fully implement the fingerprint API from the Android SDK documentation [Resources, 95];
  • MUST have a false acceptance rate (FAR) not higher than 0.002%;
  • are STRONGLY RECOMMENDED to have a false rejection rate (FRR) below 10% and a latency below 1 second from touching the sensor to unlock (with one enrolled finger);
  • MUST rate-limit attempts: at least a 30-second delay after 5 failed attempts;
  • MUST have a hardware-backed keystore and perform fingerprint matching in a Trusted Execution Environment (TEE) or on a dedicated chip with a secure channel to the TEE (this is what tripped up the Samsung Galaxy S5, whose channel between sensor and TEE was not secure);
  • MUST encrypt and cryptographically authenticate all identifiable fingerprint data so that it cannot be read or altered outside the TEE, as described in the Android Open Source Project [Resources, 96];
  • MUST prevent adding a fingerprint without first establishing a chain of trust (the user must confirm an existing, or set a new, PIN/pattern/password via the TEE, per the Android Open Source Project);
  • MUST NOT allow third-party applications to distinguish between individual fingerprints;
  • MUST honour the DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT flag;
  • MUST, when upgraded from a version earlier than Android 6.0, meet ALL THE ABOVE requirements and either securely migrate the fingerprint data or remove it;
  • SHOULD use the Android Fingerprint icon from the Android Open Source Project.
As you can see, the document leaves no room for interpretation. Manufacturers wanting to certify devices on Android 6.0 and above with fingerprint sensors must meet all the requirements. Moreover, devices updated to Android 6.0 must also meet the new requirements (and be certified accordingly).
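As an added illustration of what these requirements buy an application (my own example for this article, not AOSP or any vendor's code; the class name FingerprintGate, the key alias and the Sink interface are assumed), here is the Android 6.0 FingerprintManager API used together with a hardware-backed keystore key, so that the app never sees fingerprint data and never relies on a bare yes/no: the secret can only be encrypted after the TEE has matched a finger.

```java
import android.content.Context;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Hypothetical helper (not AOSP code) showing the Android 6.0 fingerprint API used the way the
 * CDD intends: the app gets a Cipher whose key lives in the hardware-backed keystore and is only
 * usable after the TEE has matched a finger. Requires the USE_FINGERPRINT permission (API 23).
 */
public final class FingerprintGate {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "fingerprint_gate_key"; // assumed key alias

    /** Receives the result; the IV is needed to decrypt later. */
    public interface Sink { void accept(byte[] iv, byte[] ciphertext); }

    /** Generates, once, an AES key that the keystore refuses to use without user authentication. */
    static void ensureKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true) // every use must be authorised by the TEE
                .build());
        kg.generateKey();
    }

    /** Starts a TEE-backed match; {@code plaintext} is encrypted only if the match succeeds. */
    public static void encryptAfterFingerprint(Context ctx, byte[] plaintext,
                                               CancellationSignal cancel, Sink sink) throws Exception {
        FingerprintManager fm = ctx.getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            throw new IllegalStateException("no usable fingerprint hardware or enrolment; use PIN/password");
        }
        ensureKey();
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } catch (KeyPermanentlyInvalidatedException e) {
            // A new finger was enrolled since the key was created, so the keystore invalidated the
            // key for good. Drop it and re-provision the secret under a new key; never fall back silently.
            ks.deleteEntry(ALIAS);
            throw e;
        }
        fm.authenticate(new FingerprintManager.CryptoObject(cipher), cancel, 0 /* flags */,
            new FingerprintManager.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                    try {
                        // Use the Cipher handed back by the system, not a fresh one: only this
                        // operation was authorised by the TEE.
                        Cipher authorised = result.getCryptoObject().getCipher();
                        sink.accept(authorised.getIV(), authorised.doFinal(plaintext));
                    } catch (Exception e) {
                        throw new IllegalStateException("keystore refused the operation", e);
                    }
                }
                @Override
                public void onAuthenticationFailed() {
                    // Finger not recognised. The CDD rate limit (30 s after 5 misses) is enforced
                    // below the app; nothing to do except tell the user.
                }
                @Override
                public void onAuthenticationError(int errorCode, CharSequence errString) {
                    // FINGERPRINT_ERROR_LOCKOUT arrives when the rate limit trips; offer the PIN.
                }
            }, null /* handler */);
    }
}
```

The contrast worth noting is with an app that merely waits for onAuthenticationSucceeded and then reads its secret from ordinary storage: on a rooted or instrumented device that callback can be fired artificially, but nothing short of a real TEE-side match makes the keystore finish the operation on the key above. Binding a key to authentication, and having the keystore invalidate it when a new finger is enrolled, is what the "hardware-backed keystore" and "chain of trust for enrolment" requirements exist to enable.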

Elsewhere the document makes encryption mandatory whenever a secure screen lock (including the fingerprint sensor) is used. In theory, then, things look good. What about in practice?



Android Smart Lock
In fact, Android still has a number of gaping security holes that allow bypassing not one but all of these fingerprints and passwords at once. One of them is Android Smart Lock, which unlocks the phone automatically when certain external conditions coincide. For example, many users allow automatic unlocking at home, forgetting that positioning accuracy is far from ideal and that "home" for the phone covers roughly an 80-metre radius. Many activate unlocking by a trusted Bluetooth device or turn on pseudo-biometric face unlock (easily fooled by playing a video or showing a 3D model).

Interestingly, there is no need for Smart Lock when a working fingerprint sensor is present: the screen turns on and unlocks with a single button press anyway. Why is there no Compatibility Definition requirement to disable Smart Lock when the fingerprint sensor is active? A mystery. But you can use this system to unlock a device. Just keep in mind that Smart Lock is not active immediately after a reboot; to activate it, the device must be unlocked at least once with the password or pattern.

Our Chinese friends
And what about the numerous Chinese phones that also come with fingerprint sensors? Things are very different there.

Above we discussed Google's requirements in the Android Compatibility Definition Document. If a manufacturer wants to certify its devices for Google services, the device, running a specific firmware version, must pass certification in one of the accredited laboratories.

In China Google is banned, and many semi-basement manufacturers do not bother with certification at all. You know yourself what kind of firmware Chinese devices often ship with. For the sake of performance, encryption is usually not enabled even in firmware based on Android 6.0, and the bootloader is either not locked at all (in the case of MediaTek processors) or is easily unlocked. Accordingly, whether there is a fingerprint sensor or not makes no difference whatsoever.

Even if the user enables encryption (unlikely on cheap devices, but still), there is no guarantee that the fingerprint sensor is correctly integrated. This is especially true of devices sold with Android 5 or earlier and later updated to Android 6.

There are exceptions to this rule. All international models from Huawei and Lenovo are certified by Google without fail (which cannot be said of the China-only models). LeEco is an interesting case: its smartphones are sold in China and are trying to conquer foreign markets, and the same model often has both purely Chinese and international firmware. They differ not only in the pre-installed Google Play store, the list of available languages and the presence or absence of "Chinese junk": for international firmware (India, USA, Russia) the company formally certifies the device for Google Play Services.

In particular, in international LeEco firmware based on Android 6.0 (for example for the Le2 Max) encryption of the data partition is enabled (and cannot be turned off), in full compliance with the Android Compatibility Definition. Many users see this as an inconvenience and try to flash something based on the Chinese builds instead, which, given the unlocked bootloader, completely devalues the whole security model.

How to Hack a Fingerprint Scanner
Hacking an Android fingerprint sensor comes down to imitating a finger that can unlock the phone. How detailed and high-quality the imitation must be, and what material it is made of, depends on the technology behind the sensor in a given model.

For example, it is useless to try to fool an ultrasonic sensor with a high-resolution print on special conductive paper, but standard capacitive scanners can be beaten this way.

An ultrasonic sensor, on the other hand, is fooled by a finger printed on a 3D printer, and the material hardly matters. Finally, almost any sensor will take a thin patch of conductive material worn over a finger for the real thing.



It probably goes without saying that to unlock a phone with a fingerprint sensor one can use the finger of a sleeping or unconscious person, or even a corpse (law enforcement has used this method).

What does need mentioning is that in some countries governments collect fingerprint databases of their own citizens, and not only theirs (ever applied for a US visa?). Even if legal restrictions currently prevent using these databases to unlock phones on mere suspicion, I would not give such a guarantee for the future.

Comparison with Touch ID
It is impossible to compare the security of Apple Touch ID directly with the Android world: Apple has only a few devices, while Android smartphones are far too numerous. They use a wide variety of sensors built on different technologies (capacitive, optical, ultrasonic), and different bypass techniques are chosen for different sensors. For example, on the Samsung Galaxy S6 the trick with a finger model 3D-printed in ordinary plastic works quite well (with Apple Touch ID such a simple trick will not work; the print has to be made of a material with special properties). Some other devices are easily fooled by high-resolution printed pictures.

But a comparison with Nexus Imprint makes perfect sense. On the Nexus 5X and 6P Google took an exemplary approach to security: non-removable encryption of the data partition, competent integration of the fingerprint sensors, and sensors that were not chosen at random.

Third-party devices may have insufficiently secure sensors and open security holes (even while formally complying with the Android Compatibility Definition).

How to protect your fingerprint reader from being hacked
Read the article and resolved to disable the ill-fated sensor on your device, using a complex alphanumeric password instead? Do not rush; things are not so bad. With relatively modern Apple devices (iPhone 6 and later, iPad mini 4, iPad Air 2) a fingerprint sensor bypass is not a real danger: even if someone manages to capture your fingerprint at high enough resolution, the attacker will have very little time to use it. Law enforcement can compel you to unlock the phone with your fingerprint (and, unlike a password, US courts have held that they may), but for this they need a specific court order spelling out the whole procedure. Obtaining the order takes time, during which the fingerprint data on your iPhone will have "rotted".

But if you have an Android smartphone... Turn on encryption: without it, the data will be pulled off your phone without any sensor trickery at all. Turn off Smart Lock: it is a gaping security hole. Make sure your device is Google-certified and runs Android 6.0 or newer; if not, I would disable the sensor to be on the safe side. Finally, do not be lazy: look up whether the fingerprint sensor on your model has been bypassed and, if so, how easy it was. Decide based on how comfortable you personally are with the effort a potential attacker would need to bypass the sensor on your device.

Conclusion
Fingerprint authentication is no panacea. Its main purpose is not to make your device more secure but to reduce the inconvenience of locking the phone securely, and thereby convince the bulk of users to lock their devices at all. Apple achieved that. On Android the situation is more complicated: the Nexus Imprint reference implementation works perfectly, almost completely copying the Touch ID approach; with other manufacturers things are less rosy. The quality and security of the sensors is sometimes questionable, and on devices running Android 5.1 and earlier fingerprint sensors remain an open security hole.
 