Wednesday 2 September 2015

Fingerprints do not protect smartphones.

Why fingerprint checks are not the best way to protect data

With the release of the iPhone 5S, smartphone makers began deploying fingerprint scanners for data protection on a massive scale. However, experts believe that this method of protection, despite its apparent reliability, actually poses a considerable danger to the user.

The issue of protecting data with fingerprints was raised at the Black Hat security conference in Las Vegas. Experts from FireEye shocked the audience when they said that some Android smartphones store fingerprints in unencrypted form.

In particular, the experts found that on the HTC One Max, fingerprints are kept in a general section of the file system as an unprotected image file, dbgraw.bmp. This data is also vulnerable on devices from Samsung and Huawei.

As a result, an attacker with any malicious process or application can access this high-resolution image.
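
A defender can audit a device image or file tree for this kind of exposure by looking for bitmap files that any local process may read. The Python sketch below is an added example, not code from FireEye or from the original article; it assumes "unprotected" means the POSIX others-read permission bit is set, and the function names and the header-only sample files are constructed for illustration.

```python
import os
import stat
import struct
import tempfile

BMP_MAGIC = b"BM"  # first two bytes of every Windows bitmap file

def bmp_dimensions(path):
    """Return (width, height) if the file starts with a BMP header, else None."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(26)
    except OSError:
        return None
    if len(header) < 26 or header[:2] != BMP_MAGIC:
        return None
    width, height = struct.unpack_from("<ii", header, 18)
    return abs(width), abs(height)  # height is negative for top-down bitmaps

def find_exposed_bitmaps(root):
    """List regular BMP files under root with the others-read bit (S_IROTH) set.
    Assumption: this bit is what the article means by an "unprotected" file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue
            dims = bmp_dimensions(path)
            if dims:
                findings.append((path, stat.filemode(mode), dims))
    return sorted(findings)

def make_sample_bmp(path, width, height, mode):
    """Write a constructed, header-only bitmap (no image data) with the given mode."""
    header = BMP_MAGIC + struct.pack("<IHHI", 54, 0, 0, 54)
    header += struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0, 0, 0, 0, 0, 0)
    with open(path, "wb") as fh:
        fh.write(header)
    os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample_bmp(os.path.join(root, "dbgraw.bmp"), 512, 512, 0o644)
        make_sample_bmp(os.path.join(root, "private.bmp"), 512, 512, 0o600)
        print(find_exposed_bitmaps(root))
```

The others-read bit only matters if every parent directory can also be traversed by other users, which this sketch does not check.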

Hackers can also use a fake lock screen to obtain authentication in popular payment systems, in order to intercept money transfers and embezzle funds. In conclusion, the experts pointed out that many manufacturers of Android-based mobile devices do not use TrustZone technology to protect biometric data.

Since, as of 2019, half of all mobile devices sold will be equipped with a fingerprint reader, attackers will be able not only to steal data en masse but also to add their own fingerprints, thereby blocking access to the device.

At the same time, the experts noted that the fingerprint sensors on most Android smartphones are protected more weakly than on the iPhone. Apple smartphones encrypt the fingerprint image, so even with access to the data, hackers cannot read it without the cryptographic key.

According to Kaspersky Lab anti-virus expert Sergei Lozhkin, if a fingerprint scan stored in the phone somehow gets to cybercriminals, making a duplicate of the thumb is simple enough. "And, accordingly, they can get access to all devices that use your fingerprint," the expert added.

He also noted that it does not matter to the phone whether you are using a real finger or a rubber clone.

Getting a fingerprint is not actually a complicated process, because we leave them literally everywhere. Moreover, there are ways to obtain prints even without access to the finger itself. German hacker Jan Krissler was able to make a copy of the German Defense Minister's thumb using only photographs of her taken during public appearances from a distance of 3 m.

Before that, Krissler managed to obtain prints that the fingerprint scanner accepted as valid directly from an iPhone 5S. To do this, he used only wood glue and graphite.

However, gaining access to data with a fingerprint can, as the inquisitive minds of jealous wives have shown, be much easier: they simply press their husbands' fingers to the scanner while the husbands are asleep.

As Alexei Os'kin, head of the marketing and product technical support department at ESET, told Gazeta.ru, as soon as fingerprint-based data protection becomes widespread, attackers will immediately turn their attention to it.

"The hunt for users' biometric data will begin, and sooner or later it will end up in the hands of criminals unless special measures are taken to protect it," the expert warns.

At the same time, according to Os'kin, users themselves can hardly do anything to protect their fingerprints, so they have only one option: simply not to use fingerprints as the primary authentication type.

Sergei Lozhkin agrees with him. You can protect yourself by using a combination of fingerprint and password, he said. "In addition, it is recommended to set a more complex password. It is not too convenient, but it is safe," said the expert.

At the same time, if we talk about the best way of protecting with a single authentication factor, a fingerprint still looks stronger than passwords, said Alexei Os'kin. "But the question is not whether it is a reliable method, but how dangerous it is to use a fingerprint as the only authentication factor," the expert said.

At the same time, Lozhkin is absolutely sure that a password is in any case a more reliable way to protect data than a fingerprint.

According to Os'kin, the large technology companies that are actively implementing these authentication methods, as well as state organizations and information security experts, should work out a common policy for the further development of such data protection mechanisms and adopt security standards for encrypting and storing biometric data.

As one solution to the potential problem, the expert names two-factor authentication, where a password acts as the main key but authorization also requires other means: additional one-time passwords, a graphical key or a retinal scanner.