To mark its accomplishments, the company released a short documentary describing the company's evolution from the perspective of founders Miroslav Trnka and Peter Paško. In 2013, ESET launched WeLiveSecurity, a blog site dedicated to a vast spectrum of security-related topics.ĭecember 2017 marked the 30th anniversary of the company's first security product. In parallel with NOD, the company also started developing Perspekt. It wasn't until 1992 when Miroslav Trnka and Peter Paško, together with Rudolf Hrubý, established ESET as a privately owned limited liability company in the former Czechoslovakia. Under the communist regime, private entrepreneurship was banned. The product NOD was launched in Czechoslovakia when the country was part of the Soviet Union's sphere of influence. At present, ESET is recognized Europe's biggest privately held cybersecurity company. This sparked an idea between friends to help protect PC users and soon grew into an antivirus software company. However, its history dates back to 1987, when two of the company's founders, Miroslav Trnka and Peter Paško, developed their first antivirus program called NOD. The company was founded in 1992 in Bratislava, Slovakia. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide, and its software is localized into more than 30 languages. “We hope this work can inspire the community to improve SFA security.ESET, s.r.o., is a Slovak software company specializing in cybersecurity. “The unprecedented threat needs to be settled in cooperation of both smartphone and fingerprint sensor manufacturers, while the problems can also be mitigated in OSes,” they wrote. To mitigate the CAMF flaw, the researchers recommended an additional error-cancel attempt limit setting – and more importantly, they urged vendors of fingerprint sensors to encrypt key data.Īnd it’s not just about smartphones – they warned that BrutePrint could also be applied to other biometric systems. BrutePrint attack overview How to Respond to the BrutePrint Threat “Fingerprint image hijacking is feasible on all devices except for Apple, which is the only one that encrypts fingerprint data on SPI,” they added. “Together with the frequency that is possible for injection, the situation leads SFA vulnerable to MITM attack on SPI.” “SFA sensors except Touch ID do not encrypt any data and lack mutual authentication,” they wrote. They tested the attacks on the following devices, covering iOS, Android, and HarmonyOS: Apple iPhone SE and iPhone 7, Samsung Galaxy S10+, OnePlus 5T and 7 Pro, Huawei P40 and Mate30 Pro 5G, OPPO Reno Ace, Vivo X60 Pro, and Xiaomi Mi 11 Ultra.Īlso read: Mobile Malware: Threats and Solutions Fingerprint Image Hijackingįor fingerprint image hijacking, the researchers took advantage of a weakness in fingerprint sensors’ SPI protocol to enable man-in-the-middle attacks. Trying the attack on 10 different smartphone models with updated operating systems, the researchers were able to go three times over the attempt limit on Touch ID – and they successfully enabled unlimited attempts on Android devices, clearing the way for brute-force attacks. “Therefore, it exists across various models and OSes.” “Instead of an implementation bug, CAMF and MAL leverage logical defects in the authentication framework,” the researchers wrote. The two zero-days leveraged in the attack, either of which can be used to bypass attempt limits, are a Cancel-After-Match-Fail (CAML) flaw and a Match-After-Lock (MAL) flaw. “Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint authentication (SFA) framework, and the hijacking leverages the simplicity of SPI protocol,” the researchers wrote. Simply put, BrutePrint acts as a middleman to bypass any attempt limits and to hijack fingerprint images. The equipment costs around 15 dollars in total.”Īlso read: Google Launches Passkeys in Major Push for Passwordless Authentication Bypassing Attempt Limits “For specific smartphone models, adaptive flexible printed circuit (FPC) is required. “The adversarial equipment is mainly a printed circuit board (PCB), which is inexpensive and universal,” the researchers wrote. Yiling He of China’s Zhejiang University and Yu Chen of Tencent Security’s Xuanwu Lab are calling the attack BrutePrint, which they say can be used to hijack fingerprint images.Īn attack like BrutePrint could present a significant threat to passkeys, an increasingly popular way to replace passwords with authentication methods like fingerprint authentication or face recognition.Īnd the attack is cheap to carry out. Security researchers recently published a paper detailing an attack they say can be used to bypass smartphone fingerprint authentication.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |