exploring vulnerabilities in android 6 0 fingerprint
play

Exploring vulnerabilities in Android 6.0 fingerprint authentication - PowerPoint PPT Presentation

Oct 02, 2023 •239 likes •586 views

Exploring vulnerabilities in Android 6.0 fingerprint authentication Thom Does & Mike Maarse KPMG 02-02-2016 Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 1 / 34 Introduction Motivation/relevance Preferred

  1. Exploring vulnerabilities in Android 6.0 fingerprint authentication Thom Does & Mike Maarse KPMG 02-02-2016 Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 1 / 34

  2. Introduction Motivation/relevance Preferred authentication method by users Growing number of mobile devices with fingerprint hardware ◮ 990 million in 2017 (Goode Intelligence) ◮ Over 50% of all smartphones by 2019 (MarketResearch.com) Used to protect sensitive data/transactions Android 6.0 provides ”native” support through API Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 2 / 34

  3. Introduction Motivation/relevance Preferred authentication method by users Growing number of mobile devices with fingerprint hardware ◮ 990 million in 2017 (Goode Intelligence) ◮ Over 50% of all smartphones by 2019 (MarketResearch.com) Used to protect sensitive data/transactions Android 6.0 provides ”native” support through API Research question Is it possible to bypass Android 6.0’s fingerprint authentication, by modifying its vendor-independent software components, or by tampering with their interprocess communication? Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 3 / 34

  4. Introduction Motivation/relevance Preferred authentication method by users Growing number of mobile devices with fingerprint hardware ◮ 990 million in 2017 (Goode Intelligence) ◮ Over 50% of all smartphones by 2019 (MarketResearch.com) Used to protect sensitive data/transactions Android 6.0 provides ”native” support through API Research question Is it possible to bypass Android 6.0’s fingerprint authentication, by modifying its vendor-independent software components, or by tampering with their interprocess communication? The short answer... Yes, in both cases! Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 4 / 34

  5. Results 1. False positive recognition Fingerprints not enrolled can perform authentication ... or any capacitative body part (live demo) 2. Forced release of authentication protected keys Allows attackers to perform cryptographic operations ◮ Decrypt sensitive data Attacks possible within vendor specific time-frame Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 5 / 34

  6. Impact Determined by number of API implementations Compromises apps handling sensitive data ◮ Financial transactions ◮ Personal data Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 6 / 34

  7. Case study bol.com First large Dutch web shop to use fingerprint authentication Observations Triggers authentication on: 1 ◮ checkout ◮ editing user profile Trusts rooted device 2 Does not use the keystore 3 Figure 1: bol.com app dialog Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 7 / 34

  8. Methodology - Equipment Hardware Figure 2: LG Nexus 5X Software Android 6.0 ”bullhead” (MDA89E) Android SDK platform tools Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 8 / 34

  9. Methodology - Approach Explore the authentication system Analyse source code Replace software components Intercept and manipulate IPC Goal Forcing a successful authentication by returning a positive result code. Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 9 / 34

  10. Software components Figure 3: Fingerprint authentication software Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 10 / 34

  11. Software components Figure 4: Communication components Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 11 / 34

  12. Source code analysis Finding the entry point... FingerprintService ◮ Managed (Java) code ◮ System service ◮ Compiled as *.class fingerprintd ◮ Native (C/C++) code ◮ Separate process ◮ Compiled as single executable Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 12 / 34

  13. Source code analysis FingerprintService checks return values if fingerprint_id == 0 return false else return true Problem? No verification the fingerprint ID actually exists. Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 13 / 34

  14. False positive recognition Method I - Replacing fingerprintd Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 14 / 34

  15. Fake fingerprint ID Figure 5: Result propagation Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 15 / 34

  16. Fake fingerprint ID Figure 6: False positive Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 16 / 34

  17. User warning Figure 7: dm-verity warning Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 17 / 34

  18. False positive recognition Method II - Manipulating IPC traffic Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 18 / 34

  19. Binder IPC Figure 8: Binder transaction flow Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 19 / 34

  20. Manipulating IPC traffic Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 20 / 34

  21. Comparing attack methods Replacing fingerprintd Manipulating IPC Requires root access Yes Yes Shows user warning Yes No No 1 Key release Yes Table 1: Method comparison 1 Future work... Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 21 / 34

  22. Forced release of authentication-gated keys Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 22 / 34

  23. Key release Figure 9: Keystore interaction Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 23 / 34

  24. HAT replay Figure 10: Replay attack Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 24 / 34

  25. Challenge implementation Hardware Authentication Token 2 security 64-bit ”random” challenge... ...prevents replay attacks? Problem? Value of challenge equal to crypto operation ID [1..19]. 2 Also referred to as ”AuthToken” Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 25 / 34

  26. Attack feasibility Attacks only possible with root Can only be practically be exploited with physical access Might trigger warnings on start-up ◮ But this can be circumvented using Binder Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 26 / 34

  27. Mitigation Application developers Use keystore Do not trust rooted devices OS developers Randomise HAT challenge values (vendor’s responsibility?) Erase HAT from memory after use Why offer less secure method? Protect Binder message integrity End-users Do not use fingerprint authentication on rooted device Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 27 / 34

  28. Questions? Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 28 / 34

  29. FingerprintService.java /frameworks/base/services/core... /java/com/android/server/fingerprint/FingerprintService.java Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 29 / 34

  30. FingerprintDaemonProxy.cpp /system/core/fingerprintd/FingerprintDaemonProxy.cpp Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 30 / 34

  31. Manipulating IPC traffic Subverting the Binder Capturing IPC traffic ◮ Library injection ◮ Hooking IOCTL system calls ◮ Dumping raw parcel data Manipulating parcel content ◮ Select parcel by Interface Descriptor and Function Code ◮ Retrieve memory address of IPC data from parcel Proves to be less detectable for end-users ◮ No warning is triggered on start-up Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 31 / 34

  32. IPC Traffic Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 32 / 34

  33. HAT Data Structure Field Type Value AuthToken Version 1 byte 0 Challenge 64-bit unsigned integer 2 User SID 64-bit unsigned integer 6642721394326884821 64-bit unsigned integer 3 Authenticator ID 13239196515636370186 64-bit unsigned integer 1 Authenticator type 33554432 64-bit unsigned integer 1 Timestamp 12838108872145108992 AuthToken HMAC 256-bit blob 243-169-20-223-... Table 2: AuthToken capture 3 In network order (big endian) Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 33 / 34

  34. Challenge ID Logcat output 07:12:05.191 ... fingerprintd: authenticate(sid=15, gid=0) 07:12:10.533 ... fingerprintd: authenticate(sid=14, gid=0) 07:12:13.274 ... fingerprintd: authenticate(sid=13, gid=0) 07:12:15.975 ... fingerprintd: authenticate(sid=12, gid=0) 07:12:18.682 ... fingerprintd: authenticate(sid=11, gid=0) 07:12:21.707 ... fingerprintd: authenticate(sid=10, gid=0) 07:12:24.744 ... fingerprintd: authenticate(sid=9, gid=0) Thom Does & Mike Maarse (KPMG) RP1 Presentation 02-02-2016 34 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani, Rigel Gjomemo , V.N. Venkatakrishnan, Stefano Zanero Android Message Passing Mechanism Android apps are composed of

566 views • 23 slides
To Towards(Understanding(Android(System( Vu Vulnerabilities:( Te Techniques(and(Insights(

To Towards(Understanding(Android(System( Vu Vulnerabilities:( Te Techniques(and(Insights(

ACM#Asia#Conf.#on#Comp.#and#Comm.#Security#( AsiaCCS ),#Auckland,#Jul#2019# To Towards(Understanding(Android(System( Vu Vulnerabilities:( Te Techniques(and(Insights( Daoyuan'Wu 1 ,#Debin Gao 1 ,#Eric#K.#T.#Cheng 2 ,# Yichen Cao 3

332 views • 21 slides
Exploring the Android APK via Pokemon GO The story of a Cat and a Mouse Structure of APK

Exploring the Android APK via Pokemon GO The story of a Cat and a Mouse Structure of APK

Exploring the Android APK via Pokemon GO The story of a Cat and a Mouse Structure of APK Extraction Techniques Solutions Us Niantic (Pokemon Go) Connor Tumbleson Software Engineer Apktool Maintainer @iBotPeaches

967 views • 53 slides
Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android

Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications Daniele Gallingani Rigel Gjomemo, V.N. Venkatakrishnan Stefano Zanero University of Illinois at Chicago University of Illinois at Chicago

419 views • 11 slides
Exploring the Integration of User Feedback in Automated Testing of Android Applications G.

Exploring the Integration of User Feedback in Automated Testing of Android Applications G.

Exploring the Integration of User Feedback in Automated Testing of Android Applications G. Grano, A. Ciurumelea, S. Panichella, F. Palomba, H. Gall SANER 2018, 20-23 March, Campobasso (Italy) grano@ifi.uzh.ch giograno90 149 billions of

593 views • 27 slides
WE MAKE INNOVATION HAPPEN Pry-ID The cable fingerprint Pry-ID is the fingerprint for your

WE MAKE INNOVATION HAPPEN Pry-ID The cable fingerprint Pry-ID is the fingerprint for your

WE MAKE INNOVATION HAPPEN Pry-ID The cable fingerprint Pry-ID is the fingerprint for your cable. It does not need a power supply and it lasts for the whole lifetime of the cable, following it in even the harshest environments. With the

499 views • 25 slides
A Whorlwind Tour A Guide To Expert Fingerprint Evidence Presented by Philip Gilhooley

A Whorlwind Tour A Guide To Expert Fingerprint Evidence Presented by Philip Gilhooley

Fingerprints A Whorlwind Tour A Guide To Expert Fingerprint Evidence Presented by Philip Gilhooley Independent Fingerprint Consultant My Background Over forty-five years experience Qualified to National Advanced Fingerprint

987 views • 55 slides
DactyMatch Green Bit Green Bit Fingerprint Recognition Recognition Fingerprint SDK v.2.2

DactyMatch Green Bit Green Bit Fingerprint Recognition Recognition Fingerprint SDK v.2.2

DactyMatch Green Bit Green Bit Fingerprint Recognition Recognition Fingerprint SDK v.2.2 SDK v.2.2 Green Bit SpA General Description DactyMatch contains all necessary functions to perform fingerprint image recognition in both

390 views • 13 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
COSEC DOOR FMX High Performance Door Controller with Multispectral Fingerprint Reader Demanding

COSEC DOOR FMX High Performance Door Controller with Multispectral Fingerprint Reader Demanding

COSEC DOOR FMX High Performance Door Controller with Multispectral Fingerprint Reader Demanding Working Conditions Damaged Dry Fingerprint Identification Wet Dirty Elderly Upper Layer of Issues of workers Fingerprint is not Readable

597 views • 18 slides
S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in

S MV -H UNTER : Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps David Sounthiraraj Justin Sahs Garret Greenwood Zhiqiang Lin Latifur Khan University of Texas at Dallas February 26, 2014

671 views • 40 slides
Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research -

Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research -

Assessing and Exploiting BigNum Vulnerabilities Ralf-Philipp Weinmann Director of Research - Comsecuris <ralf@comsecuris.com> PGP fingerprint : D244D6F2E79B529BF5548F39B27967D58C07C5B7 twitter: @esizkur 1 PARENTAL ADVISORY Sparse

419 views • 28 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job =

HIGH-DEF FUZZING EXPLORING VULNERABILITIES IN HDMI-CEC name = "Joshua Smith" job = "Senior Security Researcher" job += "HP Zero Day Initiative" irc = "kernelsmith" twit = "@kernelsmith"

577 views • 54 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net> Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege

800 views • 39 slides
SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length

SAT Solver Attacks on CubeHash Ben Bloom Hash Functions Variable length input, fixed length output. H(m) = h Cryptographic Hash Functions Preimage resistance Collision resistance Applications of Cryptographic Hash Functions

672 views • 38 slides
The Power of SUSE Linux for POWER [FUT1144] Jay Kruemcke Sr. Product Manager Linux for IBM Power

The Power of SUSE Linux for POWER [FUT1144] Jay Kruemcke Sr. Product Manager Linux for IBM Power

The Power of SUSE Linux for POWER [FUT1144] Jay Kruemcke Sr. Product Manager Linux for IBM Power Systems jayk@suse.com @mr_sles Enabling Advanced Data Center Solutions for More Than 20 Years 2000 2002 2004 2008 2010 2012 2014 2015

361 views • 32 slides
Lecture 23 Reminders: Programming Project 5 (reassigned Homework Problem 5.48) due on

Lecture 23 Reminders: Programming Project 5 (reassigned Homework Problem 5.48) due on

Lecture 23 Reminders: Programming Project 5 (reassigned Homework Problem 5.48) due on Thursday. Homework 7 due next Tuesday. Questions? Tuesday, November 15 CS 475 Networks - Lecture 23 1 Outline Chapter 7 - End-to-End Data 7.1

602 views • 20 slides
Parallel Nonnegative Matrix Factorization Algorithms for Hyperspectral Images A Masters Thesis

Parallel Nonnegative Matrix Factorization Algorithms for Hyperspectral Images A Masters Thesis

Parallel Nonnegative Matrix Factorization Algorithms for Hyperspectral Images A Masters Thesis Lukasz Grzegorz Maciak Montclair State University Department of Computer Science 1 Objectives 1. Background 2. Investigate Novel Feature Extraction

887 views • 61 slides
Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source

Hacking Consumer Devices for Fun and Profit An Insider's View of the NSLU2-Linux Open-Source Project Rod Whitby <rod@whitby.id.au> NSLU2-Linux Project Lead Hacking Consumer Devices for Fun and Profit 5. Official Kernel Support 1.

285 views • 26 slides
308-435 Socket Programming Juan de Lara, Hans Vangheluwe Edited for Fall 2001 by Clark Verbrugge

308-435 Socket Programming Juan de Lara, Hans Vangheluwe Edited for Fall 2001 by Clark Verbrugge

308-435 Socket Programming Juan de Lara, Hans Vangheluwe Edited for Fall 2001 by Clark Verbrugge McGill University Fall Term 2001 Background In order to use sockets, you need some understanding of how addressing over sockets works. The

343 views • 17 slides

More recommend