
Laptops with Windows Hello Fingerprint Authentication Vulnerable

 


Microsoft’s Windows Hello, which offers a passwordless method of logging into Windows-powered machines, may not be as secure as users think. A security evaluation of Windows Hello fingerprint authentication, focused on the fingerprint sensors embedded in laptops, led to the discovery of multiple vulnerabilities that would allow a threat actor to bypass Windows Hello authentication completely.

As reported by Blackwing Intelligence in a blog post, Microsoft's Offensive Research and Security Engineering (MORSE) had asked the company to assess the security of the three top fingerprint sensors embedded in laptops.

The study covered three devices: the Dell Inspiron 15, the Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover with Fingerprint ID. The researchers working on the project found several vulnerabilities in the Windows Hello fingerprint authentication system that could be exploited.

In addition, the document reveals that the fingerprint sensors used in the Lenovo ThinkPad T14, Dell Inspiron 15, and Surface Pro 8 and X tablets, made by Goodix, Synaptics, and ELAN, were vulnerable to man-in-the-middle attacks due to their underlying technology.

The premier sensors enabling fingerprint authentication through Windows Hello are not as secure as manufacturers would like. Several security flaws have been discovered in fingerprint sensors used in many laptops that are compatible with the Windows Hello authentication feature, due to the use of outdated firmware.

The discovery was made by researchers at Blackwing Intelligence, a company that conducts research into the security, offensive capabilities, and vulnerability of hardware and software products. The researchers found weaknesses in the embedded fingerprint sensors manufactured by Goodix, Synaptics, and ELAN.

For the fingerprint reader exploits to work, users must already have fingerprint authentication set up on the targeted laptops. All three fingerprint sensors are of a type known as "match on chip" (MoC), which includes all biometric management functions in the integrated circuit of the sensor itself.

Concept Of Vulnerability Match On Chip

As reported by Cyber Security News, this vulnerability is due to a flaw within the concept of the "match on chip" type sensors. Microsoft removed the option of storing some fingerprint templates on the host machine and replaced it with a "match on chip" sensor. This means that the fingerprint templates are now stored on the chip, potentially reducing the concern that fingerprints might be exfiltrated from the host if the host becomes compromised, which could compromise the privacy of your data.

However, this method has a downside: it does not prevent malicious sensors from spoofing the communication between the sensor and the host, so in this case, an authorized and authenticated user who is using the sensor can easily be fooled.

This is not the first time Windows Hello biometric-based authentication has been defeated. This month, Microsoft released two patches (CVE-2021-34466, CVSS score: 6.1), aimed at patching up a security flaw that was rated medium severity in July 2021, and that could allow an adversary to hijack the login process by spoofing the target's face.

It is still unclear whether Microsoft will be able to find a fix for the flaws; however, this is not the first time Windows Hello, a biometric-based system, has been the victim of attacks. A proof of concept in 2021 showed that, by using an infrared photo of a victim with the facial recognition feature of Windows Hello, it was possible to bypass the authentication method. Following this, Microsoft fixed the issue to prevent the problem from occurring again.

Google Chrome Extensions can be Employed to Track Your Online Activity

 

A web developer going by the alias ‘z0ccc’ has created a website that can generate a unique online tracking fingerprint based on Chrome extensions installed on the visiting browser. 

The methodology is primarily based on fetching the extensions’ web-accessible resources, a type of file within the extension’s infrastructure that web pages can access. These files can consequently be used to detect installed extensions and create a fingerprint of a visiting user based on the combination of installed extensions.

The procedure was previously demonstrated in 2019, but the website has only recently been designed. Some extensions can bypass detection by using secret tokens required to access their web resources, but there is a novel “resource timing comparison” technique to detect whether an extension is installed on the endpoint or not.

“Resources of protected extensions will take longer to fetch than resources of extensions that are not installed,” z0ccc explained on the project’s GitHub page. “By comparing the timing differences, you can accurately determine if the protected extensions are installed.”

To illustrate this fingerprinting technique, the web developer designed an Extension Fingerprints website that will examine a visitor's browser for the existence of web-accessible resources in 1,170 popular extensions available on the Google Chrome Web Store. 

The methodology also operates with extensions installed from the Chrome Web Store in Chromium browsers, such as Microsoft Edge. It can spot Edge extensions from Microsoft’s dedicated store, but z0ccc’s website doesn’t support this feature. 

Interestingly, the technique doesn’t work for Firefox extensions as the browser extension IDs are unique for every browser instance, making the web-accessible resources URL impossible to identify by third parties. 

To restrict fingerprinting via browser extension detection, Chrome users can limit the number of extensions they install on their Chrome and Chromium browsers. Installing more extensions, and in unique combinations, increases the risk of having multiple tracking hashes, which facilitates fingerprinting.

"This is definitely a viable option for fingerprinting users," z0ccc explained in the blog post. "Especially using the 'fetching web accessible resources' method. If this is combined with other user data (like user agents, timezones etc.) users could be very easily identified."
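A defender-side check for the exposure described above, as an added example that is not part of the original post or of z0ccc's project: it reads extension manifests and reports which extensions expose web-accessible resources to every page. The extension names and manifests are constructed; the manifest keys (`web_accessible_resources`, `matches`, `use_dynamic_url`) are Chrome's own.

```javascript
// Added example: classify how exposed each extension's web-accessible
// resources are to probing by arbitrary pages. Manifests below are constructed.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RANK = ["none", "restricted", "dynamic-url", "any-site"];

// Manifest V3 entry: { resources, matches, extension_ids, use_dynamic_url }.
function entryExposure(entry) {
  const broad = (entry.matches || []).some((m) => BROAD.has(m));
  if (!broad) return "restricted"; // only the listed origins/extensions may load it
  // use_dynamic_url serves the file under a per-session ID, so a fixed
  // chrome-extension://<id>/<path> URL cannot be known in advance.
  return entry.use_dynamic_url === true ? "dynamic-url" : "any-site";
}

// Returns the worst exposure level found in one manifest.
function auditManifest(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return "none";
  let worst = "none";
  for (const entry of war) {
    // Manifest V2 lists bare paths; every page may request them.
    const level = typeof entry === "string" ? "any-site" : entryExposure(entry);
    if (RANK.indexOf(level) > RANK.indexOf(worst)) worst = level;
  }
  return worst;
}

// Names of extensions whose presence any visited page could test for.
function detectableExtensions(manifests) {
  return manifests.filter((m) => auditManifest(m) === "any-site")
    .map((m) => m.name).sort();
}

// Constructed sample manifests (hypothetical extensions).
const SAMPLE_MANIFESTS = [
  { name: "Legacy Helper", manifest_version: 2,
    web_accessible_resources: ["img/icon.png"] },
  { name: "Page Styler", manifest_version: 3,
    web_accessible_resources: [{ resources: ["inject.css"], matches: ["<all_urls>"] }] },
  { name: "Site Companion", manifest_version: 3,
    web_accessible_resources: [{ resources: ["panel.html"], matches: ["https://example.com/*"] }] },
  { name: "Dynamic Widget", manifest_version: 3,
    web_accessible_resources: [{ resources: ["widget.js"], matches: ["<all_urls>"], use_dynamic_url: true }] },
  { name: "No Resources", manifest_version: 3 },
];

console.log(detectableExtensions(SAMPLE_MANIFESTS));
```

Extensions outside the `any-site` class are not necessarily invisible, since the post notes that token-protected resources can still be detected by timing comparison.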

Gummy Browsers Attack Lets Hackers Spoof Browser's Digital Fingerprints

 

Gummy Browsers is a new fingerprint collecting and browser spoofing threat developed by university researchers in the United States. They warn about how simple it is to carry out the attack and the serious consequences it might have. The 'Gummy Browsers' attack involves obtaining a person's fingerprint by forcing them to visit an attacker-controlled website, then utilizing that fingerprint to fake that person's identity on a target platform. 

After establishing a fingerprint of the user using existing or custom scripts, the researchers created the following ways to impersonate the user on other sites:

 • Script injection - Spoofing the fingerprint of the victim by running scripts (with Selenium) that deliver values retrieved from JavaScript API calls. 

 • Browser setting and the debugging tool - Both can be used to change the browser attributes to any custom value, which affects both the JavaScript API and the HTTP header value. 

 • Script manipulation - Modifying the scripts placed in the website before they are transmitted to the webserver to change the browser properties with faked values. 

A digital fingerprint is a one-of-a-kind online identifier linked to a certain person based on a device's characteristics. IP addresses, browser and OS versions, installed software, active add-ons, cookies, and even how a user moves their mouse or types on the keyboard are all examples of these characteristics. These fingerprints can be used by websites and advertisers to verify that a visitor is human, monitor a user across several sites, and serve tailored advertising. Some authentication systems use fingerprints as well, allowing MFA or other security features to be circumvented if a valid fingerprint is identified.

The researchers claimed they could fool state-of-the-art fingerprinting solutions like FPStalker and Panopticlick for long periods of time by just capturing the victim's fingerprint once.

The researchers explained their findings in an arXiv paper: "Our results showed that Gummy Browsers can successfully impersonate the victim’s browser transparently almost all the time without affecting the tracking of legitimate users."

The attack system obtained average false-positive rates of greater than 0.95 in experimental tests, meaning that most of the faked fingerprints were misidentified as real ones, successfully fooling the digital fingerprinting algorithms. A breach of ad privacy and a bypass of defensive procedures put in place to verify users and detect fraud are two consequences of such an assault. 

"The impact of Gummy Browsers can be devastating and lasting on the online security and privacy of the users, especially given that browser fingerprinting is starting to get widely adopted in the real world," the researchers concluded. "In light of this attack, our work raises the question of whether browser fingerprinting is safe to deploy on a large scale."

Biometric Data Exposure Vulnerability in OnePlus 7 Pro Android Phones Highlighted TEE Issues


In July 2019, the London-based Synopsys Cybersecurity Research Center discovered a vulnerability in OnePlus 7 Pro devices manufactured by Chinese smartphone maker OnePlus. The flaw, which could have been exploited by hackers to obtain users' fingerprints, was patched by the company with a firmware update it pushed in January this year. As per the findings, the flaw was not easy to exploit, but the researchers pointed out the possibility of a bigger threat with regard to TEEs and TAs.

Synopsys CyRC's analysis of the vulnerability, referred to as CVE-2020-7958, states that it could have resulted in the exposure of OnePlus 7 Pro users' biometric data. The critical flaw would have allowed authors of malicious Android applications with root privileges to obtain users' bitmap fingerprint images from the device's Trusted Execution Environment (TEE), a technique designed to protect sensitive user information by keeping the Android device's content secure against illicit access.

As it has become increasingly complex for malicious applications to acquire root privileges on Android devices, exploiting the flaw would have been an arduous task, and an unlikely one given the complexity of successful execution. Meanwhile, the fix has been available for months now, ensuring the protection of users.

However, the issue with Trusted Execution Environments (TEEs) and Trusted Applications (TAs) remains the major highlight of Synopsys's advisory released on Tuesday. “Upon obtaining root privileges in the REE [Rich Execution Environment], it becomes possible to directly communicate with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. This attacker invokes a sequence of commands to obtain raw fingerprint images in the REE,” it read.

While explaining the matter, Travis Biehn, principal consultant at Synopsys, said, “Of course, people’s fingerprints don’t usually change. As attackers become successful in retrieving and building large datasets of people’s fingerprints, the usefulness of naïve fingerprint recognition in any application as a security control is permanently diminished.”

“A further possible consequence is that fingerprints become less trustworthy as evidence in our justice systems.”

“...this vulnerability shows that there are challenges with Trusted Execution Environments (TEEs) and Trusted Applications (TAs); these are software components that are opaque to most (by design), expertise is limited, and typically involve long supply chains. These factors together mean there are opportunities for organizations to make a mistake, and hard for security experts to catch at the right time,” he further added.

The flaw would have allowed attackers to recreate the targeted user's complete fingerprint and then use it to generate a counterfeit fingerprint that further would have assisted them in accessing other devices relying upon biometric authentication.

The Rise of Fingerprinting and Monitoring Of Our Digital Activities




The concept of digital privacy has evolved so much over time that, regardless of whether we secure our data to ensure that we are not tracked on the web, the ad tech industry finds ways, one way or another, to monitor our digital activities.

Described by security researchers as a cutting-edge tracking technology, fingerprinting has certainly reached new heights.

It involves looking at the many characteristics of the user's mobile device or computer, such as the screen resolution, operating system and model. By triangulating this data, it very effectively pinpoints and follows the user as they browse the web and use other apps.

Since the technique happens imperceptibly in the background in applications and websites, it is very hard to block the technology when it isn't wanted.

Over the last couple of years, tech companies like Apple and Mozilla 'introduced aggressive privacy protections' in their internet browsers to make it harder for advertisers to follow users around the web and serve targeted ads.

But since a large number of those tracking technologies ended up being blocked by default, advertisers needed to come up with an alternative method to track more users.

That is where fingerprinting comes into play, as it gathers apparently harmless attributes that are commonly shared by default to make applications and sites work properly, which happens when the user gives an application consent to access their location data, their camera and microphone. Many other browsers likewise require permission before a website can access those sensors.

While some say that the fingerprinting method can be dependable and reliable, others say that it is abusive on the grounds that, in contrast to cookies, which users can see and delete, one generally can't tell it is happening and can't opt out of it.

Nonetheless, the solutions for averting fingerprinting are generally new, and some are still being developed. It is therefore difficult to tell how effective they are, since fingerprinting happens undetectably. Here are a few solutions for blocking browser fingerprinting.
  1. Apple users can make use of the protections installed in the Safari browser for computers and mobile devices.
  2. Android users and Windows users can try the Firefox web browser.
  3. Furthermore, users of other desktop browsers can easily install an add-on.

For mobile users:
Privacy Pro and Disconnect Premium can examine application activity on the device to recognize and block trackers, including fingerprinters.

Because fingerprinting is a complex subject, with the tracking method applying to both the web and mobile applications, users are advised to become familiar with it and stay at least one step ahead in protecting their own privacy.

Indian Government asks WhatsApp to fingerprint messages









The government of India has asked the instant messaging app WhatsApp to digitally fingerprint every message which is sent on its platform, to ensure traceability of all content. 

According to two senior government officials, WhatsApp should keep track of a message: where it originated, how many people read it and how many forwarded it.

“Fingerprinting WhatsApp messages will help find the originator of the message. That is all we want,” the official said.

“We don’t want to read the messages but when we see a problematic message we should be able to go to WhatsApp to help us trace the sender,” the official further added. “They have to find a way, it is technically possible.”

After several incidents of public unrest over forwarded messages, in December last year the government of India amended the Information Technology Act, which made traceability of messages compulsory for all internet platforms.

"It is not acceptable that no one can trace any message. Somebody should be able to trace some messages sometimes. We have reached the limit of anonymity on the internet and that has to go," said the official.

However, WhatsApp declined to comment on the development.