Researchers from FireEye have revealed that it is possible to attack Android smartphones to remotely steal users' fingerprints on a "large scale."

Security experts have often expressed concerns about the fingerprint management implemented by the principal mobile vendors. Hackers have demonstrated that it is not difficult to trigger vulnerabilities in the systems that manage fingerprints in order to bypass authentication mechanisms; in April 2015 a group of security researchers at FireEye discovered a vulnerability in the Samsung Galaxy S5 that allows hackers to clone fingerprints.

Now security experts from FireEye have discovered four new methods to hack Android devices and extract user fingerprints remotely.

The researchers Tao Wei and Yulong Zhang presented the findings of their hack in a talk titled "Fingerprints on Mobile Devices: Abusing and Leaking" at the Black Hat conference last week.

The techniques are very insidious because the victim will never notice the theft of their fingerprints.

The researchers dubbed the attack "Fingerprint Sensor Spying attack" and it could allow attackers to "remotely harvest fingerprints in a large scale from the handset of the major manufacturers including HTC, Samsung and Huawei."

The experts did not release any proof-of-concept, for obvious reasons.
The targets of the attack are Android devices equipped with Fingerprint Sensors that allow users to authenticate themselves by simply touching the display of their smartphone.

Note that Google does not yet officially support fingerprint-based authentication in its mobile operating system, but the company will add the support in the next release, Android M.

The researchers tested their attack on the HTC One Max and Samsung's Galaxy S5; they succeeded in stealing a fingerprint image from the device due to the lack of a proper locking mechanism for the fingerprint sensor.

I have explained several times the risks related to a wrong implementation of biometric authentication: the theft of biometric data like fingerprints would be more dangerous than the theft of a password.

Users can reset a compromised password, but cannot change their fingerprints or irises in the event of a data breach.

"In this attack, victims' fingerprint data directly fall into attacker's hand. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things," said Zhang.

Fortunately, the security issue is quite easy to fix, for example by encrypting fingerprint data on Android devices, and a number of vendors are already working on a security update.

The measure is already adopted by Apple iOS, which encrypts data acquired by the Touch ID sensor. The experts explained that Apple iOS is "quite secure" because it encrypts fingerprint data from the scanner with a crypto key, making it unreadable even if hackers gain access.

Google, Samsung and LG will start to issue monthly security patches for Android devices, taking a cue from the PC industry after critical vulnerabilities put hundreds of millions of smartphone users at risk.

Security experts have warned for years that Android devices receive critical updates from manufacturers either too slowly or not at all. Phones and tablets have been increasingly targeted by hackers looking to steal data or defraud users.

Google's Nexus devices will get monthly over-the-air security patches, said Adrian Ludwig, lead engineer for Android security, at the Black Hat security conference in Las Vegas.

"Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability, or 18 months from last sale of the device via the Google Store," he wrote in a blog post.

The first update, released on Wednesday, will include a patch for a severe vulnerability called Stagefright, he said.

Most Android devices are vulnerable to Stagefright, which can compromise a device merely through delivery of a specially crafted multimedia message (MMS). An attacker needs only to know the victim's phone number.

Google has provided manufacturers with monthly notices about security fixes for the last three years, Ludwig wrote. But that doesn't mean they necessarily distributed those updates to users, which might have required cooperation from mobile operators.

"Samsung is currently in conversation with carriers around the world to implement the new approach," the company wrote in a blog post Wednesday. "In collaboration with carriers and partners, more details about the specific models and timelines will be released soon."

Samsung has also fast-tracked updates for its Galaxy device line to fix Stagefright.

At Black Hat, Ludwig said that LG has made a similar commitment. The move to monthly patching mirrors one made by Microsoft in 2003 after it grappled with an increasing number of operating system flaws that worried security experts.

Microsoft still issues patches on the second Tuesday of the month, a day known as Patch Tuesday. For dangerous flaws, the company occasionally deviates from the schedule and issues an emergency patch. In 2009, Adobe Systems also moved to a regular patch schedule after its products were increasingly targeted by hackers.

Stagefright is a nasty potential problem for a huge majority of the world's Android users. Thomas Fox-Brewster covered it in detail in his article yesterday, but here in brief is how to prevent the bug being used to access your phone without you even knowing.

Stagefright is a core part of the Android OS that is used to handle video and audio. The exploit, which Google has been notified about, will be detailed in full at the Black Hat conference on August 5 and at DEFCON on August 7. If your phone isn't protected by then, either via an update or through the simple step detailed below, then you may well be vulnerable.

Because the exploit works by downloading code via MMS, to avoid being infected you must go to your SMS settings, either in your phone's SMS app or in Google Hangouts, whichever you use. There is an option there to auto-download MMS messages; simply disable it and your phone will not be able to execute the malicious code automatically.

The downsides of doing this are practically none: if you trust someone sending you an MMS you can still get the data, you'll just be asked each time. Avoid accepting messages from people you don't know.

There is still a risk involved in you opening the message yourself, but with Google Hangouts the code can be executed without you ever knowing, which is incredibly worrying given that it could then be possible for code to access your phone’s camera and microphone and read data from image folders.


So far it's not clear which manufacturers are planning updates to take care of the problem. Google has known for a while, and while it appears to have fixed certain issues, not all have been addressed. There is some indication here that Android has some problems that allow apps to run with administrative privileges when they shouldn't. The wider issue, though, is that with so many different versions of Android and various manufacturer implementations it's quite hard to tell which devices will potentially be affected.

The vast majority of Android phones can be hacked by sending them a specially crafted multimedia message (MMS), a security researcher has found.

The scary exploit, which only requires knowing the victim's phone number, was developed by Joshua Drake, vice president of platform research and exploitation at mobile security firm Zimperium.

Drake found multiple vulnerabilities in a core Android component called Stagefright that's used to process, play and record multimedia files. Some of the flaws allow for remote code execution and can be triggered when receiving an MMS message, downloading a specially crafted video file through the browser or opening a Web page with embedded multimedia content.

There are many potential attack vectors because whenever the Android OS receives media content from any source it will run it through this framework, Drake said.

The library is not used just for media playback, but also to automatically generate thumbnails or to extract metadata from video and audio files such as length, height, width, frame rate, channels and other similar information.

This means that users don't necessarily have to execute malicious multimedia files in order for the vulnerabilities found by Drake to be exploited. The mere copying of such files on the file system is enough.

The researcher isn't sure how many applications rely on Stagefright, but he believes that just about any app that handles media files on Android uses the component in one way or another.

The MMS attack vector is the scariest of all because it doesn't require any interaction from the user; the phone just needs to receive a malicious message.

For example, the attacker could send the malicious MMS when the victim is sleeping and the phone's ringer is silenced, Drake said. After exploitation the message can be deleted, so the victim will never even know that his phone was hacked, he said.

The researcher didn't just find the vulnerabilities, but actually created the necessary patches and shared them with Google in April and early May. The company took the issues very seriously and applied the patches to its internal Android code base within 48 hours, he said.

That code gets shared in advance with device manufacturers that are in the Android partnership program, before it's released publicly as part of the Android Open Source Project (AOSP).

Unfortunately, due to the generally slow pace of Android updates, over 95 percent of Android devices are still affected, Drake estimates.

Even among Google's Nexus line of devices, which typically get patches faster than those from other manufacturers, only the Nexus 6 has received some of the fixes so far, the researcher said.

Android patches can take months to reach end-user devices through over-the-air updates. That's because manufacturers have to first pull Google's code into their own repositories, build new firmware versions for each of their devices, test them and then work with mobile carriers to distribute the updates. Devices older than 18 months generally stop receiving updates entirely, leaving them vulnerable to newly discovered issues indefinitely.

The vulnerabilities found by Drake affect devices running Android versions 2.2 and higher, which means that there are a huge number of devices that will probably never receive patches for them.

The researcher estimates that only around 20 to 50 percent of the Android devices that are in use today will end up getting patches for the issues he found. He noted that 50 percent is wishful thinking and that he would be amazed if that happened.

In an emailed statement, Google thanked Drake for his contribution and confirmed that patches have been provided to partners.

"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," the company said. "Android devices also include an application sandbox designed to protect user data and other applications on the device."

What attackers can do after they exploit the vulnerabilities found by Drake can vary from device to device. Their malicious code will be executed with the privileges of the Stagefright framework, which on some devices are higher than on others. In general the attackers will get access to the microphone, camera and the external storage partition, but won't be able to install applications or access their internal data.

That said, Drake estimates that on around 50 percent of the affected devices the framework runs with system privileges, making it easy to gain root access and therefore complete control of the device. On the rest of devices, attackers would need a separate privilege escalation vulnerability to gain full access.

Since the patches for these flaws are not yet in AOSP, device manufacturers that are not Google partners don't have access to them. It also means that third-party AOSP-based firmware like CyanogenMod is still likely vulnerable.

Drake shared the patches privately with some other affected parties, including Silent Circle and Mozilla.

Silent Circle included the fixes in version 1.1.7 of PrivatOS, the Android-based firmware it developed for its Blackphone privacy-focused device.

Mozilla Firefox for Android, Windows and Mac, as well as Firefox OS were affected by the flaws because they used a forked version of Stagefright. Mozilla fixed the issues in Firefox 38, released in May.

Drake plans to present more details about the vulnerabilities along with proof-of-concept exploit code at the Black Hat Security conference on Aug. 5.

According to a report published by The Telegraph, scammers are targeting iPhone and iPad users with a new-old elaborate scheme that relies on iOS crash warnings. Scammers are using JavaScript-generated dialogs to display iOS crash warnings; as explained by the experts at F-Secure, the iOS Crash Report scam is a variation of the technical support scam, "cases of which have been documented as early as 2008. In the past, cold-calls originated directly from call centers in India. But more recently, web-based lures are used to prompt potential victims into contacting the scammers," wrote F-Secure.

The new fraud scheme is going around the English-speaking world: according to The Telegraph, iPhone and iPad users in the US and the UK have started getting pop-ups on their devices informing them that iOS has crashed and that they need to call support in order to fix the problem. The scam was first reported in the US at the end of 2014 and it is still being used across the United Kingdom.

Scammers are targeting the Safari browser used by iOS devices; they request victims to call the helpline and pay between $19 (£12) and $80 (£51) to fix the problem. Different payments are requested from users in the UK, who were asked to pay £20 to fix the crash. "Scammers have targeted Safari, the default web browser for iOS devices, telling users in the US to ring the helpline and pay between $19 and $80 to fix it. Users in the UK have also reported the issue, with one saying they had been asked for £20 to fix the crash," states the Telegraph.

Let's analyze the scheme step by step. While browsing, users receive a notification warning: "Warning!! iOS Crash Report!!. Due to a third party application in your device, iOS is crashed. Contact Support for Immediate Fix." Some users reported that the pop-up caused their browser to freeze.

The warning displayed on the iOS device gives one of a set of numbers to dial (e.g. 0800 279 6211 and 0800 310 1061). Users in the UK who called the helpline were informed of the presence of malware on their device that was stealing data; the operators demanded credit card details in order to solve the issue and eliminate the malicious code.

In order to fix and block these crash reports, Apple says users should:

• Switch to Airplane Mode
• Delete Safari data: Settings > Safari > Clear History and Website Data
• Exit Airplane Mode

The Telegraph wrote: "To prevent the issue happening again, go to Settings -> Safari -> Block Pop-ups." Unfortunately, this suggestion is not correct.

"Safari's "Fraudulent Website Warning" and "Block Pop-ups" features didn't prevent the page from loading. What looks like a pop-up on the image above is actually a JavaScript generated dialog. One which will continuously re-spawn itself and can be very difficult to dismiss. Turning off JavaScript in Safari is the quickest way to regain control. Unfortunately, leaving JavaScript disabled will significantly impact a large number of legitimate websites," continues F-Secure.

A Google search returns several live scam web sites containing the text used by fraudsters: "Due to a third party application in your phone, IOS is crashed."

Browsing the malicious websites with Google Chrome for Windows: "Notice the additional text in the image above: prevent this page from creating additional dialogs. Current versions of Chrome and Firefox (for Windows, at least) will inject this option into re-spawning dialogs, allowing the user to break the loop. Sadly, Internet Explorer and Safari do not. (We tested with IE for Windows / Windows Phone, and iOS Safari.)" explained experts at F-Secure.

Please spread this news; awareness of the scam could limit the efficiency of the fraudsters' actions. As usual, let me suggest never giving iCloud credentials or financial information over the phone, nor dialing a given number.
Users who fall victim to this scam should report it to Action Fraud on 0300 123 2040 or online.
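The following JavaScript model is an added illustration, not code from the article or from F-Secure, of the browser-side mitigation the F-Secure quote describes: a page that keeps re-spawning its "crash report" dialog, and a browser that, like current Chrome and Firefox, offers a "prevent this page from creating additional dialogs" option once a threshold is reached, so the loop no longer holds the user hostage. The threshold value, the user-decision callback and the bounded loop are assumptions made for the simulation.

```javascript
// Assumed threshold: after this many dialogs from one page, the browser
// adds the "prevent additional dialogs" checkbox to the dialog.
const DEFAULT_THRESHOLD = 2;

// Models the browser's dialog handling for a single page.
// userDecides(message, offerSuppress) simulates the person at the keyboard and
// returns true when they tick the suppress checkbox (only possible if offered).
class DialogGuard {
  constructor(userDecides, threshold = DEFAULT_THRESHOLD) {
    this.userDecides = userDecides;
    this.threshold = threshold;
    this.shown = 0;       // dialogs that actually reached the user
    this.suppressed = 0;  // dialogs silently dropped after the user opted out
    this.blocked = false; // true once the user ticked the checkbox
  }

  // Equivalent of window.alert(): returns immediately without a dialog once blocked.
  alert(message) {
    if (this.blocked) {
      this.suppressed += 1;
      return { shown: false, message };
    }
    this.shown += 1;
    const offerSuppress = this.shown >= this.threshold;
    const ticked = this.userDecides(message, offerSuppress);
    if (offerSuppress && ticked) {
      this.blocked = true;
    }
    return { shown: true, message };
  }
}

// Constructed stand-in for the scam page: it re-spawns the dialog as soon as the
// previous one is dismissed. The message is the text quoted in the article.
// maxIterations bounds the loop so the simulation terminates; a real page would
// loop without end, which is exactly why the browser-side option matters.
function scamPage(guard, maxIterations = 1000) {
  const msg = "Warning!! iOS Crash Report!!. Due to a third party application " +
    "in your device, iOS is crashed. Contact Support for Immediate Fix.";
  let calls = 0;
  for (let i = 0; i < maxIterations; i += 1) {
    guard.alert(msg);
    calls += 1;
  }
  return calls;
}

// Runs the scam page against a browser that does (userTicksBox = true) or does
// not (userTicksBox = false, the Safari/IE behaviour quoted above) let the user
// opt out, and reports how many dialogs the user actually had to dismiss.
function simulate(userTicksBox) {
  const guard = new DialogGuard((_message, offer) => offer && userTicksBox);
  const calls = scamPage(guard);
  return { calls, shown: guard.shown, suppressed: guard.suppressed, blocked: guard.blocked };
}
```

With the option available the user dismisses only two dialogs and the remaining 998 calls return immediately; without it every one of the 1000 dialogs reaches the user.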

We often make things harder than they have to be by securing everything, when some things just aren't as important as others. Oftentimes, the steps we take to secure our mobile devices do not provide management or security benefits. They're simply "security theater," measures intended to provide the feeling of improved security while doing little or nothing to actually secure, like some of our favorite airport "security" practices.

Last week I spoke with a company rolling out a MDM product as THE mobile security solution. The company was concerned about the security of mobile apps, data and access back to their network. They decided to roll out a MDM solution because it "secured the device," which really means it allowed them to set a passcode on the device. However, it fails to address their actual security needs. The MDM, or EMM as it has been reclassified, does not provide any security capabilities that align with their concerns, including app tampering prevention, data encryption, access control or authentication.

Not only does this implementation miss their requirements, it also comes with huge overhead for IT. The EMM solution requires managing the device, which adds work to IT's already full plate. The team has to ensure they can manage various versions of iOS, Android and more. They also have to troubleshoot how policies are applied across different device operating systems, versions and even different device models. The ROI on their mobile security investment quickly erodes, as the time they spent addressing device OS and version issues diverts resources from addressing the original security concerns. Additionally, their choice results in a loss of privacy for their users, especially for BYOD users, which is at odds with the increasing pressure from regulators and global laws to protect user privacy. This story is very common.

I've traveled to over a dozen cities for IT and security round tables in the past year and have spoken with more than 200 people about their security strategies. Every person I've talked to had some variation on their own "security theater," and stressed the need for a change because their existing strategy and execution wasn't working.

Mobile is one of those rare areas that has moved so quickly that we in the enterprise can't keep up even if we're at the bleeding edge. Technologies are being released and consumed by our users at such a rapid pace that our previous strategies just don't apply any longer. EMM products are configuration tools; they have a purpose, but security is not one of them.

Thinking about mobile security is much like thinking about security in other parts of our enterprise. We care about "the noun," or the thing of value, and in most cases the thing of value is the data. So we must focus on monitoring, logging and controlling the data as closely as possible. This is what we do everywhere else in the organization, and mobile shouldn't be the exception.

We're finally at a time where managing and deploying mobile applications and securing and fortifying virtually any mobile app can and must co-exist. We can finally stop worrying about the glass, plastic and circuits and move up the stack to focus on the applications that matter: those applications that don't have the built-in security controls and prevention capabilities, or that require management and distribution. By applying controls to those applications and enforcing encryption, authentication, secure connections and DLP, we gain visibility into the actions of the users, applications and data.

So here is the easy guide to mobile security:

• Focus on the apps and data to meet your requirements, as the threats to the device are evolving and devices can't be trusted.
• Apply monitoring and security controls to the apps and data.
• Use a mobile app catalog to distribute both your internal and secured versions of 3rd party applications.
• Monitor apps and data to prevent security vulnerabilities.
• Implement solutions that allow apps to connect without full device VPN.

This straightforward strategy will reduce time spent attempting to manage various devices and focus teams on ensuring user privacy, applying controls and allowing solutions and processes to scale while still securing internal and 3rd party applications.

