How can major manufacturers prove their innocence when Android fingerprint unlocking is hacked?

Just look at your own phone to see how unsafe this mobile Internet world is.

Recently, a huge vulnerability in the fingerprint recognition function of Android smartphones was exposed, once again drawing attention to mobile security. Whether the incident will affect domestic mobile phone users has also become a focus of public debate.

The incident originated at the Black Hat security conference (BlackHat) held in Los Angeles, USA this week. Two programmers from China exploited security vulnerabilities in the Android system to break its fingerprint recognition function and successfully steal the user's fingerprint information. The models demonstrated on site included Samsung's Galaxy S5 and the HTC One Max.

According to the above-mentioned person, the vulnerability used in this attack stems from the security architecture of the Android system and from defects in the remote support tools created by the original equipment manufacturer. The user's fingerprint data falls directly into the hands of the attacker: "as long as the victim is alive, the attacker can use his fingerprint information to do bad things", covering mobile payment, device passwords, identity, and even illegal immigration and crime. The vulnerability also affects the fingerprint sensor systems of many high-end laptops.

It is reported that since many device manufacturers have not completely "locked" their fingerprint payment systems, attackers can steal fingerprint information from infected devices without anyone noticing.

Fortunately, Google and Samsung have responded and said they will fix the vulnerability:

Google: "Thanks to the researchers for raising the issue, which has spurred us to make improvements. Android phone manufacturers have resolved this issue and provided update patches. We hope everyone will use reliable application sources, such as Google Play."

Samsung: "Thank you for your trust in our products and services. We are aware of the problem and have provided a solution. We hope that everyone will not install untrusted applications."

In China, many mobile phone manufacturers have added fingerprint recognition to their products, including the Huawei Mate7 and Honor 7 and the ZTE AXON. So, will they also be caught in the crossfire of this incident?

ZTE technical personnel told Zhidongxi (public account: zhidxcom) that the fingerprint data of AXON Tianji is stored in the TrustZone area of its core chip, which is "completely isolated" from the Android system and other hardware environments. Therefore, even if hackers break into the Android system, they cannot enter the TrustZone to obtain the user's fingerprint image.

Previously, Huawei also made a public statement about its fingerprint recognition function, describing it as a security solution based on chip hardware: the fingerprint encryption, storage, and verification programs run in a physically isolated secure OS in the HiSilicon chip, and programs in the Android environment cannot directly access it. Even after the phone is rooted, this part cannot be accessed or tampered with. In addition, the phone does not save the fingerprint image, only the extracted template information, and the fingerprint image cannot be restored from the template.

It should be pointed out that Google added a native fingerprint recognition function in Android M, whereas the fingerprint functions currently shipped by major mobile phone manufacturers are mostly developed in-house or use third-party technology. Fingerprint recognition in China currently comes from essentially one common solution, based on the TrustZone area of the ARM chip. The system that controls the fingerprint area is independent of the Android system and only tells Android programs whether a fingerprint is correct or incorrect.

Judging from the official statements, this vulnerability does not seem to have much impact on domestic devices.

Of course, you don't have to be too nervous. On the one hand, the vulnerability was exposed in a demonstration at a hacker conference, and Google usually fixes such vulnerabilities quickly. On the other hand, there are not many Android smartphones on the market that support fingerprint recognition, so the impact may not be too great.

However, a forecast report has pointed out that by 2019, half of the world's smartphones will be equipped with fingerprint sensors, and the threat to personal information security will increase greatly by then. Compared with traditional passwords, fingerprint recognition is theoretically safer, but the impact of theft may be more serious. With a password, you can improve security by switching to a new and more complex alphanumeric combination; with a fingerprint, you can't have plastic surgery on your fingers to record new fingerprints, right?

As for how to prevent it, it's still the same old story: download apps from reliable channels and don't root your phone unless necessary.

The good news for iPhone and iPad users is that hackers have not yet cracked iOS Touch ID.
