With the recent news that researchers from SR Labs in Germany have successfully fooled (spoofed) the Samsung Galaxy S5's integrated fingerprint sensor, allowing unauthorised access to the device and the ability to make payments using the PayPal app, there are questions as to how secure fingerprint biometrics are for authentication. These questions are justified.
An authentication solution can be convenient but it must also be secure.
A fingerprint biometric can be more convenient than using a PIN or password, especially on a mobile phone. By touching or swiping a finger over a sensor a person can quickly unlock a device, gain access to an account or make a payment. However, if the sensor can be easily fooled then the solution is fundamentally flawed.
The key point in my last sentence was "easily fooled". Attacks on fingerprint biometric systems are relatively difficult to carry out. As Marc Rogers from Lookout Mobile Security pointed out in his blog from last year - "Why I hacked Apple's Touch ID and still think it's awesome" - an attacker needs access to the device and then needs a lot of kit to physically create the fake fingerprint. As Rogers stated, this can be "tricky" and is probably not within the reach of your average street thief. However, with the right equipment and a little ingenuity it can be done.
So what can be done to ensure we benefit from the convenience of biometric authentication on mobile devices but also have a level of assurance that the solution is difficult to spoof and attack?
One solution is to improve the anti-spoofing measures within the biometric system. NexID Biometrics develops spoof mitigation and liveness detection solutions, including its Mobile Live Finger Detection (LFD) software. The company claims that the solution can help ensure that the fingerprint system is not spoofed and states that authentication accuracy is as high as 94-97 percent.
I spoke with NexID Biometrics' COO, Mark Cornett, to get his views on this and he said: "While Apple validated the convenience of fingerprint authentication on mobile devices, the spoof of the iPhone 5S should have sent a signal to other device manufacturers that while providing users with convenient authentication, the current level of security is vulnerable to spoofing. The layers of security for unlocking mobile devices and their applications need to be stronger to properly meet the needs of users, and facilitators of mobile commerce and BYOD policies. Now that the two largest distributors of mobile devices in the world have had their solutions spoofed, they will hopefully add liveness detection solutions to mitigate this vulnerability and thereby instil confidence in the use of mobile device fingerprint authentication."
As well as anti-spoofing and liveness detection, there are other tools that can be deployed to improve the security of these emerging authentication solutions. These include combining biometric authentication with other factors as part of a multi-factor authentication solution - especially useful for step-up verification where a high level of user assurance is required.
I am a big fan of behavioural, or gesture, biometrics, where the device learns how a specific user engages with their mobile device to create a profile that can be used as part of a risk-based authentication solution. By combining behavioural biometrics with fingerprint authentication a greater level of trust in who is actually using the device can be created. And when an unauthorised user attempts to spoof the system by using a gummy bear or wood glue mould, the authentication service can request another level of authentication to ensure that it is the valid owner of the phone and service. The importance of the link between the end-user authentication client and cloud-based risk-based (anti-fraud) solutions, especially in financial services, should not be underestimated.
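The step-up policy described above, as an added illustration that is not code from the post or from any vendor mentioned in it: a fingerprint match is combined with a per-user behavioural baseline, and a session whose handling deviates from that baseline (or a high-value payment) is escalated to another factor rather than accepted on the sensor result alone. The feature names, thresholds and sample sessions are constructed for the example.

```python
"""Risk-based step-up decision: fingerprint result plus behavioural profile.
Added example; features, thresholds and sessions are constructed, not real data."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed behavioural features per unlock/payment session:
# swipe_ms = time to complete the unlock swipe, tap_pressure in 0..1,
# hold_angle = device tilt in degrees while interacting.
FEATURES = ("swipe_ms", "tap_pressure", "hold_angle")


@dataclass
class Profile:
    """Per-user baseline learned on the device: mean and std of each feature."""
    mean: dict
    std: dict


def learn_profile(sessions):
    # Build the baseline from historical sessions of the legitimate owner.
    return Profile(
        mean={f: mean(s[f] for s in sessions) for f in FEATURES},
        std={f: max(pstdev(s[f] for s in sessions), 1e-6) for f in FEATURES},
    )


def behaviour_score(profile, session):
    # Mean absolute z-score: how far this session sits from the owner's baseline.
    return mean(abs(session[f] - profile.mean[f]) / profile.std[f] for f in FEATURES)


def decide(fingerprint_ok, profile, session, amount_gbp, z_limit=2.5, high_value=50.0):
    """Policy: a sensor match alone never authorises a payment outright.
    Unusual handling (possible spoofed finger) or a high-value amount -> step-up."""
    if not fingerprint_ok:
        return "deny"
    if behaviour_score(profile, session) > z_limit:
        return "step_up"  # handling does not match the owner: ask for PIN/OTP
    if amount_gbp >= high_value:
        return "step_up"  # high-value payments always need a second factor
    return "allow"


# Constructed enrolment sessions for the owner and two candidate sessions.
ENROLLED = [
    {"swipe_ms": 410, "tap_pressure": 0.62, "hold_angle": 35},
    {"swipe_ms": 430, "tap_pressure": 0.58, "hold_angle": 38},
    {"swipe_ms": 395, "tap_pressure": 0.65, "hold_angle": 33},
    {"swipe_ms": 420, "tap_pressure": 0.60, "hold_angle": 36},
    {"swipe_ms": 445, "tap_pressure": 0.60, "hold_angle": 38},
]
PROFILE = learn_profile(ENROLLED)
OWNER_SESSION = {"swipe_ms": 425, "tap_pressure": 0.61, "hold_angle": 37}
UNUSUAL_SESSION = {"swipe_ms": 700, "tap_pressure": 0.30, "hold_angle": 15}
```

Running `decide(True, PROFILE, OWNER_SESSION, 20.0)` allows the payment, while the same fingerprint result with `UNUSUAL_SESSION` is escalated to step-up.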
There are ways in which you can improve the security of mobile-based biometric authentication solutions and deter the type of spoofing attack that has been witnessed with the Samsung Galaxy S5 - I have only scratched the surface of what is possible.
However, an enhancement to the security of the biometric solution should not come at the expense of convenience and usability.
Mobile device manufacturers and service providers are turning to biometrics because they can enhance the usability of the authentication experience - this must not be altered.
Wednesday, 16 April 2014
Friday, 25 May 2012
Lies, damned lies, and statistics… What do statistics tell us about the real risk from mobile malware?
The Evidence
Mobile malware, in particular Android mobile malware, is rising. This is a fact.
It has been rising slowly since 2004, as the figures below from McAfee detail, and the rate has been accelerating since autumn 2011, when a number of high-profile cases of Android mobile malware hit the press. This included Google's official Android app store, then called Market and now called Play, being used as a method to distribute Trojanised apps to unwitting customers. GGTracker [1], SuiConFo [2] and RuFraud [3] were all Trojanised Android apps that were attempting to defraud consumers, largely by attacking the Premium Rate Service industry through the unauthorised sending of Premium Rate SMS messages.
[Figure: "Mobile Malware Explodes, Increases 1,200% in Q1/2012". Source: McAfee Threats Report: First Quarter 2012]
“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts.” Mobile Threat Report Q12012, F-Secure
Figures from Goode Intelligence's annual mSecurity survey back this up, with a rise in the number of reported mobile malware incidents - read infections - in the workplace from 7% in 2009 to 24% late in 2011; nearly a quarter of all organisations. This figure is alarming.
[Figure: GI mSecurity Survey: Has your organisation experienced a mobile malware incident?]
We are also seeing evidence from other sources, including telecommunications regulators. In the UK, the country's premium rate regulator, PhonepayPlus, has been involved in investigations into premium rate fraud directly caused by mobile malware.
With the assistance of Goode Intelligence (providing research and analysis into the link between mobile malware and PRS fraud), PhonepayPlus is proactively tracking instances of mobile malware that are attacking PRS.
One of these investigations hit the news recently and resulted in a hefty £50,000 fine for a mobile aggregator, A1 Aggregator Ltd based in Latvia, for managing the SMS shortcodes that were used in the RuFraud malware attack. From late November 2011, after receiving 34 complaints from consumers of unauthorised PSMS charges on their phone bills, including an individual losing around £80, the regulator investigated further and tracked the fraud down to Trojanised versions of Android apps distributed via Android Market (Play). The fake apps included Trojanised versions of Angry Birds, Assassin's Creed and Cut the Rope. Consumers had no knowledge of the three PSMS messages being sent every time the Trojanised app was started. Each PSMS message cost the unwitting user £5.00.
In this one case 1,391 mobile numbers in the UK were affected and an estimated £27,850 worth of fraud was attempted. Due to the swift action from the regulator, the shortcode was suspended and none of the £27,850 of UK consumers' money was able to reach the fraudsters.
PhonepayPlus found evidence of the RuFraud Trojan operating in 18 countries. Thankfully the UK has a regulator that is well advised and has put in place procedures to ensure that this emerging area of PRS fraud is actively monitored. What about the other 17 countries that were targeted by this malware? How many consumers have been affected and how much financial damage has been done in regions where regulation is not so proactive?
The Risk
There is evidence from multiple sources, including our own, that mobile malware is rising and that it is targeting consumers for, amongst other reasons, financial fraud.
On the face of it, it seems that the risk of malware infection is growing and that both consumer and enterprise mobile users should take preventative measures to counteract that threat. These preventative measures include being cautious when downloading Android apps from app stores, including Google Play and third-party stores, and checking the requested permissions carefully. There is also the option of protecting your mobile device with a mobile security product that is proven to be effective in preventing mobile malware.
Android is being targeted because it has a more open platform for downloading and installing apps and it is becoming the number one mobile platform around the world. This makes it the number one target for malware in today's mobile market.
However, we should also be cautious in assessing the current risk to both consumers and enterprise users from the threat of mobile malware. Apple's iOS has been free of malware, and only very small numbers of malware have been known to affect BlackBerry devices.
Additionally, Google should be applauded for acknowledging the threat from Trojanised apps in Play by deploying a solution, Bouncer [4], which attempts to detect mobile malware on upload. Bouncer was announced early in 2012, although it had been running during 2011, and it is probably too early to state how effective the solution is in preventing mobile malware on Play [5].
There is also an acknowledgement from third-party Android app stores that security is important as a business differentiator. Goode Intelligence surveyed a number of the third-party app stores and was pleased that over two-thirds of the respondents (68 percent) replied with a 'yes' to the question "Do you think there is a commercial benefit for an app store to offer malware detection and prevention technology?" The tools are available for these third-party Android app stores, with AVG [6] amongst the vendors offering specific security solutions aimed at preventing the spread of malware from these app stores.
Yes, the statistics do tell us of double and triple digit growth in mobile malware, mainly targeting the Android platform. However, the risk is still relatively low and the financial fraud that is being committed as a result of mobile malware is currently low in value. These are still early days in the history of malware targeting mobile platforms, and indications are that the business drivers for attacking these platforms are growing, which could result in the situation getting worse - especially in the short-to-medium term.
And in answer to the question of attacks on Apple iOS, will this happen? You betcha! As the famous US bank robber, Willie Sutton, said in response to the question why he robbed banks: "because that's where the money is." Whether they will succeed is another matter and the topic for another blog.
Alan Goode
May 2012
[1] GGTracker, covered by Lookout Mobile Security in this blog: http://blog.mylookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/
[2] SuiConFo, covered by Denis Maslennikov of Kaspersky Labs in this blog: http://www.securelist.com/en/blog/208193261/SMS_Trojans_all_around_the_world
[3] RuFraud, covered by Lookout Mobile Security in this blog: http://blog.mylookout.com/blog/2011/12/11/european-premium-sms-fraud/
[4] Google's blog announcement on Bouncer: http://googlemobile.blogspot.co.uk/2012/02/android-and-security.html
[5] Although this article from Andy Greenberg on Forbes questions how effective Bouncer is: http://www.forbes.com/sites/andygreenberg/2012/05/23/researchers-say-they-snuck-malware-app-past-googles-bouncer-android-market-scanner/
[6] Press release on the partnership between AVG and Livewire: http://www.avg.com.au/news/Livewire-Mobile-partnership/