The recent discovery of a technique to brute-force fingerprints on Android phones gives a forewarning of emerging cyber risks that are harder to counter.
This is according to Kevin Mortimer, CEO of Triple4, who says the recent BrutePrint study by Chinese researchers Yu Chen and Yiling He on how to brute-force almost any fingerprint-protected Android smartphone may be on the relatively low end of concern for organisations at this stage, but it signals worse to come.
“It shows what is possible when hacker groups apply AI to nefarious activity. They are evolving, and we need to adapt too. With BrutePrint, there is a vulnerability which if overloaded, will kick out its lockout procedure and let you attempt as many prints as you want. Using AI to fashion a fingerprint is the first and major attack form where we see how hackers could use the full power of AI creativity. In the past, only dictionary-based AI was used to brute force into organisations,” Mortimer says.
He says the real threat of attack vectors such as this is not the vulnerability of devices, but delays in updating patches.
“Vendors are pretty good at providing patches and updates, although there is often a narrow window where they haven’t yet found a vulnerability. However, the major threat lies in the diligence of companies in ensuring that all devices and software are being regularly checked and updated. In our experience consulting with companies of all sizes, we see it all the time – many South African companies are months behind in updating their patches.”
He says: “Everyone knows prevention is better than cure, but many organisations aren’t keeping up with patching. This may be because if each average single user has two to three devices, and you extrapolate that across the entire environment, including everything from switches to firewalls, servers, lightbulbs, and thermostats, it’s a lot of work. It’s also monotonous and repetitive, so it gets put on the back burner until it grows into a beast of a project, by which time it may be too late.”
Mortimer says reducing the risk requires mapping the entire environment and ongoing monitoring of the network, with comprehensive patching schedules to stay up to date. “This is often too big a task for small, under-resourced IT teams, so Triple4 sees growing demand for managed services to keep patching up to date and minimise vulnerabilities. In our stable we have tools for network discovery, and we sweep through every environment at least once a month or set alerts for whenever a new device comes onto the network,” he says.
All unmanaged devices are investigated, checked for vulnerabilities and kept patched.
He notes: “In the world of security, the goalposts are always moving, so it is always a work in progress. Once you implement a fix within a week or two you will be looking at it again. Organisations need to work closely with vendors and stay aware of news and what is happening in the threat landscape. Most importantly, they need to be diligent.”
Mortimer says that outsourcing offers a solution where organisations are unable to keep up with monitoring and patching. “By outsourcing it you are giving a mandate to a partner who is being paid to deliver. To your IT teams it may be menial stuff, but for an outsource partner it’s a priority to sort it out. Organisations must either create the diligence internally, or employ a motivated incumbent like Triple4 to ensure that these risks are mitigated.”