HC Security Network News
Interpretation: It is unlikely that the same vulnerability will occur in the limited mainstream products of the attack scenario.
Reminder: The more the smart door lock unlocks, the greater the risk, the more careful to choose to buy
An accidental Home button breaks, the phone can be solved by everyone, is it an accident or a necessity? Is the same symptom in a multi-brand mobile phone, is it a small probability event or a product algorithm vulnerability? Is the same problem only existing in a chip supplier or a general problem?
Starting from a microblogging news, "IT Times" reporters continued to track the vulnerability of mobile phone fingerprint chips from October 2017, and issued five related reports in succession, especially on December 1, 2017, "mainstream domestic mobile phones appeared. In the article "Rare Vulnerabilities or Hundreds of Mobile Phones", through expert interviews and personal tests, it is clear that: due to the widespread adoption of full image recognition algorithms in the field of mobile phone fingerprint identification, this algorithm has a general loophole, once it is used by the mind, mobile phones Fingerprint locks are virtually ineffective, and everyone can solve them. In addition to mainstream domestic mobile phone manufacturers, there are even Apples.
After the report of the series, it attracted many attentions. The media such as "Yangtze Evening News" and CCTV reported many times. In a recent CCTV report, it was pointed out that not only the same problem exists in mobile phone fingerprint chips, but also related fingerprint locks. This caused a ripple in the smart lock market.
To this end, the "IT Times" reporter further interviewed the unlocked operators, lock manufacturers and security experts. In their view, the unlock mode mentioned in the report has a relatively special operation scenario, consumers do not have to panic, but at the same time, the algorithm It is only a way of unlocking the smart lock. Since there is no uniform standard at present, the more complicated the unlocking method used by the same lock, the higher the probability of the existence of the loophole. Therefore, the consumer is reminded to purchase the smart lock or try to choose the brand product.
Fingerprint door locks also have loopholes
"People eat food for the day, and live for peace." To make the home safe and comfortable, the importance of the "door" is often in the first place. However, the embarrassment of the key is often forgotten, and the lock manufacturers are beginning to seek a more convenient way to open the door, so the smart lock is hot in the home market.
However, at the same time, is the smart door lock really safe? On January 25th, CCTV-13 news channel "Fingerprint identification, is it really safe? In the news, in addition to pointing out that there is a security hole in the mobile phone, a film can be cracked, and a laptop with fingerprint unlocking and a fingerprint door lock are cracked. Compared with personal items such as notebooks and mobile phones, consumers are worried that the security risks caused by exposed fingerprint locks are even greater.
In the video, the staff of Suzhou Minray Microelectronics Co., Ltd., the chairman of the board, Li Yangyuan, revealed the cracking process of the fingerprint lock in the video when interviewed by the IT Times reporter. In the news report, the key method of the Android mobile phone cracking method is relatively simple. After the film is pasted, the original owner can unlock the effect once, and the cracking process of the fingerprint door lock is relatively complicated.
“After the filming, you need to re-register the fingerprint. After the registration is completed, you can unlock it several times to achieve the effect of unlocking everyone.†Li Yangyuan said that re-registering the fingerprint is a necessary operation and cannot be omitted.
This method of cracking is similar to the method in which the iPhone was cracked in the previous "IT Times" report, but the scene where the fingerprint door lock was cracked appeared less. Li Yangyuan admits that compared to mobile phones, the attack scene of fingerprint door locks is rare, because family members are relatively fixed, and it is less likely to enter fingerprints twice.
No panic is just a small range of alerts
The smart door locks that appeared in the news reports were purchased through Taobao. The prices ranged from 799 yuan to 999 yuan depending on the material. As you can see from the product details page, this smart door lock, known as German quality, uses semiconductor fingerprint recognition, is a RISC processor core, and integrates a dedicated hardware circuit for fingerprint algorithms.
Through dismantling, Li Yangyuan discovered that the lock used BYD chip, Zhaoyi innovative MCU, but the module manufacturer did not mark. "Unable to determine the module manufacturer, it is difficult to determine where the source of the problem is, but can confirm Yes, the last layer of the algorithm judged the error."
The fingerprint identification algorithm is a comprehensive model of the algorithm combination implementation of each link under the process framework. Generally speaking, it is divided into three parts: image enhancement, geometric registration and scoring. The film cracking method of the fingerprint door lock is aimed at the loophole of the judgment link. "If you reverse the results, there may be several situations, it may be that the image algorithm is used, or the traditional fingerprint feature point algorithm is not high," Li Yangyuan said. "Fingerprint feature extraction is not good, such as pseudo-details. Especially, when you finally decide whether to unlock, you may only know nothing."
Unlike the limited internal capacity of mobile phones, the mainstream fingerprint locks carry at least twice the sensor area of ​​the mobile phone chip. Most of the algorithm schemes of fingerprint door locks are based on the traditional algorithm of fingerprint feature. In order to improve the unlocking speed and experience, some algorithm vendors will adopt the combination of traditional algorithm and full image algorithm.
Liu Jun, chairman of Shanghai Tuzheng, a fingerprint door lock algorithm provider, said, "Now the fingerprint door lock takes into account the needs of commercial office, and can accommodate at least 100 fingerprints. The full image algorithm can't do this." Because the full image algorithm has high performance requirements on the CPU chip, it is difficult to perform a large number of operations in an instant, and hundreds of fingerprints are compared in one second, so the fingerprint door lock rarely adopts a full image algorithm solution. If the vulnerability is indeed caused by a full-image algorithm, Liu Jun believes that users do not have to worry, mainstream traditional vendors will not simply adopt a full-image algorithm solution.
Li Yangyuan also said that he discovered the loophole only after experimenting with a door lock. There was no general investigation and the attack scene was limited. "So it is only a small-scale alarm."
Consumer reminder: try to choose a famous brand
However, although fingerprint door lock chip manufacturers believe that the large-scale probability that fingerprints are cracked does not exist, this does not mean that people can be optimistic about smart locks.
On January 30th, the "IT Times" reporter visited the B&Q and Red Star Macalline Home City. Most of the fingerprint locks on the market were over 2,000 yuan. Similar to the kind of smart door locks that Li Yangyuan cracked, there is almost no offline store. Sales. However, on Taobao, Jingdong and other e-commerce platforms, there are thousands of shops with smart door lock flags, and the price difference is obvious. The sales volume is mostly smart door locks below 1,000 yuan.
“The fingerprint door lock market is mixed and uneven, and it is very difficult for consumers to intuitively distinguish whether it is safe.†A person engaged in public security science and technology research told reporters that “Jingdong and Tmall also wanted to give a standard to the on-line door lock products. So that consumers can clearly choose, but it is difficult to evaluate and understand only. At present, there is no mandatory testing requirement for smart door locks, so many manufacturers will not send them to specialized agencies for testing."
At present, the common smart door locks on the market often have multiple unlocking methods: fingerprints, IC cards, passwords, keys, etc. are common configurations, and the algorithm is only a loophole in the existence of fingerprints. Industry experts said that although the security risks mentioned in the previous report do not require much worry, but the need to pay attention to the overall security of smart door locks, copy IC cards, crack passwords, hackers attack networked door locks, etc., are likely to be more than Algorithmic cracking is much easier.
Since most smart locks still have mechanical lock cylinders, the only mandatory standard for smart locks is that the standard for domestic mechanical locks is “GA/T73-2015â€, which clearly states that Chinese mechanical locks are divided into three grades of ABC. The difference is in the length of the opening time.
“There is no absolute safety lock, only the resistance of the lock is strong.†Industry professionals suggest to consumers that although the high-priced door lock does not necessarily represent a good performance and high safety level, the cheap door lock exists. The core algorithm is simple, the probability of misidentification is high, and the strength of the lock body is low. The comprehensive risk is that consumers should try to choose a well-known brand when purchasing smart door locks.
Editor in charge: Zhang Zequn
Picoxystrobin Fungicide,Picoxystrobin Syngenta,Picoxystrobin Fungicide Label,Picoxystrobin Synthesis
Jiangsu Hanlian Biological Technology Co.,Ltd , https://www.hanlianbio.com