Researchers from Tencent Labs and Zhejiang University have presented a new attack called "BrutePrint", which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device.

Brute-force attacks rely on numerous trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.

The researchers overcame the protections that smartphones use against brute-force attacks, such as retry limits and liveness detection, by exploiting what they describe as two zero-day vulnerabilities: Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

The authors of the technical paper published on also found that biometric data on the serial peripheral interface (SPI) between the fingerprint sensor and the rest of the device was insufficiently protected, allowing a man-in-the-middle (MITM) attack to intercept fingerprint images.

The BrutePrint and SPI MITM attacks were tested on ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices.

BrutePrint attack diagram

How BrutePrint Works

The idea of BrutePrint is to submit fingerprint images to the target device without limit until one of them matches a fingerprint the user has enrolled.

To launch a BrutePrint attack, the attacker needs physical access to the target device, a database of fingerprints (which can be obtained from academic datasets or biometric data leaks), and the necessary equipment, which costs about $15.

Hardware required to launch BrutePrint

Unlike password verification, which succeeds only on an exact value, fingerprint matching accepts any image whose similarity score clears a threshold. Attackers can therefore raise the device's false acceptance rate (FAR) so that more candidate images clear that threshold and matches become easier to produce.

BrutePrint sits between the fingerprint sensor and the Trusted Execution Environment (TEE) and exploits the CAMF flaw to manipulate the multi-sampling and error-cancellation mechanisms of smartphone fingerprint authentication.

Exploiting CAMF, the attacker injects a checksum error into the fingerprint data so that the authentication process is cancelled before it completes. The device's protections never register the cancelled attempt as a failure, so the attacker can keep submitting fingerprints with an unlimited number of tries.

CAMF vulnerability attack logic

The MAL flaw allows attackers to infer the authentication result for fingerprint images they submit to the target device, even while the device is in lockout mode.

Keyguard exception introduced by device vendors causing MAL

Lockout mode is a protection that activates after a certain number of consecutive failed unlock attempts. During the lockout timeout the device should not accept unlock attempts at all, but MAL lets the attacker circumvent this restriction.
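The three points above (threshold-based matching, the CAMF cancel path and the MAL lockout leak) are easiest to see as a small state machine. The following is an added illustration, not code from the BrutePrint paper or from any vendor's firmware: the byte-equality matcher, the truncated SHA-256 frame checksum, the simulated latencies, the retry limit of 5 and the 30-second lockout are all assumptions chosen to make the flaws visible. The `hardened` flag switches the same device model to the behaviour a fixed implementation should have.

```python
"""Toy model of a smartphone fingerprint-auth flow: vulnerable vs hardened.

Added illustration, not code from the BrutePrint paper or any vendor.
Matcher, checksum, latencies and lockout parameters are assumptions.
"""
from dataclasses import dataclass
import hashlib

MAX_FAILS = 5          # assumed: consecutive failures before lockout
LOCKOUT_MS = 30_000    # assumed: lockout duration


@dataclass
class Sample:
    image: bytes
    checksum: bytes


def checksum(image: bytes) -> bytes:
    """Integrity tag the sensor attaches to each frame (toy: truncated SHA-256)."""
    return hashlib.sha256(image).digest()[:4]


def sample(image: bytes, corrupt: bool = False) -> Sample:
    """Build a sensor frame; corrupt=True flips the checksum, which is what the
    attacker does on the bus to trigger the CAMF cancel path."""
    tag = checksum(image)
    if corrupt:
        tag = bytes(b ^ 0xFF for b in tag)
    return Sample(image, tag)


def similarity(a: bytes, b: bytes) -> float:
    """Stand-in matcher: fraction of equal bytes. Real matchers score minutiae,
    but the security-relevant property is the same: accept above a threshold."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0


def expected_attempts(far: float, enrolled: int) -> float:
    """Expected submissions until a random database image is accepted, if each
    comparison with an enrolled finger succeeds with probability `far`."""
    return 1.0 / (1.0 - (1.0 - far) ** enrolled)


@dataclass
class Device:
    enrolled: list              # enrolled fingerprint templates
    hardened: bool = False
    threshold: float = 0.9      # similarity needed to match (lower => higher FAR)
    fails: int = 0
    locked_until_ms: int = 0
    now_ms: int = 0

    def _record_fail(self) -> None:
        self.fails += 1
        if self.fails >= MAX_FAILS:
            self.fails = 0
            self.locked_until_ms = self.now_ms + LOCKOUT_MS

    def authenticate(self, frames: list) -> dict:
        """One multi-sample attempt. Returns a status and a simulated response
        latency, the only thing a bus-level attacker gets to observe."""
        locked = self.now_ms < self.locked_until_ms
        if self.hardened and locked:
            # Hardened: refuse before the matcher runs, so nothing can leak.
            return {"status": "locked", "latency_ms": 1}
        for f in frames:
            if f.checksum != checksum(f.image):
                # CAMF: the vulnerable flow cancels here without counting a failure.
                if self.hardened:
                    self._record_fail()   # hardened: a cancelled attempt still counts
                return {"status": "cancelled", "latency_ms": 5}
            matched = any(similarity(f.image, e) >= self.threshold for e in self.enrolled)
            if locked:
                # MAL: a keyguard exception let the matcher run during lockout; the
                # result is not returned, but the latency difference reveals it.
                return {"status": "locked", "latency_ms": 40 if matched else 25}
            if matched:
                self.fails = 0
                return {"status": "accepted", "latency_ms": 40}
        self._record_fail()   # every sample tried, none matched
        return {"status": "rejected", "latency_ms": 25}


def brute_force(dev: Device, candidates: list) -> tuple:
    """Submit each candidate followed by a corrupt frame: if the candidate did not
    match, the corrupt frame cancels the attempt (CAMF); during lockout the latency
    oracle (MAL) still reveals a match. Returns (matching index or None, attempts)."""
    for i, img in enumerate(candidates):
        dev.now_ms += 50
        r = dev.authenticate([sample(img), sample(img, corrupt=True)])
        if r["status"] == "accepted" or (r["status"] == "locked" and r["latency_ms"] >= 40):
            return i, i + 1
        if r["status"] == "locked" and dev.hardened:
            return None, i + 1     # hardened device: nothing to learn until lockout ends
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed data: one enrolled template and a 200-image "leaked" database
    # that happens to contain the victim's print at position 137.
    enrolled = hashlib.sha256(b"enrolled-finger").digest() * 4
    db = [hashlib.sha256(b"db-%d" % i).digest() * 4 for i in range(200)]
    db[137] = enrolled
    print("vulnerable:", brute_force(Device([enrolled]), db))
    print("hardened:  ", brute_force(Device([enrolled], hardened=True), db))
```

Against the vulnerable model the loop walks the whole database without ever reaching the retry limit, and a device that is already locked still answers with a match-dependent latency; the hardened model counts the cancelled attempts, locks after five and returns a constant early rejection while locked. `expected_attempts` gives the rough scaling the page's timing figures reflect: with k enrolled fingers a submitted image only has to match any one of them, so the expected number of submissions falls by roughly a factor of k.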

The final component of BrutePrint uses a "neural style transfer" model to transform every fingerprint image in the database so that it looks as though it had been captured by the target device's own sensor. Images that match the characteristics of the target sensor are more likely to be accepted by the matcher.

Refinement of images (top) according to the type of sensor (bottom)

Device tests

Researchers conducted experiments on ten Android and iOS devices and found that all were vulnerable to at least one flaw.

Details of tested devices

The tested Android devices allow an unlimited number of fingerprint trials, so brute-forcing the user's fingerprint and unlocking the device is practical given enough time.

On iOS, however, authentication security is much more robust, effectively preventing brute force attacks.

Table of test results

Although the researchers found that the iPhone SE and iPhone 7 are vulnerable to CAMF, they could only raise the number of fingerprint trials to 15, which is not enough to brute-force the owner's fingerprint.

As for the SPI MITM attack, which intercepts the image of the user's fingerprint on the bus, all tested Android devices are vulnerable to it, while iPhones are again resistant.

The researchers explain that the iPhone encrypts fingerprint data on the SPI bus, so intercepted traffic is of little value in the context of the attack.

In summary, the experiments showed that completing BrutePrint successfully on vulnerable devices takes between 2.9 and 13.9 hours when the user has enrolled a single fingerprint.

When multiple fingerprints are enrolled on the target device, the brute-force time drops to only 0.66 to 2.78 hours, because a submitted image only has to match any one of the enrolled fingerprints, so the chance of a match on each attempt rises with every additional finger.

Time to brute-force the fingerprint


At first glance, BrutePrint may not seem like a formidable attack because it requires prolonged physical access to the target device. That limitation, however, does not diminish its value to thieves or to law enforcement.

For the former, it would let criminals unlock stolen devices and freely extract valuable private data.

The latter scenario raises questions about privacy rights and the ethics of using such techniques to circumvent device security during investigations.

In some jurisdictions this would be a violation of rights, and it could endanger people living under oppressive regimes.
