The “BrutePrint” attack, developed by researchers at Tencent Labs and Zhejiang University, brute-forces fingerprints on contemporary smartphones to defeat user authentication and take control of the device. Brute-force attacks rely on repeated trial-and-error attempts to recover a code, key, or password and gain unauthorized access to accounts, systems, or networks.
The Chinese researchers exploited what they believe are two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), to bypass the defenses smartphones already have against brute-force attacks, such as attempt limits and liveness detection. The authors of the technical paper posted on Arxiv.org also found that fingerprint images could be stolen with a man-in-the-middle (MITM) attack because the biometric data on the fingerprint sensors’ Serial Peripheral Interface (SPI) was not adequately protected.
Ten popular smartphone models running iOS, HarmonyOS (Huawei), and Android were tested against the BrutePrint and SPI MITM attacks. Against a vulnerable device, BrutePrint lets the attacker submit an unlimited number of fingerprint images until one of them matches the user’s enrolled fingerprint.
To carry out a BrutePrint attack, the attacker needs physical access to the target device, a fingerprint database (obtainable from academic datasets or biometric data leaks), and hardware costing around $15. In addition, because a fingerprint match is decided against a similarity threshold rather than the exact comparison used for a password, attackers can manipulate the False Acceptance Rate (FAR) to shift the acceptance threshold and make matches more frequent.
BrutePrint sits between the fingerprint sensor and the Trusted Execution Environment (TEE) and abuses the CAMF flaw to manipulate the multi-sampling and error-canceling steps of smartphone fingerprint authentication. CAMF injects a checksum error into the fingerprint data so that the authentication process terminates prematurely. Because of this, the target device’s security measures never record the attempt as a failure, giving attackers an unlimited number of tries.
The MAL flaw lets attackers infer the authentication result of the fingerprint images they submit even while the target device is in “lockout mode.” Lockout mode is a safety feature that activates after a set number of consecutive failed unlock attempts; the device should accept no unlock attempts during the lockout “timeout,” but MAL gets around this restriction. The final step of the BrutePrint attack uses a “neural style transfer” technique to transform every fingerprint image in the database so that it looks as if the target device’s own sensor had captured it. The resulting images appear genuine, which raises their chance of success.
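To show what the two flaws mean at the level of the unlock logic, here is an added model of a fingerprint-unlock state machine with a vulnerable and a hardened variant side by side. It is not the researchers’ code or any vendor’s implementation: the frame format, the use of CRC-32 as the checksum, the byte-string templates, the lockout limit of five attempts and the test sequence are all constructed assumptions. The vulnerable variant cancels a bad-checksum frame without counting it (the CAMF behaviour) and still reports the match result once locked out (the MAL behaviour); the hardened variant counts every aborted attempt toward the limit and answers uniformly while locked.

```python
"""Model of a fingerprint-unlock state machine in the secure world, added here
to illustrate the two defects the article describes (CAMF and MAL) beside a
hardened version. Not the researchers' code or any vendor's: the frame format,
CRC use, templates and lockout limit are constructed assumptions."""
import zlib
from dataclasses import dataclass

MAX_FAILURES = 5  # constructed: attempts allowed before lockout


@dataclass
class Frame:
    """One sample as delivered over the sensor bus: payload plus checksum."""
    payload: bytes
    crc: int


def make_frame(payload, corrupt=False):
    """Build a frame; corrupt=True flips one checksum bit (constructed fault)."""
    crc = zlib.crc32(payload)
    return Frame(payload, crc ^ 1 if corrupt else crc)


def checksum_ok(frame):
    return zlib.crc32(frame.payload) == frame.crc


@dataclass
class Authenticator:
    enrolled: bytes   # constructed stand-in for the enrolled template
    hardened: bool
    failures: int = 0

    @property
    def locked(self):
        # The lockout timeout itself is not modelled: once locked, stays locked.
        return self.failures >= MAX_FAILURES

    def attempt(self, frame):
        """Process one frame and return the outcome visible to the caller."""
        if self.hardened and self.locked:
            # Hardened: while locked out nothing is evaluated, so the reply
            # carries no information about the sample (closes MAL).
            return "locked"
        if not checksum_ok(frame):
            # Hardened: a frame that aborts the attempt still consumes one of
            # the allowed attempts (closes CAMF). The vulnerable path cancels
            # without touching the counter, so the limit is never reached.
            if self.hardened:
                self.failures += 1
            return "cancelled"
        if frame.payload == self.enrolled:
            if not self.locked:
                self.failures = 0
            # Vulnerable path: the match result is reported even while locked;
            # only the unlock action is blocked, so the result leaks.
            return "match"
        self.failures += 1
        return "no-match"


def run_scenario(hardened):
    """Constructed sequence: 20 bad-checksum frames, 10 wrong samples, then the
    correct sample. Returns the list of outcomes and the final failure count."""
    auth = Authenticator(enrolled=b"template-A", hardened=hardened)
    frames = [make_frame(b"guess-%d" % i, corrupt=True) for i in range(20)]
    frames += [make_frame(b"guess-%d" % i) for i in range(10)]
    frames.append(make_frame(b"template-A"))
    outcomes = [auth.attempt(f) for f in frames]
    return outcomes, auth.failures


def summarize(hardened):
    """Outcome counts for one run plus the number of failures the device recorded."""
    outcomes, failures = run_scenario(hardened)
    counts = {k: outcomes.count(k) for k in ("cancelled", "no-match", "match", "locked")}
    counts["failures_recorded"] = failures
    return counts


if __name__ == "__main__":
    print("vulnerable:", summarize(False))
    print("hardened:  ", summarize(True))
```

In the vulnerable run all twenty corrupted frames pass without a recorded failure, and the final correct sample is reported as a match even though the device is nominally locked out. In the hardened run the fifth corrupted frame triggers the lockout and every later frame, correct or not, gets the same "locked" reply.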
The trials covered ten Android and iOS smartphones, and every one of them had at least one vulnerability. Since the tested Android smartphones permit unlimited fingerprint attempts, brute-forcing the user’s fingerprint to unlock the device is theoretically feasible given enough time. The authentication security on iOS, however, is significantly more robust and effectively thwarts brute-force attacks: although the iPhone SE and iPhone 7 were found to be susceptible to CAMF, the researchers could only raise the number of fingerprint attempts to 15, which is not enough to brute-force the owner’s fingerprint.
All tested Android devices are susceptible to the SPI MITM attack, which captures the user’s fingerprint image, whereas iPhones are again resistant: according to the researchers, the iPhone encrypts fingerprint data on the SPI, so eavesdropping yields nothing useful to the attacker. Overall, the trials showed that when the user has enrolled a single fingerprint, a successful BrutePrint run against a susceptible device takes between 2.9 and 13.9 hours. When several fingerprints are enrolled on the target device, the brute-forcing time drops to between 0.66 and 2.78 hours, because the probability of finding a matching image rises exponentially.
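The threshold-based matching mentioned earlier and the effect of enrolling several fingerprints can both be seen in a small added model; it is an illustration written for this page, not the researchers’ code, and everything in it is constructed: templates are random 256-bit vectors, “similarity” is the fraction of agreeing bits, and a sample is accepted when its similarity to any enrolled template reaches the threshold. Measuring the acceptance rate of random impostor samples shows why the threshold (and hence the FAR) must be fixed inside the trusted side rather than be adjustable from outside, and why every additional enrolled template raises the chance that some impostor sample passes.

```python
"""Toy threshold-based matcher: an added illustration of why fingerprint
matching behaves differently from password checking. Not the researchers'
code; template size, thresholds and trial counts are all constructed."""
import random

TEMPLATE_BITS = 256  # constructed template size


def random_template(rng):
    """Constructed stand-in for a fingerprint template: 256 random bits."""
    return rng.getrandbits(TEMPLATE_BITS)


def similarity(a, b):
    """Fraction of bit positions on which two templates agree (0.0 to 1.0)."""
    return 1.0 - bin(a ^ b).count("1") / TEMPLATE_BITS


def accepted(sample, enrolled, threshold):
    """A biometric match is a threshold test against every enrolled template,
    not an exact comparison; any template reaching the threshold accepts."""
    return any(similarity(sample, t) >= threshold for t in enrolled)


def empirical_far(threshold, n_enrolled=1, trials=2000, seed=1):
    """Fraction of random impostor samples accepted for a given threshold and
    number of enrolled templates. For unrelated 256-bit templates the
    similarity is roughly normal with mean 0.5 and standard deviation 1/32,
    so the FAR drops sharply as the threshold rises above 0.5 and grows with
    the number of enrolled templates, since any one of them may accept."""
    rng = random.Random(seed)
    enrolled = [random_template(rng) for _ in range(n_enrolled)]
    hits = sum(accepted(random_template(rng), enrolled, threshold)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    for k in (1, 5):
        for thr in (0.50, 0.55, 0.60, 0.65):
            print(f"enrolled={k} threshold={thr:.2f} FAR={empirical_far(thr, k):.4f}")
```

Running the block prints a small table: at a threshold of 0.5 roughly half of all impostor samples pass, at 0.6 almost none do, and at any fixed threshold the five-template row shows a higher acceptance rate than the single-template row.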
Because BrutePrint requires prolonged access to the target device, it may not at first appear to be a serious threat. That limitation should not diminish its significance for criminals and law enforcement alike. Thieves could use it to unlock stolen devices and extract valuable private data. In the hands of law enforcement, it raises concerns about the right to privacy and the ethics of bypassing device security during investigations; it could also endanger people living under authoritarian regimes and is considered a violation of rights in some jurisdictions.