Researchers at Tencent Labs and Zhejiang University have presented a new attack called ‘BrutePrint’, which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device.
Brute force attacks rely on many trial and error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.
Chinese researchers managed to circumvent existing safeguards on smartphones, such as attempt limits and liveness detection that protect against brute-force attacks, by exploiting what they claim are two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
The authors of the technical paper posted on Arxiv.org also found that biometric data on the fingerprint sensor’s serial peripheral interface (SPI) was not adequately protected, allowing a man-in-the-middle (MITM) attack to hijack fingerprint images.
BrutePrint and SPI MITM attacks were tested against ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices.
How does BrutePrint work?
The idea of BrutePrint is to perform an unlimited number of fingerprint image submissions to the target device until the fingerprint selected by the user is matched.
An attacker needs physical access to the target device to launch a BrutePrint attack, access to a fingerprint database that can be obtained from academic data collections or biometric data leaks, and the necessary equipment, which costs about $15.
Unlike password cracking, fingerprint matching uses a reference threshold rather than an exact value, so attackers may manipulate the false acceptance rate (FAR) to raise the acceptance threshold and produce matches more easily.
BrutePrint sits between the fingerprint sensor and the Trusted Execution Environment (TEE) and exploits the CAMF flaw to manipulate the multi-sampling and error-cancelling mechanisms of smartphone fingerprint authentication.
CAMF injects a checksum error into the fingerprint data to abort the authentication process at a premature point. This lets attackers try fingerprints on the target device without its security systems recording the failed attempts, giving them unlimited attempts.
The MAL flaw enables attackers to deduce the authentication results of the fingerprint images they submit to the target device, even when the device is in lock mode.
Lock mode is a protection system that is activated after a certain number of consecutive failed unlock attempts. During a lock ‘timeout’, the device should not accept unlock attempts, but MAL helps bypass this restriction.
The final component of the BrutePrint attack is the use of a “neural pattern transfer” system to transform all fingerprint images in the database to appear as if the target device’s sensor had scanned them. This makes the images look correct and thus have better chances of success.
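To make the attempt-accounting difference concrete, here is an added toy model of a fingerprint authenticator's lockout counter; it is not the researchers' code and not any vendor's implementation, and the attempt limit, lock timeout and enrolled templates are constructed values. The weak policy records a failure only after a completed match-fail and still runs the matcher during the lock timeout, so an early abort is never counted and the lock leaks verdicts; the hardened policy charges every submission before anything can abort it and refuses to match at all while locked.

```python
import hashlib
from dataclasses import dataclass

MAX_FAILURES = 5        # constructed attempt limit before lockout
LOCKOUT_SECONDS = 30.0  # constructed lock timeout


@dataclass
class FingerprintAuth:
    """Toy authenticator; 'hardened' selects the corrected accounting policy."""
    enrolled: set        # constructed templates: digests of enrolled sample bytes
    hardened: bool
    failures: int = 0
    locked_until: float = 0.0

    def _charge(self, now: float) -> None:
        # Count one attempt and arm the lock once the limit is reached.
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS

    def submit(self, sample: bytes, checksum_ok: bool, now: float) -> str:
        """Returns 'locked', 'cancelled', 'match' or 'fail'."""
        locked = now < self.locked_until
        if locked and self.hardened:
            # Refuse before the matcher runs: the lock reveals no verdict.
            return "locked"
        if self.hardened:
            self._charge(now)  # charge the attempt before anything can abort it
        if not checksum_ok:
            # Weak path: the abort lands before any failure was recorded (the CAMF pattern).
            return "cancelled"
        matched = hashlib.sha256(sample).hexdigest() in self.enrolled
        if locked:
            # Weak path: the matcher ran anyway and its verdict is observable (the MAL pattern).
            return "match" if matched else "fail"
        if matched:
            self.failures = 0
            self.locked_until = 0.0
            return "match"
        if not self.hardened:
            self._charge(now)  # weak path: counted only after a completed match-fail
        return "fail"


def enroll(*samples: bytes) -> set:
    """Build the constructed template set from raw sample bytes."""
    return {hashlib.sha256(s).hexdigest() for s in samples}
```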
Tests on devices
The researchers conducted experiments on ten Android and iOS devices and found that all of them are vulnerable to at least one flaw.
The tested Android devices allow unlimited fingerprint attempts, so brute-forcing the user’s fingerprint and unlocking the device is practically possible given enough time.
On iOS though, the authentication security is much more robust, effectively preventing brute force attacks.
Although the researchers found that the iPhone SE and iPhone 7 are susceptible to CAMF, they could only raise the number of fingerprint trials to 15, which is not enough to brute-force the owner’s fingerprint.
Regarding the SPI MITM attack which involves user fingerprint image hijacking, all tested Android devices are vulnerable to it, while iPhones are again resistant.
The researchers explained that the iPhone encrypts the fingerprint data on SPI, so any interception is of little value in the context of an attack.
In summary, experiments conducted have shown that the time to complete BrutePrint against vulnerable devices ranges from 2.9 to 13.9 hours when a user enrolls a single fingerprint.
When multiple fingerprints are registered on the target device, the brute force time drops to only 0.66 to 2.78 hours as the probability of producing matching images increases exponentially.
At first glance, BrutePrint may not seem like a massive attack due to the need for prolonged access to the target device. However, this perceived limitation should not undermine its value to thieves and law enforcement.
The former would allow criminals to freely unlock stolen devices and extract valuable private data.
The latter scenario raises questions about privacy rights and the ethics of using these technologies to bypass device security during investigations.
This constitutes an infringement of rights in some jurisdictions and could undermine the safety of some people living in repressive countries.