Chinese researchers from Tencent Labs and Zhejiang University have uncovered a new method of attack that can bypass user authentication on modern smartphones by brute-forcing fingerprints, BleepingComputer reports.
The attack, dubbed "BrutePrint," exploits two zero-day vulnerabilities called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), effectively overcoming existing safeguards such as attempt limits and liveness detection.
What are Brute-force attacks?
Brute-force attacks involve systematically attempting different combinations of codes, keys, or passwords until the correct one is found.
In the case of BrutePrint, the researchers discovered that biometric data stored on the fingerprint sensors' Serial Peripheral Interface (SPI) lacked adequate protection, making it susceptible to a man-in-the-middle (MITM) attack that allows the interception of fingerprint images.
The researchers tested BrutePrint and the SPI MITM attacks on ten popular smartphone models, successfully achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices. Additionally, they were able to make ten additional attempts on iOS devices.
How the BrutePrint Attack Is Executed
To execute a BrutePrint attack, the attacker needs physical access to the target device, access to a fingerprint database (which can be acquired from academic datasets or biometric data leaks), and approximately $15 worth of equipment.
Once these requirements are met, the attacker can submit unlimited fingerprint images until the user-defined fingerprint is matched.
Read Also: Cybersecurity Expert Warns Public About Android TV Boxes Infected with Stealthy Malware
Unlike cracking passwords, fingerprint matching involves a reference threshold rather than a specific value. Attackers can manipulate the False Acceptance Rate (FAR) to increase the acceptance threshold, making it easier to generate successful matches.
We reported last month that Dutch authorities were able to close down a massive marketplace that sold digital fingerprints of victims' devices in addition to personal credentials, enabling cybercriminals to circumvent online security checks by impersonating the victim.
BrutePrint operates between the fingerprint sensor and the Trusted Execution Environment (TEE) of smartphones, exploiting the CAMF vulnerability to manipulate the fingerprint authentication process.
By injecting a checksum error in the fingerprint data, the attack disrupts the authentication process without triggering the protection systems, allowing for infinite tries.
What Is Lockout Mode?
BleepingComputer explains that the MAL vulnerability enables the attacker to infer the authentication results of the fingerprint images, even when the device is in lockout mode.
Lockout mode activates after several consecutive failed unlock attempts, restricting further unlocking attempts. However, MAL bypasses this restriction.
The final element of the BrutePrint attack involves using a "neural style transfer" system to modify all fingerprint images in the database to resemble those scanned by the target device's sensor. This increases the chances of successfully matching the manipulated images.
The researchers conducted experiments on ten Android and iOS devices, revealing vulnerabilities in all tested Android devices. Brute-forcing the user's fingerprint and unlocking the device is practically possible on Android devices, given enough time.
On the other hand, iOS devices demonstrated stronger authentication security, effectively preventing brute-force attacks.
Stay posted here at Tech Times.
Related Article: iPhone Users Warning: Window 11's Phone Link for iOS Used for Spying
