Android phone fingerprint scanners found prone to brute-force attacks

Overcoming safeguards and exploiting vulnerabilities

Researchers reveal Android phone fingerprint scanners are vulnerable to BrutePrint attack

Researchers from Tencent Labs and Zhejiang University have revealed a new 'BrutePrint' attack that exploits vulnerabilities in modern smartphone fingerprint scanners. A brute-force attack, which works through a series of trial-and-error attempts to crack codes or passwords, can now be used to bypass user authentication and take control of Android and HarmonyOS (Huawei) devices.

Existing safeguards designed to protect against brute-force attacks, such as attempt limits and liveness detection, were successfully circumvented by the Chinese researchers. They achieved this by taking advantage of two zero-day vulnerabilities known as Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). Furthermore, the researchers discovered that biometric data on the Serial Peripheral Interface (SPI) of fingerprint sensors was not adequately protected, allowing a man-in-the-middle (MITM) attack to hijack fingerprint images.

Testing the BrutePrint attack and vulnerable devices

The BrutePrint attack was tested against ten popular smartphone models, including Android, HarmonyOS (Huawei), and iOS devices, to determine its effectiveness. The attack was successful on all Android and HarmonyOS devices, while on iOS devices it gained only an additional ten attempts. The basic idea behind BrutePrint is to submit an unlimited number of fingerprint images until one matches the user's enrolled fingerprint.

Launching a BrutePrint attack requires physical access to the target device, a fingerprint database obtained from academic datasets[1] or leaks,[2] and inexpensive equipment costing around $15. Unlike password cracking, where a guess must equal the secret exactly, fingerprint matching accepts any image that scores above a reference threshold. This enables attackers to manipulate the False Acceptance Rate (FAR) by adjusting the acceptance threshold, making successful matches easier to produce.

BrutePrint attack mechanism and implications

BrutePrint sits between the fingerprint sensor and the smartphone's Trusted Execution Environment (TEE).[3] The attack manipulates the multi-sampling and error-canceling mechanisms of fingerprint authentication by exploiting the CAMF flaw. Injecting a checksum error into the fingerprint data with CAMF disrupts the authentication process early on, allowing unlimited fingerprint tryouts without any failed attempts being registered.

Furthermore, the MAL flaw enables attackers to deduce authentication results even when the target device is locked out. Lockout mode is activated after a certain number of failed unlock attempts, yet the MAL vulnerability makes it possible to circumvent the lockout restrictions even while the device is in this mode.
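As an added illustration (not code from the researchers or from any vendor), the constructed Python model below shows the attempt-counter logic behind the two flaws described above and what a hardened counter does differently: every submitted attempt is counted before any cancellation or error path can run, and no matching is performed at all while the device is locked. All names, the lockout limit and the sample format are assumptions of this toy model.

```python
# Constructed toy model of a fingerprint-unlock attempt counter. It is not the
# code of any real TEE or sensor driver; MAX_FAILS and the Sample format are
# assumptions chosen only to make the CAMF and MAL logic visible.
from dataclasses import dataclass

MAX_FAILS = 5  # assumed lockout limit


@dataclass
class Sample:
    template_id: int          # which enrolled template this image would match
    checksum_ok: bool = True  # False models an injected checksum error


class Authenticator:
    def __init__(self, enrolled, hardened=False):
        self.enrolled = set(enrolled)
        self.hardened = hardened
        self.fails = 0

    @property
    def locked(self):
        return self.fails >= MAX_FAILS

    def attempt(self, samples):
        """One unlock attempt over a burst of multi-sampled images."""
        if self.hardened and self.locked:
            return "locked"          # hardened: no matching while locked
        if self.hardened:
            self.fails += 1          # hardened: count before match or cancel
        outcome = "no-match"
        for s in samples:
            if not s.checksum_ok:
                if not self.hardened:
                    return "cancelled"   # CAMF: cancelled before fail is recorded
                outcome = "error"
                break
            if s.template_id in self.enrolled:
                outcome = "match"
                break
        if outcome == "match":
            if self.locked and not self.hardened:
                return "match-but-locked"  # MAL: result observable in lockout
            self.fails = 0
            return "match"
        if not self.hardened:
            self.fails += 1
        return outcome


def free_attempts(hardened, n=20):
    """Submit n wrong images, each followed by a checksum error (CAMF pattern)."""
    auth = Authenticator(enrolled={7}, hardened=hardened)
    outcomes = [auth.attempt([Sample(100 + i), Sample(0, checksum_ok=False)])
                for i in range(n)]
    return auth.fails, outcomes


def lockout_leak(hardened):
    """Lock the device with wrong images, then present a matching one (MAL)."""
    auth = Authenticator(enrolled={7}, hardened=hardened)
    for _ in range(MAX_FAILS):
        auth.attempt([Sample(999)])
    return auth.attempt([Sample(7)])
```

In the vulnerable configuration the counter never moves and the lockout still reports a match; in the hardened one the same inputs consume the attempt budget and are refused once locked.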

The BrutePrint attack concludes with the use of a “neural style transfer” system to transform all fingerprint images in the database to look like sensor scans from the target device. This modification makes the images appear valid and increases the likelihood of a successful match significantly.

While all tested Android devices were found to have at least one flaw, iOS devices had more robust authentication security, making brute-force attacks significantly more difficult. Although the iPhone SE and iPhone 7 were discovered to be CAMF-vulnerable, increasing the fingerprint tryout count to 15 still falls short of effectively brute-forcing the owner's fingerprint.

In terms of the SPI MITM attack, which involves intercepting the user's fingerprint image, all tested Android devices were vulnerable, whereas iPhones were resistant due to fingerprint data encryption on the SPI.

Finally, the researchers' experiments revealed that when only one fingerprint was enrolled, the time required to successfully complete the BrutePrint attack on vulnerable devices ranged from 2.9 to 13.9 hours. When multiple fingerprints were enrolled, however, the brute-forcing time was reduced to 0.66 to 2.78 hours, as the likelihood of producing matching images increased exponentially.

While the BrutePrint attack may appear to be limited at first because it requires prolonged access to the target device, its implications should not be underestimated. The attack may make theft easier by allowing criminals to unlock stolen devices and gain free access to valuable private data. Furthermore, its use in law enforcement raises ethical and privacy concerns. Using such techniques to circumvent device security during investigations may violate individual rights, especially in jurisdictions where such practices are prohibited.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
