While biometric locks usually seem a safe device locking method, researchers have now devised a viable bypass. Dubbed “BrutePrint”, the new attack method allows an adversary to brute-force fingerprints to unlock target devices like smartphones.
BrutePrint Attack Allows Fingerprint Brute-force
A team of researchers has shared detailed insights about vulnerabilities that allow bypassing fingerprint authentication to unlock devices. To demonstrate the flaws in fingerprint lock technology, the researchers devised the BrutePrint attack – a dedicated strategy to unlock a target smartphone by brute-forcing fingerprints.
Briefly, the BrutePrint attack exploits two inherent vulnerabilities in the Smartphone Fingerprint Authentication (SFA) framework and insufficient fingerprint data protection on the Serial Peripheral Interface (SPI) of fingerprint sensors.
The SFA vulnerabilities are Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). They allow an adversary to evade the existing security measures – the limit on the number of attempts, and liveness detection – that are meant to prevent device unlocking via non-live fingerprint images.
The concept behind this attack is to unlock a physically possessed device, such as a smartphone locked with a fingerprint, via hardware. Carefully conducting this attack requires the attacker to possess a huge library of fingerprint scans for brute-forcing, yet that isn’t too challenging for a keen intruder. All it takes is a $15 setup comprising a microcontroller board and an auto-clicker to hijack the data from the fingerprint sensor.
In their study, the researchers performed the attack on ten different devices from top vendors like Samsung, Xiaomi, OPPO, Apple, OnePlus, and Huawei. These devices run different operating systems (Android 8, 9, 10, and 11, iOS 14.4.1 and 14.5.1, and HarmonyOS 2).
In almost every case, the researchers could bypass the existing security measures to brute-force fingerprints and unlock the devices, except the iOS ones, which exhibited some resilience. That’s because Touch ID encrypts SPI data and employs a Secure Enclave TEE implementation, preventing fingerprint image hijacking. Nonetheless, the researchers could still exploit the CAMF vulnerability, increasing the attempt limit from 5 to 15.
Attack Mitigations
Though the existing fingerprint lock mechanisms employ an attempt limit and liveness detection to prevent forged device unlocking, the researchers demonstrated how exploiting the inherent vulnerabilities still allows malicious intrusions via brute force.
Nonetheless, the researchers have shared some mitigations for vendors to prevent the BrutePrint attack. These include applying an error-cancel limit – a limit on the number of canceled or failed attempts – to mitigate the CAMF vulnerability. Likewise, enhancing the fingerprint matching rate can help prevent the MAL flaw.
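To make the error-cancel limit concrete, the following is an added illustration (not code from the BrutePrint paper or from any vendor's fingerprint stack) that models the device's attempt counter under two policies: one that only counts completed failed matches, so a comparison aborted before it produces a result costs nothing, and one that also counts aborted attempts, which is the error-cancel limit described above. The five-attempt threshold, the `Outcome` event types and the sample event stream are constructed for the demo.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Outcome(Enum):
    """Result reported for one fingerprint comparison attempt (constructed for the demo)."""
    MATCH_OK = auto()     # sensor completed the comparison and it matched
    MATCH_FAIL = auto()   # sensor completed the comparison and it did not match
    CANCELLED = auto()    # comparison was aborted before any result was produced


@dataclass
class AttemptLimiter:
    """Model of the per-device attempt counter that gates fingerprint unlock.

    count_cancelled=False: the counter only increments on a completed failed match,
    so an attempt aborted before the result is never charged against the limit.
    count_cancelled=True: the 'error-cancel limit' mitigation, where an aborted
    attempt is charged exactly like a failed one.
    """
    max_attempts: int = 5          # constructed threshold; real vendor values differ
    count_cancelled: bool = False
    failures: int = 0
    locked: bool = False

    def record(self, outcome: Outcome) -> bool:
        """Feed one attempt outcome; return True only when the device unlocks."""
        if self.locked:
            # Design choice for this model: a locked device neither runs nor
            # counts comparisons until the lockout is cleared.
            return False
        if outcome is Outcome.MATCH_OK:
            self.failures = 0
            return True
        charged = outcome is Outcome.MATCH_FAIL or (
            outcome is Outcome.CANCELLED and self.count_cancelled
        )
        if charged:
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.locked = True
        return False


def comparisons_before_lockout(events, count_cancelled):
    """Return (number of comparisons the sensor was allowed to run, locked?)."""
    limiter = AttemptLimiter(count_cancelled=count_cancelled)
    ran = 0
    for outcome in events:
        if limiter.locked:
            break
        ran += 1
        limiter.record(outcome)
    return ran, limiter.locked


# Constructed sample stream: twelve attempts aborted before producing a result,
# followed by five completed comparisons that fail.
SAMPLE_EVENTS = [Outcome.CANCELLED] * 12 + [Outcome.MATCH_FAIL] * 5

if __name__ == "__main__":
    for policy in (False, True):
        ran, locked = comparisons_before_lockout(SAMPLE_EVENTS, policy)
        label = "error-cancel limit" if policy else "completed failures only"
        print(f"{label:24s}: {ran:2d} comparisons run, locked={locked}")
```

With the sample stream, the "completed failures only" policy lets all twelve aborted comparisons run for free and only locks after the five completed failures (17 comparisons in total), while the error-cancel limit locks the device after the fifth aborted attempt. The difference between those two numbers is the budget CAMF hands an attacker, and it is what a defender would want to see driven to zero in a vendor's fix.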
The researchers have shared the technical details of this study in their research paper, aiming to help improve SFA security.
Let us know your thoughts in the comments.