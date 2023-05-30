Cybersecurity researchers Yu Chen and Yiling He have discovered a technique that lets an attacker with physical access brute-force a smartphone's fingerprint authentication, bypass the lock screen and take control of the device.

The researchers found they could make an unlimited number of authentication attempts on all of the Android devices tested, while exploiting the flaw on iOS devices only gained them ten additional attempts.

Dubbed BrutePrint, the technique bypasses the limit on failed biometric attempts by exploiting two zero-day vulnerabilities in the smartphone fingerprint authentication framework.

The two vulnerabilities are named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), after the behaviours of the fingerprint authentication flow that each one abuses.

The attack also depends on fingerprint data being inadequately protected on the Serial Peripheral Interface (SPI) bus between the fingerprint sensor and the TEE, which is what lets the attacker intercept and substitute the sensor's images in the first place.

Chen and He said this enables a “hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking”.

“BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment].”

The attacker can then submit fingerprint images from a dictionary without limit until one of them matches. This assumes, however, that the attacker already has physical possession of the target smartphone.

It also assumes access to a fingerprint database and an inexpensive hardware setup: a microcontroller board, which intercepts the data sent by the fingerprint sensor, and an auto-clicker.

According to The Hacker News, the components can be purchased and assembled for as little as $15 (R296).

The CAMF flaw lets the attacker abort an authentication attempt by invalidating the checksum of the fingerprint data: the attempt is cancelled as a data error instead of being recorded as a failed match, so the failed-attempt counter never reaches the lockout threshold and the attacker gets unlimited attempts.

MAL exploits a side channel to infer whether a submitted fingerprint image matched on the target device, and this works even when the device is in lockout mode after too many failed attempts.

“Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE,” said Chen and He.

“As the Success authentication result is immediately returned when a matched sample is met, it’s possible for side-channel attacks to infer the result from behaviours such as response time and the number of acquired images.”
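To make the two flaws concrete, here is an added toy model of a TEE fingerprint matcher with and without them. It is not code from Chen and He and not any vendor's fingerprint stack; the class name `TEEMatcher`, the five-attempt lockout threshold, the three-sample multi-sampling per attempt and the use of an "images acquired" count as a stand-in for response time are all assumptions made for this illustration. The vulnerable variant cancels an attempt on a bad checksum without counting it (CAMF) and keeps matching during lockout, returning as soon as one sample matches (MAL); the hardened variant counts a cancelled attempt as a failure and enforces lockout inside the TEE before any matching happens.

```python
"""Toy model of the BrutePrint CAMF and MAL logic flaws.

Added illustration only: not the researchers' code and not any real
fingerprint SDK. Names, thresholds and the "images acquired" timing
proxy are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FAILS = 5              # assumed lockout threshold
SAMPLES_PER_ATTEMPT = 3    # assumed multi-sampling depth per attempt


@dataclass
class TEEMatcher:
    enrolled: str             # stand-in for the enrolled template
    vulnerable: bool          # True = CAMF and MAL present, False = hardened
    fails: int = 0            # failed-attempt counter kept by the TEE
    images_acquired: int = 0  # proxy for the response-time side channel

    @property
    def locked(self) -> bool:
        return self.fails >= MAX_FAILS

    def authenticate(self, samples: List[Tuple[str, bool]]) -> str:
        """Run one authentication attempt.

        samples: (image, checksum_ok) pairs as they arrive from the sensor,
        i.e. exactly what an attacker sitting on the SPI bus can rewrite.
        """
        self.images_acquired = 0
        if not self.vulnerable and self.locked:
            # Hardened: lockout is enforced inside the TEE, so no match
            # result is ever computed and there is nothing for MAL to leak.
            return "LOCKED"
        for image, checksum_ok in samples[:SAMPLES_PER_ATTEMPT]:
            self.images_acquired += 1
            if not checksum_ok:
                if not self.vulnerable:
                    self.fails += 1   # hardened: a cancelled attempt still counts
                # CAMF: the vulnerable path aborts without touching the counter
                return "CANCELLED"
            if image == self.enrolled:
                # Success is returned as soon as one sample matches, so a
                # match needs fewer images (less time) than a miss.
                return "SUCCESS"
        self.fails += 1
        return "FAIL"


def camf_brute_force(tee: TEEMatcher, candidates: List[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack that rides CAMF.

    Each attempt sends the candidate as sample 1 and a deliberately
    corrupted sample 2: a match returns SUCCESS immediately, a miss is
    cancelled on the bad checksum. Returns (matched_image, attempts_used).
    """
    attempts = 0
    for cand in candidates:
        attempts += 1
        result = tee.authenticate([(cand, True), ("junk", False)])
        if result == "SUCCESS":
            return cand, attempts
        if result == "LOCKED":
            return None, attempts
    return None, attempts


def mal_infer_match(tee: TEEMatcher, image: str) -> Optional[bool]:
    """Probe a device that is already in lockout (MAL).

    Returns True/False when the side channel (images acquired before the
    TEE answered) reveals whether `image` matched, None when the TEE
    refused to match at all.
    """
    result = tee.authenticate([(image, True)] * SAMPLES_PER_ATTEMPT)
    if result == "LOCKED":
        return None
    return tee.images_acquired < SAMPLES_PER_ATTEMPT


if __name__ == "__main__":
    # Constructed sample dictionary; "print_042" plays the enrolled finger.
    dictionary = [f"print_{i:03d}" for i in range(100)]
    for vulnerable in (True, False):
        tee = TEEMatcher("print_042", vulnerable)
        label = "vulnerable" if vulnerable else "hardened"
        print(label, camf_brute_force(tee, dictionary), "fails:", tee.fails)
```

Against the vulnerable matcher the dictionary attack walks through all 43 candidates it needs with the failure counter still at zero, while the hardened matcher locks after five cancelled attempts. Likewise a vulnerable matcher that is already locked still answers a probe after one image for the enrolled finger and after all three for anything else, which is the whole signal MAL needs; the hardened one returns LOCKED before matching and gives the probe nothing.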

The table below provides a breakdown of the smartphones on which Chen and He tested the attack.