Fingerprint system zero-day flaw lets attackers unlock and control smartphones

30 May 2023

Cybersecurity researchers Yu Chen and Yiling He have discovered a technique that lets attackers use brute-force fingerprints to bypass smartphone authentication and take control of devices.

The researchers found they could achieve unlimited authentication attempts on all of the Android devices tested, while exploiting the flaw on iOS devices only gave ten additional authentication attempts.

Dubbed BrutePrint, the technique ignores failed biometric attempt limits by exploiting two zero-day vulnerabilities in the smartphone fingerprint authentication framework.

The vulnerabilities relate to the framework’s Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) components.

The vulnerabilities arise due to inadequately protected fingerprint data on the Serial Peripheral Interface of sensors.

Chen and He said this enables a “hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking”.

“BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment].”

Attackers can then try to perform unlimited fingerprint image submissions until they get a match. However, this assumes that an attacker already possesses the target smartphone.

It also assumes they have access to a fingerprint database and an inexpensive setup comprising a microcontroller board and an auto-clicker that can steal data sent by a fingerprint sensor.

According to The Hacker News, the components can be purchased and assembled for as little as $15 (R296).

The CAMF vulnerability allows attackers to increase the fault tolerance of the authentication system by nullifying the checksum of the fingerprint data, resulting in the attacker getting unlimited attempts.

MAL weaponizes a side channel to infer fingerprint image matches on target devices, and this is possible even when the devices are in lockout mode after too many failed attempts.

“Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE,” said Chen and He.

“As Success, authentication result is immediately returned when a matched sample is met, it’s possible for side-channel attacks to infer the result from behaviours such as response time and the number of acquired images.”
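As an added illustration (not part of the article, and not BrutePrint or any vendor's code), the toy model below puts the two attempt-limit weaknesses just described, CAMF and MAL, next to a hardened variant of the same logic: a frame with a corrupted checksum still consumes an attempt, and the lockout is enforced inside the matcher before any matching work is done, so a locked device behaves identically for a matching and a non-matching frame. The frame format, the checksum, the lockout threshold and the `last_work` counter (a stand-in for the TEE response time that the side channel observes) are all assumptions.

```python
"""Toy fingerprint authenticator contrasting the CAMF/MAL weaknesses with a
hardened variant. Constructed example: not BrutePrint, not any vendor's
framework. Frames, checksums, thresholds and the work counter are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_FAILS = 5  # assumed lockout threshold


def frame_checksum(image: bytes) -> bytes:
    """4-byte integrity tag the sensor attaches to each frame (constructed)."""
    return hashlib.sha256(image).digest()[:4]


@dataclass
class Frame:
    image: bytes
    checksum: bytes


def good_frame(image: bytes) -> Frame:
    """A well-formed sensor frame whose checksum matches its image."""
    return Frame(image, frame_checksum(image))


@dataclass
class Authenticator:
    templates: List[bytes]          # enrolled fingerprint templates (constructed)
    hardened: bool = False
    fails: int = 0
    last_work: int = 0              # template comparisons in the last TEE call;
                                    # stands in for the response time MAL observes

    def locked(self) -> bool:
        return self.fails >= MAX_FAILS

    def tee_match(self, frame: Frame) -> str:
        """What the matcher inside the TEE does with one frame."""
        self.last_work = 0
        if self.hardened and self.locked():
            return "locked"         # MAL fix: no matching work at all while locked
        if frame.checksum != frame_checksum(frame.image):
            if self.hardened:
                self.fails += 1     # CAMF fix: a corrupted frame still consumes an attempt
            return "error"          # vulnerable: treated as a sensor glitch, never counted
        matched = False
        for template in self.templates:
            self.last_work += 1
            if template == frame.image:
                matched = True
                if not self.hardened:
                    break           # vulnerable: early return, visible as a shorter response
        if matched:
            return "success"
        self.fails += 1
        return "fail"

    def authenticate(self, frame: Frame) -> str:
        """Keyguard-side result: lockout is checked here in both models, but only
        the hardened TEE refuses to compute a result for a locked device."""
        was_locked = self.locked()
        result = self.tee_match(frame)
        if was_locked:
            return "locked"
        return result


def camf_attempts(hardened: bool, submissions: int) -> int:
    """Submit wrong frames whose checksum has been nullified; return how many of
    them the device evaluated instead of refusing because of lockout."""
    auth = Authenticator(templates=[b"enrolled-finger-1"], hardened=hardened)
    evaluated = 0
    for i in range(submissions):
        corrupted = Frame(b"guess-%d" % i, b"\x00\x00\x00\x00")
        if auth.authenticate(corrupted) != "locked":
            evaluated += 1
    return evaluated


def mal_work_while_locked(hardened: bool) -> Tuple[int, int]:
    """Lock the device with wrong frames, then submit one wrong and one matching
    frame; return the TEE work observed for each (the side-channel stand-in).
    Different values mean the lockout leaks whether a sample matched."""
    enrolled = [b"enrolled-finger-1", b"enrolled-finger-2", b"enrolled-finger-3"]
    auth = Authenticator(templates=enrolled, hardened=hardened)
    for i in range(MAX_FAILS):
        auth.authenticate(good_frame(b"wrong-%d" % i))
    auth.authenticate(good_frame(b"wrong-final"))
    work_miss = auth.last_work
    auth.authenticate(good_frame(enrolled[0]))
    work_hit = auth.last_work
    return work_miss, work_hit


if __name__ == "__main__":
    print("CAMF, vulnerable: evaluated", camf_attempts(False, 100), "of 100 corrupted frames")
    print("CAMF, hardened:   evaluated", camf_attempts(True, 100), "of 100 corrupted frames")
    print("MAL, vulnerable: work (miss, hit) while locked =", mal_work_while_locked(False))
    print("MAL, hardened:   work (miss, hit) while locked =", mal_work_while_locked(True))
```

The two checks a defender would want from a real implementation correspond to the two `hardened` branches: every frame that reaches the matcher, malformed or not, decrements the remaining-attempt budget, and the matcher itself, not only the user-facing Keyguard, refuses to compare anything once that budget is exhausted. Removing the early `break` is a smaller, separate hardening that keeps the unlocked matcher's work independent of which template matched.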

The table below provides a breakdown of the smartphones on which Chen and He tested the attack.

Smartphones tested for fingerprint exploit vulnerability

| Smartphone | Operating system | Vulnerability | Number of authentication attempts achieved |
|---|---|---|---|
| Xiaomi Mi 11 Ultra | Android 11 | CAMF, MAL | Unlimited |
| Vivo X60 Pro | Android 11 | CAMF, MAL | Unlimited |
| OnePlus 7 Pro | Android 11 | CAMF | Unlimited |
| OPPO Reno Ace | Android 10 | CAMF | Unlimited |
| Samsung Galaxy S10+ | Android 9 | CAMF | Unlimited |
| OnePlus 5T | Android 8 | CAMF | Unlimited |
| Huawei Mate30 Pro 5G | HarmonyOS 2 | MAL | Unlimited |
| Huawei P40 | HarmonyOS 2 | MAL | Unlimited |
| Apple iPhone SE | iOS 14.5.1 | CAMF | 15 |
| Apple iPhone 7 | iOS 14.4.1 | CAMF | 15 |
