Researchers have discovered a new type of attack targeting smartphones using brute-force attacks that can bypass fingerprint authentication called BrutePrint.
Brute-force attacks use numerous trial-and-error attempts to decipher a key or password in order to obtain access to accounts without authorization. The new method has been tested on a handful of smartphone models. These tests resulted in unlimited login attempts on all Android and Huawei phones and ten additional attempts on iOS devices.
The exploited two vulnerabilities in this attack are Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) and the Serial Peripheral Interface (SPI) of the fingerprint sensors biometric data was insufficiently safeguarded, making it possible for a MITM attack to steal fingerprint images.
The main goal of this type of brute-force attack is to allow intruders to an unlimited number of attempts in unlocking a device using a fingerprint match.
BrutePrint stands in between the fingerprint sensor and the Trusted Execution Environment (TEE) and exploits the CAMF flaw to manipulate the multi-sampling and error-canceling mechanisms of fingerprint authentication on smartphones.
Cancel-After-Match-Fail vulnerability inserts an error in the fingerprint data that stops the authentication process. This way, threat actors can try an infinite number of fingerprints on the device without triggering the security system.
The Match-After-Lock bug allows them to continue the authentication attempts even when the device is in lockout mode that getd lls activated after a number of failed attempts, and it shouldn’t allow any more attempts for a while.
The BrutePrint attack enables a transfer system. This makes all the images from the fingerprint database look like the targeted device scanned them. This tricks the scanning sensor into thinking that it is a valid image.
Android devices permit an endless number of fingerprint trials, making it practically viable to brute-force the user’s fingerprint and unlock the device. The authentication security on iOS is significantly stronger and efficiently thwarts brute-force attacks.
Although the researchers found that iPhone SE and iPhone 7 are vulnerable to CAMF, they could only increase the fingerprint tryout count to 15, which isn’t enough to brute-force the owner’s fingerprint.
BrutePoint attacks to be successful, time ranges from 2.9 to 13.9 hours, when the user has enrolled one fingerprint. And from 0.66 to 2.78 hours, when multiple fingerprints are enrolled.
This type of cyberattack is a slower one, criminals and thieves could use it to unlock stolen smartphones.