Language
Android Fingerprint Biometrics Fall to 'BrutePrint' Attack
HomeHome > Blog > Android Fingerprint Biometrics Fall to 'BrutePrint' Attack
LATEST NEWS

Android Fingerprint Biometrics Fall to 'BrutePrint' Attack

Feb 06, 2024

Endpoint Security , Identity & Access Management , Security Operations

Security researchers have demonstrated a practical attack that can be used to defeat biometric fingerprint checks and log into a target's Android smartphone.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

Security researchers Yu Chen at Tencent and Yiling He at Zhejiang University unveiled the attack, which they dubbed "BrutePrint," in a new research paper. Their brute force attack is inexpensive, practical to deploy at a large scale and can be used to log into devices as well as authorize payments, they said.

To simplify such attacks, the researchers detailed how a printed circuit board, which costs about $15, can be created for each type of device to be targeted, which can automate the attack sequence. As a result, little experience or training is required to bring BrutePrint to the masses.

Since Apple debuted its Touch ID feature in 2013, numerous smartphone manufacturers have shipped devices that users can unlock with a fingerprint. Fingerprint biometrics offers a combination of usability and security - at least when it works as promised.

Researchers have found innovative ways to defeat fingerprint-based security checks. Some of the most memorable methods involve gummy bears, Play-Doh, photocopies and wood glue. In response, manufacturers have continued to add security features, such as locking devices, after too many failed attempts and have used capacitive checks to detect if a finger is real (see: Biometrics: Advances Smack Down Workarounds).

Yu and Yiling said BrutePrint allows them to bypass spoof detection and attempts to limit the number of tries on 10 different Android devices, including the Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 and Samsung Galaxy S10 Plus. The techniques can be used to eventually unlock a vulnerable device nearly three-quarters of the time, they said.

To bypass attempt limits, the researchers exploited two zero-day flaws in the smartphone fingerprint authentication - aka SFA - framework on Android devices. They also targeted weak security in the implementation of the serial peripheral interface of fingerprint sensors, to attempt to reverse-engineer copies of stored fingerprints. While this isn't essential, the researchers said recovering fingerprints increases the chance of BrutePrint succeeding.

BrutePrint proceeds via four stages:

While the attack worked on every Android device the researchers tested, it failed on both Apple models - an iPhone 7 and SE - they tested, owing to their storing fingerprint data in encrypted format, as well as protections that prevent the fingerprint data input from being hijackable.

Rate limits, which lock a device after too many failed fingerprint-authentication attempts, are a feature of all modern smartphone operating systems. The SFA bugs the researchers targeted as part of BrutePrint allowed them to bypass rate-limit defenses, giving them infinite attempts to succeed. They said this capability remains essential, since successful attacks may take hours to complete.

Liveness detection is another widespread defense designed to block spoofed input. To defeat this, the researchers use the Cycle Generative Adversarial Network, aka CycleGAN, which is a technique that trains a neural network to translate one image into another. Using CycleGAN, they said, allows them to create dictionary images of sufficient quality, which look correct enough to a smartphone's safety checks for BrutePrint to succeed against any given Android device 71% of the time.

The researchers said that the vulnerabilities targeted via BrutePrint could be closed via operating system updates or if smartphone and fingerprint sensor manufacturers work more closely together to build countermeasures.