Cracking the Code: Hackers Break Through Phone Fingerprint Locks with BrutePrint Attack

Researchers have disclosed a low-cost attack that can brute-force smartphone fingerprint authentication, bypass the user's unlock protection, and take control of the device.

The technique, named BrutePrint, exploits two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to sidestep the safeguards that limit repeated failed biometric attempts.

The two vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), are logic flaws in the authentication framework. They become exploitable because fingerprint data crossing the Serial Peripheral Interface (SPI) between the sensor and the host is not adequately protected, so an attacker with hardware access can read and modify it in transit.

The result is a "hardware-based approach for man-in-the-middle (MitM) attacks on fingerprint image hijacking," as researchers Yu Chen and Yiling He put it in their paper. BrutePrint sits between the fingerprint sensor and the Trusted Execution Environment (TEE).

The goal of BrutePrint is to submit an unlimited number of fingerprint images until one matches. This presupposes that the attacker already has physical possession of the target device.

Executing the attack also requires a fingerprint database and a hardware setup consisting of a microcontroller board and an auto-clicker, which intercepts the data transmitted by the fingerprint sensor. The hardware costs as little as $15.


The first vulnerability, CAMF, abuses the framework's fault tolerance. By invalidating the checksum of the fingerprint data, the attacker cancels the attempt before its failure is recorded, so the attempt counter never advances and matching can be retried without limit.

MAL, on the other hand, exploits a side channel to infer whether a submitted fingerprint image matched, even while the device is in lockout after too many failed attempts.

Although Keyguard checks the lockout state to prevent the unlock, the match decision is made inside the Trusted Execution Environment (TEE), which returns a success as soon as a matching sample is seen. An attacker can therefore infer the result from observable behaviour such as response time and the number of images the TEE acquires.
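The CAMF and MAL behaviour described above, modelled as an added example that is not code from the BrutePrint paper or from any phone vendor: a small Python simulation of the SFA flow with a sensor delivering frames over a hijacked SPI link, a TEE matcher, and a Keyguard-side attempt counter, next to a hardened variant. The lockout threshold, the number of samples per attempt, the 32-byte frame format, the candidate "database" and all class and function names are constructed for the illustration and assume nothing about a real implementation.

```python
# Added illustration, not code from the BrutePrint paper or from any phone vendor.
# Toy model of the smartphone fingerprint authentication (SFA) flow: a sensor
# delivering frames over a hijacked SPI link, a TEE matcher, and a Keyguard-side
# attempt counter. MAX_FAILURES, MULTI_SAMPLE, the 32-byte frame format and the
# candidate "database" are constructed values chosen for the demonstration.
import hashlib
from dataclasses import dataclass

MAX_FAILURES = 5   # hypothetical lockout threshold
MULTI_SAMPLE = 3   # frames the TEE requests from the sensor per attempt

# Constructed data: the owner's template hidden inside a candidate database
# that the attacker replays over the SPI link.
ENROLLED = hashlib.sha256(b"owner-finger").digest()
DATABASE = [hashlib.sha256(f"finger-{i}".encode()).digest() for i in range(50)]
DATABASE.insert(37, ENROLLED)


def frame_checksum(frame: bytes) -> bytes:
    """Integrity check applied to every frame read from the sensor."""
    return hashlib.sha256(frame).digest()[:4]


@dataclass
class Observation:
    result: str            # what Keyguard reports
    frames_requested: int  # what a man-in-the-middle on SPI can count


class VulnerableSFA:
    """Framework with the CAMF and MAL logic flaws."""

    def __init__(self):
        self.failures = 0

    def _tee_attempt(self, frames):
        """TEE side: multi-sample, abort on a bad checksum, return on first match."""
        requested = 0
        for frame, cs in frames[:MULTI_SAMPLE]:
            requested += 1
            if frame_checksum(frame) != cs:
                return "CANCELLED", requested  # CAMF: attempt aborted, not counted
            if frame == ENROLLED:
                return "MATCH", requested      # MAL: early return leaks the result
        return "FAIL", requested

    def authenticate(self, frames):
        locked = self.failures >= MAX_FAILURES
        # Keyguard checks the lockout but still lets the TEE run the matcher.
        result, requested = self._tee_attempt(frames)
        if result == "FAIL":
            self.failures += 1      # only a completed failure advances the counter
        elif result == "MATCH" and not locked:
            self.failures = 0
        return Observation("LOCKED" if locked else result, requested)


class HardenedSFA(VulnerableSFA):
    """Lockout enforced in the TEE, cancels charged as failures, and a fixed
    number of frames consumed per attempt so nothing leaks through timing."""

    def _tee_attempt(self, frames):
        if self.failures >= MAX_FAILURES:
            return "LOCKED", 0  # no sensor traffic and no matching while locked
        matched, bad = False, False
        for frame, cs in frames[:MULTI_SAMPLE]:  # always consume every sample
            if frame_checksum(frame) != cs:
                bad = True
            elif frame == ENROLLED:
                matched = True
        return ("MATCH" if matched and not bad else "FAIL"), MULTI_SAMPLE


def bruteprint(sfa, database):
    """Attacker loop (CAMF): MULTI_SAMPLE-1 candidates per attempt followed by a
    frame with a bad checksum, so a miss is cancelled rather than counted."""
    poison = (b"\x00" * 32, b"\xff" * 4)
    attempts = 0
    for start in range(0, len(database), MULTI_SAMPLE - 1):
        batch = database[start:start + MULTI_SAMPLE - 1]
        attempts += 1
        obs = sfa.authenticate([(f, frame_checksum(f)) for f in batch] + [poison])
        if obs.result in ("MATCH", "LOCKED"):
            return obs.result, attempts, sfa.failures
    return "EXHAUSTED", attempts, sfa.failures


def lock_out(sfa):
    """Exhaust the attempt budget with honest misses (valid checksums)."""
    wrong = [(f, frame_checksum(f)) for f in DATABASE[:MULTI_SAMPLE]]
    while sfa.failures < MAX_FAILURES:
        sfa.authenticate(wrong)
    return sfa


def mal_probe(sfa, candidate):
    """Attacker probe (MAL) on a locked-out phone: Keyguard says LOCKED either way,
    but fewer frames requested than for a known miss means the candidate matched."""
    def frames_for(first):
        filler = [(f, frame_checksum(f)) for f in DATABASE[:MULTI_SAMPLE - 1]]
        return sfa.authenticate([(first, frame_checksum(first))] + filler).frames_requested
    baseline = frames_for(DATABASE[0])  # reference: a candidate known not to match
    return frames_for(candidate) < baseline


if __name__ == "__main__":
    print("vulnerable:", bruteprint(VulnerableSFA(), DATABASE))  # match, counter still 0
    print("hardened:  ", bruteprint(HardenedSFA(), DATABASE))    # locked out after 5 misses
    print("MAL leak:  ", mal_probe(lock_out(VulnerableSFA()), ENROLLED))
```

Against the vulnerable model the attacker walks the whole database in cancelled attempts and the failure counter stays at zero; against the hardened one every cancelled attempt is charged, the phone locks after the configured number of misses, and a locked TEE requests no frames at all, so the frame count no longer distinguishes a match from a miss.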

In tests on 10 smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi and Vivo, BrutePrint achieved unlimited attempts on all of the Android and HarmonyOS devices. On the iOS devices it only gained 10 additional attempts, which is consistent with the iPhone encrypting fingerprint data on the SPI link rather than sending it in the clear.

These findings coincide with a separate study describing Hot Pixels, a hybrid side-channel attack that leverages the tradeoff between execution speed, power consumption and temperature in modern system-on-chips (SoCs) and GPUs. It targets Chrome 108 and Safari 16.2 and uses JavaScript to perform website-fingerprinting attacks and recover a user's browsing history.

It does so by applying a computationally intensive SVG filter and measuring rendering times to recover pixel colours, stealthily collecting information with an accuracy of up to 94%.

The issues have been acknowledged by Apple, Google, AMD, Intel, Nvidia and Qualcomm. Among other measures, the researchers recommend blocking the application of SVG filters to iframes and hyperlinks and restricting unprivileged access to sensor readings.

Separately from BrutePrint and Hot Pixels, Google has also disclosed ten security vulnerabilities it found in Intel's Trust Domain Extensions (TDX) that could lead to arbitrary code execution, denial of service, and loss of integrity.

In a related finding, Intel CPUs have been shown to be vulnerable to a timing side-channel attack that exploits variations in execution time caused by changing the EFLAGS register during transient execution. The technique allows data to be extracted without relying on the cache.
