Endpoint Security , Identity & Access Management , Security Operations

Android Fingerprint Biometrics Fall to 'BrutePrint' Attack

Dictionary Attack Plus Neural Network Fools Security Checks, Researchers Find
Android Fingerprint Biometrics Fall to 'BrutePrint' Attack
Image: Shutterstock

Security researchers have demonstrated a practical attack that can be used to defeat biometric fingerprint checks and log into a target's Android smartphone.

See Also: OnDemand | Endpoint Security in a Hybrid World

Security researchers Yu Chen at Tencent and Yiling He at Zhejiang University unveiled the attack, which they dubbed "BrutePrint," in a new research paper. Their brute force attack is inexpensive, practical to deploy at a large scale and can be used to log into devices as well as authorize payments, they said.

To simplify such attacks, the researchers detailed how a printed circuit board, which costs about $15, can be created for each type of device to be targeted, which can automate the attack sequence. As a result, little experience or training is required to bring BrutePrint to the masses.

Since Apple debuted its Touch ID feature in 2013, numerous smartphone manufacturers have shipped devices that users can unlock with a fingerprint. Fingerprint biometrics offers a combination of usability and security - at least when it works as promised.

Researchers have found innovative ways to defeat fingerprint-based security checks. Some of the most memorable methods involve gummy bears, Play-Doh, photocopies and wood glue. In response, manufacturers have continued to add security features, such as locking devices, after too many failed attempts and have used capacitive checks to detect if a finger is real (see: Biometrics: Advances Smack Down Workarounds).

Yu and Yiling said BrutePrint allows them to bypass spoof detection and attempts to limit the number of tries on 10 different Android devices, including the Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 and Samsung Galaxy S10 Plus. The techniques can be used to eventually unlock a vulnerable device nearly three-quarters of the time, they said.

To bypass attempt limits, the researchers exploited two zero-day flaws in the smartphone fingerprint authentication - aka SFA - framework on Android devices. They also targeted weak security in the implementation of the serial peripheral interface of fingerprint sensors, to attempt to reverse-engineer copies of stored fingerprints. While this isn't essential, the researchers said recovering fingerprints increases the chance of BrutePrint succeeding.

4 Steps

BrutePrint proceeds via four stages:

  1. Physical access: Attackers remove the rear cover of a smartphone while connecting a BrutePrint printed circuit board, created at a cost of about $15, to get to the smartphone motherboard and the fingerprint sensor connector.
  2. Stealing stored prints: The BrutePrint circuit board attempts to collect stored fingerprint data that normally flows from the fingerprint sensor to the processor.
  3. Compiling dictionary: The board generates a "fingerprint dictionary" using any collected fingerprint data, as well as a dictionary of stored fingerprints.
  4. Fingerprint injection attack: The dictionary gets transferred into memory on the researchers' circuit board, after which the target smartphone is set to receive fingerprint inputs every second until the attack succeeds.

While the attack worked on every Android device the researchers tested, it failed on both Apple models - an iPhone 7 and SE - they tested, owing to their storing fingerprint data in encrypted format, as well as protections that prevent the fingerprint data input from being hijackable.

Rate Limits, Liveness Checks

Rate limits, which lock a device after too many failed fingerprint-authentication attempts, are a feature of all modern smartphone operating systems. The SFA bugs the researchers targeted as part of BrutePrint allowed them to bypass rate-limit defenses, giving them infinite attempts to succeed. They said this capability remains essential, since successful attacks may take hours to complete.

Liveness detection is another widespread defense designed to block spoofed input. To defeat this, the researchers use the Cycle Generative Adversarial Network, aka CycleGAN, which is a technique that trains a neural network to translate one image into another. Using CycleGAN, they said, allows them to create dictionary images of sufficient quality, which look correct enough to a smartphone's safety checks for BrutePrint to succeed against any given Android device 71% of the time.

The researchers said that the vulnerabilities targeted via BrutePrint could be closed via operating system updates or if smartphone and fingerprint sensor manufacturers work more closely together to build countermeasures.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.