
New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
Researchers have devised a low-cost attack technique that can be leveraged to brute-force fingerprints on smartphones, bypassing user authentication and seizing control of the device.
The approach, dubbed BrutePrint, bypasses the limits imposed to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework.
The weaknesses, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), exploit logical flaws in the authentication framework that arise from insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) between the fingerprint sensor and the host.
The result is a “hardware approach to performing a man-in-the-middle (MitM) attack for fingerprint image piracy,” researchers Yu Chen and Yiling He said in a research paper. “BrutePrint acts as an intermediary between the fingerprint sensor and the TEE (Trusted Execution Environment).”
The goal, in essence, is to be able to send an unlimited number of fingerprint images until a match is found. However, that presupposes that the threat actor already has physical possession of the target device.
Additionally, adversaries need a fingerprint database and a setup consisting of a microcontroller board and an automatic clicker that can hijack the data sent by the fingerprint sensor; the hardware costs as little as $15.
The first of the two vulnerabilities, CAMF, abuses the framework's fault tolerance: an attempt whose fingerprint data fails its checksum is cancelled rather than recorded as a failed attempt, so deliberately invalidating the checksum gives attackers unlimited tries.
MAL, on the other hand, exploits side channels to infer whether a fingerprint image matches on the target device, even after the device has entered lockout mode following too many failed attempts.
“Even though the lockout mode is checked further in Keyguard to disable unlocking, the authentication results have been made by TEE,” explained the researchers.
“Because a Success authentication result is returned immediately when a matching sample is met, a side-channel attack might infer the result from behavior such as response time and number of images acquired.”
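To make the two state-machine flaws concrete, the following simulation is an added example and is not code from the BrutePrint paper or from any vendor's fingerprint framework. It models an abstract SFA flow (sensor frames over SPI, a TEE matcher, a Keyguard failure counter) and places the vulnerable logic beside a hardened version. The SPI frame layout, the one-byte checksum, the values of MAX_IMAGES and LOCKOUT_THRESHOLD, and the use of "images acquired" as the observable side channel are all assumptions chosen for illustration, and the enrolled prints and candidate list are constructed sample data.

```python
"""Simulation of the CAMF and MAL logic flaws (added example, assumptions labelled)."""
from dataclasses import dataclass

MAX_IMAGES = 3          # assumed: images the framework samples per attempt
LOCKOUT_THRESHOLD = 5   # assumed: failed attempts before Keyguard locks


def checksum(data: bytes) -> int:
    """Assumed one-byte checksum protecting each SPI frame payload."""
    return sum(data) & 0xFF


@dataclass
class SpiFrame:
    image: bytes
    crc: int

    @classmethod
    def build(cls, image: bytes) -> "SpiFrame":
        return cls(image, checksum(image))

    def corrupted(self) -> "SpiFrame":
        """Frame whose checksum no longer matches, as a MitM board could inject."""
        return SpiFrame(self.image, self.crc ^ 0xFF)


@dataclass
class VulnerableSfa:
    enrolled: set
    failures: int = 0

    def locked(self) -> bool:
        return self.failures >= LOCKOUT_THRESHOLD

    def tee_match(self, image: bytes) -> bool:
        return image in self.enrolled

    def authenticate(self, frames):
        """Returns (result, images_acquired); the count stands in for what an
        SPI sniffer sees, i.e. how many frames were read before the stop."""
        acquired = 0
        for frame in frames[:MAX_IMAGES]:
            acquired += 1
            if checksum(frame.image) != frame.crc:
                # CAMF: a checksum error cancels the attempt before the
                # failure counter is updated, so it never counts as a fail.
                return "CANCELLED", acquired
            if self.tee_match(frame.image):
                # MAL: the TEE has already decided Success and stops acquiring;
                # Keyguard rejects only afterwards when locked, by which time
                # the early stop has leaked the verdict.
                if self.locked():
                    return "LOCKED", acquired
                self.failures = 0
                return "SUCCESS", acquired
        self.failures += 1
        return ("LOCKED" if self.locked() else "FAIL"), acquired


class HardenedSfa(VulnerableSfa):
    def authenticate(self, frames):
        if self.locked():
            return "LOCKED", 0       # no acquisition and no matching while locked
        acquired = 0
        for frame in frames[:MAX_IMAGES]:
            acquired += 1
            if checksum(frame.image) != frame.crc:
                break                # a corrupt frame ends the attempt and still counts
            if self.tee_match(frame.image):
                self.failures = 0
                return "SUCCESS", acquired
        self.failures += 1           # every attempt that did not succeed counts
        return "FAIL", acquired


def camf_brute_force(sfa, candidates):
    """Attacker loop: each candidate is followed by a corrupted frame so the
    attempt is cancelled rather than failed. Returns (match, attempts)."""
    for attempts, image in enumerate(candidates, start=1):
        frame = SpiFrame.build(image)
        result, _ = sfa.authenticate([frame, frame.corrupted()])
        if result == "SUCCESS":
            return image, attempts
        if result == "LOCKED":
            return None, attempts
    return None, len(candidates)


def lock_device(sfa):
    """Burn failures with a non-enrolled print until Keyguard locks."""
    while not sfa.locked():
        sfa.authenticate([SpiFrame.build(b"not-enrolled")] * MAX_IMAGES)


def mal_oracle(sfa, image) -> bool:
    """Infer the TEE verdict on a locked device from the early stop alone."""
    _, acquired = sfa.authenticate([SpiFrame.build(image)] * MAX_IMAGES)
    return 0 < acquired < MAX_IMAGES


if __name__ == "__main__":
    enrolled = {b"finger-41"}                                  # constructed sample
    candidates = [f"finger-{i}".encode() for i in range(60)]  # constructed sample
    for cls in (VulnerableSfa, HardenedSfa):
        sfa = cls(set(enrolled))
        print(cls.__name__, "CAMF:", camf_brute_force(sfa, candidates), "failures:", sfa.failures)
        sfa = cls(set(enrolled))
        lock_device(sfa)
        print(cls.__name__, "MAL on locked device:",
              mal_oracle(sfa, b"finger-41"), mal_oracle(sfa, b"finger-7"))
```

Against the vulnerable model the brute force walks the whole candidate list without ever raising the failure counter, and once the device is locked the acquisition count alone still separates an enrolled print from a non-enrolled one. The hardened model counts cancelled attempts and refuses to acquire or match while locked, which closes both channels in this simulation; a real framework would also need the SPI link itself authenticated, since the attack's premise is that the board can rewrite frames at all.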
In an experimental setting, BrutePrint was evaluated against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo, yielding unlimited attempts on the Android and HarmonyOS devices and 10 additional attempts on the iOS device.
The findings come as a group of academics detail hybrid side channels that leverage “a three-way trade-off between execution speed (i.e., frequency), power consumption, and temperature” in modern systems-on-chip (SoCs) and GPUs to perform “browser-based pixel theft and history sniffing attacks” against Chrome 108 and Safari 16.2.
The attack, dubbed Hot Pixels, leverages this behavior to mount a website fingerprinting attack and uses JavaScript code to harvest a user’s browsing history.
This is achieved by designing computationally heavy SVG filters that leak pixel colors through differences in rendering time, silently harvesting the information with up to 94% accuracy.
The issue has been acknowledged by Apple, Google, AMD, Intel, Nvidia, and Qualcomm. The researchers also recommend “prohibiting SVG filters from being applied to iframes or hyperlinks” and preventing unprivileged access to sensor readings.
BrutePrint and Hot Pixels also follow Google’s disclosure of 10 security flaws in Intel Trust Domain Extensions (TDX) that could lead to arbitrary code execution, denial-of-service conditions, and loss of integrity.
On a related note, Intel CPUs have also been found to be susceptible to side-channel attacks that take advantage of execution time variations caused by changes to the EFLAGS register during transient execution to decode data without relying on the cache.