It’s no secret that over the past few years, the threat of hackers exploiting vulnerabilities to gain access to information has prompted many smartphone companies to implement robust cybersecurity measures. However, researchers from Tencent Labs and Zhejiang University have discovered a new type of attack that targets fingerprint authentication systems on modern smartphones. Dubbed BrutePrint, the attack aims to bypass user authentication by repeated trial-and-error attempts, posing a significant threat to accounts and individuals.
How does the BrutePrint attack work?
To execute the BrutePrint attack, researchers identified and exploited two zero-day vulnerabilities named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), which allowed them to overcome existing safeguards on smartphones, such as attempt limits and liveness detection. The researchers also discovered that the data on fingerprint sensors’ Serial Peripheral Interface (SPI) was unprotected, leaving it susceptible to attack.
The attack works by systematically attempting to unlock the device using fingerprints from databases sourced from academic datasets, leaked biometric data, and similar sources. The time required for a successful breach depends on the number of stored fingerprints. For example, on smartphones with only one registered fingerprint, the attack can take between 2.9 and 13.9 hours. On devices with multiple registered fingerprints, the attack takes only about 0.66 to 2.78 hours, as the probability of finding a matching fingerprint increases dramatically.
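The relationship between enrolled fingerprints, attempt limits, and the odds of a trial-and-error match can be put in numbers with a simple model. This is an added example, not taken from the researchers' report; the false-acceptance rate (1 in 50,000), the limit of 5 attempts, and the independence of attempts and templates are assumptions chosen for illustration.

```python
"""Added illustration: how enrolled-template count and attempt limits
change the odds of a trial-and-error fingerprint match.
All numeric values are assumptions, not figures from the report."""

ASSUMED_FAR = 1 / 50_000   # assumed false-acceptance rate per template
ASSUMED_ATTEMPT_LIMIT = 5  # assumed attempts allowed before lockout


def per_attempt_match_prob(far: float, enrolled: int) -> float:
    """Chance one submitted print is accepted by at least one of
    `enrolled` templates, treating templates as independent."""
    if not 0.0 < far < 1.0 or enrolled < 1:
        raise ValueError("far must be in (0, 1) and enrolled >= 1")
    return 1.0 - (1.0 - far) ** enrolled


def expected_attempts(p: float) -> float:
    """Mean attempts until first acceptance (geometric distribution)."""
    return 1.0 / p


def prob_success_within(attempts: int, p: float) -> float:
    """Chance of at least one acceptance in `attempts` tries."""
    return 1.0 - (1.0 - p) ** attempts


def compare(far: float = ASSUMED_FAR, limit: int = ASSUMED_ATTEMPT_LIMIT):
    """Rows of (enrolled, mean attempts with no limit,
    success chance when the limit is enforced)."""
    rows = []
    for enrolled in (1, 2, 5):
        p = per_attempt_match_prob(far, enrolled)
        rows.append((enrolled, expected_attempts(p),
                     prob_success_within(limit, p)))
    return rows


if __name__ == "__main__":
    for enrolled, mean_tries, limited in compare():
        print(f"{enrolled} enrolled: ~{mean_tries:,.0f} tries on average "
              f"without a limit; {limited:.4%} success within the limit")
```

Under these assumptions an enforced attempt limit keeps the success chance below 0.05% in every row, while removing the limit turns the problem into a search whose average length shrinks roughly in proportion to the number of enrolled fingerprints.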
Devices vulnerable to the attack
In their report, researchers stated that they tested the attack on ten popular smartphone models and found that all Android devices were vulnerable. Therefore, if an attacker gains access to your device, they would only need to disable the safeguards and have ample time and minimal hardware costing around $15. On the other hand, iOS devices were much more secure, and the researchers could only gain ten additional attempts on iPhone SE and iPhone 7 models, rendering the attack ineffective.
While this type of attack might not appeal to the average hacker since it requires physical access to the smartphone, researchers have warned that state-sponsored actors and law enforcement agencies can exploit this technique to access data. Therefore, device manufacturers will need to act swiftly and patch these zero-day vulnerabilities as soon as possible.