On May 23, 2023, researchers from Tencent's Xuanwu Lab and Zhejiang University announced a novel offensive technique they call "BrutePrint." It uses a brute-force strategy against the fingerprint authentication of Android smartphones, bypassing the user's identity check and taking control of the device.
A brute-force attack is repeated trial and error against codes, keys or passwords until one is accepted. Here the researchers exploit two zero-day flaws in the fingerprint authentication framework, dubbed Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). They also found that the biometric data travelling over the Serial Peripheral Interface (SPI) between fingerprint sensor and host is inadequately protected, so a Man-In-The-Middle (MITM) device on the bus can hijack fingerprint images: capture those the sensor produces and substitute the attacker's own.
Figure: attack overview of BrutePrint.
Their paper, available on arXiv.org, reports tests on ten commonly used smartphones. On every Android and Huawei HarmonyOS device they obtained an unlimited number of fingerprint attempts; on the iOS devices the attack gained ten additional attempts (fifteen in total instead of the normal five).
Figure: an automatic fingerprint brute-force setup, consisting of a suppressible attacking board, a hardware auto-clicker, and an optional operating board.
BrutePrint works by submitting fingerprint images to the target device, one after another, until one of them matches an enrolled fingerprint. To mount it the attacker needs physical access to the device, a fingerprint database (from an academic dataset or a biometric data breach), and roughly $15 worth of hardware, as shown above.
The attempt limit that normally stops such a loop is defeated through the CAMF and MAL vulnerabilities described above, so on Android and HarmonyOS phones the attacker can keep trying indefinitely. To raise the hit rate, a "neural style transfer" model first converts every image in the database into one that looks like a scan from the target's own sensor, so that each submitted image is a closer approximation of what the sensor would capture from the real finger.
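The following toy model, added here as an illustration and not code from the paper or any vendor's framework, shows why the attempt limit matters and how a CAMF- or MAL-style logic defect defeats it. It assumes a framework that counts failures and locks after a fixed number (the constant `MAX_FAILURES`, the class `FingerprintAuth` and the candidate database are all constructed for this example). The "vulnerable" variant drops a failure from the counter when the attacker cancels the operation right after the sensor reported no match, and still reports match results while locked; the "hardened" variant commits the failure before honouring any cancel and refuses to run the matcher while locked.

```python
from dataclasses import dataclass

MAX_FAILURES = 5  # assumed lockout threshold for this model


@dataclass
class FingerprintAuth:
    """Minimal model of a fingerprint authentication framework (constructed)."""
    enrolled: frozenset       # ids of enrolled fingerprint templates
    vulnerable: bool          # True: CAMF/MAL-style defects present
    failures: int = 0
    locked: bool = False
    sensor_calls: int = 0

    def _sensor_match(self, image_id: int) -> bool:
        # Stand-in for the sensor's matcher: a "match" is simply an image id
        # that equals an enrolled template id.
        self.sensor_calls += 1
        return image_id in self.enrolled

    def attempt(self, image_id: int, cancel_after_fail: bool = False) -> str:
        """Submit one image. Returns MATCH, NO_MATCH, CANCELLED or LOCKED."""
        if self.locked and not self.vulnerable:
            # Hardened: while locked, the matcher is never even invoked.
            return "LOCKED"
        # Vulnerable path (MAL-style, modelled here as an assumption): the
        # framework is "locked" but a submitted image is still matched and
        # the result is still observable by the attacker.
        if self._sensor_match(image_id):
            return "MATCH"
        if self.vulnerable and cancel_after_fail:
            # CAMF-style defect: the cancel arrives after the sensor reported
            # a failure but before that failure is counted, so the counter
            # never moves and the lockout never triggers.
            return "CANCELLED"
        # Hardened: the failure is committed before any cancel is honoured.
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return "NO_MATCH"


def brute_force(auth: FingerprintAuth, candidates, cancel_after_fail: bool = True):
    """Submit candidate images in order; return the 1-based attempt number
    at which a MATCH occurred, or None if the framework locked us out."""
    for n, img in enumerate(candidates, start=1):
        result = auth.attempt(img, cancel_after_fail=cancel_after_fail)
        if result == "MATCH":
            return n
        if result == "LOCKED":
            return None
    return None


def demo() -> dict:
    enrolled = frozenset({42})
    candidates = list(range(100))   # constructed "database"; image 42 is the real finger

    vuln = FingerprintAuth(enrolled, vulnerable=True)      # CAMF: cancel after each fail
    hard = FingerprintAuth(enrolled, vulnerable=False)     # failures always counted
    mal = FingerprintAuth(enrolled, vulnerable=True)       # no cancel, but matching continues after lock

    return {
        "vulnerable_attempts_to_match": brute_force(vuln, candidates),
        "vulnerable_failures_counted": vuln.failures,
        "hardened_attempts_to_match": brute_force(hard, candidates),
        "hardened_failures_counted": hard.failures,
        "hardened_locked": hard.locked,
        "mal_attempts_to_match": brute_force(mal, candidates, cancel_after_fail=False),
        "mal_locked": mal.locked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Against the hardened model the loop dies after five counted failures; against either vulnerable variant it runs until image 42 is accepted on the 43rd submission. The practical check for an implementer is the same one the model makes explicit: increment and persist the failure counter before the result (or a cancel) is returned to the caller, and gate the matcher itself, not just the UI, on the lockout state.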
The cracking tests covered ten devices: six Android phones, two Huawei HarmonyOS phones and two Apple iPhones. Every device had at least one flaw, and the Android and HarmonyOS devices were all open to an unlimited number of brute-force attempts.
Figure: summary table of the fingerprint test results for phones of different brands.
The experiments show that on a device with a single enrolled fingerprint, a successful BrutePrint run takes between 2.9 and 13.9 hours. When the maximum number of fingerprints is enrolled, the time falls to 0.66 to 2.78 hours: every submitted image is compared against every enrolled template, so the chance that a given image is accepted rises with the number of templates and fewer submissions are needed on average.
Figure: success rate of the fingerprint brute-force attack over time. The number of enrolled fingerprints r is set to 1 for the solid lines and to r_max for the dashed lines. E(T) is the expected time (in hours) taken by a successful attack.
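To make the relationship between enrolled fingerprints and attack time concrete, here is a small expected-time calculation added for this article; it is not the paper's model and uses assumed numbers, not the paper's measurements. It assumes each submitted image is falsely accepted against each enrolled template independently with probability `far`, that attempts are independent, and that one attempt costs a fixed `seconds_per_attempt`; the value 1/50,000 for `far` and 1 second per attempt are assumptions chosen only to give readable figures.

```python
import math


def p_any_match(far: float, r: int) -> float:
    """Probability that one submitted image is accepted against at least one of
    r enrolled templates, assuming independent comparisons (assumption)."""
    return 1.0 - (1.0 - far) ** r


def expected_attempts(far: float, r: int) -> float:
    """Mean number of submissions until the first acceptance: each attempt is
    an independent trial with success probability p, so the count is
    geometric with mean 1/p."""
    return 1.0 / p_any_match(far, r)


def expected_hours(far: float, r: int, seconds_per_attempt: float) -> float:
    """E(T) in hours, with a fixed cost per attempt (assumption)."""
    return expected_attempts(far, r) * seconds_per_attempt / 3600.0


def success_by(far: float, r: int, attempts: int) -> float:
    """P(at least one acceptance within `attempts` submissions); this is the
    curve a success-rate-over-time plot traces out."""
    return 1.0 - (1.0 - p_any_match(far, r)) ** attempts


def hours_table(far: float, seconds_per_attempt: float, r_values) -> list:
    """(r, E(T) in hours) for each enrolled-template count in r_values."""
    return [(r, expected_hours(far, r, seconds_per_attempt)) for r in r_values]


if __name__ == "__main__":
    FAR = 1 / 50_000           # assumed per-template false-acceptance rate
    SECONDS = 1.0              # assumed cost of one submission
    for r, hours in hours_table(FAR, SECONDS, range(1, 6)):
        print(f"r={r}: E(T) = {hours:.2f} h, "
              f"P(success after E attempts) = "
              f"{success_by(FAR, r, math.ceil(expected_attempts(FAR, r))):.3f}")
```

Two things the numbers make visible: for small `far` the expected time is roughly proportional to 1/r, so five enrolled fingerprints cut E(T) by about a factor of five rather than exponentially; and reaching E(T) only gives about a 63% chance of success (1 - 1/e), which is why the paper's curves are reported as success rate over time rather than a single completion time.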
Huawei responded that it had already patched the vulnerability in December 2021. According to the update log on Huawei's official website, the flaw is tracked as CVE-2021-40006 and affects HarmonyOS 2.0; users who have installed the updated system are no longer affected.
Huawei HarmonyOS system update log:

| CVE | Vulnerability description | Vulnerability impact | Severity | Affected version |
|---|---|---|---|---|
| CVE-2021-40006 | The fingerprint module can be brute-forced | Successful exploitation could compromise confidentiality | High | HarmonyOS 2.0 |
| CVE-2021-40001 | Path traversal vulnerability in the CaasKit module | Successful exploitation may render the Changlian application unavailable | Medium | HarmonyOS 2.0 |
| CVE-2021-40003 | Path traversal vulnerability in HwPCAssistant | Successful exploitation could compromise confidentiality | Medium | HarmonyOS 2.0 |
Figure source: the paper "BRUTEPRINT: Expose Smartphone Fingerprint Authentication to Brute-force Attack".
Nantian Electronics is a professional distributor of electronic components, providing a wide range of electronic products and saving you time, effort and cost through meticulous order preparation and fast delivery.