
BleepingComputer reports* that researchers at Tencent Labs and Zhejiang University have presented a new attack called ‘BrutePrint’, which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device.
Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.
The Chinese researchers managed to overcome the existing smartphone safeguards that protect against brute-force attacks, such as attempt limits and liveness detection, by exploiting what they claim are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
The authors of the technical paper, published on Arxiv.org, also found that biometric data on the fingerprint sensors’ Serial Peripheral Interface (SPI) was inadequately protected, allowing a man-in-the-middle (MITM) attack to hijack fingerprint images. BrutePrint and SPI MITM attacks were tested against ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS devices and ten additional attempts on iOS devices.
Commentary by Thomas Uhlemann, Security Specialist at ESET
“These findings sound alarming at first glance. Upon closer look, however, the threat may not be as imminent as suggested. First and foremost, this flaw is now publicly documented and can be fixed. Second, for attackers there’s a whole lot of prerequisites to be met – old hardware, old Android versions, but also physical access to the victim’s device.
Therefore it’s safe to say that, to the average user, these kinds of attacks pose little to no direct threat. If these flaws are not already fixed by current hardware and software, it is likely they’ll be mitigated in future updates. Depending on local laws, one can imagine this might be a viable technique for law enforcement in case their suspect uses an older/unpatched phone.”
*ESET does not bear any responsibility for the accuracy of this information.