Unlocking Smartphones with a New BrutePrint Attack
Researchers have found a low-cost attack method that can be used to brute-force fingerprints on smartphones in order to bypass user authentication and take over the devices.
The BrutePrint method uses two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework to circumvent restrictions put in place to limit unsuccessful biometric authentication attempts.
The Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) vulnerabilities take advantage of logical deficiencies in the authentication framework that result from inadequate protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.
This leads to a “hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking,” according to research by Yu Chen and Yiling He. “BrutePrint acts as a middleman between a fingerprint sensor and a TEE [Trusted Execution Environment].”
The main objective is to be able to submit an infinite number of fingerprint images until a match is found. However, it assumes that the target device in question is already in the possession of a threat actor.
To carry out the attack for as little as $15, the adversary also needs a fingerprint database and a set-up that includes a microcontroller board and an auto-clicker that can intercept data received by a fingerprint sensor.
The first of the two flaws that make this attack possible is CAMF, which abuses the system’s fault-tolerance handling: by invalidating the checksum of the fingerprint data, a failed attempt is cancelled rather than counted, granting an attacker an unlimited number of attempts.
Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has already been made by the TEE. As a success authentication result is immediately returned when a matched sample is met, it’s possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images.
Yu Chen and Yiling He, Researchers
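The two logic flaws the article names, CAMF and MAL, come down to ordering mistakes in the authentication flow: integrity is checked after the match result already exists, and the lockout state is enforced by the caller rather than by the TEE that does the matching. The toy state machine below is an added example and not code from the BrutePrint researchers or from any vendor; the lockout threshold, the checksum scheme, the class and function names and the constructed sensor frames are all assumptions. It places the weak ordering beside a hardened one so a reviewer can see why the attempt counter never advances in the first and always advances in the second.

```python
"""
Illustrative model (added example, not the BrutePrint paper's or a vendor's code):
a toy fingerprint-authentication state machine showing the CAMF and MAL ordering
flaws the article describes, next to a hardened counterpart.  The lockout limit,
the checksum scheme and the sample "sensor frames" are assumptions.
"""
from dataclasses import dataclass
import hashlib

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, not a real platform value


def make_frame(template: bytes, corrupt_checksum: bool = False) -> tuple[bytes, bytes]:
    """Build a constructed sensor frame: template bytes plus a 4-byte checksum."""
    checksum = hashlib.sha256(template).digest()[:4]
    if corrupt_checksum:  # models data whose integrity check will fail
        checksum = bytes(b ^ 0xFF for b in checksum)
    return template, checksum


def checksum_ok(template: bytes, checksum: bytes) -> bool:
    """Integrity check the TEE is expected to run on every frame."""
    return hashlib.sha256(template).digest()[:4] == checksum


@dataclass
class WeakAuthenticator:
    """TEE-side matcher with the two logic flaws described in the article."""
    enrolled: bytes
    failed: int = 0
    locked: bool = False      # maintained here, but only enforced by the caller (Keyguard)
    matcher_calls: int = 0

    def authenticate(self, template: bytes, checksum: bytes) -> str:
        # MAL: no lockout check inside the TEE, so the matcher always runs.
        self.matcher_calls += 1
        if template == self.enrolled:
            return "success"          # returned at once, before any bookkeeping
        # CAMF: the integrity check comes after matching; a bad checksum
        # cancels the attempt instead of counting it as a failure.
        if not checksum_ok(template, checksum):
            return "cancelled"
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return "fail"


@dataclass
class HardenedAuthenticator:
    """Same interface, with lockout and integrity checks moved in front of matching."""
    enrolled: bytes
    failed: int = 0
    locked: bool = False
    matcher_calls: int = 0

    def _record_failure(self) -> None:
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True

    def authenticate(self, template: bytes, checksum: bytes) -> str:
        if self.locked:                  # enforced inside the TEE, not only in Keyguard
            return "locked"
        if not checksum_ok(template, checksum):
            self._record_failure()       # malformed input spends an attempt too
            return "fail"
        self.matcher_calls += 1
        if template == self.enrolled:
            self.failed = 0
            return "success"
        self._record_failure()
        return "fail"


def run_attempts(auth, frames):
    """Feed frames to an authenticator and return the list of outcomes."""
    return [auth.authenticate(t, c) for t, c in frames]


if __name__ == "__main__":
    enrolled = b"enrolled-template-00"  # constructed sample template
    wrong = [make_frame(f"guess-{i:04d}".encode(), corrupt_checksum=True) for i in range(20)]
    for cls in (WeakAuthenticator, HardenedAuthenticator):
        auth = cls(enrolled)
        outcomes = run_attempts(auth, wrong)
        print(cls.__name__, "matcher calls:", auth.matcher_calls,
              "failed:", auth.failed, "locked:", auth.locked,
              "last outcome:", outcomes[-1])
```

Running the script feeds twenty non-matching frames with bad checksums to each authenticator: the weak one calls the matcher every time and never locks, while the hardened one locks after five attempts and refuses to run the matcher at all once locked. The design point is that every path that reaches the matcher must first pass the lockout and integrity checks, and every non-success path must spend an attempt, so that a sensor-side MitM gains nothing from corrupting frames.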
BrutePrint was tested against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and Vivo in an experimental environment. The results showed unlimited attempts on Android and HarmonyOS smartphones and 10 additional attempts on iOS devices.
The discoveries coincide with the publication of a study by a group of academics that describes a hybrid side-channel that employs browser-based pixel stealing and history sniffing attacks against Chrome 108 and Safari 16.2 by taking advantage of the “three-way tradeoff between execution speed (i.e., frequency), power consumption, and temperature” in modern system-on-chips (SoCs) and GPUs.
Leading technology companies such as Apple, Google, AMD, Intel, Nvidia, and Qualcomm have acknowledged the existence of these vulnerabilities. To mitigate the risks, experts recommend implementing preventive measures such as restricting the application of SVG filters to iframes or hyperlinks, as well as limiting unprivileged access to sensor readings.
BrutePrint and Hot Pixels arrive alongside Google’s recent findings, which shed light on further security vulnerabilities within Intel’s Trust Domain Extensions (TDX). These flaws expose the potential for arbitrary code execution, denial-of-service situations, and compromises in data integrity.
Moreover, Intel CPUs have also been identified as susceptible to a side-channel attack that capitalizes on variations in execution time. By manipulating the EFLAGS register during transient execution, attackers can decode data without relying on the cache, posing a significant threat to system security.