Android Fingerprint Biometrics Fall to 'BrutePrint' Attack
Dictionary Attack Plus Neural Network Fools Security Checks, Researchers Find
Security researchers have demonstrated a practical attack that can be used to defeat biometric fingerprint checks and log into a target's Android smartphone.
Security researchers Yu Chen at Tencent and Yiling He at Zhejiang University unveiled the attack, which they dubbed "BrutePrint," in a new research paper. Their brute force attack is inexpensive, practical to deploy at a large scale and can be used to log into devices as well as authorize payments, they said.
To simplify such attacks, the researchers detailed how a printed circuit board costing about $15 can be built for each type of targeted device to automate the attack sequence. As a result, little experience or training is required to bring BrutePrint to the masses.
Since Apple debuted its Touch ID feature in 2013, numerous smartphone manufacturers have shipped devices that users can unlock with a fingerprint. Fingerprint biometrics offers a combination of usability and security - at least when it works as promised.
Researchers have found innovative ways to defeat fingerprint-based security checks. Some of the most memorable methods involve gummy bears, Play-Doh, photocopies and wood glue. In response, manufacturers have continued to add security features, such as locking devices after too many failed attempts, and have used capacitive checks to detect whether a finger is real (see: Biometrics: Advances Smack Down Workarounds).
Yu and Yiling said BrutePrint allows them to bypass spoof detection and attempts to limit the number of tries on 10 different Android devices, including the Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 and Samsung Galaxy S10 Plus. The techniques can be used to eventually unlock a vulnerable device nearly three-quarters of the time, they said.
To bypass attempt limits, the researchers exploited two zero-day flaws in the smartphone fingerprint authentication - aka SFA - framework on Android devices. They also targeted weak security in the implementation of the serial peripheral interface of fingerprint sensors, to attempt to reverse-engineer copies of stored fingerprints. While this isn't essential, the researchers said recovering fingerprints increases the chance of BrutePrint succeeding.
BrutePrint proceeds via four stages:
- Physical access: Attackers remove the rear cover of a smartphone while connecting a BrutePrint printed circuit board, created at a cost of about $15, to get to the smartphone motherboard and the fingerprint sensor connector.
- Stealing stored prints: The BrutePrint circuit board attempts to collect stored fingerprint data that normally flows from the fingerprint sensor to the processor.
- Compiling dictionary: The board generates a "fingerprint dictionary" using any collected fingerprint data, as well as a dictionary of stored fingerprints.
- Fingerprint injection attack: The dictionary gets transferred into memory on the researchers' circuit board, after which the target smartphone is set to receive fingerprint inputs every second until the attack succeeds.
While the attack worked on every Android device the researchers tested, it failed on both Apple models they tested - an iPhone 7 and an iPhone SE - because those devices store fingerprint data in encrypted form and include protections that prevent the fingerprint data input from being hijacked.
Rate Limits, Liveness Checks
Rate limits, which lock a device after too many failed fingerprint-authentication attempts, are a feature of all modern smartphone operating systems. The SFA bugs the researchers targeted as part of BrutePrint allowed them to bypass rate-limit defenses, giving them infinite attempts to succeed. They said this capability remains essential, since successful attacks may take hours to complete.
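The article does not detail the SFA flaws, so as an added illustration (not the researchers' code) the toy model below shows one general way an attempt limit fails: a counter that only increments on a clean "no match" verdict never sees attempts that abort with an error, so the device never locks and the attacker gets unlimited tries. The hardened variant counts every attempt that reaches the matcher without producing a match, and refuses to run the matcher at all once locked. The result labels, threshold and attempt stream are constructed for the example.

```python
from dataclasses import dataclass

MAX_FAILURES = 5  # constructed lockout threshold


@dataclass
class AttemptLimiter:
    """Fail-closed when count_errors is True: every attempt that enters the
    matcher and does not yield a match counts toward the lockout."""
    count_errors: bool
    failures: int = 0
    evaluated: int = 0
    locked: bool = False

    def submit(self, result: str) -> str:
        # result is a constructed label: 'match', 'no_match' or 'error'
        if self.locked:
            return "locked"          # matcher must never run once locked
        self.evaluated += 1
        if result == "match":
            self.failures = 0
            return "unlocked"
        # Weak limiter: only 'no_match' counts, so 'error' attempts are free.
        # Hardened limiter: anything short of a match counts.
        if result == "no_match" or self.count_errors:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
                return "locked"
        return "rejected"


def simulate(count_errors: bool, stream: list[str]) -> dict:
    """Run a stream of attempt results through a limiter and summarise it."""
    limiter = AttemptLimiter(count_errors)
    outcomes = [limiter.submit(r) for r in stream]
    return {
        "evaluated": limiter.evaluated,    # attempts the matcher actually saw
        "locked": limiter.locked,
        "unlocked": "unlocked" in outcomes,
    }


# Constructed stream: many attempts that abort with an error, then one that matches.
STREAM = ["error"] * 20 + ["match"]

if __name__ == "__main__":
    print("weak    :", simulate(False, STREAM))  # {'evaluated': 21, 'locked': False, 'unlocked': True}
    print("hardened:", simulate(True, STREAM))   # {'evaluated': 5, 'locked': True, 'unlocked': False}
```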
Liveness detection is another widespread defense designed to block spoofed input. To defeat this, the researchers use the Cycle Generative Adversarial Network, aka CycleGAN, which is a technique that trains a neural network to translate one image into another. Using CycleGAN, they said, allows them to create dictionary images of sufficient quality, which look correct enough to a smartphone's safety checks for BrutePrint to succeed against any given Android device 71% of the time.
The researchers said that the vulnerabilities targeted via BrutePrint could be closed via operating system updates or if smartphone and fingerprint sensor manufacturers work more closely together to build countermeasures.