
Researchers have developed a low-cost smartphone attack that cracks the fingerprint authentication used to unlock the screen and perform other sensitive operations on a variety of Android devices in just 45 minutes.
Called BrutePrint by its creators, the attack requires an adversary to have physical control of a device when it is lost, stolen, temporarily surrendered, or unattended, such as when the owner is asleep. The objective: to gain the ability to perform a brute-force attack that tries a huge number of fingerprint guesses until one is found that unlocks the device. The attack exploits vulnerabilities and weaknesses in the device's SFA (smartphone fingerprint authentication).
An overview of BrutePrint
BrutePrint is a low-cost attack that allows people to unlock devices by exploiting various vulnerabilities and weaknesses in smartphone fingerprint authentication systems. Here is the workflow of these systems, commonly abbreviated as SFAs.

Smartphone fingerprint identification system workflow.
The core hardware required for BrutePrint is a $15 circuit board containing (1) an STM32F412 microcontroller from STMicroelectronics, (2) a bidirectional, two-channel analog switch known as RS2117, (3) an 8GB SD flash memory card, and (4) a board-to-board connector that connects the phone’s motherboard to the fingerprint sensor’s flexible printed circuit board.

The adversary device that forms the core of the BrutePrint attack.
Additionally, the attack requires a database of fingerprints similar to those used in research or leaked in real-world breaches.

BrutePrint attack overview.
Not all smartphones are created equal
More on how BrutePrint works later. First, a breakdown of the performance of different phone models. In total, the researchers tested 10 models: Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G, Huawei P40, Apple iPhone SE, Apple iPhone 7.

List of tested devices along with various features of the devices.
The researchers tested each for vulnerabilities, weaknesses, or susceptibility to different attack techniques. Attributes investigated included the number of samples in multisampling, the presence of error cancellation, hot-plug support, whether data can be decoded, and the frequency of data transfers on the SPI bus. In addition, the researchers tested three attacks: attempt limit bypassing, fingerprint image hijacking, and fingerprint brute-forcing.

Results of different attacks on different devices tested.
Finally, the researchers provided results showing how long it took to brute-force fingerprints on different phones. Because the amount of time depends on the number of prints allowed, the researchers limited each phone to a single print.

The success rate of the different devices tested, with the Galaxy S10+ taking the least time (0.73 to 2.9 hours) and the Mi11 the longest (2.78 to 13.89 hours).
While the features vary, the bottom line is that BrutePrint can attempt an unlimited number of authentication fingerprints on all eight Android models. Depending on various factors, including the fingerprint authentication range of a particular phone and the number of fingerprints stored for authentication, it takes about 40 minutes to 14 hours.