‘BrutePrint’ Unlocks Android Phones — Chinese Researchers

Android phone fingerprint sensorOr, at least, older phones.

Researchers have found a brace of zero days that allow them to unlock Android phones with a fake fingerprint. They’ve dubbed it BrutePrint, but it only seems to be a problem in older phones that don’t follow Google’s standards.

Check your threat model for broken biometrics. In today’s SB Blogwatch, we touch on all the issues.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Ogmios.


What’s the craic? Bill Toulas reports—“Android phones are vulnerable to fingerprint brute-force attacks”:

Value for thieves and law enforcement
A new attack called ‘BrutePrint’ … brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device. … Researchers managed to overcome existing safeguards on smartphones, like attempt limits and liveness detection … by exploiting what they claim are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

The [researchers] also found that biometric data on the fingerprint sensors’ Serial Peripheral Interface (SPI) were inadequately protected, allowing for a man-in-the-middle (MITM) attack to hijack fingerprint images. … MITM attacks were tested against ten popular smartphone models, achieving unlimited attempts on all Android … devices and ten additional attempts on iOS devices.

The attacker needs physical access to the target device to launch a BrutePrint attack. … However, this perceived limitation should not undermine its value for thieves and law enforcement.

Whodunnit? Mathew J. Schwartz points the finger—“Biometrics Fall to ‘BrutePrint’ Attack”:

Samsung Galaxy
Security researchers Yu Chen at Tencent and Yiling He at Zhejiang University unveiled the attack. [It] is inexpensive, practical to deploy at a large scale and can be used to log into devices as well as authorize payments.

Fingerprint biometrics offers a combination of usability and security – at least when it works as promised. … The researchers detailed how a printed circuit board, which costs about $15, can be created for each type of device to be targeted, which can automate the attack sequence.

Yu and Yiling said BrutePrint allows them to [unlock] 10 different Android devices, including the Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 and Samsung Galaxy S10 Plus … nearly three-quarters of the time. … The researchers said that the vulnerabilities targeted via BrutePrint could be closed via operating system updates.

Tell me more? Jeff Goldman obliges—“How to Respond to the BrutePrint Threat”:

To mitigate [it] the researchers recommended an additional error-cancel attempt limit setting – and … they urged vendors of fingerprint sensors to encrypt [SPI] data. And it’s not just about smartphones – they warned that BrutePrint could also be applied to other biometric systems.

Any other ideas? Mmm, danann[You’re fired—Ed.]

If this requires opening up the phone while turned on … manufacturers could also place a sensor to detect if the phone got opened up while turned on—and lockdown or force a reboot.

Wait. Pause. Attackers need to open the phone? sillywalk flies into the circus:

The exploit requires physically opening the phone and attaching a cable to the phone motherboard/fingerprint reader chip.

But surely Android’s Trusted Execution Environment encrypts the fingerprint data in transit? ikjadoon suggests why this might not be the case:

Android requires OEMs to have a “secure path” between the sensor and the TEE. … Android 12 added official Android support for under-display fingerprint sensors. That could mean that those sensors in older Android versions [had] non-standard implementations without the same requirements.

How come? FrankSchwab explains:

I worked on fingerprint sensors in the 00’s, shipping a couple hundred million units to major Phone and Laptop manufacturers. Our top line sensors fully encrypted all communications between the sensor and the host. … But the mobile world wanted cheaper, cheaper, cheaper and simpler, simpler, simpler — the mobile customers neither wanted to pay an extra dime for encryption, nor did they want to deal with the hassle of encryption. So we sold them hundreds of millions of sensors with no encryption.

What these researchers were attacking were the bottom-of-the-barrel sensors, selling for pennies, that the manufacturers demanded. The result isn’t too surprising. … Caught by the race to the bottom.

Meanwhile, Odin Allfather snarks it up a touch:

I’m not at all surprised to see the Pixel 6 missing from the list of devices where this hack was successful. I can’t unlock my Pixel 6 in 30 minutes using the finger I registered.

I’ll show myself out.

And Finally:

ASMR driving instructor in London

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Lukenn Sabellano (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 644 posts and counting.See all posts by richi