{"id":31729,"date":"2023-05-31T07:13:09","date_gmt":"2023-05-31T11:13:09","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/fingerprint-brute-force-android\/31729\/"},"modified":"2023-06-01T12:08:58","modified_gmt":"2023-06-01T10:08:58","slug":"fingerprint-brute-force-android","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/fingerprint-brute-force-android\/31729\/","title":{"rendered":"BrutePrint: bypassing smartphone fingerprint protection"},"content":{"rendered":"<p>Fingerprint recognition is believed to be a fairly secure authentication method. Publications on different ways to <a href=\"https:\/\/www.kaspersky.com\/blog\/sas2020-fingerprint-cloning\/34929\/\" target=\"_blank\" rel=\"noopener nofollow\">trick the fingerprint sensor<\/a> do pop up now and again, but all the suggested methods one way or another boil down to physical imitation of the phone owner\u2019s finger \u2014 whether using a silicone pad or <a href=\"https:\/\/slate.com\/technology\/2016\/03\/michigan-state-university-research-shows-how-easy-it-is-to-trick-a-fingerprint-scanner.html\" target=\"_blank\" rel=\"nofollow noopener\">conductive ink printout<\/a>. This involves procuring a high-quality image of a finger \u2014 and not any finger, mind, but the one registered in the system.<\/p>\n<p>In a nutshell, all these methods come with lots of real-world hassle. But is it possible to do it somehow more elegantly, without leaving the purely digital world and all its benefits? Turns out, it is: Chinese researchers Yu Chen and Yiling He recently published a study on how to brute-force almost any fingerprint-protected Android smartphone. 
They called the attack <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"nofollow noopener\">BrutePrint<\/a>.<\/p>\n<h2>How unique are fingerprints?<\/h2>\n<p>\nBefore we get to investigate our Chinese comrades\u2019 work, briefly \u2014 some background theory\u2026 To begin with, and you may know this, but fingerprints are truly unique and never alter with age.<\/p>\n<p>Now, way back in 1892, English scientist Sir Francis Galton published a work laconically entitled <a href=\"https:\/\/galton.org\/books\/finger-prints\/galton-1892-fingerprints-1up.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Finger Prints<\/a>. In it, he summarized the then-current scientific data on fingerprints, and Galton\u2019s work laid the theoretical foundation for further practical use of fingerprints in forensics.<\/p>\n<p>Among other things, Sir Francis Galton calculated that fingerprint match probability was \u201cless than 2<sup>36<\/sup>, or one to about sixty-four thousand million\u201d. Forensic experts stick with this value even to this day.<\/p>\n<p>By the way, if you\u2019re into hardcore anatomy or the biological factors behind the uniqueness of fingerprints, here\u2019s a <a href=\"https:\/\/www.cell.com\/action\/showPdf?pii=S0092-8674(23)00045-4\" target=\"_blank\" rel=\"nofollow noopener\">new research paper<\/a> on the subject.<\/p>\n<h2>How reliable are fingerprint sensors?<\/h2>\n<p>Sir Francis\u2019s work and all that stemmed from it, however, relates to the (warm) analog world, covering things like the taking of fingerprints, matching them to those left at, say, a crime scene, and Bob\u2019s your uncle. But things are somewhat different in the (cold) digital reality. 
The quality of digital fingerprint representation depends on multiple factors: type of sensor, its size and resolution, and \u2014 in no small measure \u2014 \u201cimage\u201d post-processing and matching algorithms.<\/p>\n<div id=\"attachment_48310\" style=\"width: 1473px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132655\/fingeprint-brute-force-android-scr-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48310\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132655\/fingeprint-brute-force-android-scr-1.jpg\" alt=\"Comparing a digital fingerprint captured by an optical sensor to an analog fingerprint copy\" width=\"1463\" height=\"880\" class=\"size-full wp-image-48310\"><\/a><p id=\"caption-attachment-48310\" class=\"wp-caption-text\">Fingerprints as they were seen by Sir Francis Galton 150 years ago (left), and by your cutting-edge smartphone\u2019s optical sensor (right). <a href=\"https:\/\/galton.org\/books\/finger-prints\/galton-1892-fingerprints-1up.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a> and <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>And, of course, the developer needs to make the device dirt-cheap (or no one will buy it), achieve split-second authentication (or get overwhelmed by complaints about slow speed), and avoid false negatives at all costs (or the user will discard the whole thing altogether). The result is authentication systems that are not very accurate.<\/p>\n<p>So when referring to sensors used in smartphones, much less optimistic figures are quoted for fingerprint fragment match probability than the famous 1 to 64 billion. For example, Apple estimates the probability for <a href=\"https:\/\/support.apple.com\/HT204587\" target=\"_blank\" rel=\"nofollow noopener\">Touch ID<\/a> at 1 to 50,000. 
So it can be assumed that for budget-friendly sensor models the probability will shrink further by an order of magnitude or two.<\/p>\n<p>This takes us from billions to thousands, which is already within reach for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Brute-force_search\" target=\"_blank\" rel=\"nofollow noopener\">brute-forcing<\/a>. So, the potential hacker is only one obstacle away from the prize: the limit on the number of fingerprint recognition attempts. Normally only five of them are allowed, followed by a prolonged fingerprint authentication lockout period.<\/p>\n<p>Can this obstacle be overcome? Yu Chen and Yiling He give an affirmative reply to that in their study.<\/p>\n<h2>BrutePrint: preparing to brute-force fingerprint-protected Android smartphones<\/h2>\n<p>The researchers\u2019 method is based on a flaw in Android smartphones\u2019 generic fingerprint sensor implementation: none of the tested models encrypted the communication channel between the sensor and the system. This opens up the opportunity for an <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-in-the-middle-attack\/\" target=\"_blank\" rel=\"noopener\">MITM attack<\/a> on the authentication system: with a device connected to the smartphone via the motherboard\u2019s SPI port, one can both intercept incoming messages from the fingerprint sensor, and send one\u2019s own messages by emulating the fingerprint sensor.<\/p>\n<p>The researchers built such a device (pseudo-sensor) and supplemented it with a gadget for automatic clicking on the smartphone\u2019s sensor screen. 
Thus the hardware part was set up to feed multiple fingerprint images to smartphones automatically.<\/p>\n<div id=\"attachment_48309\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132707\/fingeprint-brute-force-android-scr-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48309\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132707\/fingeprint-brute-force-android-scr-2.jpg\" alt=\"Device used for the BrutePrint attack\" width=\"1460\" height=\"800\" class=\"size-full wp-image-48309\"><\/a><p id=\"caption-attachment-48309\" class=\"wp-caption-text\">Device for brute-forcing the fingerprint authentication system. <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>From there, they proceeded to prepare fingerprint specimens for brute-forcing. The researchers don\u2019t disclose the source of their fingerprint database, confining themselves to general speculation as to how attackers might obtain one (research collections, leaked data, their own database).<\/p>\n<p>As a next step, the fingerprint database was submitted to an AI to generate something like a fingerprint dictionary to maximize brute-forcing performance. 
Fingerprint images were adapted by AI to match those generated by the sensors installed on the smartphones participating in the study.<\/p>\n<div id=\"attachment_48308\" style=\"width: 1110px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132724\/fingeprint-brute-force-android-scr-3.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48308\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132724\/fingeprint-brute-force-android-scr-3.jpg\" alt=\"Examples of images generated by fingerprint sensors of different types\" width=\"1100\" height=\"400\" class=\"size-full wp-image-48308\"><\/a><p id=\"caption-attachment-48308\" class=\"wp-caption-text\">Images returned by different types of fingerprint sensors are quite different from one another. <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<h2>The two vulnerabilities underlying BrutePrint: Cancel-After-Match-Fail and Match-After-Lock<\/h2>\n<p>The BrutePrint attack exploits two vulnerabilities. The researchers discovered them in the basic logic of the fingerprint authentication framework which, from the looks of it, comes with all Android smartphones without exception. The vulnerabilities were called Cancel-After-Match-Fail and Match-After-Lock.<\/p>\n<h3>The Cancel-After-Match-Fail vulnerability<\/h3>\n<p><strong>Cancel-After-Match-Fail (CAMF)<\/strong> exploits two important features of the fingerprint authentication mechanism. The first is the fact that it relies on multisampling, meaning that each authentication attempt uses not just one but a series of two to four fingerprint images (depending on the smartphone model). 
The second is the fact that, in addition to <em>fail<\/em>, an authentication attempt can also result in <em>error<\/em> \u2014 and in this case, the process returns to the start without the attempt being counted.<\/p>\n<p>This allows sending a series of images ending in a frame pre-edited to trigger an error. Thus, if one of the images in the series triggers a match, a successful authentication will take place. If not, the cycle will end in an error, after which a new series of images can be submitted without wasting the precious attempt.<\/p>\n<div id=\"attachment_48307\" style=\"width: 1610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132735\/fingeprint-brute-force-android-scr-4.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48307\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132735\/fingeprint-brute-force-android-scr-4.jpg\" alt=\"Cancel-After-Match-Fail fingerprint authentication logic vulnerability diagram\" width=\"1600\" height=\"550\" class=\"size-full wp-image-48307\"><\/a><p id=\"caption-attachment-48307\" class=\"wp-caption-text\">How Cancel-After-Match-Fail works: error gets you back to the starting point without wasting an attempt. <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<h3>The Match-After-Lock vulnerability<\/h3>\n<p>The second vulnerability is <strong>Match-After-Lock (MAL)<\/strong>. The fingerprint authentication logic provides for a lockout period following a failed attempt, but many smartphone vendors fail to correctly implement this feature in their Android versions. So even though successful fingerprint authentication is not possible in lockout mode, one can still submit more and more new images, to which the system will still respond with an honest \u2018true\u2019 or \u2018false\u2019 answer. 
That is, once you detect the correct image, you can use it as soon as the system is out of lockout, thus completing a successful authentication.<\/p>\n<h2>Attacks exploiting Cancel-After-Match-Fail and Match-After-Lock<\/h2>\n<p>The attack exploiting the first vulnerability was successful for all the tested smartphones with genuine Android onboard, but for some reason it didn\u2019t work with <a href=\"https:\/\/en.wikipedia.org\/wiki\/HarmonyOS\" target=\"_blank\" rel=\"nofollow noopener\">HarmonyOS<\/a>. Match-After-Lock was exploited on Vivo and Xiaomi smartphones as well as on both Huawei phones running HarmonyOS.<\/p>\n<div id=\"attachment_48306\" style=\"width: 2210px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132755\/fingeprint-brute-force-android-scr-5.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48306\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132755\/fingeprint-brute-force-android-scr-5.jpg\" alt=\"Table of vulnerability of various smartphones to Cancel-After-Match-Fail and Match-After-Lock\" width=\"2200\" height=\"1500\" class=\"size-full wp-image-48306\"><\/a><p id=\"caption-attachment-48306\" class=\"wp-caption-text\">All the tested smartphones turned out to be vulnerable to at least one attack. <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<p>All Android and HarmonyOS smartphones participating in the study were found to be vulnerable to at least one of the described attacks. This means that all of them allowed an indefinite number of malicious fingerprint authentication attempts.<\/p>\n<p>According to the study, it took from 2.9 to 13.9 hours to hack an Android smartphone authentication system with only one fingerprint registered. 
But for smartphones with the maximum possible number of registered fingerprints for a given model (four for Samsung, five for all the others), the time was greatly reduced: hacking them took from 0.66 to 2.78 hours.<\/p>\n<div id=\"attachment_48305\" style=\"width: 2410px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132818\/fingeprint-brute-force-android-scr-6.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-48305\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2023\/05\/31132818\/fingeprint-brute-force-android-scr-6.jpg\" alt=\"Smartphone hack time using BrutePrint\" width=\"2400\" height=\"1500\" class=\"size-full wp-image-48305\"><\/a><p id=\"caption-attachment-48305\" class=\"wp-caption-text\">Successful BrutePrint attack probability as a function of spent time: one registered fingerprint (solid line) and maximum number of registered fingerprints (dashed line). <a href=\"https:\/\/arxiv.org\/pdf\/2305.10791.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a><\/p><\/div>\n<h2>What about iPhones?<\/h2>\n<p>\nThe Touch ID system used in iPhones turned out to be more resistant to BrutePrint. According to the study, the iPhone\u2019s main advantage is that the communication between the fingerprint sensor and the rest of the system is encrypted. So there\u2019s no way to intercept or to feed the system a prepared fingerprint on a device equipped with Touch ID.<\/p>\n<p>The study points out that iPhones can be partially vulnerable to manipulations used to maximize the number of possible fingerprint recognition attempts. 
However, it\u2019s not as bad as it may sound: while Android smartphones allow the attempts to go on indefinitely, in iPhones the number of attempts can only be increased from 5 to 15.<\/p>\n<p>So iOS users can sleep peacefully: Touch ID is much more reliable than the fingerprint authentication used in both Android and HarmonyOS. On top of that, nowadays most iPhone models use Face ID anyway.<\/p>\n<h2>How dangerous is all this?<\/h2>\n<p>Android smartphone owners shouldn\u2019t be too worried about BrutePrint either \u2014 in practice the attack hardly poses a major threat. There are several reasons for this:<\/p>\n<ul>\n<li>BrutePrint <strong>requires physical access to the device<\/strong>. This factor alone reduces the probability of anything like it happening to you by a great margin.<\/li>\n<li>Moreover, <strong>to pull off the attack one needs to open the device<\/strong> and make use of a specific connector on the motherboard. Doing that without the knowledge of the owner is hardly easy.<\/li>\n<li>Even in the best-case scenario, the attack will <strong>require considerable time<\/strong> \u2014 measured in hours.<\/li>\n<li>And, of course, BrutePrint <strong>requires a peculiar setup<\/strong> \u2014 both hardware- and software-wise \u2014 including custom equipment, a fingerprint database, and a trained AI.<\/li>\n<\/ul>\n<p>Combined, these factors make it extremely unlikely that such an attack could be used in real life \u2014 unless <a href=\"https:\/\/www.theguardian.com\/world\/2023\/apr\/06\/labor-under-pressure-to-ban-use-of-israeli-spyware-in-investigations-of-alleged-welfare\" target=\"_blank\" rel=\"nofollow noopener\">some entrepreneurially-minded folks<\/a> build an easy-to-use commercial product based on the study.<\/p>\n<h2>Protecting Android smartphones against fingerprint brute-forcing<\/h2>\n<p>\nIf, despite the foregoing, you believe you could fall victim to such an attack, here are a few tips on how to protect 
yourself:\n<\/p>\n<ul>\n<li>Register as few fingerprints as possible (ideally just one). The more fingers you use for authentication, the more vulnerable the system becomes to the described tactic as well as <a href=\"https:\/\/www.nytimes.com\/2017\/04\/10\/technology\/fingerprint-security-smartphones-apple-google-samsung.html\" target=\"_blank\" rel=\"nofollow noopener\">other attacks<\/a>.<\/li>\n<li>Don\u2019t forget to use an extra PIN or password protection for apps that have this option.<\/li>\n<li>By the way, the AppLock function available in the paid version of <a href=\"https:\/\/www.kaspersky.co.za\/mobile-security?icid=en-za_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____f1e79fd4d11f58d1\" target=\"_blank\" rel=\"noopener\">Kaspersky for Android<\/a> allows using separate passwords for any of your apps.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-3\">\n","protected":false},"excerpt":{"rendered":"<p>Android fingerprint protection isn&#8217;t that reliable after all: it can be brute-forced even without a copy of your 
fingerprint.<\/p>\n","protected":false},"author":2726,"featured_media":31731,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[105,359,1232,1269,1250,45],"class_list":{"0":"post-31729","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-android","9":"tag-authentication","10":"tag-biometrics","11":"tag-fingerprints","12":"tag-ios","13":"tag-smartphones"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fingerprint-brute-force-android\/31729\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fingerprint-brute-force-android\/25733\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fingerprint-brute-force-android\/21154\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/fingerprint-brute-force-android\/10734\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fingerprint-brute-force-android\/28428\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fingerprint-brute-force-android\/26034\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/fingerprint-brute-force-android\/26420\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fingerprint-brute-force-android\/28907\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fingerprint-brute-force-android\/27811\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fingeprint-brute-force-android\/35440\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fingerprint-brute-force-android\/11484\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fingerprint-brute-force-android\/48303\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fingerprint-brute-force-android\/20718\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/fingerprint-brute-force-android\/21407\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fingerprint-brute-force-android\/30242\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/fingerprint-brute-force-android\/34082\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fingeprint-brute-force-android\/26342\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fingerprint-brute-force-android\/32045\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/biometrics\/","name":"biometrics"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/31729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=31729"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/31729\/revisions"}],"predecessor-version":[{"id":31747,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/31729\/revisions\/31747"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/31731"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=31729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=31729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=31729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}