Here’s how long it takes for a new BrutePrint attack to unlock 10 different smartphones

    Researchers have devised a low-cost smartphone attack that cracks the authentication fingerprint used to unlock the screen and perform other sensitive actions on a range of Android devices in just 45 minutes.

    Dubbed BrutePrint by its creators, the attack requires an adversary to have physical control over a device when it is lost, stolen, temporarily surrendered, or left unattended, such as while the owner is asleep. The goal: gain the ability to perform a brute-force attack that tries a large number of fingerprints until one is found that will unlock the device. The attack exploits vulnerabilities and weaknesses in the device's SFA (smartphone fingerprint authentication).

    BrutePrint overview

    BrutePrint is an inexpensive attack that allows people to unlock devices by exploiting various vulnerabilities and weaknesses in smartphone fingerprint authentication systems. Here is the workflow of these systems, which are commonly abbreviated as SFAs.

    The workflow of a smartphone fingerprint authentication system.

    The core equipment required for BrutePrint is a $15 printed circuit board that contains (1) an STM32F412 microcontroller from STMicroelectronics, (2) a bidirectional, two-channel analog switch known as an RS2117, (3) an SD flash card with 8 GB of memory, and (4) a board-to-board connector that connects the phone’s motherboard to the fingerprint sensor’s flexible circuit board.

    The adversary device at the heart of the BrutePrint attack.

    In addition, the attack requires a database of fingerprints, similar to those used in research or leaked in real-world breaches.

    An overview of the BrutePrint attack.

    Not all smartphones are created equal

    More on how BrutePrint works later. First, an overview of how different phone models fared. In total, the researchers tested 10 models: Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G, Huawei P40, Apple iPhone SE, Apple iPhone 7.

    A list of the tested devices along with various characteristics of the devices.

    The researchers tested each device for various vulnerabilities, weaknesses, or susceptibility to different attack techniques. Attributes examined included the number of samples in multi-sampling, the existence of error-cancelling, hot-plugging support, whether data could be decoded, and the data transmission rate on SPI. In addition, the researchers tested three attacks: attempt-limit evasion, fingerprint image hijacking, and fingerprint brute force.

    Results of various attacks on the various devices tested.

    Finally, the researchers provided results showing how long it took for the fingerprints on different phones to be brute-forced. Because the amount of time depends on the number of prints authorized, the researchers set each to a single print.

    The success rate of several tested devices, with the Galaxy S10+ taking the least amount of time (0.73 to 2.9 hours) and the Mi11 the longest (2.78 to 13.89 hours).

    While the details varied, the result is that BrutePrint can try an unlimited number of authentication fingerprints on all eight Android models tested. Depending on various factors, including the fingerprint authentication framework of a specific phone and the number of fingerprints stored for authentication, the attack takes approximately 40 minutes to 14 hours.