
The Rise of BrutePrint: How Biometric Bypass Threatens Fingerprint Security


Android Phone Biometric Security Flaw Allows Brute-Force Attacks

Weaknesses in the biometric security architecture of Android phones have been exposed in a recent paper published by two researchers from media giant Tencent and Zhejiang University in China. The researchers demonstrated that, by using two logical vulnerabilities related to how fingerprint sensors and the trusted execution environment (TEE) handle errors, an attacker with physical access to a smartphone can submit an unlimited number of encoded fingerprints, essentially guessing until one works. This technique is called BrutePrint. If the attacker has a copy of a fingerprint database, they can even break into security apps. Researchers Yu Chen and Yiling He warned that fingerprint authentication still needs to be hardened against side-channel attacks, and that this attack technique shows attackers can find a way around these defenses even though smartphones have adopted biometrics and TEEs.

Attack Technique and Limitations

The attack technique is made possible by two vulnerabilities, Cancel After Match Fail (CAMF) and Match After Lock (MAL), which allow attackers unlimited authentication attempts on Android phones and triple the number of attempts, to 15, on iPhones. By connecting a cheap hardware device that can be constructed for about $15, attackers can intercept the signals between the fingerprint sensor on an Android device and the processor. The brute-force attack is only feasible if attackers have physical access to the smartphone for hours and have a copy of the fingerprint database. In the most difficult scenario, with only a single fingerprint enrolled on the device, the attack can take anywhere from 3 to 14 hours, while a greater number of enrolled fingerprints reduces the time significantly. Apple users are not vulnerable to this attack, as the encryption of the channel between the sensor and the secure processor prevented the researchers from eavesdropping on iPhones’ internal communications; on iPhones the technique merely increases the number of attempts before the phone disallows more. Thus, politicians, dissidents, and corporate executives may want to consider it as part of their threat model.
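The defensive lesson behind an error path that bypasses an attempt limit can be shown with a simplified model. This is an added example, not code from the researchers or from Android; the class names, the `errored` flag and the threshold of 5 are assumptions made for illustration. It contrasts a limiter that drops an attempt when an error cancels it with one that charges the attempt before matching.

```python
MAX_ATTEMPTS = 5  # assumed lockout threshold for this model


class FailOpenLimiter:
    """Flawed: an attempt cancelled by an error is never counted."""

    def __init__(self, enrolled: bytes):
        self.enrolled, self.failures = enrolled, 0

    def attempt(self, sample: bytes, errored: bool = False) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if sample == self.enrolled:
            self.failures = 0
            return "unlocked"
        if errored:
            return "cancelled"  # failed match discarded without a count
        self.failures += 1
        return "rejected"


class FailClosedLimiter(FailOpenLimiter):
    """Hardened: the attempt is charged before matching, errors included."""

    def attempt(self, sample: bytes, errored: bool = False) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        self.failures += 1  # charge first, so no exit path skips the count
        if errored:
            return "cancelled"
        if sample == self.enrolled:
            self.failures = 0  # only a clean match resets the counter
            return "unlocked"
        return "rejected"


def attempts_processed(limiter, n: int) -> int:
    """Feed n non-matching constructed samples, each ending in an error."""
    processed = 0
    for i in range(n):
        if limiter.attempt(b"sample-%d" % i, errored=True) == "locked":
            break
        processed += 1
    return processed


if __name__ == "__main__":
    print(attempts_processed(FailOpenLimiter(b"enrolled"), 1000))
    print(attempts_processed(FailClosedLimiter(b"enrolled"), 1000))
```

In the fail-closed version an error can cost a legitimate user an attempt, which is the usability price of making the limit hold on every exit path.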

Biometric Security Weaknesses and Risk Assessment

Fingerprints are not as good as strong passwords, and security professionals know this, but strong passwords are not as usable as authenticating through a quick finger press or swipe. “We all knew this kind of attack was possible, because security is always a tradeoff between convenience and efficacy,” says Bruce Schneier, Chief of Security Architecture at Inrupt, a data security and software firm. However, the attack technique is not a significant risk for the average user, as it would require hours of physical access to a targeted device and a copy of its fingerprint database. It would only be useful if someone wanted to break into specific phones, such as those of politicians, dissidents, and corporate executives. The convenience of having access to fingerprint biometrics outweighs the risks. “Fingerprint access allows us to maintain a level of restriction to our phones but also allows us to get quick access with just a finger swipe,” says Deral Heiland, a principal security researcher in IoT at Rapid7, a vulnerability management firm. While Google should harden its smartphone fingerprint authentication mechanism, the current risk is not high for most users.

Conclusion

While biometric authentication mechanisms provide user convenience, this attack on Android devices emphasizes that biometric security is still in its infancy, and the technology is not as secure as other methods, such as strong passwords. As cyber attackers become more sophisticated, researchers must continue to identify and expose security flaws, and device manufacturers must be vigilant in updating their security protocols to protect against future attacks. While risk-based assessments may differ depending on individual threat models, strong passwords remain the safest way to protect sensitive data. Enterprises and governments using biometric authentication should factor in these vulnerabilities and conduct appropriate risk assessments.
