BrutePrint, an attack that allows bypassing Android's fingerprint protection methods


BrutePrint is a new attack method that exploits flaws in the fingerprint authentication method.

If you thought your mobile device was 100% secure because you enabled one of the layers of protection it offers, let me tell you that you are completely wrong, and in the case of Android things get much worse.

Android has had various bugs across its different versions that allow the screen lock to be bypassed. One of the best known at the time was one where it was simply enough to place a call and from there reach the settings menu; the rest is history.

Another method that caught my attention was bypassing the PIN code protection of the SIM: swap the SIM for one whose PUK code you know, enter the PIN wrong three times, enter the card's PUK code, choose a new PIN, and the phone goes straight to the home screen.

The reason for giving these examples is that news recently came out that a team of researchers from Tencent and Zhejiang University has presented an attack technique called "BrutePrint" that can bypass Android's fingerprint protection methods.

About BrutePrint

Normally, brute-forcing a fingerprint is hindered by a limit on the number of attempts: after several failed unlock attempts, the device suspends biometric authentication or falls back to asking for a password. The proposed attack method allows an unlimited, unrestricted guessing loop.

The attack uses two unpatched vulnerabilities in SFA (Smartphone Fingerprint Authentication), combined with the lack of adequate protection on the SPI protocol.

  • The first vulnerability (CAMF, Cancel-After-Match-Fail) means that if an incorrect checksum is transmitted with the fingerprint data, the verification is aborted at its final stage without a failed attempt being recorded, while the result of the match can still be determined.
  • The second vulnerability (MAL, Match-After-Lock) allows side channels to be used to determine the verification result even when the biometric authentication system has entered temporary lockout after a certain number of failed attempts.
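To make the two flaws concrete, here is a small Python simulation added for this article; it is not code from the BrutePrint paper or from any vendor. The frame format, the CRC-8 checksum, the hash-based matcher, the attempt limit of 5 and the `observed_match` attribute standing in for the SPI side channel are all assumptions. The vulnerable `verify` runs the matcher before checking the last frame's checksum (CAMF) and even while locked (MAL); the hardened variant, also my own design, checks lockout and integrity before the matcher runs. `bruteprint` plays the interposed board: it corrupts the final checksum on each dictionary guess, reads the leaked result, and replays the winning image cleanly, so the failure counter never moves.

```python
"""Toy simulation of the BrutePrint attempt-limit bypass (CAMF and MAL).

Written for this article; not code from the BrutePrint paper or any vendor.
The frame format, CRC-8 checksum, hash-based "matcher", lockout threshold and
the `observed_match` side channel are assumptions standing in for the real
sensor/TEE protocol.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

MAX_ATTEMPTS = 5  # assumed lockout threshold


def crc8(data: bytes) -> int:
    """Assumed per-frame integrity check (CRC-8, polynomial 0x07)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass
class Frame:
    data: bytes
    checksum: int


def make_frames(image: bytes, frame_size: int = 4) -> List[Frame]:
    """Split a fingerprint image into checksummed frames as sent over SPI."""
    chunks = [image[i:i + frame_size] for i in range(0, len(image), frame_size)]
    return [Frame(chunk, crc8(chunk)) for chunk in chunks]


def template(image: bytes) -> str:
    """Stand-in for feature extraction: a hash of the whole image."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Authenticator:
    """TEE-side verifier. hardened=False reproduces the CAMF/MAL ordering."""
    enrolled: Set[str]
    hardened: bool = False
    failures: int = 0
    locked: bool = False
    observed_match: Optional[bool] = None  # what leaks to the bus-tapping board

    def verify(self, frames: List[Frame]) -> str:
        self.observed_match = None
        image = b"".join(f.data for f in frames)
        if self.hardened:
            if self.locked:                 # no matching at all while locked
                return "LOCKED"
            if any(crc8(f.data) != f.checksum for f in frames):
                return "ERROR_CHECKSUM"     # rejected before the matcher runs
            matched = template(image) in self.enrolled
            self.observed_match = matched   # visible, but now it costs an attempt
        else:
            matched = template(image) in self.enrolled
            self.observed_match = matched   # result exists before any bookkeeping
            if self.locked:
                return "LOCKED"             # MAL: matched anyway during lockout
            if crc8(frames[-1].data) != frames[-1].checksum:
                return "ERROR_CHECKSUM"     # CAMF: cancelled, failures untouched
        if matched:
            self.failures = 0
            return "OK"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return "FAIL"


def bruteprint(auth: Authenticator, dictionary: List[bytes]):
    """Dictionary attack: corrupt the last checksum on every guess, watch the leak."""
    attempts = 0
    for image in dictionary:
        frames = make_frames(image)
        frames[-1].checksum ^= 0xFF         # the interposed board alters the last frame
        auth.verify(frames)
        attempts += 1
        if auth.observed_match:             # side channel says this candidate matched
            return auth.verify(make_frames(image)), attempts  # replay it cleanly
        if auth.locked:
            break
    return "GAVE_UP", attempts


# Constructed sample data: a leaked-style dictionary and one enrolled finger.
DICTIONARY = [f"print-{i:02d}".encode() for i in range(40)]
VICTIM = {template(b"print-23")}

if __name__ == "__main__":
    print(bruteprint(Authenticator(VICTIM), DICTIONARY))                 # ('OK', 24)
    print(bruteprint(Authenticator(VICTIM, hardened=True), DICTIONARY))  # ('GAVE_UP', 40)
```

Against the vulnerable verifier the loop finds the enrolled image on the 24th guess with `failures` still at 0; against the hardened one every corrupted frame is rejected before matching, nothing leaks, and clean guesses are counted and lock the device after `MAX_ATTEMPTS`. The `observed_match` attribute abstracts away the actual side channels the researchers read from the SPI bus.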

These vulnerabilities can be exploited by connecting a special board between the fingerprint sensor and the TEE (Trusted Execution Environment) chip. The researchers found a flaw in how the data transmitted over the SPI (Serial Peripheral Interface) bus is protected, which made it possible to get into the transmission channel between the sensor and the TEE, intercept the fingerprints being scanned and replace them with the attacker's own data.

Besides driving the brute-force loop, the SPI connection allows authentication with an available photo of the victim's fingerprint, without having to fabricate a physical replica of it for the sensor.

Once the limit on the number of attempts was removed, a dictionary method was used for the guessing, based on collections of fingerprint images that became public through leaks, for example the biometric authentication databases of Antheus Tecnologia and BioStar, which were compromised at some point.

To work more efficiently with different fingerprint images and increase the probability of a false acceptance (FAR, false acceptance rate), a neural network is used to produce a unified data stream of fingerprints in a format that matches the sensor's, simulating that the data was scanned by the native sensor.

The effectiveness of the attack was demonstrated on 10 Android devices from different manufacturers (Samsung, Xiaomi, OnePlus, Vivo, OPPO, Huawei), on which brute-forcing a fingerprint to unlock the device took from 40 minutes to 36 hours.

The attack requires physical access to the device and connecting special equipment to the board, which costs an estimated $15 to build. The method could be used, for example, to unlock seized, stolen or lost phones.

Finally, if you are interested in knowing more about it, you can check the details at the following link.

