BRUTEPRINT: Brute-Forcing Fingerprint Authentication

Apple Beats Android for the Vulnerability

BRUTEPRINT [1]

In a new paper [1], Chen and He outline BRUTEPRINT, a method for conducting a brute-force attack against smartphone fingerprint authentication:

Within the paper, BRUTEPRINT automates an attack that overcomes the attempt limit and then hijacks fingerprint images. For this, it uses two zero-day vulnerabilities within the smartphone fingerprint authentication (SFA) framework. They found that 71% of the spoofs were accepted on 10 smartphones, for applications that involved payments, privacy, and screen locking. These results relate to Android devices; it was not possible to compromise iPhones. The shortest time to break into a phone was 40 minutes.

Figure 2 outlines the typical process of fingerprint authentication. First, an image is taken of the finger, and the sensor also detects that a finger is present. Next, a base image (the background) is subtracted from this to reveal the ridges of the print. An anti-faking system then checks the quality of the scan and that the finger is alive. The result is compared with the existing finger enrolments and, if successful, applications are enabled for use. Overall, fingerprint data manipulation is conducted within a TEE (Trusted Execution Environment) on the device. With Apple devices, this is the Secure Enclave.

Figure 2: Typical fingerprint authentication process [1]

The BRUTEPRINT attack (Figure 3) uses the Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) vulnerabilities, with BRUTEPRINT sitting as a middle-person between the fingerprint sensor and the TEE. With CAMF, the checksum of the fingerprint data is invalidated, and MAL uses a side-channel attack to intercept finger data and replace it with injected data. CAMF thus removes the limit on the number of tries, and MAL then allows incorrect data to be injected into the process.

Figure 3: BRUTEPRINT attack
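To make the attempt-limit point concrete, here is an added Python model of an attempt counter in a fingerprint authenticator. It is not code from the paper or from any vendor's SFA framework; the frame checksum, the enrolled image, the matcher (a digest comparison) and the five-attempt budget are constructed stand-ins. It contrasts two designs: a flawed one that only counts a frame once it has reached the matcher and failed, so a frame cancelled for a bad checksum never consumes an attempt and the matcher keeps running after lock-out, and a hardened one that charges every frame on arrival and refuses to run the matcher at all while locked.

```python
"""Model of an attempt counter in a fingerprint authenticator (constructed
example): a frame that is cancelled before matching must still be counted,
and the matcher must not run once the device is locked."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    MATCH = "match"
    NO_MATCH = "no_match"
    CANCELLED = "cancelled"   # frame rejected before matching (bad checksum)
    LOCKED = "locked"         # attempt budget exhausted


@dataclass
class Frame:
    """A fingerprint frame as the sensor would deliver it: image plus checksum."""
    image: bytes
    checksum: int

    @staticmethod
    def checksum_of(image: bytes) -> int:
        return sum(image) & 0xFFFF          # toy checksum, an assumption

    @classmethod
    def build(cls, image: bytes) -> "Frame":
        return cls(image, cls.checksum_of(image))

    def checksum_ok(self) -> bool:
        return self.checksum == self.checksum_of(self.image)


@dataclass
class Authenticator:
    template_digest: bytes      # digest of the enrolled image (constructed)
    hardened: bool = False
    max_attempts: int = 5
    failures: int = 0
    locked: bool = False
    matcher_runs: int = 0       # how often the matcher was actually invoked

    def _match(self, image: bytes) -> bool:
        self.matcher_runs += 1
        return hashlib.sha256(image).digest() == self.template_digest

    def attempt(self, frame: Frame) -> Result:
        if self.locked:
            if self.hardened:
                return Result.LOCKED        # matcher is never reached while locked
            # flawed: lock-out only gates the user-visible error; the matcher
            # still runs and its verdict is still observable
            return Result.MATCH if self._match(frame.image) else Result.LOCKED
        if self.hardened:
            # charge the attempt the moment it arrives, before any validation,
            # so a cancelled frame consumes budget like any other
            self.failures += 1
            if self.failures > self.max_attempts:
                self.locked = True
                return Result.LOCKED
        if not frame.checksum_ok():
            # flawed path: the attempt is cancelled but never counted
            return Result.CANCELLED
        if self._match(frame.image):
            self.failures = 0
            return Result.MATCH
        if not self.hardened:
            # flawed: only a frame that reached the matcher and failed is counted
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.locked = True
        return Result.NO_MATCH


def run_scenario(hardened: bool) -> dict:
    """Feed one authenticator a fixed sequence of frames and report what happened."""
    enrolled = b"constructed-enrolled-finger-image"
    other = b"constructed-non-enrolled-finger-image"
    auth = Authenticator(hashlib.sha256(enrolled).digest(), hardened=hardened)

    # Phase 1: 20 frames whose checksum does not validate (one bit flipped)
    bad = Frame(other, Frame.checksum_of(other) ^ 1)
    phase1 = [auth.attempt(bad) for _ in range(20)]
    locked_after_phase1 = auth.locked

    # Phase 2: 5 well-formed frames of a non-enrolled finger
    phase2 = [auth.attempt(Frame.build(other)) for _ in range(5)]

    # Phase 3: one well-formed frame of the enrolled finger, device now locked
    final = auth.attempt(Frame.build(enrolled))

    return {
        "phase1_cancelled": phase1.count(Result.CANCELLED),
        "locked_after_phase1": locked_after_phase1,
        "phase2_locked": phase2.count(Result.LOCKED),
        "final": final.value,
        "matcher_runs": auth.matcher_runs,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "flawed  ", run_scenario(mode))
```

In the flawed design all 20 bad-checksum frames come back as cancelled with the counter still at zero, and once the device finally locks after five real mismatches the matcher still runs and reports a match for the enrolled finger. In the hardened design the budget is exhausted after five frames regardless of their checksum, every later frame is answered with a constant "locked" result, and the matcher is never invoked at all.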

In order to bypass the authentication system, the research team added additional hardware to the device (Figure 4). The total cost of the hardware was less than $15.

Figure 4: Additional hardware for the hack [1]

As seen in Figure 5, most devices have a five-attempt lock-out feature. Most of the Android devices used an optical scanner, while Apple iPhone devices use a capacitive one.

Figure 5: Lock-out attempts and sensor types for the tested devices [1]

Each type of sensor produces a different image from the scan (Figure 6). We see that the capacitive one provides good detail of the finger.

Figure 6: Images from fingerprint scans [1]

In terms of results (Figure 7), the team found that they could bypass authentication on a range of Android devices, but could not on iPhones. The CAMF implementation allowed them an unlimited number of tries on Android, while on the iPhone it only extended the limit to 15.

Figure 7: Results [1]

Conclusions

And, so, we have moved much of our trusted processing into a TEE or secure enclave. Unfortunately, if the information is intercepted before it gets there, it is possible to interfere with the data, and thus bypass fingerprint authentication. And, if it was not known already, Apple often provides enhanced security with its secure enclaves. This extends to their laptops and iPads, too.

References

[1] Chen, Y., & He, Y. (2023). BRUTEPRINT: Expose Smartphone Fingerprint Authentication to Brute-force Attack. arXiv preprint arXiv:2305.10791.