Researchers from Tencent and Zhejiang University in China have unveiled a new attack technique called BrutePrint. The method allows attackers to bypass fingerprint protection on Android-based devices. Normally, a user is allowed only a limited number of attempts to unlock a device with a fingerprint; with BrutePrint, attackers can run an unlimited cycle of attempts. The attack requires physical access to the device and special equipment costing around $15.
The attack was tested on ten different Android devices, including models from Samsung, Xiaomi, OnePlus, Vivo, Oppo, and Huawei. Brute-forcing a matching fingerprint took between 40 minutes and 36 hours. The technique can be used to unlock seized, lost, or stolen phones. It relies on two vulnerabilities in Smartphone Fingerprint Authentication (SFA) frameworks, combined with the lack of adequate protection for data carried over the Serial Peripheral Interface (SPI) protocol. The two vulnerabilities are CAMF (Cancel-After-Match-Fail) and MAL (Match-After-Lock).
To exploit these vulnerabilities, attackers place a special board between the fingerprint sensor and the Trusted Execution Environment (TEE). The researchers found that data transmitted over the SPI bus is not adequately protected. This allowed them to tap into the data channel between the sensor and the TEE, intercept the fingerprint images captured by the sensor, and replace them with their own data, without having to present a fabricated fingerprint to the sensor.
Once the limit on the number of unlock attempts had been bypassed, a dictionary approach using images from leaked fingerprint databases was used to unlock the devices. For example, the biometric authentication provider Antheus Tecnologia suffered such a leak. However, this method is no longer useful once the attack has taken place.
The China-based researchers have demonstrated a significant threat to Android devices with integrated fingerprint sensors. While attacks on fingerprint-protected devices are not new, the BrutePrint technique shows that the protection offered by biometric authentication can be compromised with relatively little effort.