Researchers have unearthed an inexpensive attack method known as BrutePrint, which enables the brute-forcing of fingerprints on smartphones, ultimately bypassing user authentication and gaining control of the devices.
This technique exploits two zero-day vulnerabilities, called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), within the smartphone fingerprint authentication (SFA) framework. These vulnerabilities stem from logical defects in the authentication system, which arise due to insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.
BrutePrint functions as a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking," as explained by researchers Yu Chen and Yiling He in their research paper. Essentially, it acts as an intermediary between the fingerprint sensor and the Trusted Execution Environment (TEE).
The primary objective of BrutePrint is to allow an unlimited number of fingerprint image submissions until a match is found. However, it assumes that the threat actor already possesses the target device in question.
Furthermore, executing this attack necessitates the adversary having access to a fingerprint database, as well as a setup comprising a microcontroller board and an auto-clicker capable of intercepting data transmitted by a fingerprint sensor. Surprisingly, the attack can be carried out for as low as $15.
One of the vulnerabilities enabling this attack is CAMF, which abuses the framework's fault-tolerance handling: invalidating the fingerprint data checksum cancels the attempt, granting the attacker unlimited tries.
The second vulnerability, MAL, exploits a side-channel to deduce matches of fingerprint images on target devices, even if the device enters a lockout mode following multiple login attempts.
"While the lockout mode is checked in Keyguard to prevent unlocking, the authentication result is determined by TEE," elucidated the researchers. "Since a successful authentication result is immediately returned upon finding a match, side-channel attacks can infer the result from behaviors like response time and the number of acquired images."
BrutePrint was tested against ten smartphone models from various manufacturers, including Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo. The evaluation revealed that the attack allowed infinite attempts on Android and HarmonyOS devices, and an additional ten attempts on iOS devices.
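To make the two logic flaws concrete from the defender's side, here is a simplified model of attempt accounting in a fingerprint matcher, written for this article and not taken from the paper or any vendor; the state machine, class names and the lockout threshold are assumptions. The vulnerable version cancels bad-checksum attempts without counting them (CAMF) and reports a match even after the caller's lockout threshold (MAL); the hardened version counts every acquisition and enforces lockout where matching happens.

```python
from dataclasses import dataclass

MAX_FAILURES = 5  # assumed lockout threshold; real devices vary


@dataclass
class Attempt:
    checksum_ok: bool  # False models a CAMF-style invalidated checksum
    matches: bool      # True if the image matches an enrolled template


class VulnerableAuthenticator:
    """Lockout is checked only by the caller (Keyguard); the matcher still
    runs, and a checksum failure cancels the attempt without counting it."""

    def __init__(self) -> None:
        self.failures = 0

    def authenticate(self, a: Attempt) -> str:
        if not a.checksum_ok:
            return "cancelled"  # CAMF: no failure recorded, retries unlimited
        if a.matches:
            return "match"      # MAL: reported even past the lockout threshold
        self.failures += 1
        return "no-match"


class HardenedAuthenticator:
    """Every acquisition counts toward lockout, and lockout is enforced where
    matching happens, so the result cannot leak once the threshold is hit."""

    def __init__(self) -> None:
        self.failures = 0

    def authenticate(self, a: Attempt) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"     # fail closed before any matching work is done
        self.failures += 1      # count first; only a genuine match resets it
        if not a.checksum_ok or not a.matches:
            return "rejected"   # one uniform result for both failure kinds
        self.failures = 0
        return "match"


def outcome_after_failures(auth, count: int, checksum_ok: bool) -> str:
    """Submit `count` non-matching images (valid or invalidated checksums),
    then one matching image, and return the matcher's verdict on the match."""
    for _ in range(count):
        auth.authenticate(Attempt(checksum_ok=checksum_ok, matches=False))
    return auth.authenticate(Attempt(checksum_ok=True, matches=True))
```

With the vulnerable matcher, a thousand invalidated-checksum submissions leave the failure counter at zero, and a match is still reported after the threshold of real failures; the hardened matcher returns "locked" in both cases.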
Meanwhile, a group of academics has disclosed a hybrid side-channel attack exploiting the tradeoff between execution speed, power consumption, and temperature in modern system-on-chips (SoCs) and GPUs. This attack, named Hot Pixels, facilitates browser-based pixel stealing and history sniffing attacks against Chrome 108 and Safari 16.2.
Apple, Google, AMD, Intel, Nvidia, and Qualcomm have acknowledged these issues. The researchers have suggested measures such as prohibiting the application of SVG filters to iframes or hyperlinks, as well as preventing unprivileged access to sensor readings.
Furthermore, BrutePrint and Hot Pixels join Google's recent discovery of ten security vulnerabilities in Intel's Trust Domain Extensions (TDX), which could result in arbitrary code execution, denial-of-service situations, and loss of integrity.
On a related note, Intel CPUs have also been identified as vulnerable to a side-channel attack that leverages changes in execution time caused by modifying the EFLAGS register during transient execution to decode data without relying on the cache.
According to our cyber security expert and founder of Heritage Cyber World, Mr. Dhruv A. Pandit, the following are the preventions and remediations we can follow:
- Use a strong passcode or PIN in addition to fingerprint authentication; this adds an extra layer of security and makes it more difficult for attackers to gain unauthorized access through brute-force methods.
- Keep the smartphone's operating system updated and configured to use the latest security features and enhancements for fingerprint authentication.
- Enable MFA wherever possible to add an extra layer of security. This requires users to provide additional authentication factors, such as a unique code sent to their mobile device or a biometric scan.
- Enable remote wipe capabilities on smartphones so that in the event of a lost or stolen device, sensitive data can be erased remotely to prevent unauthorized access.
- Implement mechanisms that lock or disable fingerprint authentication after a certain number of failed attempts. This discourages attackers from persistently trying different fingerprint combinations.
- Avoid password reuse and be cautious of phishing attempts. Educate users on the risks and consequences of brute-force attacks.
- Don’t provide a piece of biometric information without carefully considering the need to do so, investigating the security in place, and determining the track record of any entity asking you to provide it.