BrutePrint: bypassing smartphone fingerprint protection

Android fingerprint protection isn’t that reliable after all: it can be brute-forced even without a copy of your fingerprint.

Brute-forcing a fingerprint-protected smartphone

Fingerprint recognition is believed to be a fairly secure authentication method. Publications on different ways to trick the fingerprint sensor do pop up now and again, but all the suggested methods one way or another boil down to physical imitation of the phone owner’s finger — whether using a silicone pad or conductive ink printout. This involves procuring a high-quality image of a finger — and not any finger, mind, but the one registered in the system.

In a nutshell, all these methods come with lots of real-world hassle. But is it possible to do it somehow more elegantly, without leaving the purely digital world and all its benefits? Turns out, it is: Chinese researchers Yu Chen and Yiling He recently published a study on how to brute-force almost any fingerprint-protected Android smartphone. They called the attack BrutePrint.

How unique are fingerprints?

Before we get to investigate our Chinese comrades’ work, briefly — some background theory… To begin with, and you may know this, but fingerprints are truly unique and never alter with age.

Now, way back in 1892, English scientist Sir Francis Galton published a work laconically entitled Finger Prints. In it, he summarized the then-current scientific data on fingerprints, and Galton’s work laid the theoretical foundation for further practical use of fingerprints in forensics.

Among other things, Sir Francis Galton calculated that fingerprint match probability was “less than 236, or one to about sixty-four thousand million”. Forensic experts stick with this value even to this day.

By the way, if you’re into hardcore anatomy or the biological factors behind the uniqueness of fingerprints, here’s a new research paper on the subject.

How reliable are fingerprint sensors?

Sir Francis’s work and all that stemmed from it, however, relates to the (warm) analog world, covering things like the taking of fingerprints, matching them to those left at, say, a crime scene, and Bob’s your uncle. But things are somewhat different in the (cold) digital reality. The quality of digital fingerprint representation depends on multiple factors: type of sensor, its size and resolution, and — in no small measure — “image” post-processing and matching algorithms.

Comparing a digital fingerprint captured by an optical sensor to an analog fingerprint copy

Fingerprints as they were seen by Sir Francis Galton 150 year ago (left), and by your cutting-edge smartphone’s optical sensor (right). Source and Source

And, of course, the developer needs to make the device dirt-cheap (or no one will buy it), achieve split-second authentication (or get overwhelmed by complaints about slow speed), and avoid false negatives at all costs (or the user will discard the whole thing altogether). The result is not very accurate authentication systems.

So when referring to sensors used in smartphones, much less optimistic figures are quoted for fingerprint fragment match probability than the famous 1 to 64 billion. For example, Apple estimates the probability for Touch ID at 1 to 50,000. So it can be assumed that for budget-friendly sensor models the probability will shrink further by an order or two.

This takes us from billions to thousands. Which is already within reach for brute-forcing. So, the potential hacker is only one obstacle away from the prize: the limit on the number of fingerprint recognition attempts. Normally only five of them are allowed, followed by a prolonged fingerprint authentication lockout period.

Can this obstacle be overcome? Yu Chen and Yiling He give an affirmative reply to that in their study.

BrutePrint: preparing to brute-force fingerprint-protected Android smartphones

The researcher’s method is based on a flaw in Android smartphones’ generic fingerprint sensor implementation: none of the tested models encrypted the communication channel between the sensor and the system. This opens up the opportunity for an MITM attack on the authentication system: with a device connected to the smartphone via the motherboard’s SPI port, one can both intercept incoming messages from the fingerprint sensor, and send one’s own messages by emulating the fingerprint sensor.

The researchers built such a device (pseudo-sensor) and supplemented it with a gadget for automatic clicking on the smartphone’s sensor screen. Thus the hardware component part was set up to feed multiple fingerprint images to smartphones in automatic mode.

Device used for the BrutePrint attack

Device for brute-forcing the fingerprint authentication system. Source

From there, they proceeded to prepare fingerprint specimens for brute-forcing. The researchers don’t disclose the source of their fingerprint database, confining themselves to general speculation as to how the attackers might get it (research collections, leaked data, own database).

As a next step, the fingerprint database was submitted to an AI to generate something like a fingerprint dictionary to maximize brute-forcing performance. Fingerprint images were adapted by AI to match those generated by the sensors installed on the smartphones participating in the study.

Examples of images generated by fingerprint sensors of different types

Images returned by different types of fingerprint sensors are quite different from one another. Source

The two vulnerabilities at the bottom of BrutePrint: Cancel-After-Match-Fail and Match-After-Lock

The BrutePrint attack exploits two vulnerabilities. The researchers discovered them in the basic logic of the fingerprint authentication framework which, from the looks of it, comes with all Android smartphones without exception. The vulnerabilities were called Cancel-After-Match-Fail and Match-After-Lock.

The Cancel-After-Match-Fail vulnerability

Cancel-After-Match-Fail (CAMF)

exploits two important features of the fingerprint authentication mechanism. The first is the fact that it relies on multisampling, meaning that each authentication attempt uses not just one but a series of two to four fingerprint images (depending on the smartphone model). The second is the fact that, in addition to fail, an authentication attempt can also result in error — and in this case, there’s a return to the start.

This allows sending a series of images ending in a frame pre-edited to trigger an error. Thus, if one of the images in the series triggers a match, a successful authentication will take place. If not, the cycle will end in an error, after which a new series of images can be submitted without wasting the precious attempt.

Cancel-After-Match-Fail fingerprint authentication logic vulnerability diagram

How Cancel-After-Match-Fail works: error gets you back to the starting point without wasting an attempt. Source

The Match-After-Lock vulnerability

The second vulnerability is Match-After-Lock (MAL). The fingerprint authentication logic provides for a lockout period following a failed attempt, but many smartphone vendors fail to correctly implement this feature in their Android versions. So even though successful fingerprint authentication is not possible in lockout mode, one can still submit more and more new images, to which the system will still respond with an honest ‘true’ of ‘false’ answer. That is, once you detect the correct image, you can use it as soon as the system is out of lockout, thus completing a successful authentication.

Attacks exploiting Cancel-After-Match-Fail and Match-After-Lock

The attack exploiting the first vulnerability was successful for all the tested smartphones with genuine Android onboard, but for some reason it didn’t work with HarmonyOS. Match-After-Lock was exploited on Vivo and Xiaomi smartphones as well as on both Huawei phones running HarmonyOS.

Table of vulnerability of various smartphones to Cancel-After-Match-Fail and Match-After-Lock

All the tested smartphones turned out to be vulnerable to at least one attack. Source

All Android and HarmonyOS smartphones participating in the study were found to be vulnerable to at least one of the described attacks. This means that all of them allowed an indefinite number of malicious fingerprint authentication attempts.

According to the study, it took from 2.9 to 13.9 hours to hack an Android smartphone authentication system with only one fingerprint registered. But for smartphones with the maximum possible number of registered fingerprints for a given model (four for Samsung, five for all the others), the time was greatly reduced: hacking them took from 0.66 to 2.78 hours.

Smartphone hack time using BrutePrint

Successful BrutePrint attack probability as a function of spent time: one registered fingerprint (solid line) and maximum number of registered fingerprints (dashed line). Source

What about iPhones?

The Touch ID system used in iPhones turned out to be more resistant to BrutePrint. According to the study, the iPhone’s main advantage is that the communication between the fingerprint sensor and the rest of the system is encrypted. So there’s no way to intercept or to feed the system a prepared fingerprint on a device equipped with Touch ID.

The study points out that iPhones can be partially vulnerable to manipulations used to maximize the number of possible fingerprint recognition attempts. However, it’s not as bad as it may sound: while Android smartphones allow the party to last forever on and on, in iPhones the number of attempts can only be increased from 5 to 15.

So iOS users can sleep peacefully: Touch ID is much more reliable than the fingerprint authentication used in both Android and HarmonyOS. On top of that, nowadays most iPhone models use Face ID anyway.

How dangerous is all this?

Android smartphone owners shouldn’t be too worried about BrutePrint either — in practice the attack hardly poses a major threat. There are several reasons for this:

  • BrutePrint requires physical access to the device. This factor alone reduces the probability of anything like it happening to you by a great margin.
  • Moreover, to pull off the attack one needs to open the device and make use of a specific connector on the motherboard. Doing that without the knowledge of the owner is hardly easy.
  • Even in the best case scenario, the attack will require considerable time — measured in hours.
  • And, of course, BrutePrint requires a peculiar setup — both hardware and software wise — including custom equipment, a fingerprint database, and trained AI.

Combined, these factors make it extremely unlikely that such an attack could be used in real life — unless some entrepreneurially-minded folks build an easy-to-use commercial product based on the study.

Protecting Android smartphones against fingerprint brute-forcing

If, despite the foregoing, you believe you could fall victim to such an attack, here are a few tips on how to protect yourself:

  • Register as few fingerprints as possible (ideally just one). The more fingers you use for authentication, the more vulnerable the system becomes to the described tactic as well as other attacks.
  • Don’t forget to use an extra PIN or password protection for apps that have this option.
  • By the way, the AppLock function available in the paid version of Kaspersky for Android allows using separate passwords for any of your apps.