A Threat to Passkeys? BrutePrint Attack Bypasses Fingerprint Authentication

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Security researchers recently published a paper detailing an attack they say can be used to bypass smartphone fingerprint authentication.

Yiling He of China’s Zhejiang University and Yu Chen of Tencent Security’s Xuanwu Lab are calling the attack BrutePrint, which they say can be used to hijack fingerprint images.

An attack like BrutePrint could present a significant threat to passkeys, an increasingly popular way to replace passwords with authentication methods like fingerprint authentication or face recognition.

And the attack is cheap to carry out. “The adversarial equipment is mainly a printed circuit board (PCB), which is inexpensive and universal,” the researchers wrote. “For specific smartphone models, adaptive flexible printed circuit (FPC) is required. The equipment costs around 15 dollars in total.”

Also read: Google Launches Passkeys in Major Push for Passwordless Authentication

Bypassing Attempt Limits

Simply put, BrutePrint acts as a middleman to bypass any attempt limits and to hijack fingerprint images. “Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint authentication (SFA) framework, and the hijacking leverages the simplicity of SPI [Serial Peripheral Interface] protocol,” the researchers wrote.

The two zero-days leveraged in the attack, either of which can be used to bypass attempt limits, are a Cancel-After-Match-Fail (CAML) flaw and a Match-After-Lock (MAL) flaw. “Instead of an implementation bug, CAMF and MAL leverage logical defects in the authentication framework,” the researchers wrote. “Therefore, it exists across various models and OSes.”

Trying the attack on 10 different smartphone models with updated operating systems, the researchers were able to go three times over the attempt limit on Touch ID – and they successfully enabled unlimited attempts on Android devices, clearing the way for brute-force attacks.

They tested the attacks on the following devices, covering iOS, Android, and HarmonyOS: Apple iPhone SE and iPhone 7, Samsung Galaxy S10+, OnePlus 5T and 7 Pro, Huawei P40 and Mate30 Pro 5G, OPPO Reno Ace, Vivo X60 Pro, and Xiaomi Mi 11 Ultra.

Also read: Mobile Malware: Threats and Solutions

Fingerprint Image Hijacking

For fingerprint image hijacking, the researchers took advantage of a weakness in fingerprint sensors’ SPI protocol to enable man-in-the-middle attacks.

“SFA sensors except Touch ID do not encrypt any data and lack mutual authentication,” they wrote. “Together with the frequency that is possible for injection, the situation leads SFA vulnerable to MITM attack on SPI.”

“Fingerprint image hijacking is feasible on all devices except for Apple, which is the only one that encrypts fingerprint data on SPI,” they added.

BrutePrint fingerprint attack
BrutePrint attack overview

How to Respond to the BrutePrint Threat

To mitigate the CAMF flaw, the researchers recommended an additional error-cancel attempt limit setting – and more importantly, they urged vendors of fingerprint sensors to encrypt key data.

And it’s not just about smartphones – they warned that BrutePrint could also be applied to other biometric systems.

“The unprecedented threat needs to be settled in cooperation of both smartphone and fingerprint sensor manufacturers, while the problems can also be mitigated in OSes,” they wrote. “We hope this work can inspire the community to improve SFA security.”

Read next:

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis