
Researchers brute-force fingerprints, but passwordless momentum continues

A brute-forcing of fingerprints is possible. You just need a circuit board, the phone, and a fingerprint database.

Just as IT pros figure out how to complexify passwords enough that it will take hackers a literal septillion years to crack them, researchers from Zhejiang University and the Tencent Security Xuanwu Lab have found a way to brute-force the fingerprint.

The proof-of-concept throws some cold water on the popular smartphone security method as orgs begin passwordless implementations.

“Large-scale fingerprint brute-force attack is practical on off-the-shelf smartphones,” said the report (the italics for emphasis are in the report).

How the attack works

  • One needs an easy-to-find circuit board and a less-easy-to-find (but available!) fingerprint database.
  • Unlike password authentication, a fingerprint matches with a reference threshold instead of a specific value—meaning a print can be close enough.
  • The engineers exploited two zero-day vulnerabilities, allowing them to bypass attempt limits and hijack fingerprint images on the sensor’s Serial Peripheral Interface to infer matching results.
  • A “hijacker in the middle” attack achieved both fingerprint-image eavesdropping and replacement.
  • “The shortest time to unlock the smartphone without prior knowledge about the victim is estimated at 40 minutes,” said the team, which evaluated 10 different smartphone models.
  • “For bypassing, we achieve infinite attempts on Android/HarmonyOS devices while making 10 additional attempts on iOS devices. For hijacking, fingerprint image interception and replacement are achieved on all devices except iPhone,” read the report. (The study looked at the iPhone SE (iOS 14.5.1) and Apple iPhone 7 (iOS 14.4.1), as well as six devices using a range of operating systems between Android 8 and Android 11.)
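The bullets above make two points that interact: a threshold match means any sufficiently close print is accepted with some false acceptance rate (FAR) per attempt, and an attacker who can bypass the attempt limit gets to roll that dice as often as they like. The toy model below is an added example, not code from the article or from the BrutePrint report; the FAR of 1 in 50,000 is a constructed figure, and the matcher-side lockout it enforces is an illustration of the defensive principle, not any vendor's implementation.

```python
"""Toy model: threshold matching + attempt limits (added example, not from the page).

Assumption (constructed, not from the article): each candidate image is an
independent trial that is falsely accepted with probability FAR.
"""
import math
from typing import Optional

CONSTRUCTED_FAR = 1 / 50_000  # illustrative per-attempt false acceptance rate


def p_accept_within(far: float, attempts: int) -> float:
    """Probability that at least one of `attempts` trials is falsely accepted."""
    return 1.0 - (1.0 - far) ** attempts


def attempts_for_confidence(far: float, confidence: float) -> int:
    """Smallest number of attempts giving >= `confidence` chance of a false accept.
    Shows what 'infinite attempts' is worth to an attacker versus a hard cap."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - far))


class ThresholdMatcher:
    """Accepts when a similarity score crosses `threshold`; counts attempts so a
    lockout is enforced by the matcher itself, not by an app-level counter that
    a bypass could skip. `max_attempts=None` models unlimited attempts."""

    def __init__(self, threshold: float, max_attempts: Optional[int]):
        self.threshold = threshold
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def try_unlock(self, score: float) -> bool:
        if self.locked:
            return False          # locked matchers reject even a perfect score
        self.attempts += 1
        if score >= self.threshold:
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True    # cap reached: further trials are useless
        return False


def run_dictionary(matcher: ThresholdMatcher, scores) -> bool:
    """Feed candidate similarity scores in order; True if the matcher unlocked."""
    for score in scores:
        if matcher.try_unlock(score):
            return True
        if matcher.locked:
            return False
    return False
```

With the constructed FAR, a 50% chance of a false accept needs on the order of tens of thousands of attempts, which an enforced cap of a few tries turns into well under one in a thousand.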

Prepping for more passwordless. Concerns about password security and password-related data breaches are driving the adoption of passwordless technology such as biometrics and security keys.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Passkeys, an increasingly popular option among organizations, initially require authentication through a biometric characteristic like a fingerprint.

A recent survey from the password management service Bitwarden found that 57% of US respondents said they were excited about passwordless technology, with 49% deploying or planning to deploy; 51% of the organizations adopting passwordless options use biometrics, facial recognition, fingerprints, or voiceprints.

A “BrutePrint”-style attack can be added to the pile of biometric hacks that involve crafty equipment.

  • A $5 method revealed in 2021 used a printed-out Photoshop negative and wood glue to trick commercial scanners.
  • In 2018, an AI-generated “MasterPrint” combined enough partial characteristics from a fingerprint database that it fooled authenticators.
  • One hack even used Play-Doh!

Layered defenses are what keep a system standing when a creative attack takes one component down, said Dan Lohrmann, Field CISO, who recommends fraud prevention software that monitors for suspicious activity, like logins from an unusual location.

Gonen Tiberg, CISO of the presentation-platform startup Demostack, urged the use of risk-based multi-factor authentication (MFA) for sensitive assets and processes. Such “adaptive” options could, for example, send one-time passwords (OTPs) for high-priority transactions.

Given the use of zero-day vulnerabilities, Tiberg also endorsed a classic security best practice: updating software and hardware.

“Companies recognize that the vulnerabilities come along, and they need to keep reinventing how they protect the devices and our data,” Tiberg told IT Brew.
