22 May 2023

BrutePrint: A new technique to bypass phone fingerprint authentication


BrutePrint: A new technique to bypass phone fingerprint authentication

A group of Chinese academics have devised a new attack method they dubbed “BrutePrint” that can bypass user authentication on modern smartphones by brute-forcing fingerprints.

The BrutePrint attack involves the exploitation of two security weaknesses called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), which allows to bypass existing security measures.

The researchers found that biometric data stored on fingerprint sensors’ Serial Peripheral Interface (SPI) is susceptible to Man-in-the-Middle (MITM) attacks due to the lack of proper protection, thus enabling threat actors to intercept and hijack fingerprints images.

The technique requires the attacker to have physical access to the target device, access to a fingerprint database, and equipment costing around $15.

According to the researchers, it only takes between 2.9 and 13.9 hours to break a fingerprint using BrutePrint. A series of experiments involving ten Android and iOS devices showed that Android devices were susceptible to unlimited fingerprint attempts, while iOS devices resisted the brute-forcing attacks, as iPhones encrypt fingerprints in SPI.


Back to the list

Latest Posts

Cyber Security Week in Review: April 12, 2024

Cyber Security Week in Review: April 12, 2024

In brief: Microsoft and Palo Alto fix zero-days, Sisense suffers data breach, and more.
12 April 2024
TA547 threat actor targets German orgs with Rhadamanthys info-stealer

TA547 threat actor targets German orgs with Rhadamanthys info-stealer

The group appears to have incorporated LLM-generated PowerShell scripts in their attacks.
11 April 2024
Apple enhances spyware threat notifications

Apple enhances spyware threat notifications

The company will alert users who are individually targeted by mercenary spyware attacks.
11 April 2024