BrutePrint: The attack that challenges mobile fingerprint security

  • BrutePrint exploits vulnerabilities in fingerprint sensors, especially on Android.
  • It requires physical access and affordable hardware to force unlocking through mass fingerprint testing.
  • Apple phones, thanks to internal encryption, are much more resistant to this type of attack.

What is BrutePrint?

Mobile device security is a fundamental aspect of today's digital life, especially with the rise of biometric authentication methods such as fingerprints. In recent years, many users have placed their trust in these unlocking systems, believing that their uniqueness and difficulty in replicating them offered solid protection against unauthorized access. However, the emergence of new attack techniques has challenged this trust, with BrutePrint being one of the most recent and notable threats.

This methodology, discovered by a team of Chinese researchers, has shown that fingerprint sensors are far from invulnerable: on many smartphones they can be forced with a method that is as ingenious as it is disturbing. In this article we explain, in detail and in plain terms, what BrutePrint is, how it works, what its success depends on, and what it means for the security of today's devices.

Why are fingerprints so popular as protection?

Fingerprints are considered one of the most reliable and distinctive biometric features for digital authentication, since each person has a unique pattern that remains practically constant throughout their life. Technology companies have therefore adopted fingerprint sensors as the primary unlocking method and as a barrier to sensitive information on smartphones and other devices.

Biometric identification using fingerprints has gradually replaced traditional methods such as the PIN or password, as it is fast, convenient and, in theory, hard to circumvent with conventional attacks. That same trust, however, has led cybercriminals to focus on finding flaws and vulnerabilities that let them bypass the system.

Classic attempts to bypass fingerprint sensors: why don't they work in practice?

Until the arrival of BrutePrint, the best-known methods for circumventing fingerprint authentication were mainly physical and quite laborious. Notable among them are making a mold of the victim's fingerprint, or photographing a print left on a surface (such as a phone's glass) at high quality and replicating it in silicone or conductive material. The hacker group Chaos Computer Club has even demonstrated the procedure, but it requires time, prolonged physical access and specialized equipment.

These traditional methods, although possible, are considered impractical in real life, as they involve a complex process and require a perfect image of the right fingerprint, which greatly limits their chances of success outside controlled scenarios or highly targeted attacks. This is where BrutePrint changes the landscape: its approach is digital, automated and potentially applicable to a much wider range of devices.

What exactly is BrutePrint?

BrutePrint is an attack technique designed specifically to exploit vulnerabilities in smartphone fingerprint authentication systems, primarily those running Android. It was presented in 2024 by Yu Chen (Tencent) and Yiling He (Zhejiang University), who demonstrated that it is feasible to force biometric authentication on almost any device, even in circumstances previously thought impossible.

The key to BrutePrint is the concept of a brute-force attack applied to biometric data. Instead of trying to physically replicate the fingerprint, it systematically generates and tests a massive number of fingerprint images until it finds one the target device's sensor accepts. But the method goes further: it exploits specific weaknesses in the architecture of fingerprint readers and their security protocols, which is what makes it particularly effective.

Why can fingerprint sensors be vulnerable?

The effectiveness of the BrutePrint attack rests not on weaknesses in biometrics themselves but on how they are implemented in modern smartphones. There are several reasons why current sensors are susceptible:

  • Sensor quality and type: Not all sensors offer the same accuracy. There are optical, ultrasonic and capacitive sensors, and the cheapest and most widespread are those that trade security for speed or manufacturing cost.
  • Sensor resolution and size: Small, low-resolution sensors do not capture fingerprints as accurately as more advanced models, which widens the authentication system's margin of error.
  • Biometric comparison algorithms: To speed up unlocking and avoid accidental rejections, manufacturers relax the similarity threshold so that small differences are tolerated, which raises the False Acceptance Rate (FAR).
  • Protection of internal communication: Many Android phones do not properly encrypt the channel between the fingerprint sensor and the operating system, making it easy to intercept and manipulate data at that point.

This set of design and production decisions opens the door to attacks like BrutePrint, where a perfect match is not required, but simply finding a fingerprint that is sufficiently similar to overcome the sensor threshold.

BrutePrint step by step: How is the attack executed?

The mechanics of BrutePrint are ingenious, but the attack requires physical access to the target device. The full process involves the following phases:

  • Physical access to the smartphone: The attacker must physically possess the phone, since its hardware has to be tampered with. It could be a stolen, lost or even borrowed phone.
  • Removing and connecting external hardware: The back cover is removed to access the motherboard and the fingerprint sensor's SPI (Serial Peripheral Interface) channel. A printed circuit board (PCB) is connected there, serving as a bridge between the sensor and the phone's CPU.
  • Data injection and Man in the Middle (MITM) attacks: The external circuit intercepts and modifies communication between the sensor and the operating system, allowing the attacker to send fingerprint images from an external database and receive instant responses.
  • Fingerprint database: The attacker uses collections of fingerprints, which may come from leaks, research datasets or AI generation. At this point an AI modifies and adapts the prints to the specific sensor of the attacked device, creating what is called a "fingerprint dictionary."
  • Automatic scan until unlocked: The hardware systematically attacks the sensor by testing the dictionary fingerprints one by one, modifying parameters such as the FAR so that the system accepts less strict matches and, consequently, increasing the probability of success.

The necessary hardware costs only around $15, putting it within reach of groups with technical resources. Tests have shown that unlocking can be achieved in anywhere from 40 minutes to nearly 14 hours, depending on the device and the number of fingerprints the user has enrolled.

Vulnerabilities exploited by BrutePrint

The success of BrutePrint is not a coincidence, but the result of exploiting two vulnerabilities particularly present in Android smartphones:

  • Cancel-After-Match-Fail (CAMF): Many sensors perform multiple captures per authentication attempt. If an error occurs in the final step, the system does not count that attempt as a failure, so the cycle can be repeated indefinitely without ever triggering the attempt-limit lockout.
  • Match-After-Lock (MAL): After several failed attempts, devices normally block access temporarily. On many models, however, even though authentication cannot complete during the lockout period, the system still responds to new images by indicating whether or not they match, so the successful fingerprint can be identified in advance and used as soon as the lockout expires.

In practice, the study showed that all Android and HarmonyOS phones tested were vulnerable to at least one of these flaws, allowing unlimited attempts, or at least many more than the system intended. This weakness is much less common on Apple devices, which we'll discuss later.
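As an added illustration (not code from the researchers or from this article), the following Python toy models a phone's fingerprint attempt counter with the CAMF and MAL behaviours described above, beside a hardened counter that closes both gaps. The images, enrolled templates and the MAX_ATTEMPTS value are constructed assumptions, and `AttemptCounter`, `dictionary_run` and `probe_while_locked` are hypothetical names.

```python
# Added illustration, not code from the BrutePrint paper or this article: a toy
# model of a phone's fingerprint attempt counter with the two flaws the article
# names (CAMF and MAL) next to a hardened counter. Images and enrolled templates
# are constructed integers and "matching" is plain equality.
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # attempt limit before lockout, as the article describes


@dataclass
class AttemptCounter:
    hardened: bool        # False: CAMF + MAL behaviour; True: both fixed
    failures: int = 0
    locked: bool = False

    def attempt(self, image, templates, cancel_after_match=False):
        """Returns 'match', 'no_match', 'cancelled' or 'locked'.
        cancel_after_match models an error injected on the sensor channel
        after the matcher has already produced its verdict."""
        if self.locked:
            if self.hardened:
                return "locked"   # fixed: nothing is matched while locked
            # MAL flaw: the device still answers match/no-match while locked
            return "match" if image in templates else "no_match"
        if image in templates:
            self.failures = 0
            return "match"
        if cancel_after_match and not self.hardened:
            return "cancelled"    # CAMF flaw: a late error means the miss is never counted
        self.failures += 1        # fixed: once the matcher ran, a miss always counts
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return "no_match"


def dictionary_run(counter, dictionary, templates):
    """Feed images one by one, injecting a late cancel each time.
    Returns (number of images the matcher evaluated, accepted image or None)."""
    evaluated = 0
    for image in dictionary:
        result = counter.attempt(image, templates, cancel_after_match=True)
        if result == "locked":
            break
        evaluated += 1
        if result == "match":
            return evaluated, image
    return evaluated, None


def probe_while_locked(counter, dictionary, templates):
    """Trigger lockout with MAX_ATTEMPTS honest misses, then feed the
    dictionary; returns the images the device still reported as matching."""
    for _ in range(MAX_ATTEMPTS):
        counter.attempt(-1, templates)   # -1: constructed image that matches nothing
    return [img for img in dictionary if counter.attempt(img, templates) == "match"]
```

With one enrolled template and a 9,999-image dictionary, the flawed counter lets the whole dictionary be evaluated and still answers while locked, whereas the hardened counter stops after five misses and returns nothing during lockout.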

Automation, AI, and the fingerprint database: the attack dictionary

A differentiating factor of BrutePrint is its use of artificial intelligence to optimize and adapt the prints to different sensors. The initial database can come from a variety of sources, but it is the AI that does the fine-tuning, exploiting the differences in quality and processing power of each sensor model to produce an optimal version of each image.

The automation is such that, once the external hardware is connected, the system prepares the adapted dictionary and launches attempt after attempt until one of the fingerprints is accepted. The whole process runs without human intervention, which reduces both the time needed and the chance of errors.

Comparison between Android, HarmonyOS and iOS: which systems are more vulnerable?

One of the most interesting parts of the study is how device resistance differs by operating system and sensor implementation model. The data collected give very clear results:

  • Android: Most Android phones allow BrutePrint to run unlimited attempts because the communication channel is unencrypted and vulnerabilities such as CAMF and MAL are present. The time needed to crack authentication varies between 40 minutes and 14 hours depending on the number of registered fingerprints (the fewer there are, the harder it is). If the user has registered only one fingerprint, the attack can take several hours; if the maximum allowed number is registered, the process is considerably faster.
  • HarmonyOS: It has similar vulnerabilities to Android, as it shares many sensor implementations and security protocols. The attack is also effective, although some models show partial resistance.
  • iOS (iPhone): Apple devices are the toughest. Their greatest protection is that communication between the fingerprint sensor and the operating system is fully encrypted, which prevents both the injection of external fingerprint data and the interception of the authentication process. However, it has been observed that on some models the attempt limit can be raised from 5 to 15, although the attack is not viable using the same techniques as on Android.

Therefore, while no system is completely invulnerable, the difference between Android and iPhone is substantial, placing Apple models in a much safer position against BrutePrint. Furthermore, it's important to remember that the latest iPhones rely on facial recognition (Face ID) instead of fingerprints, which eliminates this attack vector.

What factors increase the risk of success of BrutePrint?

There are several factors that can make it easier or faster for BrutePrint to compromise a smartphone:

  • Number of fingerprints recorded: The more fingerprints the user stores (fingers from both hands, fingers of relatives, etc.), the greater the range of possible matches and the shorter the time required for the attack.
  • Sensor quality and protection: Cheap, older, or low-resolution sensors tend to have higher tolerance thresholds, which translates into a higher probability of accepting 'similar' fingerprints.
  • Firmware updates: Outdated systems may retain vulnerabilities that have already been fixed in recent firmware or OS versions.

How long does the attack take and what are the chances of success?

The time required for BrutePrint to compromise a device varies depending on the database and the specific model, but estimates range from 40 minutes to nearly 14 hours. If the user only has one registered fingerprint, the attack takes longer, but if the maximum number of available fingerprints is used, the process is considerably shorter, with the phone unlocked in less than an hour in some cases.

The probability of success is high as long as the attacker has prolonged physical access to the device and the technical knowledge needed to assemble the hardware. In fact, every experimental test on the various Android and HarmonyOS models managed to force authentication at some point.

Limitations and requirements for running BrutePrint

Despite being very effective, BrutePrint faces logistical barriers that keep it from being a mass-scale danger to the average user:

  • Physical access to the device: Without direct access to the phone the attack is not viable, which limits it to cases of theft, loss or unsupervised access.
  • Technical knowledge: Although the hardware is affordable, the attacker must have some knowledge of electronics and smartphone disassembly to access the SPI channel and connect to the PCB.
  • Execution time: The hours required to complete the attack can give away the attacker if the phone is monitored or tracking is activated.
  • Database and AI: Access to large collections of fingerprints and to the AI tools that tailor the attack to each sensor is required.

What protective measures exist against BrutePrint?

Although the risk of falling victim to BrutePrint is low for most, several precautions can be taken to make this or similar attacks as difficult as possible:

  • Record as few fingerprints as possible: Limiting authentication to just one finger significantly reduces the attack surface.
  • Regularly update the operating system and firmware: Manufacturers release patches with security improvements and fixes aimed at protecting the sensor's communication channel and closing known vulnerabilities.
  • Restrict physical access to the smartphone: Do not leave the phone unattended or in the hands of strangers.
  • Activate additional protection: Use strong passwords and PINs, and protect sensitive features with app-specific locks or two-step verification where possible.

In addition, cybersecurity experts recommend requiring manufacturers to implement end-to-end encryption in communication between the biometric sensor and the operating system, as well as regularly auditing systems to ensure compliance with good security practices.

Is Apple free of BrutePrint?

The iPhone's Touch ID system has proven much more resistant to BrutePrint and similar attacks, mainly thanks to the encryption of internal communications and the tight hardware-software integration that characterizes Apple products.

While researchers managed to raise the maximum number of allowed attempts on some models from 5 to 15, the attack itself is not as viable as on Android. Additionally, many current iPhones have moved to Face ID (facial authentication), which removes the fingerprint attack vector entirely.

Is BrutePrint a real threat to most users?

The emergence of BrutePrint marks a key turning point in smartphone biometric security, but its practical impact is limited. Among the factors that reduce its danger to the general public are:

  • Need for prolonged physical access: The attack is only feasible if the attacker has access to the phone for hours and in an environment where they can disassemble it without being detected.
  • Equipment requirements and specialized knowledge: Although the hardware is inexpensive, executing the attack is beyond the reach of criminals without some technical training.
  • Long execution time: The hours required may give the victim time to recover the phone or lock it remotely before the attack completes.
  • Progressive correction of vulnerabilities: The publication of BrutePrint has prompted manufacturers and developers to strengthen security and encrypt the communication channel with sensors, progressively reducing the number of vulnerable devices.

Although the threat is very real in high-security environments, espionage, corporate data theft or forensic investigation, where physical access and time can be guaranteed, the risk to the average user is low if appropriate measures are taken.