Saturday, March 29, 2025
HomeVulnerability AnalysisBrutePrint - Bruteforce Attack to Bypass User Authentication on Smartphones

BrutePrint – Bruteforce Attack to Bypass User Authentication on Smartphones

Published on

SIEM as a Service

Follow Us on Google News

A novel assault named ‘BrutePrint’ has been unveiled by the joint efforts of Tencent Labs and Zhejiang University researchers, enabling the forceful extraction of fingerprints on contemporary smartphones. 

This method circumvents user authentication, granting unauthorized access and full control over the targeted device.

Chinese researchers successfully bypassed existing security measures on smartphones, such as attempt limits and liveness detection, using two zero-day vulnerabilities, enabling them to perform brute-force attacks and gain unauthorized access to accounts, systems, or networks.

Here below we have mentioned those exploited zero-day vulnerabilities:-

  • Cancel-After-Match-Fail (CAMF)
  • Match-After-Lock (MAL)

BrutePrint Authentication bypass

Furthermore, analysts discovered a concern in protecting biometric data transmitted via the Serial Peripheral Interface (SPI) of fingerprint sensors. 

This inadequacy creates an opportunity for threat actors to perform man-in-the-middle (MITM) attacks, which enables the interception and hijacking of fingerprint images.

A comprehensive assessment was conducted on ten widely used smartphone models to evaluate the effectiveness of both BrutePrint and SPI MITM attacks

The results revealed that these attacks successfully allowed unlimited attempts on all Android and HarmonyOS-based devices from Huawei, while iOS devices exhibited a limited vulnerability with an additional ten attempts possible.

The fundamental concept behind BrutePrint involves carrying out an unrestricted sequence of fingerprint image submissions to the targeted device, persisting until a match is found with the user-defined fingerprint, without any imposed limits on the number of attempts.

By obtaining physical access to the target device, accessing a fingerprint database, and using affordable equipment of $15 approximately, attackers can launch a BrutePrint attack, manipulating the False Acceptance Rate (FAR) to increase the acceptance threshold for fingerprint matches and achieve easier unauthorized access.

BrutePrint exploits the CAMF flaw, injecting a checksum error in the fingerprint data, which bypasses protection systems and allows attackers to attempt infinite fingerprint matches on smartphones without being detected.

Exploiting the MAL vulnerability empowers attackers to deduce the authentication outcomes of the fingerprint images they test on the target device, even when the device is in a “lockout mode” state.

The BrutePrint attack bypasses the lockout mode by utilizing a mechanism called MAL and employs a “neural style transfer” system to modify fingerprint images in the database to resemble the target device’s sensor scans, increasing the likelihood of successful authentication.

Devices Tested Against BrutePrint

Through a series of experiments conducted on a selection of ten Android and iOS devices, the researchers discovered that each device exhibited susceptibility to at least one identified flaw.

While Android devices are vulnerable to brute-forcing attacks due to allowing unlimited fingerprint attempts, iOS devices have robust authentication security measures in place that effectively prevent such attacks.1

The researchers discovered that while certain iPhone models are vulnerable to CAMF, the limited number of fingerprint attempts (up to 15) makes it impractical to brute-force the owner’s fingerprint, and all tested Android devices are susceptible to the SPI MITM attack, except iPhones which encrypt fingerprint data on the SPI, rendering any interception ineffective.

While BrutePrint may appear to have limitations due to the need for prolonged access to the target device, its potential for enabling thieves to unlock stolen devices and extract private data, as well as the ethical concerns and privacy rights implications for law enforcement during investigations, raise significant issues regarding rights violations and the safety of individuals in overpowering countries.

Shut Down Phishing Attacks with Device Posture Security – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging...

Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands

Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed "Morphing Meerkat," that leverages...

New Python-Based Discord RAT Targets Users to Steal Login Credentials

A recently identified Remote Access Trojan (RAT) has raised alarms within the cybersecurity community...

PJobRAT Android Malware Masquerades as Dating and Messaging Apps to Target Military Personnel

PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Google Launches Open-Source OSV-Scanner for Detecting Security Vulnerabilities

Google has announced the launch of OSV-Scanner V2, an open-source tool designed to enhance vulnerability...

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly...

Fortinet FortiOS & FortiProxy Zero-Day Exploited to Hijack Firewall & Gain Super Admin Access

Cybersecurity firm Fortinet has issued an urgent warning regarding a newly discovered zero-day authentication...