Android Phones are Vulnerable to Fingerprint Brute-Force Attacks (June 8th, 2023)

Ref# AL2023_44 | Date: Jun 8th 2023

Description  

Researchers at Tencent Labs and Zhejiang University have discovered a new attack called “BrutePrint”. It brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device. Brute-force attacks rely on many trial-and-error attempts to guess a code, key, or password and gain unauthorized access to accounts, systems, or networks. 

Details 

Chinese researchers managed to overcome existing safeguards on smartphones, like attempt limits and liveness detection that protect against brute-force attacks, by exploiting what they claim are two zero-day vulnerabilities known as Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). 

It was also found that biometric data on the fingerprint sensors' Serial Peripheral Interface (SPI) was inadequately protected, allowing a man-in-the-middle (MITM) attack to hijack fingerprint images. BrutePrint and the SPI MITM attack were tested against ten popular smartphone models, including the iPhone 7, iPhone SE, Huawei P40 and Samsung Galaxy S10+, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices. On iOS, authentication security is much more robust, effectively preventing brute-force attacks. Although the researchers found that the iPhone SE and iPhone 7 are vulnerable to CAMF, they could only increase the fingerprint tryout count to 15, which is not enough to brute-force the owner's fingerprint. 

The aim of BrutePrint is to submit an unlimited number of fingerprint images to the target device until one matches the user-enrolled fingerprint. To launch a BrutePrint attack, the attacker needs physical access to the target device, a fingerprint database (which can be acquired from academic datasets or biometric data leaks), and equipment that costs only a small amount of cash. 

Unlike password cracking, where the input must equal a specific stored value, fingerprint matching accepts any sample whose similarity score crosses a reference threshold, so attackers may manipulate the False Acceptance Rate (FAR) to increase the acceptance threshold and create matches more easily. 

BrutePrint sits between the fingerprint sensor and the Trusted Execution Environment (TEE) and exploits the CAMF flaw to manipulate the multi-sampling and error-canceling mechanisms of fingerprint authentication on smartphones. CAMF injects a checksum error into the fingerprint data to stop the authentication process at a premature point. This allows the attackers to try out fingerprints on the target device while its protection systems do not register the failed attempts, giving them infinite tries. 

The MAL flaw enables the attackers to deduce authentication results of the fingerprint images they try on the target device, even if the latter is in “lockout mode.” The lockout mode is a protection system activated after a certain number of failed consecutive unlock attempts. During the lockout “timeout,” the device should not accept unlocking attempts, but MAL helps to bypass this restriction. 
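The two flaws above are both ordering defects in the matcher's bookkeeping. The following toy model is an added example (not code from the researchers, the advisory or any vendor, and all names and values in it are constructed): a vulnerable matcher that evaluates the sample before charging the attempt or checking lockout, beside a hardened ordering of the same steps.

```python
from dataclasses import dataclass

MAX_FAILS = 5  # assumed lockout threshold (constructed value)


@dataclass
class Matcher:
    enrolled: set            # constructed "templates": raw sample bytes
    hardened: bool
    fails: int = 0

    def locked(self) -> bool:
        return self.fails >= MAX_FAILS

    def attempt(self, sample: bytes, checksum_ok: bool = True) -> str:
        if self.hardened:
            # Lockout is checked first, the attempt is charged before any
            # early exit, and only a genuine match clears the counter, so a
            # cancelled or corrupted sample costs the same as a plain miss.
            if self.locked():
                return "locked"
            self.fails += 1
            if checksum_ok and sample in self.enrolled:
                self.fails = 0
                return "match"
            return "error"          # one code for no-match and cancel alike
        # Vulnerable ordering: match first, bookkeeping last.
        matched = sample in self.enrolled
        if self.locked():
            # MAL-style leak: the lockout reply still reveals the outcome.
            return "locked-match" if matched else "locked-nomatch"
        if not checksum_ok:
            # CAMF-style: the checksum error aborts before the miss is counted.
            return "cancelled"
        if matched:
            self.fails = 0
            return "match"
        self.fails += 1
        return "fail"


def misses_until_lockout(matcher: Matcher, corrupt_checksum: bool, limit: int = 50) -> int:
    """Submit constructed non-matching samples and report how many the
    matcher evaluated before it locked; returning `limit` means it never did."""
    for i in range(limit):
        if matcher.locked():
            return i
        matcher.attempt(b"wrong-%d" % i, checksum_ok=not corrupt_checksum)
    return limit
```

With corrupted checksums the vulnerable matcher never locks, while the hardened one locks after MAX_FAILS submissions and answers every post-lockout sample with the same code.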

The final component of the BrutePrint attack is a “neural style transfer” system that transforms all fingerprint images in the database to look as though the target device's sensor scanned them. This makes the images appear valid and thus gives them a better chance of success. In the end, the experiments showed that the time needed to complete BrutePrint successfully against vulnerable devices ranges between 2.9 and 13.9 hours when the user has enrolled one fingerprint. 

When multiple fingerprints are enrolled on the target device, the brute-forcing time drops to just 0.66 to 2.78 hours as the likelihood of producing matching images increases exponentially. BrutePrint may not seem like a formidable attack due to requiring prolonged access to the target device. However, this perceived limitation should not undermine its value for criminals and law enforcement. This would allow criminals to unlock stolen devices and extract valuable private data freely. The latter scenario raises questions about privacy rights and the ethics of using such techniques to bypass device security during investigations which constitutes a rights violation in certain jurisdictions and could undermine the safety of certain people living in oppressive countries. 

Remediation 

  1. Implement two-factor authentication. 

  2. Limit login attempts. 

  3. Use CAPTCHAs. 

  4. Restrict access to authentication URLs (Uniform Resource Locators).  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 
