
BrutePrint: the impact of mobile phone fingerprint vulnerabilities

A novel, low-cost attack technique bypasses biometric safeguards by exploiting two previously unknown vulnerabilities in the smartphone fingerprint authentication framework


Researchers have identified a low-cost method, dubbed "BrutePrint", that brute-forces fingerprints on smartphones to bypass user authentication and take control of the device. The technique defeats the limits placed on the number of failed biometric verification attempts by exploiting two previously unknown vulnerabilities in the smartphone fingerprint authentication framework.

The two flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), exploit logical defects in the authentication framework, which are reachable because fingerprint data is insufficiently protected on the Serial Peripheral Interface (SPI) between the fingerprint sensor and the host. This creates a "hardware-based opportunity to launch man-in-the-middle (MitM) attacks for fingerprint image hijacking", as researchers Yu Chen and Yiling He write in their paper. In practice, BrutePrint sits as a man-in-the-middle between the fingerprint sensor and the Trusted Execution Environment (TEE) that performs the matching.

The goal is to submit an unlimited number of fingerprint images until a match is found. The attack assumes, however, that the adversary already has physical possession of the target device. It also requires a fingerprint database from which to draw candidate images, plus a hardware setup consisting of a microcontroller board and an auto-clicker that can hijack the data sent by the fingerprint sensor; the researchers put the cost of this equipment at as little as $15.

CAMF, the first of the two flaws, abuses the system's fault tolerance: by invalidating the checksum of the fingerprint data, the attacker causes a failed attempt to be cancelled rather than counted, which yields unlimited attempts. MAL, by contrast, exploits a side channel to infer whether a submitted fingerprint image matches on the target device, even after the device has entered lockout mode following too many consecutive failed attempts.

Although Keyguard performs an additional check to prevent unlocking while in lockout mode, the authentication result is still determined by the TEE, the researchers explain. Because a successful result is returned immediately once a matching sample is found, side-channel attacks can infer that result from features such as response time and the number of images acquired.
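To make the two logic flaws concrete, the following is an added example (not code from the paper or from any vendor's fingerprint stack) that models the attempt-limit logic of a TEE matcher in simplified form. The classes, the 100-entry fingerprint dictionary, the lockout threshold of five attempts and the checksum scheme are all hypothetical, and the MAL side channel (response time, number of images consumed) is collapsed into the result the matcher returns. `VulnerableTEE` cancels an attempt without counting it when a frame fails its checksum (CAMF) and keeps answering during lockout (MAL); `HardenedTEE` charges every attempt before inspecting any frame and refuses uniformly once locked.

```python
import hashlib
from dataclasses import dataclass

# Constructed data: real attacks work on sensor images; here a "fingerprint"
# is a short byte string and the dictionary is a hypothetical 100-entry database.
ENROLLED = b"ridge-pattern-0042"
DICTIONARY = [f"ridge-pattern-{i:04d}".encode() for i in range(100)]
MAX_FAILS = 5  # assumed lockout threshold


def checksum(image: bytes) -> bytes:
    """Stand-in for the integrity check the sensor attaches to each image."""
    return hashlib.sha256(image).digest()[:4]


@dataclass
class Frame:
    image: bytes
    crc: bytes  # attacker-controlled once the SPI bus is tapped


def corrupt_crc(image: bytes) -> bytes:
    """A checksum guaranteed not to verify for this image."""
    return bytes(b ^ 0xFF for b in checksum(image))


class VulnerableTEE:
    """Hypothetical flawed matcher: a bad checksum is treated as a sensor glitch
    and the whole authentication is cancelled uncounted (CAMF); results are still
    computed and returned after lockout, leaving Keyguard to ignore them (MAL)."""

    def __init__(self):
        self.fails = 0
        self.locked = False

    def authenticate(self, frames):
        for f in frames:
            if checksum(f.image) != f.crc:
                return "cancel"  # attempt aborted without being charged
            if f.image == ENROLLED:
                return "match"  # returned immediately, even when self.locked
        self.fails += 1
        if self.fails >= MAX_FAILS:
            self.locked = True
        return "fail"


class HardenedTEE:
    """Same interface with both defects closed: lockout is enforced inside the
    TEE before any image is examined, and each attempt is charged up front."""

    def __init__(self):
        self.fails = 0
        self.locked = False

    def authenticate(self, frames):
        if self.locked:
            return "locked"  # uniform answer: no match computed, nothing to infer
        self.fails += 1  # charge the attempt before inspecting frames
        for f in frames:
            if checksum(f.image) != f.crc:
                break  # abort, but the attempt has already been counted
            if f.image == ENROLLED:
                self.fails = 0
                return "match"
        if self.fails >= MAX_FAILS:
            self.locked = True
        return "fail"


def brute_force(tee, limit=1000):
    """CAMF-style dictionary attack: each candidate is followed by a frame with
    a corrupted checksum so that a miss is cancelled instead of counted.
    Returns (matched_image_or_None, attempts_made)."""
    attempts = 0
    for cand in DICTIONARY:
        if attempts >= limit:
            break
        frames = [Frame(cand, checksum(cand)), Frame(b"glitch", corrupt_crc(b"glitch"))]
        attempts += 1
        result = tee.authenticate(frames)
        if result == "match":
            return cand, attempts
        if result == "locked":
            break
    return None, attempts


def lock_out(tee):
    """Drive a matcher into lockout with honest (uncorrupted) failed attempts."""
    for cand in DICTIONARY[:MAX_FAILS]:
        tee.authenticate([Frame(cand, checksum(cand))])
    return tee


def probe_during_lockout(tee):
    """MAL-style probe: does the matcher still reveal a match after lockout?
    Returns the matched image or None."""
    for cand in DICTIONARY:
        if tee.authenticate([Frame(cand, checksum(cand))]) == "match":
            return cand
    return None


if __name__ == "__main__":
    print("CAMF, vulnerable:", brute_force(VulnerableTEE()))
    print("CAMF, hardened:  ", brute_force(HardenedTEE()))
    print("MAL, vulnerable: ", probe_during_lockout(lock_out(VulnerableTEE())))
    print("MAL, hardened:   ", probe_during_lockout(lock_out(HardenedTEE())))
```

Against the vulnerable model the attacker walks the whole dictionary with the failure counter never moving and recovers the enrolled print on the 43rd attempt; against the hardened model the sixth attempt is refused and the probe after lockout learns nothing. The two design points carried over from the paper's description are that the attempt must be charged before the fault-tolerance path can abort it, and that lockout has to be enforced where the match is computed rather than in a layer above it.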

BrutePrint was tested against ten smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi and Vivo, achieving unlimited attempts on Android and HarmonyOS devices and ten additional attempts on iOS devices.

The disclosure coincides with a separate academic finding of a hybrid side channel that exploits the "balance between execution speed (i.e., frequency), power consumption, and temperature" in modern system-on-chips (SoCs) and GPUs to mount "browser-based pixel theft and history sniffing attacks" against Chrome 108 and Safari 16.2.

That attack, named "Hot Pixels", leverages this behaviour to carry out website fingerprinting and to harvest a user's browsing history from JavaScript. It does so by crafting computationally heavy SVG filters that leak pixel colours through rendering-time measurements, recovering the information covertly with up to 94% accuracy.

Apple, Google, AMD, Intel, Nvidia and Qualcomm have acknowledged the issues. The researchers also recommend "restricting SVG filters from being applied to iframes or hyperlinks" and blocking unprivileged access to sensor readings.

BrutePrint and Hot Pixels also follow Google's discovery of ten security flaws in Intel's Trust Domain Extensions (TDX) that could lead to arbitrary code execution, denial-of-service conditions and loss of integrity. Separately, Intel CPUs have been found vulnerable to a side-channel attack that exploits variations in execution time caused by changes to the EFLAGS register during transient execution to decode data without relying on the cache.


05/29/2023 16:29

Editorial AI
