BRUTEPRINT [1]

BRUTEPRINT: Brute-Forcing Fingerprint Authentication

Apple Beats Android for the Vulnerability


In a new paper [1], Chen and He outline the BRUTEPRINT method for conducting a brute-force attack against a smartphone.

In the paper, BRUTEPRINT automates an attack that overcomes the attempt limit and then hijacks fingerprint images. For this, it uses two zero-day vulnerabilities within the smartphone fingerprint authentication (SFA) framework. The authors found that 71% of the spoofs were accepted on 10 smartphones, for applications that involved payments, privacy, and screen locking. These results related to Android devices; it was not possible to compromise iPhones. The shortest time to break into a phone was 40 minutes.

Figure 2 outlines the typical process of fingerprint authentication. First, an image is taken of the finger, along with a check to detect that it is a finger. Next, a base image (the background) is subtracted from this to reveal the ridges of the print. An anti-faking system is then used to check the quality of the scan and that the finger is alive. The result is then compared with the existing finger enrolments, and, if successful, applications will be enabled for…
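The stages above, together with an attempt limit, can be sketched as a toy model. This is an added example, not code from the paper or from any phone vendor. The thresholds, function names and 4x4 "sensor images" are constructed assumptions, liveness is simply passed in as a flag, and charging the counter before any stage runs is a design choice of this sketch.

```python
# Added illustration (not from the paper): toy model of the fingerprint pipeline.
# Thresholds, names and the 4x4 "sensor images" below are constructed assumptions.
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed attempt limit
MATCH_THRESHOLD = 0.9   # assumed fraction of agreeing pixels needed to accept
MIN_CONTRAST = 40       # assumed quality floor after background subtraction

def subtract_background(raw, base):
    """Remove the sensor's base image so only the ridge signal remains."""
    return [[max(r - b, 0) for r, b in zip(rr, br)] for rr, br in zip(raw, base)]

def quality_ok(img):
    """Stand-in for the quality part of the anti-faking stage."""
    flat = [p for row in img for p in row]
    return max(flat) - min(flat) >= MIN_CONTRAST

def similarity(a, b):
    """Fraction of pixels that agree on ridge/valley after binarising each image."""
    def bits(img):
        flat = [p for row in img for p in row]
        return [p > max(flat) / 2 for p in flat]
    ba, bb = bits(a), bits(b)
    return sum(x == y for x, y in zip(ba, bb)) / len(ba)

@dataclass
class Authenticator:
    base: list          # background image of the empty sensor
    enrolled: list      # background-subtracted enrolment templates
    failures: int = 0

    def attempt(self, raw, live=True):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        self.failures += 1               # charge first, so no exit path is free
        img = subtract_background(raw, self.base)
        if not live or not quality_ok(img):
            return "rejected"
        if any(similarity(img, t) >= MATCH_THRESHOLD for t in self.enrolled):
            self.failures = 0            # only a successful match resets the count
            return "accepted"
        return "no-match"

BASE = [[20] * 4 for _ in range(4)]                       # constructed background
FINGER = [[220, 30, 220, 30], [30, 220, 30, 220]] * 2     # constructed enrolled finger
OTHER = [[220, 220, 30, 30]] * 4                          # constructed different print
BLANK = [[20] * 4 for _ in range(4)]                      # nothing on the sensor
```

Enrol with `Authenticator(BASE, [subtract_background(FINGER, BASE)])`; after five non-matching captures, even the enrolled finger returns `"locked"`.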


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
