Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizen OC_Formula for the clue delivery! Update: in response to this vulnerability, Huawei officially responded to CTOnews.com that it had released a patch fix in December 2021. According to the update log provided by Huawei's website, CTOnews.com found that the vulnerability affected HarmonyOS version 2.0, numbered CVE-2021-40006, and users who updated to the new system were no longer affected.

Vivo responded to CTOnews.com by saying:

The MAL (Match After Lock) and CAF (Cancel After Failed) vulnerability reports mentioned by XuanWu lab mainly contain two points:

The first point is to inject fingerprint image data used for the attack from the SPI bus through additional hardware devices, that is, to replace / forge the data to be collected from the fingerprint sensor.

Point 2, bypass the limit on the number of errors in fingerprint unlocking, and then attack an unlimited number of times.

The entire attack needs to meet both 1 and 2. In response to point 2 above, vivo phones have fixed this vulnerability in 2021, so vivo phones no longer exist the risks mentioned by the lab.

CTOnews.com, May 23 (Xinhua)-- Tencent Security XuanWu lab and researchers at Zhejiang University have proposed a new attack called "BrutePrint" that can bypass user authentication and control devices by violently cracking fingerprints on Android smartphones.

Brute force attacks rely on repeated attempts to crack codes, keys, or passwords and gain unauthorized access to accounts, systems, or networks. The above researchers cracked mobile phone fingerprints by exploiting two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), and found that the biometric data on the serial peripheral interface (SPI) of the fingerprint sensor was not adequately protected, allowing man-in-the-middle (MITM) attacks to hijack fingerprint images.

▲ source paper "BRUTEPRINT:Expose Smartphone Fingerprint Authentication to Brute-force Attack", which has been published on Arxiv.org, the researchers tested ten common smartphones, made unlimited attempts to crack fingerprints on all Android and Huawei Hongmeng HarmonyOS devices, and made ten additional attempts on iOS devices (a total of 15 attempts).

According to the paper, the idea of the BrutePrint attack is to perform an unlimited number of fingerprint image submissions to the target device until a user-defined fingerprint is matched. Attackers need physical access to the target device to launch BrutePrint attacks, access to fingerprint databases that can be obtained from academic data sets or biometric data leaks, and a device that costs about $15 (CTOnews.com Note: currently about RMB106), as shown in the figure above.

In addition, through the MAL zero-day vulnerability, researchers have successfully bypassed the limit on the number of times to unlock fingerprints, so they can try to unlock them indefinitely on Android / Hongmeng phones, and use the "neural style transfer" system to convert all fingerprint images in the database into sensor scanned images that look like the target device, so they can get closer and closer to the correct fingerprint.

The researchers used 10 devices for cracking tests, including 6 Android phones, 2 Huawei Hongmeng phones and 2 Apple iPhone. Tests show that all devices have at least one flaw, while Android and Hongmeng devices can be cracked by unlimited violence.

Experiments show that when a user registers a fingerprint on the phone, the time it takes to successfully complete the BrutePrint for a vulnerable device is between 2.9 and 13.9 hours. When a user registers multiple fingerprints on the target device, the brute force cracking time decreases to only 0.66 to 2.78 hours, as the possibility of generating a matching image increases exponentially.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.