BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack

Fingerprint authentication has been widely adopted on smartphones to complement traditional password authentication, making it a tempting target for attackers. The smartphone industry is fully aware of existing threats, and especially for the presentation attack studied by most prior works, the threats are nearly eliminated by liveness detection and attempt limit. In this paper, we study the seemingly impossible fingerprint brute-force attack on off-the-shelf smartphones and propose a generic attack framework. We implement BrutePrint to automate the attack, that acts as a middleman to bypass attempt limit and hijack fingerprint images. Specifically, the bypassing exploits two zero-day vulnerabilities in smartphone fingerprint authentication (SFA) framework, and the hijacking leverages the simplicity of SPI protocol. Moreover, we consider a practical cross-device attack scenario and tackle the liveness and matching problems with neural style transfer (NST). We also propose a method based on neural style transfer to generate valid brute-forcing inputs from arbitrary fingerprint images. A case study shows that we always bypasses liveness detection and attempt limit while 71% spoofs are accepted. We evaluate BrutePrint on 10 representative smartphones from top-5 vendors and 3 typical types of applications involving screen lock, payment, and privacy. As all of them are vulnerable to some extent, fingerprint brute-force attack is validated on on all devices except iPhone, where the shortest time to unlock the smartphone without prior knowledge about the victim is estimated at 40 minutes. Furthermore, we suggest software and hardware mitigation measures.