腾讯安全玄武实验室和浙江大学的研究人员披露了一种针对 Android 设备指纹解锁的低成本暴力破解攻击。这种攻击方法被称为 BrutePrint,攻击者需要物理控制设备,利用了两个 0day——其一称为 CAMF (cancel-after-match fail) 其二称为 MAL (match-after-lock)——对智能手机指纹验证(SFA)执行
无限次的暴力破解攻击。攻击者能在最短 45 分钟内破解手机。BrutePrint 的核心设备是一块 15 美元的电路板,包含一个来自意法半导体的微控制器 STM32F412、双向双通道模拟开关 RS2117、8GB 闪存卡、连接手机主板和指纹传感器柔性电路板的板对板连接器。此外还需要一个指纹数据库以加载到闪存卡中。研究人员对 10 款手机测试了漏洞,其中包括小米 Mi 11 Ultra、Vivo X60 Pro、OnePlus 7 Pro、OPPO Reno Ace、Samsung Galaxy S10+、OnePlus 5T、华为 Mate30 Pro 5G, 华为 P40、Apple iPhone SE 和 Apple iPhone 7。结果是 8 款 Android 手机都破解了,其中耗时最长的是 Mi 11(2.78 - 13.89 小时),最短的是三星 Galaxy S10+(0.73 -2.9 小时),苹果手机有匹配限制,并加密了指纹数据,因此没能破解。研究人员认为可通过设置额外的错误取消限制阻止 CAMF 漏洞利用,加密指纹传感器和设备处理器之间传输的数据防止中间人攻击。
注1:发送checksum错的指纹数据,这样系统会认为硬件错误,匹配失败也不会增加失败计数
注2:以上两0day均为2021年已知漏洞。该研究不是发现了新漏洞,只是提出一种利用方式。不清楚此文发布场景
注3:鸿蒙自认为非安卓系统,故单独列出
Translation:
Researchers reveal brute-force attack on Android/HarmonyOS device fingerprint unlocking
Researchers from Tencent Security Xuanwu Lab and Zhejiang University have revealed a low-cost brute-force attack on Android device fingerprint unlocking. This attack is called BrutePrint and requires physical control of the device. It uses two 0-days, known as CAMF (cancel-after-match fail) and MAL (match-after-lock), to carry out unlimited brute-force attacks on smartphone fingerprint authentication (SFA). Attackers can crack a phone in as little as 45 minutes. BrutePrint's core device is a $15 circuit board containing a microcontroller STM32F412 from STMicroelectronics, a bidirectional dual-channel analog switch RS2117, an 8GB flash memory card, and a board-to-board connector that connects to the smartphone motherboard and fingerprint sensor flex circuit board. In addition, a fingerprint database is required to load into flash memory. Researchers tested vulnerabilities in 10 phones, including Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G, Huawei P40, Apple iPhone SE, and Apple iPhone 7. Eight Android phones were cracked, with the longest time taken being Mi 11 (2.78-13.89 hours) and the shortest being Samsung Galaxy S10+ (0.73-2.9 hours). Because Apple encrypts fingerprint data and has matching restrictions, Apple phones were not hacked. Researchers suggest that the CAMF vulnerability can be mitigated with additional error-canceling restrictions, and the data transfer between fingerprint sensors and device processors can be encrypted to prevent man-in-the-middle attacks.
Note 1: Sending checksum data that is incorrect to the fingerprint system makes the system think there is a hardware error, and matching failures will not increase the failure count.
Note 2: Both of the above 0-days are known vulnerabilities in 2021. This study did not discover new vulnerabilities but proposes a specific way to use known ones. It is unclear in what context this article was published.
Note 3: HarmonyOS considers itself a non-Android system.