Researchers from Tencent Labs and Zhejiang University have found that they can bypass a fingerprint lock on Android smartphones using a brute force attack, which is when a large number of attempts are made to discover a password, code, or other form of security protection.
To protect against brute force attacks, Android phones usually come with safeguards such as a limit on the number of attempts a user can make, as well as liveness detection. The researchers circumvented these measures using two zero-day vulnerabilities they call Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
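The attempt-limit bypass described above, as an added illustration that is not code from the article or from the BrutePrint paper: a toy attempt counter whose failure bookkeeping can be dodged, beside a hardened one. The internals of the real CAMF and MAL bugs are only assumed here in the abstract (an attempt cancelled before the fail result is recorded is never counted; matching that keeps running after lockout still answers), and all names, the threshold and the candidate list are constructed for the example.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 5                 # lockout threshold, chosen for this example
ENROLLED = {"template-A"}        # constructed stand-in for the enrolled fingerprint


@dataclass
class NaiveMatcher:
    """Counts a failure only when the fail result is delivered; never consults lockout."""
    fails: int = 0

    def attempt(self, candidate: str, cancel_on_fail: bool = False):
        matched = candidate in ENROLLED
        if not matched and cancel_on_fail:
            return None          # CAMF-style: attempt cancelled, counter untouched
        if not matched:
            self.fails += 1
        return matched           # MAL-style: keeps answering beyond the threshold


@dataclass
class HardenedMatcher:
    """Charges the attempt before matching and refuses to match once locked out."""
    fails: int = 0

    def attempt(self, candidate: str, cancel_on_fail: bool = False):
        if self.fails >= MAX_ATTEMPTS:
            return "locked"      # no comparison is run, so no result can leak
        self.fails += 1          # charged up front: cancelling cannot undo it
        matched = candidate in ENROLLED
        if matched:
            self.fails = 0       # a genuine success resets the budget
        return None if (not matched and cancel_on_fail) else matched


def run(matcher, candidates, cancel_on_fail):
    """Feed candidates in order; report how many were actually compared and whether one matched."""
    compared = found = 0
    for c in candidates:
        r = matcher.attempt(c, cancel_on_fail)
        if r != "locked":
            compared += 1
        if r is True:
            found = 1
    return {"compared": compared, "fails": matcher.fails, "found": bool(found)}


# Constructed input: twenty wrong templates followed by the enrolled one.
CANDIDATES = [f"wrong-{i}" for i in range(20)] + ["template-A"]
```

With the naive counter every candidate is compared and the enrolled template is eventually found whether or not attempts are cancelled; the hardened counter stops comparing after the fifth attempt in both modes.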
It was discovered that the biometric data on the serial peripheral interface (SPI) of the fingerprint sensors was not fully protected, allowing a man-in-the-middle (MITM) attack to steal the fingerprints.
The researchers tested the brute-force attack, called BrutePrint, on ten popular smartphone models. They were able to make an unlimited number of fingerprint login attempts on Android and HarmonyOS (Huawei) phones. iOS devices fared much better, only allowing 10 more attempts on the iPhone SE and iPhone 7, for a total of 15 attempts, which isn’t enough for a brute force attack.
All Android devices were vulnerable to the MITM SPI attack, but it was ineffective against iPhones.
According to the analysis, BrutePrint can break into a device with a single enrolled fingerprint in 2.9 to 13.9 hours. Devices with multiple enrolled fingerprints are easier to break into because an attacker is more likely to find a match, so the time drops to between 0.66 and 2.78 hours.
The good news is that it is not the easiest attack to pull off. It requires not only physical access to the target phone and some time, but also a fingerprint database, whether of leaked biometrics or from academic datasets. Hardware is also needed, although it costs only about $15. Even so, the technique is within reach of law enforcement and state-sponsored actors.
Source: BRUTEPRINT: Expose smartphone fingerprint authentication to a brute force attack
And you?
What do you think about it? Do you find this information useful and relevant?
What do you think are the possible implications of these findings?
How would you rate the effectiveness of fingerprint locks on Android devices, in light of these researchers’ findings?
See also
An Android phone owner accidentally finds a way to bypass the lock screen and receives $70,000 from Google for reporting the problem