Researchers have discovered how to bypass fingerprint locks on Android phones with a brute force attack. The attack would be ineffective on iOS devices.

We tend to think that if our Android phones are lost or stolen, a fingerprint lock ensures the security of the sensitive data they contain. But Chinese researchers have found a way to break through this protection using a brute force attack.

Researchers from Tencent Labs and Zhejiang University have found that they can bypass a fingerprint lock on Android smartphones using a brute force attack, which is when a large number of attempts are made to discover a password, code, or other form of security protection.

To protect against brute force attacks, Android phones usually come with safeguards such as a limit on the number of attempts a user can make, as well as liveness detection. But the researchers circumvented these measures by using zero-day vulnerabilities called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

It was discovered that the biometric data on the serial peripheral interface (SPI) of the fingerprint sensors was not fully protected, allowing a man-in-the-middle (MITM) attack to steal the fingerprints.

The researchers tested the brute-force attack, called BrutePrint, on ten popular smartphone models. They were able to make an unlimited number of fingerprint login attempts on Android and HarmonyOS (Huawei) phones. iOS devices fared much better, only allowing 10 more attempts on the iPhone SE and iPhone 7, for a total of 15 attempts, which isn’t enough for a brute force attack.

All Android devices were vulnerable to the MITM SPI attack, but it was ineffective against iPhones.

According to the analysis, BrutePrint can hack a device with a single enrolled fingerprint in 2.9 to 13.9 hours. Devices with multiple enrolled fingerprints are easier to hack because an attacker is more likely to find a match, so the time drops to between 0.66 hours and 2.78 hours.
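Why the attempt limit is the control that matters, and why extra enrolled fingerprints shorten the attack, shown as an added Python model that is not from the article or the researchers' paper. The false accept rate of 1 in 50,000 per comparison and the independence of attempts are assumptions chosen for illustration; the caps of 5 and 15 correspond to the iPhone figures above.

```python
import math

# Assumption for illustration only (not a figure from the article):
# each comparison against one enrolled template falsely accepts at this rate.
ASSUMED_FAR = 1 / 50_000


def per_attempt_match(enrolled: int, far: float = ASSUMED_FAR) -> float:
    """Chance one submitted image matches at least one of `enrolled` templates."""
    return 1.0 - (1.0 - far) ** enrolled


def p_unlock(attempts: int, enrolled: int, far: float = ASSUMED_FAR) -> float:
    """Chance of at least one false accept in `attempts` independent tries."""
    p = per_attempt_match(enrolled, far)
    return -math.expm1(attempts * math.log1p(-p))


def attempts_needed(target: float, enrolled: int, far: float = ASSUMED_FAR) -> int:
    """Tries required before the false-accept chance reaches `target`."""
    p = per_attempt_match(enrolled, far)
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def compare(caps=(5, 15), enrolled_counts=(1, 5)):
    """Rows of (enrolled, cap, risk with cap enforced, tries for 50% with no cap)."""
    rows = []
    for n in enrolled_counts:
        for cap in caps:
            rows.append((n, cap, p_unlock(cap, n), attempts_needed(0.5, n)))
    return rows


if __name__ == "__main__":
    for n, cap, risk, tries in compare():
        print(f"enrolled={n} cap={cap:>2} risk_with_cap={risk:.4%} "
              f"tries_for_50%_if_uncapped={tries}")
```

With the cap enforced the false-accept chance stays a small fraction of a percent; once the cap can be bypassed, the number of tries needed shrinks roughly in proportion to the number of enrolled fingerprints.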


The good news is that it’s not the easiest attack to pull off. It requires not only physical access to the target phone and some time, but also access to a fingerprint database of leaked biometrics or university datasets. Hardware is also needed, although it only costs about $15. However, this technique can be used by law enforcement and state-sponsored actors.

Source: BRUTEPRINT: Expose smartphone fingerprint authentication to a brute force attack
