Researchers from Tencent Labs and Zhejiang University have found that they can bypass a fingerprint lock on Android smartphones using a brute force attack, which is when a large number of attempts are made to discover a password, code, or other form of security protection.
To protect against brute force attacks, Android phones usually come with safeguards such as limiting the number of attempts a user can make, as well as activity detection. But the researchers circumvented these measures by using zero-day vulnerabilities called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
It was discovered that the biometric data on the serial peripheral interface (SPI) of the fingerprint sensors was not fully protected, allowing a man-in-the-middle (MITM) attack to steal the fingerprints.
The researchers tested the brute-force attack, called BrutePrint, on ten popular smartphone models. They were able to make an unlimited number of fingerprint login attempts on Android and HarmonyOS (Huawei) phones. iOS devices fared much better, only allowing 10 more attempts on the iPhone SE and iPhone 7, for a total of 15 attempts, which isn’t enough for a brute force attack.
All Android devices were vulnerable to the MITM SPI attack, but it was ineffective against iPhones
According to the analysis, BrutePrint can hack a device with a single fingerprint in 2.9 to 13.9 hours. Devices with multiple fingerprints are easier to hack because an attacker is more likely to find a match, so swiping time drops between 0.66 hours and 2.78 hours.
The good news is that it’s not the easiest attack to pull off. It requires not only physical access to the target phone and some time, but also access to a fingerprint database of leaked biometrics or university datasets. Hardware is also needed, although it only costs about $15. However, this technique can be used by law enforcement and state-sponsored actors.
source : BRUTEPRINT: Expose smartphone fingerprint authentication to a brute force attack
What do you think about it? Do you find this information useful and relevant?
What do you think are the possible implications of these findings?
How would you rate the effectiveness of fingerprint locks on Android devices, in light of these researchers’ findings?
Malware attack attempts on mobile phones across Europe have increased by 500%, since February 2022, according to a Proofpoint report.
Her iPhone has been stolen, $10k withdrawn and she no longer has access to her Apple account: Once someone gets into this security environment, she turns on you
A new study finds that attackers can bypass fingerprint-based authentication, with a success rate of nearly 80%.
An Android phone owner accidentally finds a way to bypass the lock screen and receives $70,000 from Google for reporting the problem
“Evil thinker. Music scholar. Hipster-friendly communicator. Bacon geek. Amateur internet enthusiast. Introvert.”