

We tend to think that if our Android phones get lost or stolen, fingerprint locking ensures the safety of the sensitive data they contain. But Chinese researchers have found a way to break through this protection using a brute force attack.
Researchers from Tencent Labs and Zhejiang University have found that they can bypass the fingerprint lock on Android smartphones using a brute force attack, in which a large number of attempts are made to discover a password, code or any other form of security protection.
To protect against brute force attacks, Android phones usually come with security measures such as limiting the number of attempts a user can make as well as liveness detection. But the researchers circumvented these measures by using two zero-day vulnerabilities called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
It was also discovered that biometric data on the serial peripheral interface (SPI) of fingerprint sensors was not fully protected, allowing a man-in-the-middle (MITM) attack to steal fingerprints.
The researchers tested the brute-force attack, called BrutePrint, on ten common smartphone models. They were able to perform an unlimited number of fingerprint login attempts on Android and HarmonyOS (Huawei) phones. iOS devices fared much better, allowing only ten more attempts on the iPhone SE and iPhone 7, for a total of 15, which is not enough for a brute force attack.
All Android devices were vulnerable to the MITM SPI attack, but it was ineffective against iPhones.
According to the analysis, BrutePrint can penetrate a device that has a single fingerprint enrolled in 2.9 to 13.9 hours. Devices with multiple enrolled fingerprints are easier to penetrate because the attacker is more likely to find a match, so the time needed falls to between 0.66 hours and 2.78 hours.
The good news is that it’s not the easiest attack to pull off. It requires not only physical access to the target phone and some time, but also access to a database of fingerprints from leaked biometrics or university datasets. Hardware is also needed, though it only costs about $15. However, this technique could be used by law enforcement and state-sponsored actors.
Source: BRUTEPRINT: Expose smartphone fingerprint authentication to brute-force attacks