This brute-force fingerprint attack could break into your Android phone

By Nick Heyman On May 23, 2023

There is a way to “brute-force” fingerprints on Android devices and with physical access to the smartphone, and enough time, a hacker would be able to unlock the device, a report from cybersecurity researchers at Tencent Labs and Zhejiang Unversity has claimed.

As per the report, there are two zero-day vulnerabilities present in Android devices (as well as those powered by Apple’s iOS and Huawei’s HarmonyOS), called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

By abusing these flaws, the researchers managed to do two things: have Android allow an infinite number of fingerprint scanning attempts; and use databases found in academic datasets, biometric data leaks, and similar.

Cheap hardware

To pull the attacks off, the attackers needed a couple of things: physical access to an Android-powered smartphone, enough time, and $15 worth of hardware.

The researchers named the attack “BrutePrint”, and claim that for a device that only has one fingerprint set up, it would take between 2.9 and 13.9 hours to break into the endpoint. Devices with multiple fingerprint recordings are significantly easier to break into, they added, with the average time for “brute-printing” being between 0.66 hours and 2.78 hours.

The researchers ran the test on ten “popular smartphone models”, as well as a couple of iOS devices. We don’t know exactly which models were vulnerable, but they said that on Android and HarmonyOS devices, they managed to achieve infinite tries. For iOS devices, however, they only managed to get an extra ten attempts on iPhone SE and iPhone 7 models, which is not enough to successfully pull off the attack. Thus, the conclusion is that while iOS might be vulnerable to these flaws, the current method of breaking into the device via brute force won’t suffice.

While this type of attack might not be that attractive to the regular hacker, it could be used by state-sponsored actors and law enforcement agencies, the researchers concluded.

Via: BleepingComputer

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TheDailyCheck is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected] The content will be deleted within 24 hours.