There is a way to “brute-force” fingerprints on Android devices and with physical access to the smartphone, and enough time, a hacker would be able to unlock the device, a report from cybersecurity researchers at Tencent Labs and Zhejiang Unversity has claimed.
As per the report, there are two zero-day vulnerabilities present in Android devices (as well as those powered by Apple’s iOS and Huawei’s HarmonyOS), called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
By abusing these flaws, the researchers managed to do two things: have Android allow an infinite number of fingerprint scanning attempts; and use databases found in academic datasets, biometric data leaks, and similar.
To pull the attacks off, the attackers needed a couple of things: physical access to an Android-powered smartphone, enough time, and $15 worth of hardware.
The researchers named the attack “BrutePrint”, and claim that for a device that only has one fingerprint set up, it would take between 2.9 and 13.9 hours to break into the endpoint. Devices with multiple fingerprint recordings are significantly easier to break into, they added, with the average time for “brute-printing” being between 0.66 hours and 2.78 hours.
The researchers ran the test on ten “popular smartphone models”, as well as a couple of iOS devices. We don’t know exactly which models were vulnerable, but they said that on Android and HarmonyOS devices, they managed to achieve infinite tries. For iOS devices, however, they only managed to get an extra ten attempts on iPhone SE and iPhone 7 models, which is not enough to successfully pull off the attack. Thus, the conclusion is that while iOS might be vulnerable to these flaws, the current method of breaking into the device via brute force won’t suffice.
While this type of attack might not be that attractive to the regular hacker, it could be used by state-sponsored actors and law enforcement agencies, the researchers concluded.