There is a way to “brute-force” fingerprints on Android devices: with physical access to the smartphone and enough time, a hacker can unlock the device, a report from cybersecurity researchers at Tencent Labs and Zhejiang University claims.
According to the report, there are two zero-day vulnerabilities present in Android devices (as well as those running Apple’s iOS and Huawei’s HarmonyOS), called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
By abusing these flaws, the researchers were able to do two things: make Android allow an unlimited number of fingerprint scanning attempts, and use databases found in academic datasets, biometric data leaks, and the like.
Cheap hardware
To pull off the attacks, attackers need a few things: physical access to an Android-powered smartphone, enough time, and $15 worth of hardware.
The researchers named the attack “BrutePrint”, and claimed that breaking into a device with only one fingerprint set up would take between 2.9 and 13.9 hours. Devices with multiple fingerprints set up are more prone to cracking, they added, with the average time for “brute-printing” between 0.66 hours and 2.78 hours.
The researchers ran the test on ten “popular smartphone models”, as well as a couple of iOS devices. We don’t know which models are vulnerable, but they say that on Android and HarmonyOS devices they achieved an unlimited number of attempts. On iOS devices, however, they only got ten additional attempts on the iPhone SE and iPhone 7 models, which was not enough to successfully pull off the attack. The conclusion, therefore, is that while iOS may be vulnerable to these flaws, the current brute-force method is not enough to break into the device.
While this type of attack may not be very attractive to the regular hacker, it could be used by state-sponsored actors and law enforcement agencies, the researchers concluded.
Via: Bleeping Computer