There is a way to “brute force” fingerprints on Android devices, and with physical access to the smartphone, hackers will be able to unlock the device, given enough time, according to a report by cybersecurity researchers at Tencent Labs and Zhejiang University.
According to the report, two zero-day vulnerabilities exist in Android devices (as well as devices powered by Apple’s iOS and Huawei’s HarmonyOS), called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
By abusing these flaws, the researchers managed to do two things: make Android allow unlimited fingerprint scan attempts; and use fingerprint databases drawn from academic datasets, biometric data leaks, and more.
To launch an attack, an attacker needs a few things: physical access to an Android smartphone, enough time, and $15 worth of hardware.
The researchers dubbed the attack “BrutePrint” and claimed that it took between 2.9 and 13.9 hours to gain access to the endpoint for devices with only one fingerprint set up. Devices with multiple fingerprint records were more likely to be hacked, with an average time for “brute force printing” between 0.66 hours and 2.78 hours, they added.
The researchers tested on ten “popular smartphone models” as well as several iOS devices. We don’t know which models are vulnerable, but they say that on Android and HarmonyOS devices, they managed to achieve unlimited attempts. However, for iOS devices, they only managed to make ten additional attempts on iPhone SE and iPhone 7 models, which was not enough for a successful attack. Therefore, the conclusion is that while iOS may be vulnerable to these flaws, current methods of brute-forcing the device are insufficient.
While this type of attack may not be as attractive to ordinary hackers, it could be used by state-sponsored actors and law enforcement agencies, the researchers concluded.
Via: BleepingComputer