Some Android phones are vulnerable to fingerprint brute-force attacks

MuzzMelbourne

Mar 13, 2022
Researchers at Tencent Labs and Zhejiang University have presented a new attack called 'BrutePrint,' which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device.

Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.

The Chinese researchers managed to overcome existing safeguards on smartphones, like attempt limits and liveness detection that protect against brute-force attacks, by exploiting what they claim are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

The authors of the technical paper published on arXiv.org also found that biometric data on the fingerprint sensors' Serial Peripheral Interface (SPI) were inadequately protected, allowing for a man-in-the-middle (MITM) attack to hijack fingerprint images.

BrutePrint and SPI MITM attacks were tested against ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices.
 

HarborFront

Oct 9, 2016
Password, PIN, facial scan, fingerprint scan etc.........all not safe. So use what to log in to phone securely?

:rolleyes:
 

vtqhtr413

Aug 17, 2017
I felt better after reading this 😍
 

Zero Knowledge

Dec 2, 2016
This attack only works if the country you live in is corrupt or has weak legal systems, which sadly is most of the world. You can't really defend against the attack as they will just use your fingerprint or face unlock after they have beaten you with a $5 wrench when you're unconscious.

But the good news is that there are so many more ways to hack phones when they are in use it probably won't get to that stage unless you're a high-value target and have OPSEC down to an art.

Even then, some mobile malware like NSO and other malware implants are very slick and leave little forensic evidence on the phone post-infection. Like desktop malware, it's gotten very advanced and very hard to detect, especially with 1-click attacks.
 

Ink

Jan 8, 2011
> Password, PIN, facial scan, fingerprint scan etc.........all not safe. So use what to log in to phone securely?
>
> :rolleyes:

Don’t lose your phone, and don’t keep unencrypted data stored on your device that you wouldn’t want others to obtain.

At first glance, BrutePrint may not seem like a formidable attack due to requiring prolonged access to the target device. However, this perceived limitation should not undermine its value for thieves and law enforcement.

The former would allow criminals to unlock stolen devices and extract valuable private data freely.

The latter scenario raises questions about privacy rights and the ethics of using such techniques to bypass device security during investigations.

This constitutes a rights violation in certain jurisdictions and could undermine the safety of certain people living in oppressive countries.
 

MuzzMelbourne

Mar 13, 2022
Researchers have devised a low-cost smartphone attack that cracks the authentication fingerprint used to unlock the screen and perform other sensitive actions on a range of Android devices in as little as 45 minutes.

Dubbed BrutePrint by its creators, the attack requires an adversary to have physical control of a device when it is lost, stolen, temporarily surrendered, or unattended, for instance, while the owner is asleep. The objective: to gain the ability to perform a brute-force attack that tries huge numbers of fingerprint guesses until one is found that will unlock the device. The attack exploits vulnerabilities and weaknesses in the device SFA (smartphone fingerprint authentication).
 
