Some Android phones are vulnerable to fingerprint brute-force attacks

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Researchers at Tencent Labs and Zhejiang University have presented a new attack called 'BrutePrint,' which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device.

Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.

The Chinese researchers managed to overcome existing safeguards on smartphones, like attempt limits and liveness detection that protect against brute-force attacks, by exploiting what they claim are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

The authors of the technical paper published on Arxiv.org also found that biometric data on the fingerprint sensors' Serial Peripheral Interface (SPI) were inadequately protected, allowing for a man-in-the-middle (MITM) attack to hijack fingerprint images.

BrutePrint and SPI MITM attacks were tested against ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Password, PIN, facial scan, fingerprint scan etc.........all not safe. So use what to log in to phone securely?

:rolleyes:
 
Last edited:
  • Like
  • Applause
Reactions: Nevi and vtqhtr413

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,448
I felt better after reading this 😍
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
This attack only works if the country you live in is corrupt or has weak legal systems, which sadly is most of the world. You can't really defend against the attack as they will just use your fingerprint or face unlock after they have beaten you with a $5 wrench when your unconscious.

But the good news is that there are so many more ways to hack phones when they are in use it probably won't get to that stage unless your high value target and have OPSEC down to a art.

Even then some mobile malware like NSO and other malware implants are very slick and leave little forensic evidence on the phone post infection. Like desktop malware it's gotten very advanced and very hard to detect especially with 1-click attacks.
 
Last edited:

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Password, PIN, facial scan, fingerprint scan etc.........all not safe. So use what to log in to phone securely?

:rolleyes:
Don’t lose your phone, and don’t keep unencrypted data stored on your device that wouldn’t want others to obtain.

At first glance, BrutePrint may not seem like a formidable attack due to requiring prolonged access to the target device. However, this perceived limitation should not undermine its value for thieves and law enforcement.

The former would allow criminals to unlock stolen devices and extract valuable private data freely.

The latter scenario raises questions about privacy rights and the ethics of using such techniques to bypass device security during investigations.

This constitutes a rights violation in certain jurisdictions and could undermine the safety of certain people living in oppressive countries.
 

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Researchers have devised a low-cost smartphone attack that cracks the authentication fingerprint used to unlock the screen and perform other sensitive actions on a range of Android devices in as little as 45 minutes.

Dubbed BrutePrint by its creators, the attack requires an adversary to have physical control of a device when it is lost, stolen, temporarily surrendered, or unattended, for instance, while the owner is asleep. The objective: to gain the ability to perform a brute-force attack that tries huge numbers of fingerprint guesses until one is found that will unlock the device. The attack exploits vulnerabilities and weaknesses in the device SFA (smartphone fingerprint authentication).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top