Android fingerprint locks are on thin ice

Emre Çitak
May 24, 2023
Updated • May 24, 2023

In a recent discovery, researchers from Tencent Labs and Zhejiang University have revealed a concerning vulnerability that puts Android smartphone users at risk.

By employing a brute-force attack technique, the researchers successfully bypassed the fingerprint locks on these devices, raising serious security concerns. To protect against brute-force attacks, Android phones employ various safeguards such as limited login attempts and liveness detection.

However, the researchers discovered two previously unknown vulnerabilities, named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), that rendered these safeguards ineffective. Exploiting these vulnerabilities, the researchers were able to surpass the security measures put in place by Android devices.

[Image: Android BrutePrint attack. Caption: Most Android phones are vulnerable to BrutePrint attacks]

The BrutePrint attack

The researchers also uncovered a critical flaw in the protection of biometric data stored on the fingerprint sensors' Serial Peripheral Interface (SPI). This flaw opened the door to a potential man-in-the-middle (MITM) attack, allowing unauthorized individuals to steal users' fingerprints. Such an attack could have severe implications, as fingerprints are widely used for authentication purposes.

The researchers conducted extensive testing of their brute-force attack, known as BrutePrint, on ten popular smartphone models. Shockingly, they found that the attack could be performed an unlimited number of times on both Android and HarmonyOS (Huawei) phones, granting unauthorized access to the devices. In comparison, iOS devices exhibited stronger resistance, limiting the attack to only ten additional attempts on models like the iPhone SE and iPhone 7, making it significantly more challenging to breach their security.

Furthermore, the researchers discovered that the SPI MITM attack affected all Android devices, making them susceptible to fingerprint theft. However, this attack proved ineffective against iPhones, highlighting the comparatively robust security measures implemented in iOS.

[Image: Android BrutePrint attack. Caption: Android BrutePrint attack - Image courtesy of Tencent Labs]

It only takes 2 hours

The analysis conducted by the researchers revealed alarming insights into the potential impact of the BrutePrint attack. Devices with a single registered fingerprint could be compromised within a disconcertingly short timeframe, ranging from 2.9 to 13.9 hours.

Devices with multiple fingerprints registered were even more vulnerable: the time to a successful break-in dropped to as little as 0.66 to 2.78 hours, because each submitted fingerprint has more enrolled templates it might match.

BrutePrint attacks need physical access to your phone

It is important to note that executing the BrutePrint attack requires certain conditions and resources. Attackers would need physical access to the targeted device, a significant amount of time, and access to fingerprint databases obtained through leaks or academic sources.

While the required hardware is relatively affordable, its availability may present limitations. Nevertheless, there is a concern that this technique could be exploited by law enforcement agencies or state-sponsored actors. You may read the full research here.


Comments

  1. Anonymous said on May 24, 2023 at 9:27 pm
    Reply

    Are any of these worse than being fingerprinted by Google?

  2. Samuel Beckett said on May 24, 2023 at 2:48 pm
    Reply

    Requires physical access to the device, and takes over an hour. IMHO not a big concern, but if you are worried about it just remove and stop using fingerprint print. Face unlock also should not be used.
