Android fingerprint locks are on thin ice
In a recent discovery, researchers from Tencent Labs and Zhejiang University have revealed a concerning vulnerability that puts Android smartphone users at risk.
By employing a brute-force attack technique, the researchers successfully bypassed the fingerprint locks on these devices, raising serious security concerns. To protect against brute-force attacks, Android phones employ various safeguards such as limited login attempts and liveness detection.
However, the researchers discovered two previously unknown vulnerabilities, named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), that rendered these safeguards ineffective. Exploiting these vulnerabilities, the researchers were able to surpass the security measures put in place by Android devices.
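The article names the two weaknesses but does not describe their mechanics, so the following is an added illustration written for this page, not code from the BrutePrint paper, from Android, or from any vendor. It models the "limited login attempts" safeguard as a small gate in front of a fingerprint matcher and hardens it against the two failure modes the names suggest (my reading of the names, not a claim about the published details): the attempt budget is charged when a match starts rather than when a failure is reported, so cancelling an attempt before its result is recorded does not avoid the charge, and the matcher is never invoked at all while the gate is locked, so a match request that arrives after lockout cannot yield a usable result. `MAX_FAILURES`, `LOCKOUT_SECONDS`, the class and function names, and the injected clock are all assumptions chosen for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List

MAX_FAILURES = 5          # assumed budget of attempts before lockout
LOCKOUT_SECONDS = 30.0    # assumed lockout duration


@dataclass
class FingerprintGate:
    """Attempt limiter placed in front of a fingerprint matcher (constructed example).

    Two properties defend the safeguard the article says CAMF and MAL defeat:
      * the failure counter is charged when a match *starts*, so aborting the
        operation before a result is reported cannot avoid the charge;
      * the matcher is never run while the gate is locked, so a request sent
        after lockout produces no match result at all.
    """
    max_failures: int = MAX_FAILURES
    lockout_seconds: float = LOCKOUT_SECONDS
    clock: Callable[[], float] = time.monotonic   # injectable for simulation
    failures: int = 0
    locked_until: float = 0.0
    log: List[str] = field(default_factory=list)

    def is_locked(self) -> bool:
        return self.clock() < self.locked_until

    def attempt(self, matcher: Callable[[], bool], cancel: bool = False) -> str:
        """Run one authentication attempt.

        matcher: callable returning True on a genuine match.
        cancel:  simulate the caller aborting the operation mid-match.
        Returns one of 'locked', 'cancelled', 'fail', 'success'.
        """
        if self.is_locked():
            self.log.append("refused: locked")
            return "locked"            # matcher is never invoked while locked
        self.failures += 1             # charge the budget before any result exists
        if cancel:
            self._maybe_lock()
            return "cancelled"         # cancelling still consumed an attempt
        if matcher():
            self.failures = 0          # a genuine match refunds the budget
            return "success"
        self._maybe_lock()
        return "fail"

    def _maybe_lock(self) -> None:
        if self.failures >= self.max_failures:
            self.locked_until = self.clock() + self.lockout_seconds
            self.failures = 0
            self.log.append("locked out")


def simulate_cancel_flood(attempts: int) -> dict:
    """Feed the gate a run of cancelled, non-matching attempts (constructed input)
    and report how many it accepted before locking and how many it refused."""
    now = [0.0]
    gate = FingerprintGate(clock=lambda: now[0])
    results = [gate.attempt(lambda: False, cancel=True) for _ in range(attempts)]
    return {"cancelled": results.count("cancelled"), "locked": results.count("locked")}


def lockout_then_recover() -> list:
    """Fill the budget with plain failures, show that even a genuine finger is
    refused while locked, then advance the clock and show normal unlock resumes."""
    now = [0.0]
    gate = FingerprintGate(clock=lambda: now[0])
    for _ in range(MAX_FAILURES):
        gate.attempt(lambda: False)
    out = [gate.attempt(lambda: True)]       # still inside the lockout window
    now[0] += LOCKOUT_SECONDS + 1
    out.append(gate.attempt(lambda: True))   # lockout expired: matcher runs again
    return out


if __name__ == "__main__":
    print(simulate_cancel_flood(8))   # {'cancelled': 5, 'locked': 3}
    print(lockout_then_recover())     # ['locked', 'success']
```

The two simulations are the checks a reviewer of such a gate would want: a flood of cancelled attempts must exhaust the budget exactly as plain failures do, and no call path may reach the matcher while the lockout is in force.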
The BrutePrint attack
The researchers also uncovered a critical flaw in the protection of biometric data stored on the fingerprint sensors' Serial Peripheral Interface (SPI). This flaw opened the door to a potential man-in-the-middle (MITM) attack, allowing unauthorized individuals to steal users' fingerprints. Such an attack could have severe implications, as fingerprints are widely used for authentication purposes.
The researchers conducted extensive testing of their brute-force attack, known as BrutePrint, on ten popular smartphone models. Shockingly, they found that the attack could be performed an unlimited number of times on both Android and HarmonyOS (Huawei) phones, granting unauthorized access to the devices. In comparison, iOS devices exhibited stronger resistance, limiting the attack to only ten additional attempts on models like the iPhone SE and iPhone 7, making it significantly more challenging to breach their security.
Furthermore, the researchers discovered that the SPI MITM attack affected all Android devices, making them susceptible to fingerprint theft. However, this attack proved ineffective against iPhones, highlighting the comparatively robust security measures implemented in iOS.
It only takes 2 hours
The analysis conducted by the researchers revealed alarming insights into the potential impact of the BrutePrint attack. Devices with a single registered fingerprint could be compromised within a disconcertingly short timeframe, ranging from 2.9 to 13.9 hours.
Devices with multiple fingerprints registered were even more vulnerable: the time to a successful unlock dropped to as little as 0.66 to 2.78 hours, because more enrolled prints raise the likelihood that a candidate fingerprint matches one of them.
BrutePrint attacks need physical access to your phone
It is important to note that executing the BrutePrint attack requires certain conditions and resources. Attackers would need physical access to the targeted device, a significant amount of time, and access to fingerprint databases obtained through leaks or academic sources.
While the required hardware is relatively affordable, its availability may present limitations. Nevertheless, there is a concern that this technique could be exploited by law enforcement agencies or state-sponsored actors. You may read the full research here.
Is any of these worse than being fingerprinted by Google?
Requires physical access to the device, and takes over an hour. IMHO not a big concern, but if you are worried about it just remove and stop using fingerprints. Face unlock also should not be used.