Researchers discover brute-force attack that can bypass Android phone fingerprint locks

midian182

In brief: We tend to believe that if our Android phones are lost or stolen, a fingerprint lock will ensure that the sensitive data they hold stays safe. But Chinese researchers have found a way to break through this protection by using a brute-force attack.

Researchers from Tencent Labs and Zhejiang University found that they could bypass a fingerprint lock on Android smartphones by using a brute-force attack, which is when a large number of attempts are made to discover a password, code, or some other form of security protection.

To protect against brute-force attacks, Android phones normally enforce safeguards such as a limit on the number of failed attempts before lockout, as well as liveness detection. The researchers bypassed these using two zero-day vulnerabilities they dubbed Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). CAMF aborts the authentication flow after a failed match so that the failure is never counted against the attempt limit; MAL lets the attacker keep submitting samples and infer match results while the device is nominally locked out.
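The attempt-limit bypass comes down to ordering: if the counter is updated only when the final result is delivered, an attacker who can observe the result early and cancel the operation never gets charged. The model below is an added illustration written for this page, not code from the BrutePrint paper or any Android vendor; the class and method names are invented and the limit of five attempts is an assumption. It contrasts a counter updated after delivery with one charged before matching begins.

```python
"""Model of a fingerprint lockout counter and the Cancel-After-Match-Fail
(CAMF) ordering problem.  Added illustration for this page, not code from the
BrutePrint paper or any Android vendor: class and method names are invented
and the limit of 5 attempts is an assumption."""

from dataclasses import dataclass


class LockedOut(Exception):
    """Raised once the failed-attempt limit has been reached."""


@dataclass
class VulnerableAuthenticator:
    """Counts a failure only when the final result is delivered.

    The matcher produces a 'no match' result first and the framework
    increments the counter only afterwards.  An attacker who can observe
    the result early and cancel the operation in that window (the CAMF
    pattern) never has the attempt counted, so the limit is never reached.
    """
    enrolled: set
    limit: int = 5
    failures: int = 0
    attempts_seen: int = 0      # instrumentation: samples the matcher processed

    def authenticate(self, sample: bytes, cancel_after_fail: bool = False) -> bool:
        if self.failures >= self.limit:
            raise LockedOut()
        self.attempts_seen += 1
        matched = sample in self.enrolled
        if not matched and cancel_after_fail:
            return False                 # result discarded, counter untouched
        if matched:
            self.failures = 0
        else:
            self.failures += 1           # counted only on delivery
        return matched


@dataclass
class HardenedAuthenticator:
    """Charges the attempt before matching; cancelling cannot undo it.

    In a real device this counter should live inside the TEE next to the
    matcher, so the framework cannot be tricked into skipping the update.
    """
    enrolled: set
    limit: int = 5
    failures: int = 0
    attempts_seen: int = 0

    def authenticate(self, sample: bytes, cancel_after_fail: bool = False) -> bool:
        if self.failures >= self.limit:
            raise LockedOut()
        self.attempts_seen += 1
        self.failures += 1               # charge up front
        matched = sample in self.enrolled
        if not matched and cancel_after_fail:
            return False                 # the charge stands
        if matched:
            self.failures = 0            # refund only on a genuine match
        return matched


def brute_force(auth, candidates) -> int:
    """Inject candidates, cancelling after every miss, until lockout or success.

    Returns how many samples the matcher actually processed."""
    for sample in candidates:
        try:
            if auth.authenticate(sample, cancel_after_fail=True):
                break
        except LockedOut:
            break
    return auth.attempts_seen


# Constructed data: the owner's print is not among the candidates, so every
# attempt misses and only the lockout logic decides how far the attack gets.
ENROLLED = {b"owner-print"}
CANDIDATES = [b"db-print-%03d" % i for i in range(200)]

if __name__ == "__main__":
    print("vulnerable: matcher processed", brute_force(VulnerableAuthenticator(ENROLLED), CANDIDATES))
    print("hardened:   matcher processed", brute_force(HardenedAuthenticator(ENROLLED), CANDIDATES))
```

With 200 candidate images the vulnerable counter lets all 200 through, while the hardened one locks out after five. The fix is not the specific limit but where the state change happens: before the match, in the same trust boundary as the matcher.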

As per Bleeping Computer, the researchers also found that the Serial Peripheral Interface (SPI) bus carrying data from the fingerprint sensor lacked encryption and integrity protection. An attacker with probes on the board can therefore mount a man-in-the-middle (MITM) attack: capturing fingerprint images in transit and, crucially for BrutePrint, injecting images from an external database in place of the sensor's real output.
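What the injection attack relies on is that the matcher will accept any bytes that appear on the bus. The toy model below is an added example for this page, not code from the BrutePrint paper or any vendor; the frame layout, the shared key and the counter scheme are assumptions. It puts an unprotected link beside one where the sensor authenticates each frame with a key the SPI lines never carry, so that injected images and replayed frames are rejected. A production design would also encrypt the image (the confidentiality half of the problem), which is left out here to keep the integrity point clear.

```python
"""Toy model of the sensor-to-matcher link over SPI with and without
message authentication.  Added example for this page, not code from the
BrutePrint paper or any vendor; the frame layout, the shared key and the
counter scheme are assumptions.  A production design would also encrypt
the image, which this example leaves out to keep the integrity point clear."""

import hashlib
import hmac
import struct

TAG_LEN = 32                  # HMAC-SHA256 tag
HDR = struct.Struct(">Q")     # 64-bit frame counter


class SensorFrameError(ValueError):
    pass


class UnprotectedMatcher:
    """Models the observed Android behaviour: raw image bytes on the wire."""

    def receive(self, frame: bytes) -> bytes:
        return frame          # whatever is on the bus is treated as the print


class AuthenticatedSensor:
    """Signs every frame with a key shared only with the matcher (assumed to
    be provisioned at manufacture and unreachable from the SPI lines)."""

    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def emit(self, image: bytes) -> bytes:
        self._counter += 1
        body = HDR.pack(self._counter) + image
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


class AuthenticatedMatcher:
    """Checks the tag, then requires a strictly increasing counter."""

    def __init__(self, key: bytes):
        self._key, self._last = key, 0

    def receive(self, frame: bytes) -> bytes:
        if len(frame) < HDR.size + TAG_LEN:
            raise SensorFrameError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self._key, body, hashlib.sha256).digest()):
            raise SensorFrameError("bad tag: not produced by the sensor")
        (counter,) = HDR.unpack(body[:HDR.size])
        if counter <= self._last:
            raise SensorFrameError("replayed or reordered frame")
        self._last = counter
        return body[HDR.size:]


def forge_frame(image: bytes, counter: int = 1 << 40) -> bytes:
    """Attacker's best effort without the key: valid layout, guessed tag."""
    return HDR.pack(counter) + image + bytes(TAG_LEN)


def accepted(matcher, frame: bytes) -> bool:
    try:
        matcher.receive(frame)
        return True
    except SensorFrameError:
        return False


# Constructed inputs: placeholder bytes, not real fingerprint images.
KEY = bytes(range(32))
OWNER_IMAGE = b"owner-fingerprint-image"
DB_IMAGE = b"image-from-leaked-database"


def demo() -> dict:
    """Run injection and replay against both link designs."""
    results = {"plain_injection": UnprotectedMatcher().receive(DB_IMAGE) == DB_IMAGE}
    sensor, matcher = AuthenticatedSensor(KEY), AuthenticatedMatcher(KEY)
    genuine = sensor.emit(OWNER_IMAGE)
    results["auth_genuine"] = matcher.receive(genuine) == OWNER_IMAGE
    results["auth_injection"] = accepted(matcher, forge_frame(DB_IMAGE))
    results["auth_replay"] = accepted(matcher, genuine)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The counter check matters as much as the tag: without it, an attacker who sniffed one genuine frame could replay it, and with CAMF in hand would have unlimited tries at doing so.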

The researchers tested the brute-force attack, called BrutePrint, on ten popular smartphone models. They were able to perform an unlimited number of fingerprint login attempts on the Android and HarmonyOS (Huawei) phones. iOS devices fared much better, allowing just ten additional attempts on the iPhone SE and iPhone 7, bringing the total to 15, which isn't enough for a brute-force attack.

All of the Android devices were vulnerable to the SPI MITM attack, but it was ineffective against the iPhones, whose sensor data on the SPI bus is encrypted.

According to the analysis, BrutePrint could break into a device with only one fingerprint enrolled in between 2.9 and 13.9 hours. Devices with more than one fingerprint enrolled are easier targets, since each injected image is compared against every stored template and therefore has a higher chance of a false match; the time to success drops to between 0.66 and 2.78 hours.
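The reason more enrolled fingerprints shorten the attack is simple probability: each injected image gets a false-accept chance against every template, and the attack ends at the first false accept. The worked example below is added for this page; the false-accept rate (FAR), attempt rate and template counts are assumed inputs, not figures from the BrutePrint paper. It computes the expected attack time for a given number of templates and checks the closed form against a Monte Carlo run that compares each image against every template individually.

```python
"""Why extra enrolled fingerprints shorten a brute-force attack: every injected
image is compared against every stored template, and the attacker wins on the
first false accept.  Added worked example for this page; the false-accept rate
(FAR), attempt rate and template counts used below are assumed inputs, not
figures from the BrutePrint paper."""

import random


def false_accept_per_attempt(far: float, templates: int) -> float:
    """P(at least one of `templates` independent comparisons falsely accepts)."""
    return 1.0 - (1.0 - far) ** templates


def expected_attempts(far: float, templates: int) -> float:
    """Mean number of injected images until the first false accept (geometric)."""
    return 1.0 / false_accept_per_attempt(far, templates)


def expected_hours(far: float, templates: int, attempts_per_sec: float) -> float:
    """Wall-clock estimate once the lockout counter has been neutralised."""
    return expected_attempts(far, templates) / attempts_per_sec / 3600.0


def speedup(far: float, templates: int) -> float:
    """Time saved versus one enrolled template; approaches `templates` as FAR -> 0."""
    return expected_attempts(far, 1) / expected_attempts(far, templates)


def simulate_mean_attempts(far: float, templates: int, trials: int, seed: int = 7) -> float:
    """Monte Carlo check that compares each image against every template
    independently, rather than sampling the closed-form probability."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        attempts = 0
        while True:
            attempts += 1
            if any(rng.random() < far for _ in range(templates)):
                break
        total += attempts
    return total / trials


if __name__ == "__main__":
    FAR, RATE = 1e-4, 1.0          # assumed: 0.01 % FAR, one injected image per second
    for k in (1, 2, 5, 10):
        print(f"{k:2d} template(s): {expected_hours(FAR, k, RATE):6.2f} h, "
              f"speedup x{speedup(FAR, k):.2f}")
    print("simulated mean attempts (FAR 1 %, 5 templates):",
          round(simulate_mean_attempts(0.01, 5, trials=2000), 1),
          "vs analytic", round(expected_attempts(0.01, 5), 1))
```

For realistic FARs the speedup is almost exactly the number of enrolled templates, which is why the forum replies below are right that enrolling more fingers weakens the lock rather than strengthening it.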

The good news is that this isn't an easy attack to pull off. Not only would an attacker need physical access to the target phone and some time, but they would also require a fingerprint database, drawn from either biometric data leaks or academic datasets. Some hardware is also required, though it costs only around $15. The technique could, however, be of use to law enforcement and state-sponsored actors.

Masthead credit: Daniel Romero


 
"According to analysis, BrutePrint could break into a device that has only one fingerprint set up in between 2.9 and 13.9 hours. Those with more than one fingerprint are easier as the attacker has a higher chance of finding a match, so the time for success drop to between 0.66 hours and 2.78 hours."

Ha ha, so if you want to secure your Android phone, better register all ten of your fingerprints, while also saying goodbye to your privacy. :laughing:
 
"According to analysis, BrutePrint could break into a device that has only one fingerprint set up in between 2.9 and 13.9 hours. Those with more than one fingerprint are easier as the attacker has a higher chance of finding a match, so the time for success drop to between 0.66 hours and 2.78 hours."

Ha ha, so if you want to secure your Android phone, better register all ten of your fingerprints, while also saying goodbye to your privacy.
Valid point, back to passwords.
I always felt negative toward password managers for this reason. You give all of your passwords and put them under a lock that is serviced by someone else, a place that with every new update has a chance to break.
There's gotta be a more secure way to keep things secure.
 
"According to analysis, BrutePrint could break into a device that has only one fingerprint set up in between 2.9 and 13.9 hours. Those with more than one fingerprint are easier as the attacker has a higher chance of finding a match, so the time for success drop to between 0.66 hours and 2.78 hours."

Ha ha, so if you want to secure your Android phone, better register all ten of your fingerprints, while also saying goodbye to your privacy.

It's the opposite. The more fingerprints you register, the less secure the device
 
"According to analysis, BrutePrint could break into a device that has only one fingerprint set up in between 2.9 and 13.9 hours. Those with more than one fingerprint are easier as the attacker has a higher chance of finding a match, so the time for success drop to between 0.66 hours and 2.78 hours."

Ha ha, so if you want to secure your Android phone, better register all ten of your fingerprints, while also saying goodbye to your privacy.
I think you need to read that again. Having more fingerprints registered reduced the time taken to brute-force it (i.e. made it less secure, not more secure). Which makes sense: fingerprint readers don't work by exactly matching the fingerprint to the sensor readout, because the sensor readout is not particularly accurate (otherwise the unlock failure rate would be too high). So it works on probabilities of matching the stored fingerprint, and the more stored fingerprints on the phone, the more likely it will (incorrectly) find a match. The vulnerability in the Android phones (compared to the iPhones in this study) was that the data from the fingerprint sensor wasn't encrypted, so the hackers can intercept the fingerprint sensor data through wiring into the SPI connectors on the phone motherboard. Fingerprint acquisition was also faster than a rejection on Android, allowing the device to sense a rejection before it was officially registered (bypassing X number of unlock limits in some phones).
 
I think you need to read that again. Having more fingerprints registered reduced the time taken to brute-force it (i.e. made it less secure, not more secure). Which makes sense: fingerprint readers don't work by exactly matching the fingerprint to the sensor readout, because the sensor readout is not particularly accurate (otherwise the unlock failure rate would be too high). So it works on probabilities of matching the stored fingerprint, and the more stored fingerprints on the phone, the more likely it will (incorrectly) find a match. The vulnerability in the Android phones (compared to the iPhones in this study) was that the data from the fingerprint sensor wasn't encrypted, so the hackers can intercept the fingerprint sensor data through wiring into the SPI connectors on the phone motherboard. Fingerprint acquisition was also faster than a rejection on Android, allowing the device to sense a rejection before it was officially registered (bypassing X number of unlock limits in some phones).
True indeed, I should have better marked my post as a joke.
 
I think if the Chinese state has your phone there's a good chance it has your finger - your kidney or whatever -- 7 attempts is all that is needed with an iPhone - given your fingerprint will be on the screen or back somewhere - just winnow out the best options or input it digitally as recreated.
Treat your phone - your credit cards - as cash.
Use a fingerprint in public - use payWave with cards - or cover your hands.
I can tell from 5 metres away in a supermarket what many people press (hard to hide open finger movements).
 
I tend to think this article is just more click-bait and not pointing out an actual threat for 99.5% of us. Really, what are the chances one of us is going to lose possession of our phone and it will actually be submitted to the kind of lock-screen compromise this article goes into such detail over? When almost all of us lose our phone (i.e. theft or forgetting it in a public setting, or whatever) it's going to be found by someone who 'might' possibly spend a lot of time trying to gain access to it, using the typical ways that are easily found by doing an online search. But the skill level and training, the necessary software and the required equipment are not something everybody has. This is just another 'lab setting' example, used to induce fear-mongering by trying to normalize an otherwise unlikely instance into an actual, realistic threat.
Really, it's important to have a lock screen implemented when you're out in public. That's just a basic protection against the most common (by an overwhelming percentage) occurrence, someone trying to access your user account on your phone.
Oh, and pay attention to only installing apps for things you need and/or will use. Don't just install an app by happenstance.
 
I tend to think this article is just more click-bait and not pointing out an actual threat for 99.5% of us. Really, what are the chances one of us is going to lose possession of our phone and it will actually be submitted to the kind of lock-screen compromise this article goes into such detail over? When almost all of us lose our phone (i.e. theft or forgetting it in a public setting, or whatever) it's going to be found by someone who 'might' possibly spend a lot of time trying to gain access to it, using the typical ways that are easily found by doing an online search. But the skill level and training, the necessary software and the required equipment are not something everybody has. This is just another 'lab setting' example, used to induce fear-mongering by trying to normalize an otherwise unlikely instance into an actual, realistic threat.
Really, it's important to have a lock screen implemented when you're out in public. That's just a basic protection against the most common (by an overwhelming percentage) occurrence, someone trying to access your user account on your phone.
Oh, and pay attention to only installing apps for things you need and/or will use. Don't just install an app by happenstance.

I disagree. There is a massive black market for stolen phones, and people who are capable of doing this will snap up a ton of them to see what they find.

Also, what has this got to do with installing apps?
 