A study from cybersecurity experts at Tencent Labs and Zhejiang University says that there is a way to “brute-force” fingerprints on Android devices. With enough time and access, a hacker could unlock the phone.
According to the study, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) are two zero-day flaws in Android devices, as well as those running Apple’s iOS and Huawei’s HarmonyOS.
By taking advantage of these flaws, the researchers could do two things: make Android accept an endless number of fingerprint scan attempts, and use fingerprint databases drawn from academic datasets, biometric data leaks, and other similar places.
The attackers needed direct access to an Android-powered smartphone, enough time, and $15 worth of gear to carry out the attacks.
The experts called the attack “BrutePrint” and said it would take between 2.9 and 13.9 hours to break into a target with only one fingerprint set up. They also said that devices with multiple fingerprint records are much easier to break into, with “brute-printing” usually taking between 0.66 and 2.78 hours.
The test was done on ten “popular smartphone models” and a couple of Apple iOS devices. We don’t know which models were weak, but the researchers said they could get endless tries on Android and HarmonyOS devices. On iOS devices, however, they were only able to get ten more tries on the iPhone SE and iPhone 7, which is not enough to pull off the attack. The result is that iOS might be vulnerable to these flaws, but brute force won’t be enough to get into the device right now.
The experts concluded that this type of attack might not be very appealing to the average hacker, but that state-backed actors and law enforcement organizations could use it.