A group of security researchers has found a new way to hijack an Android device using only about $15 worth of equipment. The attack, which they call BrutePrint, brute-forces the fingerprint lock and can unlock a phone in under an hour in the fastest case.

As presented by Yu Chen of Tencent and Yiling He of Zhejiang University, the BrutePrint attack takes advantage of two zero-day vulnerabilities: Cancel-After-Match-Fail (CAMF), which lets an attacker bypass the limit on failed attempts, and Match-After-Lock (MAL), which can be exploited to infer authentication results even after the device has entered lockout.

With physical access to the device, the researchers attach a $15 circuit board to it and launch the BrutePrint attack. They also manipulate the false acceptance rate (FAR), raising the acceptance threshold for fingerprint matches so that a wider range of candidate fingerprint images is accepted as a match.
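To make the two ideas above concrete, here is an added toy model (not the researchers' code, and not how any real sensor is implemented): an attempt counter that is only charged after the match result is reported, which a client can skip by cancelling the operation as soon as it sees "no match" (the CAMF pattern), next to a hardened counter that commits the attempt first; and a matcher whose acceptance threshold can be widened, which is the FAR manipulation in miniature. The 16-bit "fingerprints", the Hamming-distance matcher, the lockout limit of 5 and the candidate list are all constructed assumptions.

```python
"""Toy model of the two weaknesses BrutePrint chains: an attempt counter
that can be skipped by cancelling after the match result is known (CAMF),
and a matcher whose acceptance threshold (its false acceptance rate) can
be widened.  Assumption: a fingerprint is a 16-bit integer and a match is
a Hamming distance at or below a threshold.  Real sensors are far more
complex; this only illustrates the accounting bug."""

MAX_ATTEMPTS = 5           # assumed lockout limit
ENROLLED = 0xA5A5          # constructed "enrolled fingerprint" template

# Constructed dictionary of candidate images an attacker would replay.
CANDIDATES = [0x0000, 0xFFFF, 0x1234, 0x5A5A, 0x0F0F, 0xF0F0,
              0x1111, 0x2222, 0x3333, 0xA5A4, 0xA5A5, 0x4444]


def hamming(a, b):
    """Number of differing bits between two candidate images."""
    return bin(a ^ b).count("1")


class VulnerableMatcher:
    """Charges the attempt only after the result is reported.  If the
    caller cancels the operation as soon as it observes 'no match', the
    failure never reaches the counter: this is the CAMF pattern."""

    def __init__(self, template=ENROLLED, threshold=2):
        self.template, self.threshold, self.failures = template, threshold, 0

    def authenticate(self, image, cancel_after_match=False):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if hamming(image, self.template) <= self.threshold:
            self.failures = 0
            return "accepted"
        if cancel_after_match:
            return "cancelled"          # aborted before the failure is recorded
        self.failures += 1
        return "rejected"


class HardenedMatcher(VulnerableMatcher):
    """Charges the attempt before matching, so a cancel cannot undo it."""

    def authenticate(self, image, cancel_after_match=False):
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        self.failures += 1              # commit first, evaluate second
        if hamming(image, self.template) <= self.threshold:
            self.failures = 0
            return "accepted"
        return "cancelled" if cancel_after_match else "rejected"


def brute_force(matcher, candidates=CANDIDATES, cancel_after_match=False):
    """Replay candidates until accepted or locked; returns (outcome, attempts)."""
    for n, image in enumerate(candidates, start=1):
        result = matcher.authenticate(image, cancel_after_match)
        if result in ("accepted", "locked"):
            return result, n
    return "exhausted", len(candidates)


def accepted_at(threshold, template=ENROLLED, candidates=CANDIDATES):
    """How many dictionary images pass at a given threshold.  Widening the
    threshold is the FAR manipulation the article describes: more images
    are accepted, so fewer tries are needed."""
    return sum(hamming(c, template) <= threshold for c in candidates)


if __name__ == "__main__":
    print("vulnerable, honest client:", brute_force(VulnerableMatcher()))
    print("vulnerable, CAMF cancel  :", brute_force(VulnerableMatcher(), cancel_after_match=True))
    print("hardened,   CAMF cancel  :", brute_force(HardenedMatcher(), cancel_after_match=True))
    print("images accepted at threshold 2 vs 8:", accepted_at(2), accepted_at(8))
```

Against the vulnerable matcher an honest client is locked out on the sixth try, while the cancelling client walks the whole dictionary and is accepted on the tenth image; the hardened matcher locks the cancelling client out at the same sixth try. The general lesson is that a lockout counter must be committed before the match is evaluated and must not be reversible by any client-controlled abort path.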


In their paper, published on arXiv.org, the researchers also note that the serial peripheral interface (SPI) between the fingerprint sensor and the host was insufficiently protected, so they could mount a man-in-the-middle (MITM) attack on it to hijack fingerprint images.

The researchers tested eight Android smartphones (the Galaxy S10+, OnePlus 7 Pro, and Mi 11 Ultra, to name a few) and were able to unlock all of them. The easiest to unlock only took an estimated 40 minutes.

They also tested BrutePrint on the iPhone SE and iPhone 7 but were unsuccessful. Although these devices were also vulnerable to CAMF, the researchers were only able to raise the fingerprint attempt count to fifteen. The iOS devices also resist the SPI MITM attack, since they encrypt fingerprint data on the SPI bus.

Via: Android Authority
