Android smartphones can be hacked by trying fingerprints endlessly

Scientists from Tencent Labs and Zhejiang University (PRC) have found a way to defeat the fingerprint scanner protection on a smartphone by brute force. The attack requires physical access to the device and sufficient time.

    Image source: Luken Sabellano /

Devices running Android, HarmonyOS (which is based on it), and to a very limited extent Apple iOS, exhibit two zero-day vulnerabilities, designated Cancel-After-Match-Fail and Match-After-Lock. By exploiting these vulnerabilities, the researchers were able to force mobile devices to accept an infinite number of fingerprint scan attempts, and to draw on academic databases, biometric leak databases, and other sources.

Hypothetical attackers would need physical access to a smartphone and $15 worth of equipment to perform the attack. The attack, which the experts call BrutePrint, takes between 2.9 and 13.9 hours to execute against a device that stores a single fingerprint. If the device stores multiple recorded fingerprints, the average time is from 0.66 to 2.78 hours.

The researchers tested the technique on ten “popular smartphones” and a pair of iPhones. The model names are not given, but the scientists reported that they achieved an infinite number of attempts on Android and HarmonyOS devices and only ten additional attempts on the iOS devices (an iPhone SE and an iPhone 7), which is clearly not enough for a successful hack.

The authors of the study conclude that the BrutePrint method is unlikely to be attractive to a common cybercriminal, but it is quite suitable for government agencies.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
