A recent report from cybersecurity researchers at Tencent Labs and Zhejiang University reveals a potential method to “brute-force” fingerprints on Android devices. If a hacker has physical access to the smartphone and sufficient time, they may be able to unlock the device.
CAMF and MAL
The report highlights the presence of two zero-day vulnerabilities named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), which affect not only Android devices but also those running Apple’s iOS and Huawei’s HarmonyOS.
By exploiting these vulnerabilities, the researchers accomplished two objectives. First, they bypassed Android's limit on the number of fingerprint scanning attempts, allowing an unlimited number of tries. Second, they used fingerprint databases drawn from academic datasets, biometric data leaks, and similar sources to feed the attack.
How it Works
To carry out these attacks, the attackers needed a few key elements: physical possession of an Android smartphone, a sufficient amount of time, and hardware costing approximately $15.
The researchers named the attack “BrutePrint” and reported that, for devices with a single fingerprint enrolled, it would take approximately 2.9 to 13.9 hours to unlock the device. Devices with multiple enrolled fingerprints were notably easier to compromise, with the average time for a successful “brute-printing” ranging from 0.66 to 2.78 hours.
The researchers conducted their experiment on ten “popular smartphone models,” including a few iOS devices. Although the specific vulnerable models were not disclosed, the researchers reported that they were able to bypass the attempt limit and perform unlimited tries on Android and HarmonyOS devices.
iOS is Safer
However, on iOS devices they were only able to gain an additional ten attempts, on the iPhone SE and iPhone 7 models, which proved insufficient to carry out the attack. Consequently, while iOS may be affected by the same underlying flaws, the current brute-force method is not practical against it.
The researchers concluded that while this form of attack may not be appealing to typical hackers, it could be of interest to state-sponsored actors and law enforcement agencies.