Researchers discover that many Android phones are vulnerable to brute-force fingerprint attacks

The fingerprint lock has brought about a small revolution in mobile phone security, preventing unauthorized access and even deterring less “professionalized” thieves. But it is not a perfect method. Apart from the fact that a locked phone can still be sold for parts, there are ways to get around fingerprint identification of the real user, as Chinese researchers have discovered.

Other approaches to circumventing fingerprint identification often rely on fake fingers with plausible grooves, and even innovative materials that recreate a real, living finger. The method designed by experts from Tencent Labs and Zhejiang University (PDF) instead makes it easy to launch brute-force attacks: it bypasses the attempt limit in order to bombard the fingerprint sensor with fake fingerprints generated from real ones.

Greatly simplified, the hack has several distinct components with different objectives. On the one hand, the researchers make the software that identifies fingerprints broaden its acceptance threshold, so that it accepts fake fingerprints that do not have to fully match the real one stored on the device. On the other hand, they bypass the mechanisms that prevent incorrect fingerprints from being submitted repeatedly, along with the lockout that is triggered when this happens, so that fake fingerprints can keep being sent ad infinitum.

The way the fingerprints are generated and sent is also interesting. Instead of creating physical models, the researchers used “neural-style transfer,” taking fingerprint images from a database and transforming them to build a sort of fingerprint dictionary. A small, inexpensive device (about 15 dollars in hardware) is then used to send fingerprints to the sensor as many times as necessary.

The test results speak for themselves: all tested Android devices, as well as Huawei devices with HarmonyOS, are vulnerable to this type of attack. Only iPhones hold up, since the maximum possible number of attempts is only 15, which is insufficient to launch a successful brute-force attack. For vulnerable devices, the time required to execute a successful attack ranges from 2.9 to 13.9 hours, although if a device has multiple fingerprints registered it can drop to between 0.66 and 2.78 hours.

BleepingComputer wisely points out that this method is not even remotely useful if the goal is to quickly access a contact list or snoop on the contents of a phone left unattended for a moment. However, the ability to circumvent the fingerprint reader can be useful to thieves with enough time and technical resources, as well as to certain private and government organizations.