New BrutePrint Method Puts Android Smartphones at Risk of Fingerprint Brute Force Attacks
In a disconcerting revelation, Tencent Labs and Zhejiang University have unveiled a new method called 'BrutePrint' that poses a serious threat to the security of Android, HarmonyOS, and iOS smartphones. This method exploits two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), allowing attackers to bypass user authentication mechanisms, including fingerprint recognition, through brute force attacks.
BrutePrint relies on physical access to the targeted device and utilizes inexpensive specialized hardware. Attackers obtain fingerprint images from leaked data or fingerprint databases available on the dark web, submitting them continuously to the device until a match is found. By manipulating the False Acceptance Rate (FAR) and exploiting the vulnerabilities, the attackers can breach existing safeguards against brute force attacks, such as attempt limits and liveness detection. Notably, Android and HarmonyOS devices are susceptible to unlimited fingerprint unlock attempts, while iOS devices have a limit of 10 attempts.
The consequences of this attack are dire, as compromised devices grant threat actors access to sensitive and personal data. Furthermore, once an attacker gains access, they can establish persistence by installing malware, such as Trojans, on the device.
To mitigate the risk of falling victim to BrutePrint attacks, users are advised to take the following precautions:
1. Keep devices in close proximity and ensure they do not fall into unauthorized hands.
2. Regularly update devices with the latest software and security patches to stay protected against emerging vulnerabilities.
3. Avoid using older devices that are no longer supported by manufacturers, as they are more likely to have unpatched vulnerabilities.
By staying vigilant and implementing these security measures, smartphone users can better protect themselves against the growing threat of fingerprint brute force attacks and safeguard their personal data.
Remember, maintaining strong cybersecurity practices and staying informed about emerging threats is essential to ensure the security and privacy of mobile devices in an increasingly interconnected world.
