Chinese researchers have found a way to unlock Android phones by brute-forcing the fingerprint scanner. By exploiting several vulnerabilities, they were also able to make an unlimited number of attempts.
Attackers would need prolonged physical access to the device to carry out the attack, the researchers report in their paper on Arxiv. The attack also requires custom hardware to feed the counterfeit fingerprints to the scanner; the researchers estimate that this hardware costs around 15 dollars in total.
All Android devices examined were vulnerable to the attack; in every case these are Android phones from a few years ago. Because the vulnerabilities may be fixable with updates, it is possible that the exploit no longer works, but the researchers say nothing about that. On iPhones, the attack allows the researchers to increase the number of attempts from five to fifteen, but the exploit is not really feasible there.
Most phones are vulnerable to Cancel-After-Match-Fail, a vulnerability in which an error is produced in the checksum, so that the phone does check whether the fingerprint is correct but never reports that it is wrong. Because the failed attempt is never registered, this allows unlimited attempts.
For some phones, the researchers combined this with Match-After-Lock, a way to keep making attempts while the phone is temporarily locked after too many wrong attempts. Once the lockout period is over, the researchers can then unlock the phone with the correct fingerprint.
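As an added illustration, not code from the paper or from any phone vendor, the Python below models the attempt counter that the two weaknesses above target: a limiter that only charges a cleanly reported mismatch, so a submission aborted by a checksum error is never counted (the Cancel-After-Match-Fail pattern), next to a hardened limiter that charges every submission up front and refuses all matching while the lockout runs (closing the Match-After-Lock path). The class names, the five-attempt limit and the 30-second lockout are assumptions chosen for the example.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed budget of failures before the sensor locks
LOCKOUT_SECONDS = 30.0  # assumed lockout length once the budget is spent


@dataclass
class VulnerableLimiter:
    """Charges the budget only when the matcher reports a clean mismatch.
    A checksum error aborts the flow after matching but before that report,
    so the counter never moves and attempts are effectively unlimited."""
    failures: int = 0

    def submit(self, template_matches: bool, checksum_ok: bool, now: float) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        if not checksum_ok:
            return "error"        # match already ran, but nothing is recorded
        if template_matches:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        return "rejected"


@dataclass
class HardenedLimiter:
    """Charges every submission before its outcome is known, so an aborted
    attempt costs the same as a rejected one, and holds the lock for the
    full period so that nothing is matched while it is in force."""
    failures: int = 0
    locked_until: float = 0.0

    def submit(self, template_matches: bool, checksum_ok: bool, now: float) -> str:
        if now < self.locked_until:
            return "locked"       # no matching at all during lockout
        self.failures += 1        # charged up front, whatever happens next
        if checksum_ok and template_matches:
            self.failures = 0
            return "unlocked"
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
        return "error" if not checksum_ok else "rejected"


def flood_aborted(limiter, count: int) -> list:
    """Constructed scenario: submit `count` non-matching prints that all end
    in a checksum error, one per second, and return the limiter's responses."""
    return [limiter.submit(False, False, now=float(i)) for i in range(count)]
```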
The impact of the vulnerabilities is limited, since the attack requires prolonged access to a device, which rules out remote exploitation. It is also unclear whether smartphones have already been patched. The researchers are from Zhejiang University in China and tech giant Tencent's Xuanwu Lab. They call the exploit BrutePrint.