Security News > 2023 > May > Android phones are vulnerable to fingerprint brute-force attacks

The authors of the technical paper published on Arxiv.org also found that biometric data on the fingerprint sensors' Serial Peripheral Interface were inadequately protected, allowing for a man-in-the-middle attack to hijack fingerprint images.
The idea of BrutePrint is to perform an unlimited number of fingerprint image submissions to the target device until the user-defined fingerprint is matched.
The attacker needs physical access to the target device to launch a BrutePrint attack, access to a fingerprint database that can be acquired from academic datasets or biometric data leaks, and the necessary equipment, costing around $15. Contrary to how password cracking works, fingerprint matches use a reference threshold instead of a specific value, so attackers may manipulate the False Acceptance Rate to increase the acceptance threshold and create matches more easily.
The tested Android devices allow infinite fingerprint tryouts, so brute-forcing the user's fingerprint and unlocking the device is practically possible given enough time.
Although the researchers found that iPhone SE and iPhone 7 are vulnerable to CAMF, they could only increase the fingerprint tryout count to 15, which isn't enough to brute-force the owner's fingerprint.
Regarding the SPI MITM attack that involves hijacking the user's fingerprint image, all tested Android devices are vulnerable to it, while iPhones are again resistant.
News URL
Related news
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)
- Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices (source)
- Google fixes Android zero-days exploited in attacks, 60 other flaws (source)
- iOS devices face twice the phishing attacks of Android (source)
- Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users (source)
- New Android malware steals your credit cards for NFC relay attacks (source)
- SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks (source)