society is increasingly more aware of privacy and security on their devicesbut there are times when, despite our best efforts, an attacker can gain access to a certain service or our phone.
In fact, it is possible that they access our fingerprint protected mobile through brute force attacks. And, precisely, they discovered that Android phones are more sensitive to successfully receive this type of attack.
Vulnerability is at baseline
A brute force attack it consists of doing an enormous number of trial and error attempts to understand something. Imagine you have a four digit password, this type of attack would automatically try all possible combinations until the correct one is found.
In fact, technology has come a long way and hackers are also taking advantage of it. Previously a brute force attack on a strong password would take around 100 years to find the combination, now it would only take three weeks.
With the fingerprints of our phones, it is not so simple because they have to have the device physically, but researchers from Tencent Labs and Zheijiang University have managed to break the fingerprint lock with its new attack: BrutePrint.
There are two interesting parts to this story. To begin with, you will know that when you enter the fingerprint wrongly several times, you need to enter the PIN code or another unlock method before trying your fingerprint again. It is a security method which, as Chinese researchers have shown, can be easily replaced.
By removing this limit, the software or hardware can be automated to perform consecutive attacks until the “key” is found. In Android it was possible to increase unlimited, so that the PIN code request is not ignored. On iOS, it went from 5 serial attempts to 15. 15 attempts is not enough to successfully complete a brute force attack.
The second thing that is needed is the fingerprint or better said fingerprint data, which can be obtained in academic datasets or by obtaining leaked or stolen files. With this, and the necessary hardware which costs around $15, brute force attacks can be executed.
This hardware consists of a small plate that is connected to a kind of appendage that rests directly on the mobile sensor and that contains the information of the fingerprint database. This is called “automatic clicking” and, in addition to accessing fingerprints and increasing the number of attempts, the researchers manipulated the acceptance threshold.
And it is that, while in an alphanumeric password the values are exact, the fingerprint sensors move in a reference threshold. By manipulating this data, researchers made unsuccessful attempts do not count as an error to speed up the process and try another fingerprint as soon as possible.
How phones see our fingerprint and which phones have been compromised
If you’ve ever wondered how your phone “sees” the fingerprint, in the image that we leave you below you have the answer. The capacitive is the one found on the side or on the Home button of the iPhone SE. Optical and “ultra-thin” are present in most readers under the screen (and, at its core, it is a camera) and ultrasound is only available on some models.
The devices tested were a Xiaomi Mi 11 Ultra, a Vivo X60 Pro and a OnePlus 7 Pro with Android 11; an OPPO Reno Ace with Android 10; a Samsung Galaxy S10+ running Android 9 and a OnePlus 5T running Android 8. There were two Huaweis on the list, the Mate 30 Pro and the Huawei P40, both running HarmonyOS 2, as well as the iPhone SE running iOS 14.5. 1 and iPhone 7. with iOS 14.4.1.
The conclusion is that, sooner or later, Android phones will succumb to the attack while iPhones remain firm thanks to the fact that they encrypt fingerprint data, these types of attacks are therefore not very effective.
And if you’re wondering which phone lasted the least, the answer might surprise you. According to this graph, the Galaxy S10+ lasted between 73 minutes and nearly three hours. The Xiaomi 11 Ultra lasted between almost three and 14 hours. It all depends on the number of registered fingerprints, which was also confirmed by the. Researchers: the more fingerprints registered, the greater the risk.
Through | sleeping computer
In Xataka Android | What is malware, what types exist and what can you do if it infects your mobile
