Inexpensive tool can be used to easily break into Android phones

Fake fingerprints can be used to unlock some Android phones, according to Tencent's Yu Chen and Zhejiang University's Yiling He (via Ars Technica).

The researchers have discovered that two zero-day vulnerabilities which are present in the fingerprint authentication framework of nearly all smartphones can be exploited to unlock Android handsets.

The attack has been named BrutePrint. It requires a $15 circuit board with a microcontroller, analog switch, SD flash card, and board-to-board connector. The attacker also needs physical possession of the victim's smartphone for at least 45 minutes, as well as a database of fingerprints.

Android phones can be hacked in as little as 45 minutes


The researchers tested eight Android phones - Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G and Huawei P40 - and two iPhones - iPhone SE and iPhone 7.

Smartphones allow only a limited number of fingerprint attempts, but BrutePrint can bypass that limit. The fingerprint authentication process does not require the submitted image to match the stored template exactly; it uses a reference threshold and accepts any input whose similarity crosses it. A bad actor can take advantage of this by trying different inputs until one closely enough resembles the image stored in the fingerprint database.
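To make the two points above concrete, threshold-based matching and the attempt limit it depends on, here is an added toy model written for this page; it is not code from the researchers or the article, and the feature vectors, threshold and attempt limit are constructed values rather than any phone's real parameters.

```python
import hashlib


def template_from_seed(seed: str, dims: int = 16) -> list[float]:
    """Derive a deterministic stand-in feature vector from a label (constructed data, not a real template)."""
    digest = hashlib.sha256(seed.encode()).digest()
    return [b / 255.0 for b in digest[:dims]]


def similarity(a: list[float], b: list[float]) -> float:
    """1.0 means identical; accepting anything above a threshold below 1.0 is what lets near-matches through."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


class FingerprintMatcher:
    def __init__(self, enrolled, threshold=0.9, max_attempts=5):
        self.enrolled = enrolled
        self.threshold = threshold
        self.max_attempts = max_attempts  # None models a limit that has been bypassed
        self.attempts = 0
        self.locked = False

    def verify(self, probe) -> bool:
        if self.locked:
            return False
        # Count the attempt before matching, so an aborted or errored match still consumes budget.
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            self.locked = True
            return False
        return any(similarity(probe, t) >= self.threshold for t in self.enrolled)


def dictionary_trial(matcher, candidates):
    """Submit candidates until one is accepted or the matcher locks; returns (accepted, attempts_used)."""
    for probe in candidates:
        if matcher.verify(probe):
            return True, matcher.attempts
        if matcher.locked:
            return False, matcher.attempts
    return False, matcher.attempts


def build_scenario():
    owner = template_from_seed("owner")
    near_copy = [min(1.0, v + 0.05) for v in owner]  # similarity about 0.95, above the threshold
    candidates = [template_from_seed(f"stranger-{i}") for i in range(12)] + [near_copy]
    return owner, candidates


def run(limit):
    owner, candidates = build_scenario()
    return dictionary_trial(FingerprintMatcher([owner], max_attempts=limit), candidates)
```

With the limit enforced, `run(5)` locks after the sixth submission; with it bypassed, `run(None)` accepts the near copy on the 13th attempt, which is the whole reason the limit matters.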

The attacker will need to remove the back cover of the phone to attach the $15 circuit board and carry out the attack. The researchers were able to unlock all eight Android phones using the method. Once a phone is unlocked, it can also be used to authorize payments.

The entire process can take anywhere between 40 minutes and 14 hours, depending on factors such as the fingerprint authentication framework of a particular model and the number of fingerprints saved for authentication.

The Galaxy S10+ took the least amount of time to give in (0.73 to 2.9 hours), whereas the Mi 11 took the longest (2.78 to 13.89 hours).

iPhone is safe because iOS encrypts data

Smartphone fingerprint authentication uses a serial peripheral interface to connect the sensor to the smartphone chip. Since Android does not encrypt the data on that interface, BrutePrint can easily capture the fingerprint images stored on target devices.

Security Boulevard says that owners of new Android phones need not worry as the attack will likely not work on phones that follow Google's latest standards.

Yu Chen and Yiling He have recommended several changes to foil these attacks such as addressing attempt-limiting bypasses and encrypting data sent between the fingerprint reader and the chipset.
