Researchers find way to bruteforce Android fingerprint unlock in record time

The Samsung Galaxy S10+ was the fastest to unlock, taking between 0.73 and 2.9 hours


Researchers have found a way to bypass ten different phones’ fingerprint authentication by brute-forcing.

The bypass, which only works on Android devices, takes as little as 45 minutes and $15 worth of equipment. Dubbed ‘BrutePrint’ by its creators, the attack submits a huge number of fingerprint guesses until it finds one that unlocks the phone, as reported by Ars Technica.

The attack can unlock a phone in minutes by exploiting vulnerabilities in smartphone fingerprint authentication systems. It requires physical access to the target device and a $15 circuit board that connects to the fingerprint sensor. The attacker also needs a database of fingerprints, which can be obtained from research datasets or real-world breaches.

Unlike password or PIN authentication, which requires an exact match, fingerprint authentication uses a reference threshold to determine a match. BrutePrint manipulates this threshold to increase the chances of finding an approximate match.

The researchers who developed BrutePrint tested it on ten smartphone models: Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G, Huawei P40, Apple iPhone SE, and Apple iPhone 7. They found that all eight Android models were vulnerable to BrutePrint, while the two iPhones were not. The iPhones encrypt fingerprint data differently than Android, which prevents BrutePrint from brute-forcing its way through. The iPhones also limit the number of guesses to 15, which reduces BrutePrint's success rate because the attack relies on several guesses.
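
To make the threshold and guess-limit points concrete from a defender's side, the following Python model is an added example, not code from the researchers or from Ars Technica. It places a threshold matcher behind a 15-failure lockout and computes how the chance of a false unlock grows with the number of guesses; the false-accept rate of 1 in 50,000, the similarity scores, and all names are constructed assumptions.

```python
import math

ATTEMPT_CAP = 15             # guess limit the article attributes to the iPhones
ASSUMED_FAR = 1 / 50_000     # constructed false-accept rate per guess (assumption)

class AttemptLimiter:
    """Threshold matcher guarded by a failed-attempt cap (hypothetical model)."""

    def __init__(self, threshold: float, cap: int = ATTEMPT_CAP):
        self.threshold = threshold
        self.cap = cap
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.cap

    def try_unlock(self, similarity: float) -> bool:
        if self.locked:
            return False                  # biometric path closed; PIN required
        if similarity >= self.threshold:  # approximate match, not exact equality
            self.failures = 0
            return True
        self.failures += 1
        return False

def false_unlock_probability(far: float, attempts: int) -> float:
    """P(at least one false accept) = 1 - (1 - far)^attempts, computed stably."""
    return -math.expm1(attempts * math.log1p(-far))

def attempts_for_probability(far: float, target: float) -> int:
    """Smallest number of guesses whose false-unlock probability reaches target."""
    return math.ceil(math.log1p(-target) / math.log1p(-far))

if __name__ == "__main__":
    capped = false_unlock_probability(ASSUMED_FAR, ATTEMPT_CAP)
    print(f"capped at {ATTEMPT_CAP} guesses: {capped:.4%} chance of false unlock")
    needed = attempts_for_probability(ASSUMED_FAR, 0.5)
    print(f"guesses for a 50% chance with no cap: {needed}")
```

Under these assumed numbers, a cap that is actually enforced keeps the false-unlock chance near 0.03%, while an uncapped matcher reaches even odds only after tens of thousands of guesses.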

The researchers also measured how long it took for BrutePrint to unlock each device. The Samsung Galaxy S10+ was the fastest to unlock with BrutePrint, taking between 0.73 and 2.9 hours. The Xiaomi Mi 11 Ultra was the slowest, taking between 2.78 and 13.89 hours.


Source: Ars Technica