Android Phones Are Vulnerable to New Type of Hack, iPhones Safe

Using your fingerprint scanner to unlock your Android phone may make you believe that nobody can access it but you—that may not be true. Researchers from Tencent Labs and Zhejiang University recently discovered that under the right circumstances, hackers might be able to unlock it too.

In a paper titled “BRUTEPRINT: Expose Smartphone Fingerprint Authentication to Brute-force Attack,” researchers Yu Chen and Yiling He explain that an exploit they call “BrutePrint” (a combination of “Brute Force Attack” and “Fingerprinting”) can be used to submit an unlimited number of fingerprints to the scanner until one matches that of the person the phone was stolen from.

Of course, the hackers would need the right tools to unlock your phone. To perform a bruteprint attack, thieves would need the right equipment and access to a fingerprint database that contains your fingerprints. The bad news is that, according to Bleeping Computer, the necessary equipment costs only about $15, and fingerprint databases are available through academic datasets and biometric data leaks.

The paper further reveals that since iPhones limit the number of times users can attempt a fingerprint scan, they are not vulnerable to bruteprint attacks.

It’s worth pointing out that this is a newly discovered exploit, and there’s no indication that bad actors have ever employed this technique to unlock users’ phones. However, the study’s publication means that the information is out there. If your fingerprints are part of academic datasets or were part of a leak, you could be vulnerable to this kind of attack if your phone is lost or stolen. But the likelihood of that actually occurring remains to be seen.

Sources: Bleeping Computer, TechSpot
