Researchers find that Android phones are prone to new fingerprint attack

The in-display fingerprint sensor of the Google Pixel 7a
(Image credit: Nicholas Sutrich / Android Central)

What you need to know

  • Chinese researchers have found that Android phones are vulnerable to new attacks.
  • Dubbed BrutePrint, it can unlock any Android phone that uses a fingerprint sensor for authentication.
  • It is done by brute forcing fingerprint images obtained by attackers to gain access to devices.

New research findings suggest Android phones are susceptible to fingerprint attacks (via BleepingComputer).

Dubbed BrutePrint, these attacks seem to bypass user authentication and take control of your Android device, per researchers from Tencent Labs and Zhejiang University.

Fingerprint authentication on Android phones generally comes with safeguards, which are associated with users' attempt limits as well as liveness detection, to protect against brute force attacks. The Chinese researchers, however, overcame these safeguards with two zero-day vulnerabilities dubbed Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

BrutePrint attack diagram

(Image credit: BleepingComputer)

Further, the researchers have found that "biometric data on the fingerprint sensors' Serial Peripheral Interface (SPI) were inadequately protected, allowing for a man-in-the-middle (MITM) attack to hijack fingerprint images," the BleepingComputer report states.

These BrutePrint and SPI MITM attacks, which utilize the user's fingerprint image, were carried out on nearly ten prominent smartphones running on Android, including the Xiaomi Mi 11 Ultra, OnePlus 7 Pro, Huawei devices running on HarmonyOS (Huawei P40), and some iOS devices.

"The tested Android devices allow infinite fingerprint tryouts, so brute-forcing the user's fingerprint and unlocking the device is practically possible given enough time."

Researchers suggest the attacker would need physical access to the phone as well as fingerprint databases, seemingly available from academic datasets or biometric data leaks from the past, notes the report. Moreover, the necessary equipment is said to be available for just $15.

It was found to take between 2.9 hours to 13.9 hours to complete a BrutePrint attack if the device owner has registered one fingerprint for authentication. This would take significantly less time with more fingerprints registered to the device.

That said, the threat from a BrutePrint attack is not an immediate cause for major concern, as the attacker still needs physical access to the device. That said, it could still be dangerous when it comes to stolen devices, as BrutePrint can then be used to bypass device authentication.

The BleepingComputer further implies that it could raise privacy-related questions regarding investigations conducted by law enforcement, saying they could potentially use the aforementioned techniques to unlock any phone with a fingerprint sensor for authentication.

Vishnu Sarangapurkar
News Writer

Vishnu works as a freelance News Writer for Android Central. For the past four years, he's been writing about consumer technology, primarily involving smartphones, laptops, and every other gizmo connected to the Internet. When he is away from keyboard, you can see him going on a long drive or chilling on a couch binge-watching some crime series.

  • InTheRough
    My Pixel 7 is safe from this. I haven't got the fingerprint reader to work since I got it 6 months ago.
  • fuzzylumpkin
    I don't think "prone" is the right word...

    This doesn't affect Samsung or Google phones anyway.
  • rvbfan
    Click bait articles are click bait.