You may agree with me that fingerprint scanners have grown in popularity among Android smartphone owners. The majority of Android smartphones come equipped with a fingerprint scanner. In most cases, you will find fingerprint scanners in one of three locations on Android smartphones: side-mounted, back-mounted, or under the display. Irrespective of location, they all serve one main purpose, and that is security.
Every human on earth has a different fingerprint. Therefore, there is no denying that fingerprint scanners on smartphones should be one of the most secure ways of keeping private data away from third parties. While this statement is generally true, there are exceptions.
Do fingerprint scanners on smartphones provide optimal security?
The answer depends on how someone tries to unlock the fingerprint-protected phone. If they try to unlock it with a fingerprint that is not registered on the smartphone, then you certainly have the best form of protection. But what if someone tries to unlock it with a hacking tool? Is it really that difficult? Even if it is possible, surely such a tool would cost a fortune, expensive enough that only government security agencies like the FBI could afford it for investigative purposes. In fact, there is now a tool available that can break through Android device fingerprint protection for as little as $15.
A $15 Tool Breaks Smartphone Fingerprint Scanner Protection
New research by Tencent’s Yu Chen and Zhejiang University’s Yiling He has indicated that there are two previously unknown vulnerabilities in most smartphones. These vulnerabilities are located in the fingerprint authentication system, and they are described as zero-day vulnerabilities. Using these vulnerabilities, attackers can execute a BrutePrint attack to unlock almost any smartphone fingerprint scanner.
To accomplish this, they used a $15 circuit board equipped with a microcontroller, analog switch, SD flash card, and board-to-board connector. All the attacker needs is 45 minutes with the victim’s phone and, of course, a database of fingerprints.
Android Smartphone Fingerprint Scanners Were Hacked Within 45 Minutes
The researchers tested eight different Android smartphones and two iPhones. The Android phones were the Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T, Huawei Mate30 Pro 5G and Huawei P40. The iPhones were the iPhone SE and iPhone 7.
Most smartphone fingerprint protections allow only a limited number of attempts, but the BrutePrint attack can bypass this limitation. Fingerprint authenticators do not require an exact match between the input and the stored fingerprint data. Instead, they use a threshold to determine whether the input is close enough to count as a match. This means a malicious system can take advantage of that tolerance and keep submitting inputs until one clears the threshold. All it has to do is bypass the limit placed on fingerprint attempts.
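An added example, not code from the article or the researchers: it models the threshold matching and attempt limit described above, showing how the chance of a false accept grows once the limit no longer holds, and a limiter that charges every attempt (aborted ones included) before the result is known. The false-accept rate, scores, threshold and the `FailClosedLimiter` name are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


def p_any_false_accept(far: float, attempts: int) -> float:
    """Chance that at least one of `attempts` non-matching inputs clears the
    threshold, given a per-attempt false-accept rate `far`."""
    return 1.0 - (1.0 - far) ** attempts


@dataclass
class FailClosedLimiter:
    """Threshold matcher front-end that charges every attempt up front."""
    threshold: float          # minimum similarity score treated as a match
    max_attempts: int = 5     # budget before falling back to PIN/password
    used: int = 0

    def submit(self, score: Optional[float]) -> str:
        """`score` is a similarity in [0, 1]; None models an aborted or
        errored capture, which still consumes one attempt."""
        if self.used >= self.max_attempts:
            return "locked"
        self.used += 1        # charge BEFORE the result is inspected
        if score is not None and score >= self.threshold:
            self.used = 0     # an accepted match resets the budget
            return "accept"
        return "reject"


def run(limiter: FailClosedLimiter, scores: List[Optional[float]]) -> List[str]:
    return [limiter.submit(s) for s in scores]


# Constructed sample values, not measurements from the research.
SAMPLE_FAR = 1 / 50_000
SAMPLE_SCORES = [0.41, None, 0.62, None, 0.55, 0.97]

if __name__ == "__main__":
    print(f"5 attempts:       {p_any_false_accept(SAMPLE_FAR, 5):.6f}")
    print(f"100,000 attempts: {p_any_false_accept(SAMPLE_FAR, 100_000):.4f}")
    print(run(FailClosedLimiter(threshold=0.9), SAMPLE_SCORES))
```

With the limit enforced, the sixth input is refused even though its score would have cleared the threshold.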
How the Researchers Used the $15 Tool to Unlock Fingerprint Scanners on Smartphones
To unlock the smartphones, all the researchers had to do was remove the back cover and attach the $15 circuit board. Once the attack begins, it takes less than an hour to unlock each device. Once the device is unlocked, they can also use it to authorize payments.
The time it took to unlock each phone varied among models. While the Oppo, for example, took about 40 minutes to unlock, the Samsung Galaxy S10+ took about 73 minutes to 2.9 hours. The most difficult Android smartphone to unlock was the Mi 11 Ultra. According to the researchers, it took about 2.78 to 13.89 hours to unlock it.
The iPhone is Quite Safe
The researchers could not achieve their objective when trying to unlock the iPhone. This does not necessarily imply that Android fingerprints are less secure than those of the iPhone. It is mainly because Apple encrypts users' data on the iPhone. With the data encrypted, the BrutePrint attack cannot access the fingerprint database on the iPhone. Apple also uses authenticated biometric methods like FaceID to protect user data. Because of this, this form of attack cannot unlock the iPhone’s fingerprint protection.
How Can Android Smartphone Users Ensure the Security of Their Personal Data?
As a consumer, there is little you can do apart from using passwords and other forms of protection. However, it is up to Android developers to take extra measures to ensure the safety of user data. In view of this, the researchers, Yu Chen and Yiling He, made a few recommendations. They suggested that the development team limit bypass attempts. They also urged Google to implement encryption for all data exchanged between the fingerprint scanner and the chipset.
Editor’s Opinion
You may notice that the researchers used old smartphones for this so-called BrutePrint attack. This is because modern Android smartphones are more secure, with tighter app permissions and app safety data. Judging from the method used by these researchers, it will be very difficult for the BrutePrint attack to penetrate most modern-day Android security.
Security Boulevard has also reassured users of the latest Android smartphones that they need not worry. This is because the BrutePrint attack may not work on Android smartphones that follow Google’s latest standards.
This form of attack requires the phone to be turned on. Also, it cannot work without opening the back of the phone. If the smartphone is on and the back is opened, manufacturers could easily place a sensor that detects that the back of the phone has been opened. When this happens, they can quickly force the device into lockdown mode, which will require an extra password to access the smartphone.
Nevertheless, this attack seems to work on a few old Android smartphones. Hence, it may be possible but is unlikely to pose any form of threat to users.