New research reveals that smartphones protected only by fingerprints may not be as secure as previously thought. The technique that endangers this security is known as BrutePrint, a brute-force access method. The research was carried out by Yu Chen and Yiling He, Chinese researchers working for Tencent and Zhejiang University. According to the study, this technique allows fingerprint authentication to be bypassed on smartphones, especially Android devices.
The worrying thing is that it does not require a copy of the device owner’s fingerprint. The process begins by exploiting the lack of encryption in the communication channel between the fingerprint sensor and the smartphone system. Using a device that intercepts and emulates sensor signals, real fingerprint images, selected and modified by artificial intelligence, are transmitted. In this way, two specific vulnerabilities of this type of security are exploited:
1. Cancel-After-Match-Fail (CAMF): This mechanism allows a series of authentication attempts to be restarted without locking the device.
2. Match-After-Lock (MAL): If the device locks due to multiple failed attempts, the system still accepts fingerprint images, making it easier to collect information about valid fingerprints.
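As an added illustration (not code from the study or from any phone vendor), the simplified Python model below shows why the order of "count the attempt" and "run the matcher" decides whether either flaw exists. The class, the lockout threshold of 5 and the `cancelled` flag are assumptions of this model.

```python
from dataclasses import dataclass

MAX_FAILURES = 5  # assumed lockout threshold for this model


@dataclass
class AttemptLimiter:
    """Toy attempt limiter; hardened=False models the weak ordering."""
    hardened: bool
    failures: int = 0
    matcher_calls: int = 0  # images that actually reached the matcher

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def submit(self, image_matches: bool, cancelled: bool = False) -> str:
        # `cancelled` models an attempt aborted after a failed match but
        # before the failure is written to the counter (assumption).
        if self.hardened:
            if self.locked:
                return "locked"      # MAL fix: nothing is matched while locked
            self.failures += 1       # CAMF fix: charge the attempt up front
            self.matcher_calls += 1
            if image_matches:
                self.failures = 0
                return "unlocked"
            return "rejected"
        # Weak ordering: match first, do the accounting afterwards.
        self.matcher_calls += 1      # MAL: matcher still runs when locked
        if self.locked:
            return "locked"
        if image_matches:
            self.failures = 0
            return "unlocked"
        if cancelled:
            return "cancelled"       # CAMF: the failure is never counted
        self.failures += 1
        return "rejected"


def replay(limiter: AttemptLimiter, attempts: int, cancelled: bool):
    """Feed non-matching images; return (failures, matcher_calls, locked)."""
    for _ in range(attempts):
        limiter.submit(image_matches=False, cancelled=cancelled)
    return limiter.failures, limiter.matcher_calls, limiter.locked
```

In the weak ordering, 100 cancelled attempts leave the counter at zero, and 100 ordinary attempts still reach the matcher 100 times despite the lockout; the hardened ordering stops both at five.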
According to Yu Chen and Yiling He, the time needed to carry out a successful attack varies between 2.9 and 13.9 hours for a device with a single registered fingerprint. On devices with the maximum number of registered fingerprints (usually five), the time is considerably reduced, ranging between 0.66 and 2.78 hours.
It is worth mentioning that they have also tried other methods on Apple devices which, although slower, eventually manage to unlock the device.
Via: Arxiv
Author’s note: I still use the key with numbers until now; I think it is less easy for them to decipher the password because of all the existing figures. We will have to wait and see if the phone creators manage to find a solution.