
Hackers Can Break Fingerprint Unlocking on Phones Within Hours

 


A recent report from cybersecurity researchers at Tencent Labs and Zhejiang University reveals a potential method to “brute-force” fingerprints on Android devices. If a hacker has physical access to the smartphone and sufficient time, they may be able to unlock the device.

CAMF and MAL

The report highlights the presence of two zero-day vulnerabilities named Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), which affect not only Android devices but also those running Apple’s iOS and Huawei’s HarmonyOS.

By exploiting these vulnerabilities, the researchers achieved two things. First, they bypassed the limit on the number of fingerprint scanning attempts allowed by Android, enabling an unlimited number of tries. Second, they used databases sourced from academic datasets, biometric data leaks, and similar sources to enhance their attack methodology.

How it Works

To carry out these attacks, an attacker needs a few key elements: physical possession of an Android smartphone, a sufficient amount of time, and hardware costing approximately $15.

The researchers named the attack “BrutePrint” and asserted that, for devices with a single fingerprint enrolled, it would take approximately 2.9 to 13.9 hours to breach the device’s security. Devices with multiple fingerprint records were found to be notably easier to compromise, with an average time for successful “brute-printing” ranging from 0.66 to 2.78 hours.

The researchers conducted their experiment on ten “popular smartphone models,” including a few iOS devices. Although the specific vulnerable models were not disclosed, the researchers reported that they were able to bypass the attempt limit and perform unlimited tries on Android and HarmonyOS devices.

iOS is Safer

However, for iOS devices, they were only able to gain an additional ten attempts on iPhone SE and iPhone 7 models, which proved insufficient to successfully carry out the attack. Consequently, while iOS may have potential vulnerabilities related to these flaws, the current method of brute-force entry is inadequate.

The researchers concluded that while this form of attack may not be appealing to typical hackers, it could be of interest to state-sponsored actors and law enforcement agencies.
