Jun 3, 2023
Like brute force but with fingerprints
Fingerprint authentication on smartphones isn't as foolproof as we thought. The smartphone industry may have implemented liveness detection and attempt limits to tackle some threats, but there’s a new attack that takes it to a whole new level.
Researchers dug deep into the impossible: a fingerprint brute-force attack on regular smartphones. They even came up with a fancy name for it: BrutePrint. This attack acts as a middleman, bypassing attempt limits and hijacking fingerprint images.
Here's the deal: they found two zero-day vulnerabilities in the smartphone fingerprint authentication framework. And they used the simplicity of the SPI protocol to hijack those precious fingerprint images.
They put their attack to the test on 10 different smartphones from the top vendors. And guess what? Almost all of them were vulnerable in some way. But here's the twist: the iPhone stood strong and resisted their attempts. It took them a whopping 40 minutes to unlock it without any prior knowledge about the victim. Not bad, Apple, not bad.
Now, before you start freaking out, there's hope. This isn’t a common attack method and the researchers suggest some software and hardware mitigation measures to strengthen your defenses. Biometric authentication is convenient, but it's not invincible. So keep your software up to date and install patches when they’re available.