
Unlocked: How Fingerprints Fail to Protect Android Devices


BrutePrint Unveiled: A New Wave of Cyber Threats 

Researchers from Tencent Labs and Zhejiang University have disclosed a new attack, ‘BrutePrint’. It is specifically designed to defeat smartphone fingerprint protection, seizing control of a device by bypassing the user’s authorisation.

Decoding the Attack Strategy 

BrutePrint hinges on a brute-force method: it keeps submitting fingerprint attempts until one is accepted. What is unique about the team’s approach is how it bypasses the usual smartphone safeguards, namely attempt limits and liveness detection.

Their breakthrough came from exploiting two previously unknown vulnerabilities: Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). These gaps in security allowed them to override traditional protection measures, adding a new dimension to cybersecurity threats.

The Security Gap 

Here’s where it gets even more concerning. The researchers discovered that fingerprint sensor data was poorly shielded, which exposes it to man-in-the-middle (MITM) attacks and makes it easy prey for hijacking attempts. So, while the technology might be advancing, it’s clear there are still areas we need to secure.

Rethinking Breaches 

Attacks on fingerprints differ from conventional password breaches. A password check relies on an exact value, whereas a fingerprint is accepted once the match clears a reference threshold. In simpler terms, hackers can play around with the False Acceptance Rate (FAR) to enhance their success rate. Further tests revealed that BrutePrint could take advantage of the CAMF flaw to manipulate the fingerprint authentication process, enabling unlimited attempts without setting off any alarms.

The Neural Style Transfer  

One of the unique aspects of BrutePrint is its use of ‘neural style transfer.’ This nifty tool effectively modifies all fingerprint images to appear as if the target device’s sensor scanned them. Consequently, it significantly boosts the likelihood of a successful breach. 

In a series of tests, both Android and iOS devices were found to be vulnerable. iOS security appeared more robust, while all tested Android devices allowed unlimited fingerprint attempts. Given enough time, that leaves the door wide open for successful attacks.
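The threshold and attempt-limit reasoning in "Rethinking Breaches" and in the test results above, as an added example that is not from the article or the BrutePrint research: a small Python model of how a match threshold sets the FAR and how an enforced attempt limit bounds the chance of a false accept. The normal impostor-score distribution, the 0-100 score scale, the thresholds and the limit of 5 attempts are all assumptions made for illustration.

```python
import math

# Assumed model (constructed for illustration): similarity scores of
# NON-matching fingerprints follow Normal(IMPOSTOR_MU, IMPOSTOR_SIGMA)
# on a 0-100 scale. Real matchers have their own score distributions.
IMPOSTOR_MU, IMPOSTOR_SIGMA = 30.0, 10.0


def far_at_threshold(threshold: float) -> float:
    """FAR = P(impostor score >= threshold) under the assumed model."""
    z = (threshold - IMPOSTOR_MU) / IMPOSTOR_SIGMA
    return 0.5 * math.erfc(z / math.sqrt(2))


def p_false_accept(far: float, attempts: int) -> float:
    """P(at least one false accept in `attempts` independent tries)."""
    if not 0.0 <= far < 1.0 or attempts < 0:
        raise ValueError("need 0 <= far < 1 and attempts >= 0")
    # 1 - (1 - far)**attempts, kept accurate for very small FAR values
    return -math.expm1(attempts * math.log1p(-far))


def attempts_for(far: float, target: float) -> int:
    """Smallest number of tries whose cumulative probability >= target."""
    if not (0.0 < far < 1.0 and 0.0 < target < 1.0):
        raise ValueError("far and target must be strictly between 0 and 1")
    return math.ceil(math.log1p(-target) / math.log1p(-far))


def risk_report(threshold: float, attempt_limit: int, target: float = 0.5) -> dict:
    """Compare an enforced attempt limit with an unbounded number of tries."""
    far = far_at_threshold(threshold)
    return {
        "far": far,
        "p_within_limit": p_false_accept(far, attempt_limit),
        "tries_for_target": attempts_for(far, target),
    }


if __name__ == "__main__":
    for threshold in (60.0, 70.0):  # assumed thresholds
        r = risk_report(threshold, attempt_limit=5)  # assumed limit of 5
        print(f"threshold={threshold:.0f} FAR={r['far']:.2e} "
              f"P(accept within limit)={r['p_within_limit']:.2e} "
              f"tries for 50%={r['tries_for_target']}")
```

With the limit enforced, the cumulative probability stays close to five times the FAR; once the limit no longer holds, it climbs towards 1 as tries accumulate, which is why the attempt counter is the control that matters here.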

The Balancing Act: Security vs. Privacy Rights 

BrutePrint brings notable risks. Stolen devices, once in the wrong hands, can compromise our privacy.

It could also present law enforcement with tough choices in the pursuit of justice, potentially stirring ethical discussions. It’s essential that we strike the right balance – prioritising safety while upholding privacy. Addressing these issues calls for clear, thoughtful action.

Ahmed Khanji


Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
