With modernization and technological advancement, humanity’s personal data has become available in digital media. As a result, the increase in cases of hackers stealing information and leaking it to the public has become a concern for companies that produce cell phones, for example.
One strategy used to restrict physical access to these devices was to use fingerprint user authentication. This is already present in almost all smartphones and is widely used.
But can we completely trust this type of security? Is it really impossible to bypass this system? That is what Chinese researchers wanted to answer.
Researchers bypass Android biometric authentication
Android users won’t be happy to learn that their device’s security could be at risk. Even with the confidence that these devices’ security methods bring, it’s still necessary to be careful, as a new discovery could completely change our outlook.
Researchers from Zhejiang University in China, together with Tencent Labs, which belongs to the world’s largest game producer, have discovered a new type of brute force attack on Android smartphones.
The attack, known as “BrutePrint”, is capable of bypassing user permissions granted by providing biometrics and invading device systems, causing enormous damage to consumers.
How was the discovery made?
Researchers have found flaws in two Android protection systems: CAMF (“Cancel-After-Match-Failure”) and EVIL (“Match-After-Lock”). They discovered that our fingerprint data is stored in a “serial peripheral interface” (SPI).
SPI exchanges information between devices to provide biometric information and authenticate user input. However, this exposes the device to a type of attack called “Man-in-the-Middle” (MITM), which is basically the interception by an external agent of data exchanged between devices.
Our cell phones have a “false acceptance rate” (FAR) that allows a fingerprint to match even with a small flaw. All thieves need to do is change this rate, increasing the acceptance rate and making it easier for a print to match.
This can only happen if hackers have physical access to the phone. In addition, a biometric database is required, which is not too difficult to find, and a device that costs between $15 and $75.
What about iOS?
Well, these are also susceptible to these errors, however, according to the study’s analysts, iOS devices were able to resist the attack a little more. But in any case, it is still possible to hack these devices using BrutePrint.
This attack is even capable of changing the phone’s settings to accept as many attempts as thieves want, without permanently blocking it.