FB pixel

Android biometric safeguards fail to withstand brute-force attack

Android biometric safeguards fail to withstand brute-force attack
 

A team of Chinese scientists has bullied its way past fingerprint authentication protections on smartphones, exposing significant vulnerabilities, reports TechXplore.

The operation, conducted by researchers at Zhejiang University and Tencent Labs, was codenamed “Bruteprint: Expose Smartphone Fingerprint Authentication to Brute-force attack.” The attack exposed a weakness in the phones’ lockout features (Match After Lock, or MAL), gained the team easy access to biometric fingerprint data stored on the devices or acquired through online databases, and circumvented Cancel-After-Match-Fail (CAMF), a feature designed to limit the number of unsuccessful fingerprint matches.

Of ten tested phones, models from Android and Huawei were found to be vulnerable, whereas Apple’s iOS devices were able to withstand the brute-force attack. For vulnerable devices, says a report detailing the attack, “the shortest time to unlock the smartphone without prior knowledge about the victim is estimated at 40 minutes.”

The report says that the more familiar presentation attack, which “impersonates a target victim by presenting artefacts (e.g. silica gel fingers) to the fingerprint sensor,” has “long been identified as a severe threat to the security of fingerprint authentication systems.” Manufacturers rely on tools such as liveness detection and attempt limits to combat presentation attacks. But, with attacks like BrutePrint, there are new risks to consider when assessing fingerprint authentication on smartphones.

Global biometric data marketplaces, such as the recently shut down Genesis market, provide low-barrier access to millions of credentials mined from data breaches. Moreover, the Chinese team discovered “insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors,” which enabled “a hardware approach to man-in-the-middle (MITM) attacks for fingerprint image hijacking.”

This is not the first time that Tencent Labs has taken a jab at smartphone fingerprint scanners. At a conference in 2019, a Tencent team claimed it could easily hack its way into almost any Android or iOS device in 20 minutes, through a presentation attack using a 3D-printed finger based on photographs. The fake finger worked on devices with capacitive, optical and ultrasonic sensors.

Article Topics

 |   |   |   |   | 

Latest Biometrics News

 

Liquid identity verifications surge past 60M as Japan leans into chip-scanning

Liquid has reached the 60 million digital identity verification milestone with its online KYC service, with a surge in verifications…

 

Car dealerships rev up digital ID verification to counter rise in identity fraud

Whether it’s a fake credit history, a phony license or a test driver with a stolen identity who makes tracks…

 

GovTech to deliver $10 trillion in value by 2034, says WEF

At the meeting of the World Economic Forum (WEF) in Davos this week, tech is front and center – and…

 

Davos discusses digital wallets, AI economy

This year’s Davos World Economic Forum (WEF) is bringing not only tense trade talks between the U.S. and Europe but…

 

ASEAN updates guidance on deepfakes

The threat of deepfakes is entering high-level discussions from Southeast Asia to Davos. The Association of Southeast Asian Nations (ASEAN)…

 

Philippines faces 36 million backlog in ID cards

The Philippines are still facing a 36 million backlog in distributing the country’s national ID cards which will need additional…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events