Are Fingerprint Scanners on Android Phones Really Safe? New Research Says No

You may agree with me that fingerprint Scanners have grown in popularity amongst most android smartphone owners. Almost every single Android smartphone has a fingerprint scanner. In most cases, you will find fingerprint scanners at three different locations of Android smartphones. We have side-mounted fingerprint scanners, back-mounted and under display fingerprint scanners. Irrespective of its location, they all serve one main purpose, that is security.

Since every human on earth has a different fingerprint, there is no denying that fingerprint scanners on smartphone should be one of the most secured ways of keeping private data away from a third eye. In as much as this statement is a valid one, is that really the case? Do fingerprint scanners on smartphones provide the best form of security?

Well, the answer to this may depend on how you would like to unlock the fingerprint protected phone. If you are trying to unlock with a different fingerprint that is not registered on the smartphone, then you sure have the best form of protection. What if you try to unlock with a hacking tool? That should be quite difficult to do right? Even if it is possible, then, that tool should surely cost a fortune. Expensive enough for government security agencies like the FBI and the rest to be able to afford for investigation purposes.

The fact is that there is a new tool that can break through the fingerprint protection of Android device but does not cost a fortune. It is a$15 tool that does all the magic.

A $15 Tools Breaks Smartphones Fingerprint Scanners Protection

New research by Tencent's Yu Chen and Zhejiang University's Yiling He has indicated that there are two unknown vulnerabilities in almost all smartphones. These vulnerabilities are located in the fingerprint authentication system, and they are termed as zero-day vulnerabilities. By taking advantage of these vulnerabilities, they can launch an attack called BrutePrint attack to unlock almost any smartphone fingerprint scanner.

To achieve this, they used a $15 circuit board with a microcontroller, analog switch, SD flash card, and board-to-board connector. All the attackers need is to spend 45 minutes with the victim's phone and of course, the database of fingerprints.

Android Smartphones Fingerprints Scanners Were Hacked Within 45 Minutes

The researcher tested eight different Android smartphones and two iPhones. The Android phones include xiaomi Mi 11 Ultra, vivo X60 Pro, oneplus 7 Pro, oppo Reno Ace, samsung Galaxy S10+, OnePlus 5T, huawei Mate30 Pro 5g and Huawei P40. The iPhones also include iPhone SE and iPhone 7.

All smartphones fingerprint protections have limited number of attempts, but the BrutePrint attack can bypass this limitation. In actual fact, fingerprint authenticators do not require the exact match between the input and the stored fingerprint data to work. Instead, it uses threshold to determine if the input is close enough to be a match. This means, any malicious system can take advantage and try to match the stored fingerprint data. All they have to do is to be able to bypass the limit placed on the fingerprint attempts.

How the Researchers Used the $15 Tool to Unlock Fingerprint Scanners on Smartphones

To unlock the smartphones, all the researchers had to do was to remove the back cover of the smartphones and attached the $15 circuit board. As soon as the attack begins, it only takes less than an hour to unlock each device. Once, the device is unlocked, they can also use it to authorize payments.

The time it took to unlock each phone varied from one phone to the other. While the Oppo for example took about 40 minutes to unlock, the Samsung Galaxy S10+ took about 73 minutes to 2.9 hours to unlock. The most difficult Android smartphone to unlock was the Mi 11 Ultra. According to the researchers, it took about 2.78 to 13.89 hours to unlock it.

The iPhone is Quite Safe

In trying to unlock the iPhone, the researchers could not achieve their objective. This does not really mean that Android fingerprints are weaker than that of the iPhone. It is mainly because apple encrypts the data of users on the iPhone. With an encrypted data, the BrutePrint attack cannot be able access the fingerprint database on the iPhone. Due to this, there is no way this form of attack can be able to unlock the iPhone's fingerprints.

How Can Android Smartphone Users Ensure the Security of Their Personal Data?

As an end user, there is little you can do apart from using passwords and other forms of protections. However, it is up to the Android developers to take extra measures to ensure safety of user data. In view of this, the researchers, Yu Chen and Yiling made a few recommendations. They suggested that the development team will limit bypass attempts. They also urged google to encrypt all data sent between the fingerprint scanner and the chipset.

Conclusion

You could notice that the researchers used old smartphones for this so-called BrutePrint attack. This is because modern Android smartphones are more secured with tighter app permissions and app safety data. Judging from the method used by these researchers, it will be very difficult for the BrutePrint attack to be able to penetrate the modern-day Android security.

Security Boulevard has also assured users of latest Android smartphones not to worry. This is because the BrutePrint attack may not work on Android smartphones that follow Google's latest standards.

Via: gizchina.com