"Android Phones Are Vulnerable to Fingerprint Brute-Force Attacks"

A team of researchers from Tencent Labs and Zhejiang University has presented a new attack dubbed 'BrutePrint,' which brute-forces fingerprints on modern smartphones to circumvent user authentication and seize control of the device. A brute-force attack consists of numerous trial-and-error attempts to crack a code, key, or password in order to gain unauthorized access to accounts, systems, or networks. Using what they describe as two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), the researchers bypassed the protections smartphones rely on against brute-force attacks, namely attempt limits and liveness detection. The authors of the technical paper also found that biometric data on the Serial Peripheral Interface (SPI) of fingerprint sensors was inadequately protected, allowing a man-in-the-middle (MITM) attack to steal fingerprint images. Ten popular smartphone models were used to test the BrutePrint and SPI MITM attacks; the researchers obtained unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices. This article continues to discuss the new BrutePrint attack.

Bleeping Computer reports "Android Phones Are Vulnerable to Fingerprint Brute-Force Attacks"
