This is how BrutePrint works, the attack that brute-forces a mobile phone's fingerprint lock

Fingerprint recognition is believed to be a fairly secure authentication method, and we trust it because the chance of a false match is one in millions. The fingerprint locking system of many phones rests precisely on this probability. Even so, cybercriminals try to get around this barrier, mainly by physically imitating the finger of the phone's owner, whether with a silicone pad or a conductive-ink print. But a study has uncovered another option: BrutePrint.

Led by Chinese scientists and published on arXiv, the analysis describes how to break into almost any fingerprint-protected Android smartphone. The method is based on a sensor weakness: none of the models tested in the study encrypted the communication channel between the sensor and the system. Thus, using a device connected to the phone, it is possible to intercept the messages coming from the fingerprint sensor and to send one's own messages that emulate the fingerprint sensor.

This is the first part. The second requires artificial intelligence in order to carry out a brute-force attack. According to the authors, Yu Chen and Yiling He, an AI creates a "fingerprint dictionary" that is used to bombard the sensor until the smartphone is unlocked. The study does not reveal how they built the fingerprint database; it limits itself to general speculation on how attackers could obtain one (research collections, leaked data, a proprietary database).

The results showed that it is possible to unlock any of the tested Android smartphones without exception. According to the study, it took a maximum of 14 hours (and a minimum of 3) to unlock the phone if it had only one fingerprint enrolled. If it had the maximum possible (5 in most cases), the time dropped to less than an hour.

The good news for iPhone users is that the Touch ID system used in iPhones turned out to be more resistant to BrutePrint. According to the study, the main advantage of the iPhone is that the communication between the fingerprint sensor and the rest of the system is encrypted. Therefore, there is no way to intercept the channel or to feed the system a prepared fingerprint on a Touch ID-equipped device.
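To make concrete why a protected sensor-to-system channel matters, here is an added simulation (not code from the study, from Apple or from any phone vendor) of a toy sensor link: each frame carries a counter and an HMAC under a key shared only by the sensor and the host, so a frame injected by a device on the bus that holds no key, or a replayed copy of a genuine frame, is rejected before it ever reaches the matcher, whereas the unauthenticated variant accepts both. Class and function names, the frame layout and the sample templates are assumptions made for the example.

```python
import hmac
import hashlib
import os

# Constructed sample values standing in for raw captures travelling on the sensor bus.
GENUINE_TEMPLATE = b"genuine-finger-1"
FORGED_TEMPLATE = b"dictionary-img-7"
TAG_LEN = 32  # HMAC-SHA256 tag appended to every authenticated frame

class Sensor:
    """Sensor side: plain frames when key is None, otherwise counter + HMAC per frame."""
    def __init__(self, key=None):
        self.key, self.counter = key, 0

    def capture(self, template: bytes) -> bytes:
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + template
        if self.key is None:
            return body  # what the tested Android models do: nothing protects the frame
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class Host:
    """SoC side: hands a frame to the matcher only if the channel checks hold."""
    def __init__(self, key=None):
        self.key, self.last_counter = key, 0

    def accept(self, frame: bytes) -> bool:
        if self.key is None:
            return True  # unauthenticated bus: whatever arrives is trusted
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return False  # forged or tampered frame
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False  # replay of a frame recorded earlier on the bus
        self.last_counter = counter
        return True

def injected_frame(template: bytes) -> bytes:
    """Frame written onto the bus by a device that holds no key (zero tag)."""
    return (0xFFFFFFFF).to_bytes(4, "big") + template + bytes(TAG_LEN)

def run(authenticated: bool) -> dict:
    key = os.urandom(32) if authenticated else None
    sensor, host = Sensor(key), Host(key)
    real = sensor.capture(GENUINE_TEMPLATE)
    return {"genuine": host.accept(real), "injected": host.accept(injected_frame(FORGED_TEMPLATE)),
            "replayed": host.accept(real)}
```

`run(False)` models the unencrypted channel in the study (every frame accepted); `run(True)` models an authenticated channel, where only the genuine first frame gets through.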