Your phone's fingerprint reader is not that secure, and this new attack can get past it

A brute force attack basically consists of trying many combinations until the right one is found and access is gained. It is what an attacker can do to break a numeric code, for example. These are trial-and-error attempts to gain unauthorized access to a protected account, device, network, or any other platform.

Brute force against fingerprints

A group of security researchers from Tencent Labs and Zhejiang University has devised an attack method, named BrutePrint, that uses brute force against fingerprints on mobile phones. They wanted to demonstrate how this authentication method could be bypassed to access and take control of the device.

To achieve this, the researchers exploited two zero-day vulnerabilities, which allowed them to submit as many attempts as they wanted. They also discovered that the biometric data from the fingerprint sensors was not properly protected, which allowed a man-in-the-middle (MITM) attack to hijack fingerprint images and use them.

They tested these two attacks, BrutePrint and the one known as SPI MITM, on a total of 10 popular Android mobile phone models. They achieved unlimited attempts on all of these devices. In the case of iOS, they indicate that they managed to make 10 attempts at breaking the fingerprint.

But how exactly does the BrutePrint attack work? It submits an unlimited number of fingerprint images until one is accepted. It is the same as what would happen with a traditional password, but with fingerprints. The good news is that the attacker needs physical access to the device. In addition, the attack requires a fingerprint database.

A point to note is that fingerprint matching has an error threshold. A normal password has to be entered exactly in order to log in. A fingerprint, by contrast, is accepted within a margin of error.

As for the SPI MITM attack, the Android devices were also vulnerable, while iOS resisted it. This is because iPhones encrypt fingerprint data on SPI.

It only takes a few hours

The same report indicates that it only takes a few hours to break a fingerprint using BrutePrint. Specifically, against vulnerable devices it takes between 2.9 and 13.9 hours. Naturally, the user must have registered a fingerprint on the phone; otherwise the attack could not gain access.

But be careful if you have registered several fingerprints on the phone rather than just one. In that case, as the researchers indicate, the brute force time is reduced even further, to less than an hour. With more enrolled fingerprints there are more chances of a match, so the time drops considerably.
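A small model of the two points above, the matcher's error threshold and the effect of several enrolled fingerprints, added here as an illustration and not taken from the researchers' report. The false-acceptance rate and the time per attempt are assumed values, and each enrolled template is assumed to be matched independently.

```python
"""Added illustration: why an enforced attempt limit bounds fingerprint guessing.
FAR and SECONDS_PER_ATTEMPT are assumed values, not figures from the report."""

FAR = 1 / 50_000            # assumed false-acceptance rate per image, per template
SECONDS_PER_ATTEMPT = 1.0   # assumed time needed to submit one image


def per_attempt_success(far: float, enrolled: int) -> float:
    """Chance one image is accepted when it may match any of `enrolled` templates
    (templates assumed independent)."""
    return 1.0 - (1.0 - far) ** enrolled


def expected_hours(far: float, enrolled: int, seconds: float) -> float:
    """Mean time to the first false accept when attempts are unlimited.
    The number of tries is geometric, so its mean is 1 / p."""
    return seconds / per_attempt_success(far, enrolled) / 3600.0


def success_within_limit(far: float, enrolled: int, limit: int) -> float:
    """Probability of at least one false accept before lockout after `limit` tries."""
    return 1.0 - (1.0 - per_attempt_success(far, enrolled)) ** limit


def report(limits=(5, 10)):
    """Return (enrolled, unlimited-attempt hours, [capped success probabilities])."""
    rows = []
    for enrolled in (1, 2, 5):
        hours = expected_hours(FAR, enrolled, SECONDS_PER_ATTEMPT)
        capped = [success_within_limit(FAR, enrolled, k) for k in limits]
        rows.append((enrolled, hours, capped))
    return rows


if __name__ == "__main__":
    for enrolled, hours, capped in report():
        odds = ", ".join(f"{p:.4%}" for p in capped)
        print(f"{enrolled} enrolled: ~{hours:.1f} h unlimited; limits 5/10: {odds}")
```

Under these assumptions the unlimited-attempt time falls roughly in proportion to the number of enrolled fingerprints, while an enforced attempt limit keeps the chance of a false accept very small in every case.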

In short, mobile phones can be vulnerable to brute force attacks against fingerprints. You should always take steps to keep the phone from being compromised. It is important to keep devices updated, since vulnerabilities of this type can appear at any time. It is also key to use a good antivirus to detect any malware.