Android Phones Vulnerable to Fingerprint Brute-Force Attacks

Researchers from Tencent Labs and Zhejiang University have unveiled BrutePrint, a new attack that exploits vulnerabilities in the fingerprint authentication of modern smartphones to bypass user authentication and gain control of the devices. The attack brute-forces fingerprints, submitting an unlimited number of attempts until a match is found. By exploiting two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), the researchers were able to overcome existing safeguards and manipulate the fingerprint authentication process.

The BrutePrint and SPI (Serial Peripheral Interface) man-in-the-middle (MITM) attacks were tested on ten popular smartphone models. The tests revealed vulnerabilities in all Android and HarmonyOS devices tested, which allowed unlimited fingerprint attempts. Although the attack requires physical access to the target device, its potential implications for thieves and law enforcement should not be underestimated. Criminals could unlock stolen devices and extract private data, while the use of such techniques during investigations raises ethical and privacy-rights concerns, particularly in oppressive regimes where individuals’ safety may be compromised.