Inexpensive tool can be used to easily break into Android phones
Researchers have discovered that two zero-day vulnerabilities present in the fingerprint authentication framework of nearly all smartphones can be exploited to unlock Android handsets.
Android phones can be hacked in as little as 45 minutes
Smartphones allow only a limited number of fingerprint attempts, but BrutePrint can bypass that limit. Fingerprint authentication does not require an exact match between the input and the value stored in the database; it uses a reference threshold to determine a match. A bad actor can take advantage of this by trying different inputs until one of them is an image that closely resembles the one stored in the fingerprint database.
The entire process can take anywhere between 40 minutes and 14 hours, depending on factors such as the fingerprint authentication framework of a particular model and the number of fingerprints saved for authentication.
The Galaxy S10+ took the least amount of time to give in (0.73 to 2.9 hours), whereas the Mi 11 took the longest (2.78 to 13.89 hours).
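To illustrate why the attempt limit matters when matching is threshold-based, here is an added example (not from the article or the researchers) that models a lock with a match threshold and a failure counter, and computes how the chance of a false accept grows with the number of tries and enrolled fingerprints. The 1-in-50,000 false accept rate, the toy similarity score and the sample feature vectors are assumptions constructed for the illustration.

```python
import math

ASSUMED_FAR = 1 / 50_000   # assumed per-comparison false accept rate, not from the article

def similarity(sample, template):
    """Toy score: fraction of feature positions that agree (constructed, not a real matcher)."""
    return sum(a == b for a, b in zip(sample, template)) / len(template)

class FingerprintLock:
    """Threshold matcher with a failed-attempt limit, as the article describes."""
    def __init__(self, templates, threshold=0.8, max_failures=5):
        self.templates, self.threshold = templates, threshold
        self.max_failures, self.failures = max_failures, 0

    def try_unlock(self, sample):
        if self.failures >= self.max_failures:
            return "locked"               # limit reached: no further comparison happens
        best = max(similarity(sample, t) for t in self.templates)
        if best >= self.threshold:        # close enough counts, no exact match required
            self.failures = 0
            return "accepted"
        self.failures += 1                # every rejected input must consume an attempt
        return "rejected"

def false_accept_probability(attempts, enrolled=1, far=ASSUMED_FAR):
    """Chance that at least one of `attempts` wrong inputs is accepted, assuming
    independent comparisons against each of `enrolled` templates."""
    return -math.expm1(attempts * enrolled * math.log1p(-far))

def demo():
    owner = (3, 1, 4, 1, 5, 9, 2, 6, 5, 3)    # constructed feature vector
    lock = FingerprintLock([owner])
    noisy = (3, 1, 4, 1, 5, 9, 2, 6, 0, 0)    # 8 of 10 positions agree with owner
    stranger = (0,) * 10                      # agrees with owner nowhere
    results = [lock.try_unlock(noisy)]
    results += [lock.try_unlock(stranger) for _ in range(6)]
    return results

if __name__ == "__main__":
    print(demo())
    for n in (5, 1_000, 100_000):
        print(n, false_accept_probability(n), false_accept_probability(n, enrolled=5))
```

With the limit enforced, the cumulative false-accept chance stays around one in ten thousand under these assumptions; once the limit no longer holds, it climbs toward certainty, and faster when more fingerprints are enrolled.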
iPhone is safe because iOS encrypts data
Smartphone fingerprint authentication uses a Serial Peripheral Interface (SPI) to connect the sensor and the smartphone chip. Because Android does not encrypt this data, BrutePrint can easily steal images stored in target devices.