It Only Takes A $15 Circuit Board To Bypass An Android Smartphone’s Fingerprint Security, According To Researchers


Fingerprint sensors are likely the most common addition to Android smartphones, and while it is convenient that a single placement of a finger or thumb can grant the owner access to the device, there is a security risk involved. Researchers have demonstrated that hijacking fingerprints stored on various devices running Android is possible through an inexpensive $15 circuit board.
iPhones are apparently immune to this exploit, as demonstrated in a new test that involves various Android smartphone models
The $15 circuit board is called BrutePrint by researchers, and it can take as little as 45 minutes to accumulate the stored fingerprints of an Android smartphone. To show that it works, these researchers tested it on 10 smartphones, two of which were the iPhone SE and the iPhone 7, while the remaining were high-end models running Google’s mobile OS and were a few years old.
BrutePrint comprises an STM32F412 microcontroller from STMicroelectronics, a bidirectional, dual-channel analog switch called RS2117, an SD card with 8GB of memory, and a connector that links the smartphone’s motherboard to the circuit board of a fingerprint sensor. BrutePrint exploits a vulnerability in Android smartphones that allows for unlimited fingerprint guesses, with the device getting unlocked as soon as the closest match is found in the database.
Image shows how BrutePrint can connect to an Android smartphone and exploit fingerprint data
However, each Android smartphone is created differently, with Ars Technica reporting that the researchers found that it took anywhere from 40 minutes to 14 hours to unlock a handset. Of all the 10 models tested, the Galaxy S10 Plus took the least amount of time to unlock, ranging between 0.73-2.9 hours, whereas the Xiaomi Mi 11 Ultra took between 2.78-13.89 hours to unlock. The researchers had no success bypassing the security of the two iPhone models tested because iOS encrypts that security data, whereas Android does not, which can cause some concern for consumers.
Fortunately, the researchers believe that this security exploit can be mitigated in the operating system, and they hope that their latest findings will encourage people to take careful measures to encrypt fingerprint data. Furthermore, the researchers state that such a security threat can be addressed if smartphone and fingerprint sensor manufacturers work together in a collective effort. Now all that remains is for future Android smartphones to ship with enhanced security.
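The weakness described above is that fingerprint guesses are effectively unlimited. As an added illustration (not code from the researchers or from Android), the Python model below shows an attempt limiter that charges every attempt before the matcher runs, and compares capped with uncapped guessing; the class and function names, the toy matcher and the 1-in-50,000 false-accept rate are assumptions made for the example.

```python
class AttemptLimiter:
    """Caps fingerprint match attempts; each attempt is charged before matching."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.used = 0  # assumption: a real device keeps this in tamper-resistant storage

    def try_match(self, matcher, sample):
        if self.used >= self.max_attempts:
            return "LOCKED"          # caller must fall back to PIN or password
        self.used += 1               # charge first, so an aborted attempt still counts
        try:
            matched = matcher(sample)
        except Exception:
            return "ERROR"           # faulted attempt stays charged
        if matched:
            self.used = 0            # successful unlock resets the budget
            return "UNLOCKED"
        return "REJECTED"


def simulate(limiter, matcher, guesses):
    """Feed guessed samples to the limiter; return (final outcome, attempts made)."""
    n = 0
    for n, guess in enumerate(guesses, 1):
        outcome = limiter.try_match(matcher, guess)
        if outcome in ("UNLOCKED", "LOCKED"):
            return outcome, n
    return "EXHAUSTED", n


def p_false_accept(far, guesses):
    """Chance that at least one of `guesses` independent tries is falsely accepted."""
    return 1 - (1 - far) ** guesses


if __name__ == "__main__":
    FAR = 1 / 50_000                     # assumed false-accept rate per guess
    toy = lambda s: s == 40              # constructed matcher: only sample 40 "matches"
    print(simulate(AttemptLimiter(5), toy, range(100)))       # capped at 5 guesses
    print(simulate(AttemptLimiter(10**9), toy, range(100)))   # effectively uncapped
    print(p_false_accept(FAR, 5), p_false_accept(FAR, 50_000))
```

With the cap in place the guessing run ends in a lockout long before the matching sample is reached, and the chance of a false accept stays bounded by the attempt budget rather than by how long the guessing can continue.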
Here is how long BrutePrint takes to unlock the fingerprint of various Android smartphones
It is likely that under normal circumstances, bypassing an Android smartphone’s fingerprint security is extremely difficult, but that does not mean manufacturers should outright ignore this exploit, which is possible through an inexpensive piece of circuitry.
Written by Omar Sohail
