BrutePrint

Almost every modern smartphone has a fingerprint scanner. They are easy to find on the back cover, on the right side or under the display. In most cases, they regularly perform their main task, which is to unlock the smartphone only for their owner and no one else. The essence of the technology is very simple and is based on the fact that every person on Earth (according to various sources, the world’s population crossed the threshold of 8 billion in mid-2022) has a unique papillary pattern.

Research on this topic began to be carried out so long ago that they have already gone down in history and everyone forgot about them. I assume that the case was not without the participation of prehistoric fortune-tellers and other palmists, but in the end, the method of identifying a person using fingerprinting turned into practice on September 13, 1902, when law enforcement officers in England managed to identify the identity of a certain Harry Jackson, who was involved in a burglary and leaving his “fingers” on the freshly painted window sill. This method of personal identification, comparable in reliability to genetic analysis, could not pass by modern electronics.

Nowadays, electronic fingerprint scanners are used wherever there is a need to provide access to a limited circle of people to front doors, smartphones, bank cells, cars, to use a fingerprint instead of a signature, to control the movement of persons, at customs, and so on. We are so accustomed to this that we consider modern scanners to be reliable. But is it really so?

BrutePrint

In simple terms, the research of Yu Chen of Tencent and Yiling He of Zhejiang University led to the fact that a penny board was assembled and tested, with which you can hack and unlock the fingerprint scanner of almost any smartphone. The price is surprising, which is only 1200 rubles of the Russian Federation (15 US dollars at the exchange rate). Yes, you heard right, friends, you can lose your billions within one day if you do not see your phone for three hours. How does it work?

The core of the hardware required for BrutePrint is the circuit board, which contains the following (pictured above):

1. microcontroller STM32F412 from STMicroelectronics;
2. a bi-directional two-channel analog switch, known as RS2117;
3. SD flash card with 8 GB of memory;
4. plume

Most interesting is that successful hacking still requires opening the back cover of the smartphone in order to connect the hacker board to the system board of the recipient device. But when the jackpot can be a really impressive amount, such things are insignificant.

This topic has proved so popular among specialists that many people have tried to “hack” either their own or legally obtained another person’s phone. There are quite a few smartphones under the knife of electronic executors, but to understand the essence of the issue, we will take only a few – Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, OPPO Reno Ace, Samsung Galaxy S10+, OnePlus 5T. According to the results, it turned out that the price of a smartphone has practically no effect on the result.

Signature: Fingerprint scanner hacking time is indicated by E(T) and is indicated in hours. So, for example, Galaxy S10 took the least amount of time (from 0.73 to 2.9 hours), and Mi11 took the longest (from 2.78 to 13.89 hours).

I want to reassure the owners of the Apple iPhone, their smartphones were never hacked, but if we talk about any smartphones on Android, then the success of using BrutePrint was at least 71%. Concerned public can see the results report Yu Chen and Yiling He.

How smartphone and operating system manufacturers should respond to the BrutePrint threat

The recommendations of the researchers are understandable, to mitigate the shortcoming of CAMF, they recommended an additional setting to limit the number of attempts to resolve errors and, more importantly, urged fingerprint sensor manufacturers to encrypt the key data. And it’s not just about smartphones, they warned that BrutePrint could be applied to other biometric systems as well. “The unprecedented threat must be addressed through the cooperation of both smartphone manufacturers and fingerprint sensor manufacturers, while problems can also be mitigated in the operating systems themselves. We hope this work will inspire the community to improve the security of the SFA,” they wrote.

In simple terms, the user should press his finger to the scanner more precisely, and not as it is now. And smartphone manufacturers should get the whim out of their heads, achieving user convenience at any cost.

Methods of dealing with BrutePrint

For a simple person, everything is so obvious that the recommendations are extremely simple.

1. Reset your phone to factory settings and never use the fingerprint scanner again.
2. Do not tie bank cards to the phone, but carry them separately.
3. Do not store content compromising the owner and his friends on the phone (pictures from the corporate party do not count).
4. Understand and accept the fact that reliable methods of secure identification do not exist. Always carry your phone with you.

conclusions

Practice has shown that any phone security system can be hacked, alas, this is a fact. If an influential organization or a particularly offended society needs attackers, they will stop at nothing .. But should we be discouraged? It is better to think with your own head and enjoy life. Which is what I wish for everyone.