The fingerprint reader has become one of the central pillars that support the security of your smartphone, although some models have been betting on more advanced solutions for some time, such as the Apple iPhone which, as our regular readers already know, uses a 3D facial recognition system that cannot be fooled using photos or videos.
There is no doubt that both security systems have their advantages and disadvantages when used on a smartphone, and that in the end there is no perfect solution, but the truth is that getting past a fingerprint reader is much easier than you think. it seems, and it is not necessary to use advanced or especially expensive technology.
A group of experts has shown that it is possible to overcome the fingerprint reader of different terminals based on Android and iOS, among which are the Galaxy S10 +, the iPhone SE, the OnePlus 7 Pro and the Xiaomi Mi 11 Ultra , using a brute force fingerprinting attack known as “BrutePrint”.
In order to carry out this type of attack , a board has been used that has a cost of only 15 dollars , and that integrates an STMicroelectronics STM32F412 microcontroller, a dual-channel bidirectional analog switch known as RS2117, an SD flash card with 8 GB of storage capacity that contains a huge database of fingerprints , and a board-to-board connector that connects the phone’s motherboard to the flexible printed card of the fingerprint sensor.
This type of attack takes advantage of vulnerabilities that allow unlimited fingerprint identification attempts , and from there it begins to use the database of fingerprints that the plate contains to send them to the smartphone until it is unlocked. I know what you are thinking, how can my fingerprint leak? You may be surprised by the answer, but the truth is that they don’t really need your fingerprint for this attack to work.
The crux of the matter is that the fingerprint authentication system has a margin or reference threshold that is relatively wide, which means that it does not require an exact match at the fingerprint level, but it is enough that the image of this be considered an acceptable approximation. In other words, if a fingerprint similar to ours is found in that database, the attack will be successful and the security of our smartphone will be compromised.
On the other hand, it should also be noted that with “BruteForce” a manipulation is carried out so that the false acceptance rate is higher , which greatly facilitates the margin of success when using those images similar to our real fingerprint. Obviously, in order to carry out these types of attacks, it is not only necessary to have that board, but also to connect it to the smartphone and turn its fingerprint database into a kind of usable “dictionary” , but this is not particularly complicated for People with minimal knowledge.