According to a research paper from cybersecurity researchers at Tencent Labs and Zhejiang University, it is possible to "brute-force" fingerprints on Android smartphones: with physical access to the smartphone and enough time, a hacker would be able to unlock the device.
According to the report, two zero-day vulnerabilities known as Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) exist in Android devices (as well as those powered by Apple's iOS and Huawei's HarmonyOS).
The researchers were able to accomplish two things by exploiting these flaws: make Android allow an infinite number of fingerprint scanning attempts, and draw on fingerprint databases obtained from academic datasets, biometric data dumps, and other comparable sources.
The attackers needed a few things to pull off the attacks: physical access to an Android-powered smartphone, enough time, and $15 in hardware.
The attack was dubbed "BrutePrint" by the researchers, who claim that it would take between 2.9 and 13.9 hours to break into an endpoint with only one fingerprint set up. They claimed that devices with numerous fingerprint recordings are substantially easier to break into, with the average time for "brute printing" ranging from 0.66 hours to 2.78 hours.
The experiment was carried out on ten "popular smartphone models" as well as two iOS devices. It's currently unknown which models were affected; however, the researchers claimed to have achieved infinite tries on Android and HarmonyOS devices.
However, they only managed to gain an extra 10 attempts on iPhone SE and iPhone 7 models, which was insufficient to successfully carry out the attack. As a result, while iOS may be exposed to these weaknesses, the present approach of breaking into the device by brute force will not work.
While this form of attack may not be appealing to the average hacker, the researchers believe it may be utilized by state-sponsored actors and law enforcement organizations.