It doesn't work on iOS devices:
We tend to believe that if our Android phones are lost or stolen, a fingerprint lock will ensure that the sensitive data they hold stays safe. But Chinese researchers have found a way to break through this protection by using a brute-force attack.
[...] To protect against brute-force attacks, Android phones usually have safeguards such as limiting the number of attempts a user can make, as well as liveness detection. But the researchers bypassed these by using two zero-day vulnerabilities dubbed Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).
As per Bleeping Computer, it was also discovered that biometric data on the fingerprint sensors' Serial Peripheral Interface (SPI) lacked comprehensive protection, thereby allowing a man-in-the-middle (MITM) attack to steal the fingerprints.
The researchers tested the brute-force attack, called BrutePrint, on ten popular smartphone models. They were able to perform an unlimited number of fingerprint login attempts on the Android and HarmonyOS (Huawei) phones. iOS devices fared much better, allowing just ten additional attempts on the iPhone SE and iPhone 7, bringing the total to 15, which isn't enough for a brute-force attack.
[...] The good news is that this isn't the easiest attack to pull off. Not only would someone need physical access to a target phone and some time, but they'd also require access to a fingerprint database from either biometric data leaks or academic datasets. Some hardware is also required, though it only costs around $15. However, the technique could find use with law enforcement and state-sponsored actors.
(Score: 5, Insightful) by Fnord666 on Wednesday May 31 2023, @05:13AM (2 children)
We do? I don’t believe that at all. What about you?
(Score: 3, Insightful) by Mojibake Tengu on Wednesday May 31 2023, @05:26AM
Even a false sense of security is still well marketable.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 2, Insightful) by Anonymous Coward on Wednesday May 31 2023, @11:30AM
If I wanted security I would be using passwords, not my fingerprint.
I leave my fingerprints "everywhere" after all, so if some TLA wanted to break into my phone they should be able to even without this brute forcing trick. Heck my phone might even have my fingerprints on it.
As for thieves they seem to be able to wipe and resell phones - so far few of them seem to care about unlocking the phone.
(Score: 3, Interesting) by VLM on Wednesday May 31 2023, @11:58AM (2 children)
What data is that, specifically?
If everything is on the cloud including the backups and the backups of the 2FA apps etc, and all governments and most corporations have unrestricted total access to everything you store on the cloud, this is all security theater to pretend nobody has access.
AFAIK the average phone has no sensitive data stored on it; it's all REST API calls to online servers. I guess if my phone were broken into, "they" could change my screen brightness, that's about it.
(Score: 3, Touché) by bloodnok on Wednesday May 31 2023, @03:52PM
Apart from the passwords your browser helpfully keeps for you?
__
The Major
(Score: 2) by KritonK on Thursday June 01 2023, @09:30AM
Maybe so, but you don't have such access to your data!
(Score: 3, Interesting) by ShovelOperator1 on Wednesday May 31 2023, @04:52PM
The general approach in the key derivation is to use something like biometrics, hash it some way, and then pass the hash to a KDF. This gives at least two more points for a brute force (as e.g. simulating the reader itself will be another one), and using these points has already been pointed out, probably by McAfee. I don't know why there is still the push to add these vulnerable points, i.e. to add more layers between the secret and the key. Now it's SPI, the bus good for TVs to exchange tuning info between digital remote and digital tuner, or maybe, in industrial-grade form, in some simple automotive gadgets.
Generally, each of these layers can be some kind of funnel which makes the guesswork more narrow.
Embedding these things into more and more complex pieces of the single silicon square makes it even easier with current draw analysis. It is not cheaper unfortunately, as you may need precise timing analysis hardware.
(Score: 2) by KritonK on Thursday June 01 2023, @09:37AM
Brute force has always worked in this case: use brute force to make the user swipe their finger over the fingerprint sensor; or use even more brute force, to detach said finger from its owner, so that you don't have to lug the rest of the user around.