Your fingerprint is probably one of the safest methods to unlock your phone without inputting a password. It's quick, as you only need to touch the device, and no one can really access it unless their fingerprint is also enrolled. Fingerprint scanners have been commonplace in our smartphones for several years, and besides a few hardware makers occasionally trying out other biometric methods, they're by far the most used. But, of course, they're not completely bulletproof. A hacker who really wants to get into your phone can now just brute-force the fingerprint scanner, just as if it were a password. All they need is $15 of equipment and a little bit of elbow grease.

Through an attack called BrutePrint (via Ars Technica), a hacker can literally brute-force their way through your smartphone's fingerprint authentication process. The attacker would need to gain physical access to the device while it's left unattended by the owner, and then hook up a small circuit board to the motherboard of the device to be attacked. Then, using that equipment and a database of fingerprints, the hacker would submit one fingerprint after another until one is accepted by the phone, which will then be unlocked. Android has restrictions in place to curb this by giving you a time-out after a few failed attempts, but the attack also takes advantage of a number of vulnerabilities to bypass this restriction.

How effective is the attack? As it turns out, it is very effective. The attack was tested on a number of smartphones, and they were all brute-forced successfully. The phone that took the least amount of time was the Samsung Galaxy S10+, which can take 0.73 to 2.9 hours to unlock using this method. On the other hand, the Xiaomi Mi 11 Ultra can take up to 14 hours to unlock. Really, though, they eventually all give out.

Now, before you go and disable fingerprints on your phone, you should also know that it's actually extremely unlikely for you to be attacked this way. An attacker needs physical access to your phone for long enough to hook up a circuit board to the motherboard and attempt to brute-force it for hours. So it's likely that you're in the clear. Still, there's no denying this is really cool, but also a little worrying.