Now there is a new hack that allows hackers to access your phone using a brute-force fingerprint attack.
Using your fingerprint to open your phone or even unlock your computer is convenient. I use it myself. But as I’ve said hundreds (thousands?) of times, “Convenience is the antithesis of security.”
Before we go any further, let me tone down the rhetoric a little. This is not a common attack. The chances of it being used against you are slim, and the attacker needs access to your cell phone. BUT, if you keep sensitive information on your phone, and your phone gets stolen or lost, your probability of a breach skyrockets.
The attack is called "BluePrint" and it bypasses the security measures that are supposed to stop attackers from making further unlock attempts after multiple failed fingerprint attempts.
What has been done is the equivalent of a hardware “Man In The Middle” attack. Using this attack, a bad agent uses a fingerprint database and exploits some zero-day flaws in some routines called “Cancel-After-Match-Fail” (CAMF) and “Match-After-Lock” (MAL). Using this, a hacker can run thousands, or millions, of fingerprint encodings past your phone at the speed of computers.
The hack requires the bad agent to be in possession of your phone (which could happen if it is stolen or lost), be in possession of a fingerprint database (which they can get easily on the dark web), and have a specialized microcontroller board with an auto-clicker (that you can put together for about $15 if you know what you are doing).
Researchers tested the hack against 10 different phones including Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and Vivo. They were able to achieve infinite attempts at unlocking the phone on Android and Harmony OS-equipped phones and were able to get 10 additional attempts at unlocking iOS phones.
The issues that make this hack possible have been acknowledged by Apple, Google, AMD, Intel, Nvidia, and Qualcomm. We can only hope that future updates to the OS correct some of these issues, although to be completely honest, manufacturers sometimes de-prioritize fixes if they believe that the probability is too low to bother with. In other words, yes, your phone manufacturer frequently releases operating systems with known flaws and exploits in them because they are willing to let a few people get hacked rather than spend the money to close the vulnerability.
Is this something you should worry about? Not really. Is this something of which you should be aware? Absolutely. Knowledge is power. If you know what CAN be done, you know what precautions to take if your phone is lost or stolen. Assuming that no one can get into your phone because it is locked is not a good strategy.
If your phone is ever lost or stolen, and you can't locate it using whatever tools you have available (find-my-phone or other tools), you should take these immediate steps: