Android smartphones can be hacked with the help of a small handkerchief for 1,200 rubles. It is equally powerless to protect both flagships and budget phones, and it does not matter the brand of the smartphone itself. For Russians it is a big threat, because at the beginning of 2023 Android accounted for about 90% of all smartphones sold in the country.
Safety at zero
Android-based smartphones, the popularity of which in Russia is sharp in early 2023, can be hacked in less than an hour, writes ArsTechnica. Moreover, there is no difference how much the mobile costs, and who made it – it is equally easy to penetrate the depths of memory and flagship Xiaomi, and smartphone cheaper than 10 thousand rubles from an unknown Chinese brand. There is also no clear dependence on model year – super-modern flagships and devices six years old are hacked the same way.
The hacking takes place using a new methodology BrutePrint, thanks to which the process takes only within 45 minutes. Biometrics is not able to protect the personal data of the device owner – if the phone is fingerprint-activated, it will be hacked, as the BrutePrint principle is based on bypassing this method of protection.
The fact that BrutePrint does not require spending hundreds of thousands of rubles on special equipment increases the risk of giving away the entire content of a smartphone against one’s will. Of course, they will have to make some investments, but the total cost of the hardware will only be about $15, or around 1200 rubles at the Central Bank exchange rate on May 25, 2023. In addition, the hacking device is literally pocket-sized – it is a tiny printed circuit board, which not only fits into a small pocket, but on the palm of your hand as well.
Classic of the genre
The name of the BrutePrint methodology in this case is telling – it is based on the principles of the classic password search for account access (BruteForce method), only instead of passwords it searches fingerprint scans. For it to be successful (for the cracker, not for the device owner), it is necessary to use a database of such fingerprints, many of which can be found almost freely in Google, given a proper request. This is a consequence of the fact that the fingerprints, as well as regular passwords, regularly leaked to the Web, writes Android Authority.
The essence of the method of hacking is that, unlike the password authentication, which requires an exact match, fingerprint authentication determines the match, taking into account some kind of reference threshold. In other words, a partial match between the fingerprint stored in the device and the one in the database would be sufficient to successfully gain access to the phone’s memory.
The protection will not work
Many modern smartphones will prompt the user to enter a PIN or password after several unsuccessful fingerprint unlock attempts. But a vulnerability has been found in Android that allows such attempts to be made an unlimited number of times, and it is the basis of the BrutePrint technique. All you have to do is connect your smartphone to a special circuit board, which costs about $15, run a fingerprint scan and wait for a while.
But that’s also the disadvantage of this hacking method – a hacker or a representative of a specialized agency will need to gain physical access to the device, which isn’t always possible. BrutePrint does not function remotely.
The brand does not matter
Experts who evaluated the effectiveness of BrutePrint tested the technique on Android smartphones from Xiaomi, Samsung, OnePlus, Huawei, Oppo and Vivo. All these brands are widely known in Russia – most of them were sold in the country until February 24, 2022 in the official retail, many are available in it to this day.
The Xiaomi Mi 11 Ultra, Vivo X60 Pro, OnePlus 7 Pro, Oppo Reno Ace, Samsung Galaxy S10 Plus, OnePlus 5T, Huawei Mate 30 Pro 5G and Huawei P40 mobiles participated in the tests. There are both brand new models, such as the Mi 11 Ultra 2021 model year, and relatively outdated models, such as the OnePlus 5T, which was released in November 2017.
According to the test results, the flagship Samsung Galaxy S10 Plus was the worst performer – it took from 0.73 to 2.9 hours to crack it. The leader was Xiaomi Mi 11 Ultra – from 2.78 to 13.89 hours.
There’s nothing wrong with the iPhone
For the sake of purity of the experiment, the authors tested the BrutePrint hacking capability of Apple smartphones. Current models did not participate in the tests, because Apple dropped the Touch ID fingerprint scanner in favor of Face ID facial unlocking.
The iPhone SE, which came out in 2016, and its age-matched iPhone 7 were chosen as test subjects. Both passed the test with flying colors and did not surrender their memory contents to the hackers. But in Russia, neither these devices nor Apple smartphones in general have been in demand lately. Because of Apple’s not the friendliest policy towards the Russians, they have stopped buying iPhones – according to statistics from GS Group research division, while Apple used to be in the top three, in the first quarter of 2023 it slipped to fifth place, taking only 11% of the Russian mobile market. During this period the country had imported only 700 thousand iPhones, and all through parallel or “gray” imports – Apple has ceased official shipments back in March 2022
Add to favorites