Fingerprint brute-force attacks threaten Android phones.

Source: BleepingComputer
TL;DR Summary

Researchers have discovered a new attack called 'BrutePrint' that can bypass user authentication on modern smartphones by brute-forcing fingerprints. The attack exploits two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), and can be launched with physical access to the target device and a fingerprint database. The attack was tested against ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices. The attack could allow criminals to unlock stolen devices and extract valuable private data, while its use by law enforcement raises questions about privacy rights and ethics.
