Chinese researchers have discovered a way to hack Android phones by brute-pressing the fingerprint scanner. In addition, an infinite number of attempts were possible by exploiting certain vulnerabilities.

Attackers must have physical access to the device for a long time to carry out the attack, The researchers report in their paper on Arxiv. It also requires dedicated hardware to insert the fake fingerprint into the scanner. Researchers estimate that these devices cost a total of about $15.

All Android devices examined were vulnerable to the attack. In all cases, these are the Android phones from a few years ago. Since the vulnerabilities may be fixable through updates, it is likely that this exploit will not work. The researchers say nothing about it. On iPhones, the attack allows researchers to increase the number of attempts from five to fifteen, but the exploit isn’t really possible.

Most phones are vulnerable to Cancel-After-Match-Fail, a vulnerability in which the device generates a checksum error, so that the phone checks if the fingerprint is correct, but does not report the error. This allows unlimited attempts.

For some phones, the researchers combined this with Match-After-Lock, a method of still being able to make attempts if the phone is temporarily locked due to too many wrong attempts. Then the researchers can enter the correct fingerprint of the phone when the lockout period is over.

The impact of the vulnerabilities is limited, as it requires long access to the device. This makes remote exploitation impossible. In addition, it is not clear if the smartphones have already been patched. The researchers are from Zhejiang University in China and tech giant Tencent’s Xuanwu Lab. They call the exploit Bruteprint.