Hackers use fingerprints on a drinking glass to break into smartphones
A Tencent team demonstrated how to break into smartphone fingerprint scanners in just 20 minutes
Are you sure you want to drink that glass of water? Because that glass will have your fingerprints all over it. And that, apparently, is enough to crack your smartphone.
Tencent Security's X-Lab team demonstrated this at a hacking event in Shanghai by inviting members of the audience to touch a glass. Then the team's leader, Chen Yu, took out his phone, snapped a photo of the fingerprints, and ran it through their new app to extract accurate data. That was used to create a physical version of the fingerprints in just 20 minutes.
The result? The "cloned" fingerprints were able to fool three smartphones and two attendance machines equipped with fingerprint scanners.
“For this attack, the hardware cost more than RMB 1000 (US$140) in total, and the software is just one phone and one app," X-Lab’s researcher Chen Yu told media after the event.
Tencent declined to elaborate further on the exact method they used.
X-Lab claimed to be the first to crack an ultrasonic fingerprint sensor, along with two other common types used in smartphones: Capacitance and optical sensors.
But that claim isn't entirely true. The ultrasonic fingerprint sensor in the Samsung Galaxy S10 was actually cracked earlier this month... by a woman in the UK who happened to purchase a £2.70 (US$3.40) screen protector on eBay. The screen protector enabled any fingerprint to unlock the phone, which didn't exactly do wonders for Samsung’s reputation.
The company has since released a patch for the Galaxy S10 and Note 10’s fingerprint reader, but not before both WeChat Pay and Alipay, two of China’s biggest mobile payment platforms, disabled the use of fingerprint recognition on some Samsung handsets.
Developed by Qualcomm, ultrasonic fingerprint sensors were hailed as a more reliable and faster option for in-screen fingerprint sensors. They bounce sonic waves off your fingertip to create a three-dimensional image. Xiaomi has also used them in some handsets.
Last year, Chen’s team uncovered a design flaw affecting older in-display fingerprint sensors that put half a dozen smartphone models at risk, including Huawei’s Mate 20 Pro. The only thing that was needed to carry out the attack was an opaque reflective material. If you're wondering where to get something like that, perhaps you'd recognize it if I said it in more familiar terms: Aluminum foil.
Another security research team under Tencent, Keen Lab, exposed a number of flaws in the advanced driver-assistance system of Tesla this year, tricking a Model S to veer into an opposing lane.
For the latest hack, X-Lab researchers said they've been developing the app for months. They also noted that extracting a fingerprint is even easier from your phone's glass than from a drinking glass.
But X-Lab says you shouldn’t worry too much about it. Chen says all you need to do is remember to wipe your fingerprints regularly whenever you touch anything.