Such was seen at the GeekPwn conference held in Shanghai recently where the X-Lab security team from a firm named Tencent gave a demonstration of how to bypass fingerprint security.
It started with the leader – Chen Yu – asking people randomly to touch glass with their finger. Once done, those fingerprints were captured using a smartphone and then entered into an internally developed app by the group.
Afterward, they unlocked two event fingerprint scanning machines and three different smartphones using three different scanning technologies – capacitive, optical and ultrasonic – with the help of the earlier captured fingerprints along.
Although their exact method has not been revealed and speculation exists around how the fingerprints were converted to physical models, they have stated that the equipment costs approximately $140 equivalent to £108.
Moreover, the software component exists of only one phone and an app in its entirety. What’s even more astonishing than the low cost is that the entire process took only 20 minutes, a period sufficient for one’s phone to be out of one’s sight with anyone(at least these hackers) being able to take advantage.
However, we still do not know as to how easily can someone else replicates the method used by X-Lab since they haven’t disclosed important process details. Yet, an alarming aspect is that other ways excluding this can also be used and in fact have been used in the past.
Earlier this year in April, a hacker by the handle of darkshark9 successfully cloned a fingerprint for bypassing a Samsung Galaxy S10 in a lowly 13 minutes. If we go in the years before 2019, instances also exist of certain iPhone models also being compromised along with other smartphone manufacturers.
Nonetheless, should you abandon the use of fingerprints in the wake of this? Not so quick. You see, firstly, the chances of someone who knows fingerprint cloning being around us is pretty slim unless you’re in the cybersecurity sector. No layman would have the expertise to conduct such an attack, much less the required equipment.
Secondly, there’s a fine line between convenience and security that needs to be maintained otherwise you risk end up getting stuck with an outdated blackberry (apologies if you’re a fan). We could also attribute this lesson to the classical security triangle which contains the three elements of security, ease of use and functionality.
As one moves towards a particular feature such as security, the other two automatically decrease and vice versa. Thirdly, unless you own a smartphone such as the iPhone X which has entirely replaced fingerprint technology in favor of face recognition, you may not have access to any more secure features either.
On the other hand, Passwords could be susceptible to keyloggers or something as innocent as shoulder surfing as well. Hence, it is recommended that one continue with using fingerprints – just stay away from the guy who wants your phone and also happens to have a 3D printer.