Fingerprint recognition is a great form of authentication for your smartphone because it's fast, accurate and relatively tough to spoof. Or so we thought.
It turns out the latest generation of optical fingerprint sensors — the kind used for in-display fingerprint reading technology in the OnePlus 6T and Huawei Mate 20 — have a very serious vulnerability, and one that seems glaringly obvious in hindsight.
Chinese researchers at Tencent's Xuanwu Lab discovered earlier this year that they were able to unlock handsets simply by placing a piece of opaque reflective material — i.e., aluminum foil — over the in-screen fingerprint readers.
"This is not a big problem for previous capacitance sensors, but for optical sensors, it's lethal," Xuanwu Lab founder and researcher Yang Yu told Threatpost.
Patches for the flaw have been pushed out to user handsets by at least a few vendors, but it's not clear exactly how many devices are affected because many vendors seem to be keeping quiet about it.
The attack is simple. If you took a highly reflective opaque material, such as aluminum foil, a Mylar bag or a mirror, and pressed that material down on the display glass with force, the optical module could be tricked into reading the reflection of a residual fingerprint left on the glass by the phone's owner.
The researchers found the flaw in February, and reportedly notified phone makers immediately. Huawei was the only vendor specifically mentioned in the report (and the only one that's posted a security advisory following an update designed to patch the issue).
But devices from OnePlus and Vivo — two pieces of the Chinese BBK Electronics conglomerate — are expected to be affected by this flaw, as they use optical technology similar to Huawei's for their in-display sensors. They're likely not the only ones.
"We have tested many cellphones with in-display fingerprint from different vendors, they all had the same problem, even if the modules they were using were from different chip manufacturers," Yu told Threatpost. "This vulnerability is a design fault of in-display fingerprint sensors."
We may never know how many other vendors' phones were affected.
"Vendors differ greatly in the attitude to security issues," Yu told Threatpost. "Some vendors strongly hope us to keep the voice down on this."
Old-school electrical-capacitance-based modules, such as the iPhone's Touch ID or the fingerprint readers in most Android phones, are not affected.
We tried to unlock our OnePlus 6T using a piece of aluminum foil, as well as a clean packaged food wrapper, and came away unsuccessful after several attempts. Perhaps OnePlus has already patched the flaw via its regular software updates; we've reached out to the company for comment.
Fortunately, Yu told Threatpost that because many hardware manufacturers acted swiftly to fix this oversight, there's no reason the flaw should persist in future phones that are expected to implement in-display fingerprint readers, like Samsung's upcoming Galaxy S10.
"Manufacturers have fixed this issue from the root," said Yu, who previously found serious flaws in Windows. "There won’t be vulnerability in later cellphones — in theory."