Fingerprint sensors are rapidly becoming the standard tool for securing mobile devices. Synaptics believes that these sensors typically aren't as safe as users think, however, especially in laptops. To prove its point, the company recently set up a demo in which it quickly gained access to a notebook and a smartphone by means of a tiny $25 device.
The folks over at HotHardware were on the scene for the demo, and report that Synaptics pulled off this hack by compromising the fingeprint sensors on two commercially-available notebooks. The company cobbled together a tiny device out of a microcontroller and a Bluetooth transmitter, and placed it between the fingerprint sensor and host of a pair of notebooks. For one of the notebooks, Synaptics simply placed the device in line with the fingerprint sensor. For the other, Synaptics had to expose pads on the notebook's motherboard and attach the device.
Because the links between the fingerprint sensors and host machines weren't encrypted, the device Synaptics constructed was able to act as a man-in-the-middle and capture an image of the user's fingerprint. From that point on, the company could simply resend the same data to the host machine to unlock the notebook at will. The shenanigans weren't over yet, though. By printing a copy of the stolen fingerprint on photo paper with conductive ink, Synaptics was able to gain access to a smartphone that had been locked by the same user.
Now, most people shouldn't panic about this vulnerability. It requires would-be hackers to gain physical access to a notebook and install a device without being noticed, and once an attacker has physical access to a device, all bets are off to begin with. However, Synaptics thinks that the existence of this vulnerability should make consumers wonder why end-to-end encryption isn't used more commonly for fingerprint authentication, and suggests that they look for products that employ its SentryPoint anti-spoofing technology. It's hard to argue against more robust security practices and more secure biometric devices, considering how much damage malicious parties could do with not only users' personal data, but also their fingerprints.