Synaptics shows how some fingerprint sensors can’t be trusted

Fingerprint sensors are rapidly becoming the standard tool for securing mobile devices. Synaptics believes that these sensors typically aren't as safe as users think, however, especially in laptops. To prove its point, the company recently set up a demo in which it quickly gained access to a notebook and a smartphone by means of a tiny $25 device.

A compromised fingerprint sensor. Source: HotHardware.

The folks over at HotHardware were on the scene for the demo, and report that Synaptics pulled off this hack by compromising the fingerprint sensors on two commercially available notebooks. The company cobbled together a tiny device out of a microcontroller and a Bluetooth transmitter, and placed it between the fingerprint sensor and host of a pair of notebooks. For one of the notebooks, Synaptics simply placed the device in line with the fingerprint sensor. For the other, Synaptics had to expose pads on the notebook's motherboard and attach the device.

Because the links between the fingerprint sensors and host machines weren't encrypted, the device Synaptics constructed was able to act as a man-in-the-middle and capture an image of the user's fingerprint. From that point on, the company could simply resend the same data to the host machine to unlock the notebook at will. The shenanigans weren't over yet, though. By printing a copy of the stolen fingerprint on photo paper with conductive ink, Synaptics was able to gain access to a smartphone that had been locked by the same user.

Now, most people shouldn't panic about this vulnerability. It requires would-be hackers to gain physical access to a notebook and install a device without being noticed, and once an attacker has physical access to a device, all bets are off to begin with. However, Synaptics thinks that the existence of this vulnerability should make consumers wonder why end-to-end encryption isn't used more commonly for fingerprint authentication, and suggests that they look for products that employ its SentryPoint anti-spoofing technology. It's hard to argue against more robust security practices and more secure biometric devices, considering how much damage malicious parties could do with not only users' personal data, but also their fingerprints.
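The resend works because the host accepts any frame that matches, no matter when it was produced. The following is an added example, not Synaptics' code or the SentryPoint protocol: it contrasts a host on an unprotected link with one that ties every scan to a fresh challenge. The class names, the pre-shared pairing key and the use of byte equality in place of real fingerprint matching are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the bytes a sensor sends after a scan (not real data).
FRAME = b"constructed-fingerprint-frame"

class PlainHost:
    """Unprotected link: any frame equal to the enrolled data unlocks."""
    def __init__(self, enrolled):
        self.enrolled = enrolled
    def unlock(self, frame):
        # Byte equality stands in for fuzzy biometric matching (assumption).
        return hmac.compare_digest(frame, self.enrolled)

class PairedSensor:
    """Sensor holding a key shared with the host (assumed set at pairing)."""
    def __init__(self, key):
        self.key = key
    def scan(self, nonce, frame):
        # Bind the frame to the host's fresh nonce so it is valid only once.
        return frame, hmac.new(self.key, nonce + frame, hashlib.sha256).digest()

class PairedHost:
    def __init__(self, enrolled, key):
        self.enrolled, self.key, self.nonce = enrolled, key, None
    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce
    def unlock(self, frame, tag):
        nonce, self.nonce = self.nonce, None      # each nonce is single-use
        if nonce is None:
            return False                          # no challenge outstanding
        want = hmac.new(self.key, nonce + frame, hashlib.sha256).digest()
        return hmac.compare_digest(tag, want) and hmac.compare_digest(frame, self.enrolled)

def demo():
    """Return (replay on plain link, genuine scan, replay on paired link)."""
    recorded = FRAME                              # copy held by a device on the wire
    plain_replay = PlainHost(FRAME).unlock(recorded)
    key = secrets.token_bytes(32)
    sensor, host = PairedSensor(key), PairedHost(FRAME, key)
    frame, tag = sensor.scan(host.challenge(), FRAME)
    genuine = host.unlock(frame, tag)
    host.challenge()                              # next unlock attempt, new nonce
    paired_replay = host.unlock(frame, tag)       # old frame + old tag resent
    return plain_replay, genuine, paired_replay

if __name__ == "__main__":
    print(demo())
```

The tag only authenticates the frame and makes it single-use; the image still crosses the link in the clear, so keeping it from being captured in the first place also requires encrypting the channel.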

Comments closed
    • blahsaysblah
    • 2 years ago

    What? The front door is still open but we made the backdoor more secure. Who thought it was a good idea to remind users that printouts bypass all security?

    • psuedonymous
    • 2 years ago

    Alternatively: a bit of tape (to lift a print), a scanner, a laser printer, and a Gummy bear (to mould to the laser printout negative). Fools all capacitive sensors thus far (even ‘life test’ sensors if you use a thin layer and put it on your fingertip to scan).

    • DragonDaddyBear
    • 2 years ago

    Still better than username/passwords as credentials. You don’t forget or share “who you are” and this is much harder to do than a key logger.

    • stdRaichu
    • 2 years ago

    Using fingerprints as a substitute for a password is like sticking a post-it note with your password written on it to everything you touch (or just being within range of a half-decent camera [url=http://www.bbc.co.uk/news/technology-30623611]so someone can take a picture of your hand[/url]).

      • flip-mode
      • 2 years ago

      Whereas the alternative for most people I have noticed is to use no password at all, or else a ridiculously simplistic password.

        • tipoo
        • 2 years ago

        12345, like my luggage

      • BabelHuber
      • 2 years ago

      A fingerprint scanner is not really secure, because you leave your fingerprints everywhere. Duh!

      But it is well-suited for making sure that nobody can use your phone easily when you leave the room. You know, people like your kids, wife/husband, friends, colleagues…

      So using it for my notebook with sensitive corporate data on it would be downright insane, but it’s OK for my private phone.

        • soccergenius
        • 2 years ago

        And for smartphones it’s a good theft deterrent. iPhones for a good stretch of time were the most stolen item in NYC, right out of people’s hands. TouchID (and other fingerprint solutions) removed the friction of inputting passcodes on every device unlock, so more people now use them.

      • christos_thski
      • 2 years ago

      For most people it’s an amazing improvement on their current “password1” security practices.

      Edit: flipmode beat me to it, sorry for repeating the obvious. Though it does bear repeating.

      People shouldn’t keep assessing home security methods with corporate security criteria. Fingerprints are freaking great as long as you exercise caution and common sense where you use them. Passwords suck even if you do. Fingerprints are a great complementary method for securing *some* logins. My bank allows me to check my balance with a fingerprint login, but to actually do anything at all (even so much as see my full credit card number, let alone send money) I need the random pin authenticator thingymadood along with my full ebanking password. I don’t really care about hackers seeing my pathetic bank balance (Greek economic “bailout” for teh lose) if they go to all the trouble of faking a fingerprint AND stealing my iphone. What are they gonna do, send me cash? They’ll probably return the iphone too, out of fucking pity. 😛

      But I digress. All I mean to say is that when the stakes are low, fingerprinting into certain logins may be acceptable. My steam account is worth more than my bank account. I have it better secured. 😀
