We have all seen spies in the movies take a person’s fingerprints from any object, a glass of water, for example. But is this actually possible? Well, information security experts say that it is, and that it can even be used to access a smart device.
X-Lab, a team of researchers from the security firm Tencent, has just demonstrated a method to take a person’s fingerprints from a glass of water and, by just using an app to extract accurate data, create physical recreations of the samples to unlock any smartphone that include ultrasonic fingerprint sensor in just twenty minutes.
“To create this attack scenario we invest less than $150 USD, plus we needed a smartphone and the app,” said Chen Yu, an information security specialist in charge of research. This team of experts claims to be the first to ‘crack’ these fingerprint sensors.
However, this is not the first time these fingerprint sensors have failed. A few months ago, a British woman bought online a screen protection for her Samsung Galaxy S10. After placing it on her smartphone, she discovered that the device could be unlocked with anybody’s fingerprint, a serious failure on the part of the company.
These ultrasonic sensors, developed by Qualcomm, are considered a safer option than fingerprint sensors embedded in smartphone screens. According to information security experts, they work by bouncing sound waves against your fingertips to create a three-dimensional image of your fingerprint.
Researchers say they’ve been working on developing the app to record accurate data for months, adding that it’s even easier to take a fingerprint from a user’s smartphone than from a glass of water. For security reasons, experts refused to report further details about the method used.
Although the exploitation of this attack is highly complex in real environments, information security specialists from the International Institute of Cyber Security (IICS) mention that constantly cleaning our mobile devices to reduce the likelihood of a threat actor taking a sample of our footprints is a good advice, as well as never leaving our equipment within reach of a stranger.