In-Display Fingerprint sensors seem like an upcoming trend in smartphones. Conventional fingerprint sensors have become quite reliable over the years, but it’s still limited by design. With conventional fingerprint sensors, you need to locate the sensor and then unlock your phone. With the scanner placed under the display, unlocking the device feels much more natural. The technology is still in its infancy and hasn’t really matured yet, but a few companies like OnePlus have already put out phones with In-Display fingerprint sensors.
Optic sensors used in most of the In-Display fingerprint scanners these days aren’t very accurate and some researchers even discovered a big vulnerability in them, which was patched recently. The vulnerability discovered by Tencent’s Xuanwu Lab gave attackers a free pass, allowing them to bypass the lock screen completely.
Yang Yu, a researcher from the same team stated that this was a persistent problem present in every In-Display Fingerprint scanner module they tested, also adding that the vulnerability is a design fault of In-display fingerprint sensors.
Threatpost reports that Huawei patched the vulnerability in September along with other manufacturers.
How Does The Exploit Work?
Many of the In-Display Fingerprint sensors use optic sensors. These sensors usually take low resolution pictures to resolve data. Whenever a finger is placed on the scanner, the display’s backlight lights the area up and the optic sensor traces the fingerprints.
Touching that specific place on the display will definitely leave fingerprints, so the researchers found out, putting an opaque reflective material over the in-display sensor unlocked the given device. This reflective material when put in contact with the scanner, reflected a lot of light back into it. This tricks the optical scanner which unlocks the phone taking the fingerprint residue as an actual fingerprint.
Normal Fingerprint scanners based on capacitance sensors aren’t vulnerable. It’s true that both optic and capacitance sensors are based on image generation, but their methods differ. Capacitance scanners actually use electrical current instead of light.
Fix For The Issue
Researchers while talking to Threatpost stated that they discovered the vulnerability in February and immediately notified the manufacturers. Since then phone makers have improved their identification algorithm to patch the exploit.
For average users this shouldn’t be a problem as the exploit isn’t a remote one. The attackers would need access to your phone, but this exploit can concern people with sensitive data.