At a demonstration in China, a team of hackers working with Tencent used an unorthodox method to unlock a stranger’s smartphone (via South China Morning Post). The team was able to trick the smartphone fingerprint sensor using a legitimate fingerprint lifted from a glass of water.
The team demonstrated this hack on stage during a hacking event, using its method to unlock three smartphones and two attendance machines equipped with fingerprint sensors.
The hack is fairly simple: a subject touches a drinking glass with their fingers, and the hacker uses a smartphone to photograph the fingerprint left behind on the glass. The hacking team produced an app that scans that photograph and creates a cloned fingerprint, which can then be presented to the fingerprint sensor on the subject’s smartphone to unlock the device.
However, the team did not demonstrate the entirety of the hack on stage. Notably, they did not go over how the app is able to lift the appropriate fingerprint data from just a photograph, nor did they demonstrate how they were able to make a physical copy of the fingerprint to use on the sensor.
Although their methods aren’t entirely clear, the hackers did claim that they were able to use this method successfully on the three most popular types of smartphone fingerprint sensor: capacitive (a physical sensor, such as the one on the back of the Google Pixel 3), optical (an in-display sensor, such as the one on the OnePlus 7T), and ultrasonic (a specialized in-display sensor, such as the one used in the Samsung Galaxy S10 family).
Recently, the Galaxy S10 and Samsung Galaxy Note 10 ultrasonic sensors have been in the news due to a different hack that allowed anyone to access the phone. Samsung has since rolled out a patch to those devices to fix this flaw.
The Chinese hacking team says they’ve been developing their “fingerprint lifting” app for months. They recommend that you wipe your fingerprints from anything you touch — including your smartphone — in order to stay safe from this hack. Or just, you know, wear gloves all the time.