Fingerprint scanners have long been the norm for modern smartphones. Even budget phones costing less than $100 today have a fingerprint scanner and even an NFC module that allows them to be used as payment instruments. However, such prevalence has led many manufacturers to consider fingerprint recognition technology a thing of the past and to try either to replace it altogether, like Apple, or to improve it by integrating it directly into the display, like Chinese manufacturers. Guess who was right?
A fingerprint sensor is not the best way to protect a smartphone
Probably everyone who watched “National Treasure” with Nicolas Cage in the title role remembers how easily his hero took possession of the fingerprint of an employee of the national archives. To do this, he needed the glass she touched and the tape onto which the drawing was transferred. Of course, these manipulations are just a figment of the writers’ imagination, and it is impossible to do something similar in real life. At least, it was impossible before, but experts from the Chinese company Tencent, specializing in cybersecurity research, managed to repeat this trick, even in a more technologically advanced way.
Using Masterprints
Just like physical locks have master keys that can unlock anything, fingerprint scanners have what are called “masterprints.” These are custom-made fingerprints that contain all the standard features that everyone has on their fingers.
Hackers can use masterprints to get into devices that use subpar scanning. While a proper scanner will block a masterprint, a less powerful scanner found in a mobile phone may not be as stringent with its checks. Thus, a masterprint is an effective way for a hacker to gain access to devices that are not vigilant in scanning.
How to avoid this attack
The best way to avoid these types of attacks is to use a fingerprint scanner that doesn't skimp on scanning. Masterprints exploit less accurate scanners that settle for a "good enough" scan to verify identity.
Take some time to research a fingerprint scanner before you trust it. Ideally you want its FAR (false acceptance rate) statistics. The FAR percentage is the probability that unapproved fingerprints will gain access to the system. The lower this percentage, the more likely it is that your scanner will reject a masterprint.
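The FAR figure described above can be estimated from a matcher's comparison scores. The following is an added example, not part of the original article: the scores, the 0 to 1 scale, the per-comparison FAR and the template count are constructed assumptions. It goes slightly beyond the text by also showing how a small per-comparison FAR grows across several enrolled prints and unlock attempts.

```python
# Added example: constructed matcher scores in [0, 1]; higher = closer match.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.86, 0.93, 0.72, 0.90, 0.84, 0.97]
IMPOSTOR = [0.12, 0.33, 0.41, 0.08, 0.55, 0.27, 0.61, 0.19, 0.74, 0.30,
            0.22, 0.47, 0.15, 0.38, 0.66, 0.05, 0.29, 0.51, 0.36, 0.44]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor comparisons accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine comparisons rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def lowest_threshold_for(target_far, impostor_scores, genuine_scores):
    """Return (threshold, FAR, FRR) for the most permissive threshold whose
    FAR does not exceed target_far, trying every observed score as a cut-off."""
    candidates = sorted(set(impostor_scores) | set(genuine_scores))
    for t in candidates:
        if far(impostor_scores, t) <= target_far:
            return t, far(impostor_scores, t), frr(genuine_scores, t)
    return None  # no observed score is strict enough


def compound_far(single_far, templates=1, attempts=1):
    """Chance that at least one of templates x attempts comparisons is a
    false accept, assuming (as a simplification) they are independent."""
    return 1 - (1 - single_far) ** (templates * attempts)


if __name__ == "__main__":
    for target in (0.05, 0.0):
        t, fa, fr = lowest_threshold_for(target, IMPOSTOR, GENUINE)
        print(f"target FAR {target:.2f}: threshold {t:.2f}, "
              f"FAR {fa:.2f}, FRR {fr:.2f}")
    # Constructed figures: a 0.002% per-comparison FAR, 5 enrolled templates,
    # and the five unlock attempts the article mentions for Touch ID.
    print(f"effective FAR: {compound_far(0.00002, templates=5, attempts=5):.6f}")
```

On this sample, driving the FAR to zero raises the threshold from 0.72 to 0.79 and starts rejecting the genuine user, which is the trade-off a "good enough" scanner resolves in favour of convenience.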
Setting up face unlock for Samsung Galaxy A51 smartphone
It is better to register your face indoors so that your face is not exposed to direct sunlight.
1. On the Settings screen, tap Biometrics & security → Face recognition.
2. Read the onscreen instructions and select Continue.
3. Set the screen lock method.
4. Select whether you wear glasses or not, and then select Continue.
5. Turn your device so that the screen is facing you and look directly at the screen.
6. Position your face inside the frame on the screen. The camera will scan your face.
✓ If unlocking the screen using face recognition does not work, select Delete face data to delete the registered data and try again.
✓ To improve the quality of face recognition, select Alternative Appearance and add an alternative appearance.
Deleting a registered person's data
The registered person's data can be deleted.
1. On the Settings screen, tap Biometrics & security → Face recognition.
2. Unlock the screen using your selected screen lock method.
3. Select Delete face data → Delete.
Once a registered person's data is deleted, all related functions are also disabled.
Face unlocking
You can unlock the screen with your face instead of using a pattern, PIN, or password.
1. On the Settings screen, tap Biometrics & security → Face recognition.
2. Unlock the screen using your selected screen lock method.
3. Tap Face unlock to turn it on.
✓ To set your device to unlock the screen without swiping on the locked screen after recognizing your face, tap the Stay on lock screen toggle to disable the feature.
✓ If you want to reduce the likelihood of faces being recognized in photos or videos, tap Accelerated recognition to enable the feature. Face recognition speed may be reduced.
✓ To improve recognition speed in low light conditions, tap Increase screen brightness to turn on the corresponding function.
4. Look at the locked screen to unlock it. When the face is recognized, the screen will unlock without any additional procedures. If your face is not recognized, use the preset screen unlock method.
Collecting unprotected images
If a hacker captures your fingerprint image, they hold the key to breaking into your scanners. People can change the password, but the fingerprint remains the same for life. This consistency makes them a valuable tool for hackers who want to get past the fingerprint scanner.
Unless you're very famous or influential, it's unlikely that a hacker will dust everything you touch to get your fingerprints. Most likely, a hacker will target your devices or scanners in the hope that they contain your raw fingerprint data.
For the scanner to identify you, it needs a basic image of your fingerprint. During setup, you provide your fingerprint to the scanner and it stores an image of it in its memory. It then calls up this image every time you use the scanner to ensure that the finger scanned matches the one you specified during setup.
Unfortunately, some devices or scanners store this image without encryption. If a hacker gains access to the storage, he can easily capture the image and collect your fingerprint data.
How to avoid this attack
To avoid these types of attacks, you need to consider the security of the device you are using. A well-made fingerprint scanner should encrypt the image file to prevent prying eyes from getting your biometric data.
Double check your fingerprint scanner to make sure it stores your fingerprint images correctly. If you find that your device does not store your fingerprint image securely, you should stop using it immediately. You should also look into deleting the image file to prevent hackers from copying it for themselves.
How to remotely unlock a Samsung phone
If you are a Samsung user, you can use your Find My Mobile account. If you do not have an account, register one.
The steps to unlock your Android device using this method are as easy as 1-2-3.
Note. If you decide to select this feature, all information related to your lock (Pattern, Password, PIN and Biometrics) will be deleted. If you are sure that you have forgotten your password, follow these steps:
- Log in to the service using your Samsung account.
- Select "Unlock screen".
- Your device will be unlocked.
Using fake fingerprints
If a hacker can't obtain an unprotected image, they can create a fingerprint instead. This trick involves taking the target's fingerprints and recreating them to bypass the scanner.
You probably won't see hackers targeting members of the public using this method, but it's worth keeping in mind if you're in a management or government position. A few years ago, The Guardian reported how a hacker managed to recreate the fingerprint of the German Defense Minister!
There are many ways a hacker can turn a collected fingerprint into a physical copy. They can create a wax or wooden replica of the hand, or print it on special paper with silver conductive ink and use it on a scanner.
How to avoid this attack
Unfortunately, this is one attack that you cannot avoid directly. If a hacker intends to hack your fingerprint scanner and they manage to get a hold of your fingerprint, there is nothing you can do to stop them from making a model of it.
The key to defeating this attack is to stop your fingerprint from being obtained in the first place. We don't recommend that you wear gloves like a criminal all the time, but it's good to know that your fingerprints may be exposed to the public eye. We have seen many leaks of confidential information from databases recently, so it's worth thinking about.
Make sure you only share your fingerprint information with trusted devices and services. If a less than stellar service suffers from a database breach and they haven't encrypted their fingerprint images, this would allow hackers to link your name to your fingerprint and compromise your scanners.
Ways to bypass the sensor
It's not easy to fool the Touch ID system, but it is possible. To do this, you will need to create a three-dimensional model of your finger. It is important to use the right material. Things are much simpler with older models. Their sensors are easier to bypass. For example, there was a case where hackers from Germany bypassed the sensors on the iPhone 5s in just a few days. To do this, they printed out the original print.
Before you start simulating a fingerprint, you need to save all the data on the device. There is very little time to bypass the scanner. All actions must be performed quickly and accurately. You must proceed in the following sequence:
- It is important, as soon as you pick up the phone, not to touch the Touch ID button. The phone will most likely (90%) be locked. If you touch the sensor, one of the unlock attempts will be lost. And there are only five of them. It's very easy to check the phone's condition. To do this, just press the power button.
- If the gadget is locked, it must be hidden from the influence of all radio networks. At home, a switched off microwave is suitable for this. Be sure to charge your phone using an external battery. All these steps are necessary to keep Find My iPhone commands from reaching the device. With those commands, the gadget can be locked remotely and all data stored on it completely destroyed.
- If the gadget is not locked, you need to prevent the screen from being locked. To do this, you will need to disable automatic locking. This action is different from removing the code. You do not need to enter any code to disable automatic locking.
If the smartphone has been locked, then the user has only two days to deceive the biometric data sensor. But in practice this time is less.
All activities must be carried out in a room that is completely protected from radio waves. There should be no cellular networks or Wi-Fi networks, because they would allow the Find My iPhone system to kick in. And it only takes a few seconds for it to lock the gadget remotely.
If you succeed in fooling the sensor, you need to disable the screen lock. It is important to note that adding a new fingerprint or changing the lock code will not work. In all cases, the system will require you to enter a code.
Once the sensor is fooled, a new problem arises. The device memory will be encrypted. There are several options to resolve the issue:
- Extract data. This method is only possible if a jailbreak is installed. Then the user will be able to extract the bulk of the data, except for the keychain, which cannot be decrypted. If there is no jailbreak, then nothing can be done with the data. To install one, the system will again ask for a code.
- After unlocking the gadget, you can save a backup copy to iCloud. But to receive data from the cloud, you will need a password, and if the account has two-factor authentication enabled, you will also need access to the second factor. There is one more problem: to make a copy, you need to connect the gadget to Wi-Fi. And this can lead to a remote lock command arriving.
The only suitable option in this case is to make an iTunes backup. It is easy to connect an unlocked gadget to it. Using iTunes, you can create a copy of all the data stored in the gadget’s memory and transfer it to your computer.
Exploiting Software Vulnerabilities
Some password managers use fingerprint scanning to identify the user. While this is useful for protecting your passwords, its effectiveness depends on how secure your password management program is. If a program has ineffective attack protection, hackers can use it to bypass fingerprint scanning.
This issue is similar to improving airport security. An airport can place metal detectors, security guards and CCTV systems along its entire front. However, if there is a long-forgotten back door where people can sneak in, all that extra security will be for nothing!
Gizmodo recently reported on a flaw in Lenovo devices in which the fingerprint-activated password manager had a hard-coded password. If a hacker wants to gain access to the password manager, they can bypass the fingerprint scanner by using a hard-coded password, rendering the scanner useless!
How to avoid this attack
Generally, the best way to avoid these types of attacks is to buy well-received and popular products. That said, Lenovo is a popular name and it too suffered from this flaw.
So, even if you only use equipment made by reputable brands, it is essential to keep your security software up to date to fix any issues that are discovered later.
What to do if you forgot your password, code or pattern
We've looked at the ideal situation where you have all your passwords, PINs and patterns. But how to remove the protection if the screen is locked and you don’t remember the password or key? Methods may vary depending on the manufacturer and model, so we will briefly go through the most popular methods.
- Entering data from your Google account. On most older firmware (before Android 5.0), after entering the password or key incorrectly five times, a window appeared asking you to restore access through your Google account. On new firmware, the phone locks and asks you to wait 30 seconds, after which it asks for a code or password again.
- Reset settings via Recovery. Along with the configuration, the files stored on the Android internal memory will be erased.
- Deleting files with passwords on smartphones with root access or custom Recovery.
- The pattern lock can be reset using the ADB utility, and Chinese phones with an MTK processor are unlocked through the SP Flash Tool program: first you install a custom Recovery, and then delete individual files with passwords without affecting personal data.
- Erasing settings and content through the "Find phone" service.
I only recently learned about the latter method. The service is available at . If your phone is connected to the Internet, you can connect to it and remotely erase settings to remove the lock. Information from the internal memory will also be erased, and this is the main drawback of this method. Otherwise, it is good, since it allows you to remove protection from your phone without Recovery and other not very simple things.
Reusing residual fingerprints
Sometimes a hacker doesn't need to perform any advanced techniques to get your fingerprints. Sometimes they use leftover residue from a previous fingerprint scan to bypass security.
You leave fingerprints on objects as you use them, and your fingerprint scanner is no exception. Any prints taken from the scanner are almost guaranteed to be the same ones that open it. It's like forgetting the key in the lock after you open the door.
Even then, the hacker may not need to copy the fingerprints from the scanner. Smartphones detect fingerprints by shining light onto the finger and then recording how the light bounces back to the sensors. Threatpost reported on how hackers can trick this scanning method into accepting a residual fingerprint.
Researcher Yang Yu tricked a smartphone's fingerprint scanner into accepting fingerprint scans by placing an opaque reflective surface over the scanner. The reflective surface fooled the scanner into believing that the remaining fingerprint was a real finger and gave it access.
How to avoid this attack
This one is simple; wipe the fingerprint scanners! The scanner naturally carries fingerprints, so it is very important that there are no fingerprints on it. This will prevent hackers from using your scanner against you.
Factory reset
If the above methods for unblocking are not suitable, you will have to use the most radical method - a complete reset:
Turn off the phone and start it in Recovery mode. Possible combinations (you need to press and hold the keys until a special menu appears):
- “Power” button + increase (or decrease) volume;
- power key + increase and decrease sound level at the same time;
- “Power” button + “Home” button + increase (or decrease) volume;
- "Home" key + volume controls.
Select the option “Factory reset”, “Wipe data” or “Clear data” from the menu (the names differ on different phones). It is important to note that along with the digital lock key, all personal data of the owner is also deleted from the device.