Hackers unlock any smartphone using photographed fingerprints in just 20 minutes

Jesus Diaz for Tom’s Guide:

Hackers working for Chinese security company Tencent claim that they have developed a method to photograph a fingerprint on any glass surface and use it to unlock any smartphone, no matter their fingerprint reader technology — in just 20 minutes…

Each of those phones used one of the three existing fingerprint scanning technologies: capacitive, optical. and ultrasonic, like the one in the Samsung Galaxy S10.

Talking to the media after the demonstration, [X-Lab’s leader Chen] Yu said that the hardware they used to clone the fingerprint only costs about $140. Yu believes that the only defense against this is to clean everything you touch, including all of your phone.

In other words: fingerprint security sucks.

MacDailyNews Take: Hackers unlock any smartphone using photographed fingerprints in just 20 minutes? Not our iPhones (or iPad Pros), they don’t! 🙂

[Thanks to MacDailyNews Reader “Fred Mertz” for the heads up.]


    1. Yes I would be interested to see an objective test before accepting this, for Chinese engineers tend to exaggerate their abilities, the latest being that they have perfected a deadly laser rifle for which beyond a picture there is no evidence whatsoever it can do what’s claimed. So much is China, as Russia dId before it, politically trying to convince the masses that it is at the forefront of technology. In some cases it is in others very much less so.

  1. MDN conveniently stopped quoting the article right before it says face recognition isn’t much better:

    “In other words: fingerprint security sucks. And facial identification is not that much better, really. If you are really worried about security, the only thing you can do is probably use a longer password.” with a link to an August 2019 Forbes article showing Apple’s FaceID bypassed in 2 minutes.

    In other words: Better to just give us a device that requires both TouchID AND FaceID! Because a 1 in 50,000 chance, combined with a 1 in 1,000,000 chance, equals a 2e-11 (1 in 50,000,000,000) chance of getting hacked.

    1. But, of course, the linked Article about facial ID security problems talks about a very unlikely scenario with access to both the iPhone and a “sleeping victim” who owns the iPhone AND a pair of glasses with tape and a hole in that tape to fool the iris detection. Unlikely. In my view, if you and your iPhone are in the same place as someone trying to rob you, you have bigger problems than the security of your iPhone.

      Obviously, if you have credit cards in your Apple wallet on your iPhone, along with apps like Amazon, banks, other financial organizations, and your email and then you loose your iPhone you need to immediately act to mitigate the damage. Apple’s wipe feature is real helpful in this case.

      In addition, If you think that your iPhone will protect your privacy when the government REALLY wants to see what is on your iPhone, you are sadly mistaken.

      All in all the iPhone’s security for a consumer is pretty darn good- probably better than any off-line security procedures that nearly all consumers are willing to follow- and certainly at the top for consumers compared to other companies. Apple deserves credit for leading in this area.

      1. well in all fairness their claim of faceID is not detailed in the article only linked in. Additionally the other method to spoof face id required a sleeping phone owner to be fitted with glasses etc etc and then they were able to spoof the “attention function. So unless you are in another country being held down against your will its a heck of alot better than pulling your fingerprints off of any surface including the phone people are trying to hack which undoubtly has your fingerprints on it. IMHO

    2. That linked FaceID spoof assumes that their target sleeps like the dead. They are going to put a pair of specially prepared glasses on with “open eye images” of his own eyes that have holes for the irises, so they can spoof the awake and looking routine in FaceID. . . And it only worked about one out of ten or so tries on the owner of the iphone. I think it would fail on the “let’s sneak the glasses on his face” step, without waking up their target. . . Not to mention the failed attempts requiring waiting times between tries after the fifth stab at it. Incidentally, to get at any specific banking apps, or even open password protected sites, they’d have to do it all over again to populate the username and password accesses to those sites and data. Oops!

      Too much work involved.

  2. It is not made clear if an iPhone was hacked in their demonstration. I did not see a link to avideo of the event but the article makes no specific mention of an iPhone.

    1. It couldn’t have been, because the iPhone TouchID system really doesn’t use fingerprints at all, it reads the valleys and ridges of the subcutaneous fat pads under the skin, a unique pattern of each individual which does not leave any trace of its pattern in any transferred fingerprint. That’s why you can’t lift a fingerprint and make a model of it in any method, 3D, photograph, clay, wax, rubber, latex, silicone, etc., and use it to unlock an iPhone. The data required simply isn’t there.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.