Fingerprint sensors are the new favorite in physical security. They’re fast, require little input, and minor setup. Unfortunately, they’re not as foolproof as some think.
Synaptics is a long-time creator of touchpad technology and, more recently, fingerprint identification. Yesterday, it revealed to VentureBeat just how easy it is to bypass some of the tech.
The fault usually comes from manufacturers trying to save money. By integrating cheap mobile phone sensors in laptops, they save around 25 cents per device but also open it up to spoofing.
“Fingerprint identification has taken off because it is secure and convenient when it’s done right,” said Synaptics’ vice president of marketing Godfrey Cheng to VentureBeat. “When it’s not secure all of the way through, then that’s an exposure that an attacker can exploit.”
Lack of Encryption
The vulnerability with these sensors lies primarily in the fact that they’re unencrypted. Some smartphone scanners send your fingerprint to the CPU in the open, making it vulnerable to attacks.
A hacker can, for example, intercept the transmission via Bluetooth and later unlock it remotely:
Encryption makes it far harder for hackers to copy that data, and thankfully many manufacturers do use secure sensors. However, most users believe fingerprint scanning to be a safer than a password, and that’s not always the case.
The attack method can extend to power control, turning laptops on remotely, unlocking it, and copying over any data. This opens up many businesses and users to attacks.
So, if you do use one on your laptop, now’s a good time to check for encryption. Naturally, Synaptics is pushing its own technology, SentryPoint, as one secure alternative.
However, Microsoft also does a lot to protect this data with Windows Hello. According to its documentation:
“The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor.”
Whatever your choice, it pays to research your fingerprint sensor before relying on it. There are few things easier to exploit than a false sense of security.