
Phone fingerprint scanner fooled by chewing gum packet

Nokia’s funky new phone, known as the Nokia 9 PureView, has some very cool features.

Five of them, in fact – five cameras, arranged on the back of the phone like a spider’s eye, capturing 12 megapixels each to make the device a snapper’s delight.

The Nokia 9 also includes a fingerprint scanner – a feature that Apple recently ditched from its smartphone range so that the screen could reach right to the edges of the device, as modern style dictates, but that several modern Android devices have retained by building the fingerprint detector into the screen itself.

That sounds like the best of both worlds: a good-looking screen plus convenient biometric security that is based on more than just a picture of your face.

Fingerprint scanners, however, aren’t perfect, with the result that we’ve written several stories over the years about the tricks that hackers have found to bypass them.

Positives and negatives

A fingerprint sensor bypass is what’s known in the jargon as a false positive, where an invalid fingerprint is incorrectly recognised as genuine, and the device is wrongly unlocked.

The opposite misbehaviour is a false negative, where even the genuine owner of the device can’t get in because their own fingerprint is wrongly rejected.

Good cybersecurity practice says that, in theory at least, false negatives are much better than false positives when it comes to fingerprint detection.

After all, the legitimate owner can always enter the PIN code instead and get in anyway, albeit less conveniently, so the cost of a false negative is a small amount of time.

In contrast, a false positive pretty much means that an imposter just got into your device, so the cost is that you’re compromised.

In practice, however, fingerprint scanners don’t aim to eliminate every possible false positive at the cost of a huge false negative rate – some sort of compromise is called for.

After all, fingerprint scanners (and other biometric identifiers, such as those based on eyes or faces) are often safer to use than having to type in an unlock code all the time.

Firstly, if you have to type in a PIN every time you want to use your phone, it’s tempting to choose a shorter, simpler PIN that’s more likely to be guessed or hacked.

Secondly, you often need to unlock your phone when you’re in view of a security camera, so your PIN may end up left behind in visual form on CCTV recordings you can’t control.

In other words, a nearly perfect fingerprint scanner is still a worthwhile cybersecurity tool.

A bit of trouble…

Back to Nokia 9s, then: as far as we can tell, Nokia has had a bit of trouble with the fingerprint scanner on the 9, with false negatives being an annoying issue for some legitimate users.

That’s necessitated some reworking of the recognition system.

Generally speaking, re-tuning the system to bring false negatives down to a tolerable level involves a corresponding increase in false positives.

Indeed, this is what intuition suggests – the more easy-going you are about letting people in, the less strict you end up being about keeping others out.
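To make the trade-off concrete, here is an added example (not code from the article, Nokia or any sensor vendor) that treats a fingerprint matcher as a similarity score compared against a threshold. The score distributions are constructed with a fixed random seed purely for illustration; the functions measure the false accept rate (FAR, impostor accepted) and false reject rate (FRR, owner rejected) at each threshold, and `retune_for_frr` mimics a "fix" that lowers the threshold until owner complaints drop below a target, reporting what that costs in FAR.

```python
import random


def simulate_scores(seed=42, n=2000):
    """Constructed similarity scores in [0, 1] for genuine-owner presentations
    and impostor presentations. The distributions are made up for illustration
    and are not measurements from the Nokia 9 or any other sensor."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    genuine = [clamp(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clamp(rng.gauss(0.35, 0.12)) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """Accept a presentation when score >= threshold.
    FAR (false accept rate) = fraction of impostor scores that are accepted.
    FRR (false reject rate) = fraction of genuine scores that are rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR), strictest threshold first."""
    return [(t,) + error_rates(genuine, impostor, t)
            for t in sorted(thresholds, reverse=True)]


def tradeoff_holds(table):
    """True if, as the threshold is lowered row by row, FRR never rises and
    FAR never falls: easier for the owner to get in, easier for others too."""
    for (_, far_hi, frr_hi), (_, far_lo, frr_lo) in zip(table, table[1:]):
        if frr_lo > frr_hi or far_lo < far_hi:
            return False
    return True


def retune_for_frr(genuine, impostor, max_frr):
    """Mimic a vendor response to 'finicky' complaints: step the threshold
    down from 1.00 in 0.01 steps until at most max_frr of genuine presentations
    are rejected, and return (threshold, FAR, FRR) at that point."""
    for i in range(100, -1, -1):
        t = i / 100
        far, frr = error_rates(genuine, impostor, t)
        if frr <= max_frr:
            return t, far, frr


if __name__ == "__main__":
    g, i = simulate_scores()
    for t, far, frr in sweep(g, i, [0.7, 0.6, 0.5, 0.4]):
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
    t, far, frr = retune_for_frr(g, i, max_frr=0.01)
    print(f"to keep FRR <= 1% the threshold drops to {t:.2f}; FAR becomes {far:.3f}")
```

The monotonic coupling in `tradeoff_holds` is a property of any single-threshold matcher, not of the made-up numbers: lowering the bar cannot reject more owners, and cannot accept fewer impostors. Improving the sensor or the matching algorithm is what separates the two distributions; moving the threshold only slides along the same curve.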

And an imbalance in fingerprint recognition accuracy is what seems to have happened in the brief history of the Nokia 9.

An early reviewer who loved the cameras nevertheless complained that the device “has an in-display fingerprint reader that’s finicky”.

Another Android enthusiast had the opposite experience and tweeted a video of his phone accepting someone else’s fingerprint:

And following Nokia’s latest software update, someone else claims to be able to unlock their own device with the edge of a packet of gum:

(Exactly what was printed on the part of the gum packet that got scanned, or how it was folded back on itself, and how it came to be misrecognised as a fingerprint at all, is not clear from the video.)

What to do?

The bottom line seems to be that Nokia hasn’t quite got its Nokia 9 PureView fingerprint firmware tuned up properly yet.

So our recommendation is simple: stick to a PIN code on your Nokia 9 until the company finds a reliable balance between false positives and false negatives on the device.

Even when you have fingerprint recognition turned on, some phone actions still require you to put in your PIN, so PIN security is important anyway.

Therefore, whether you’re a fan of PIN-only, PIN+fingerprint or, for that matter, PIN+face:

  • Pick a proper PIN. Go for as many digits as you can handle – 4 is too few; 6 will just about do; more is better – and don’t choose an obvious pattern just because it’s easy to type, or remember, or both.
  • Be aware of your surroundings. Be careful when you’re entering your PIN – those few characters are more valuable for crooks to snoop on than most of the rest of what you type, so watch out for cameras and shield your keypad while entering security codes.
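The "pick a proper PIN" advice above can be turned into a policy check. The following is an added example, not code from the article or from Nokia: it enforces a minimum length of six digits and rejects the obvious patterns the article warns against (a single repeated digit or short block, and straight ascending or descending runs). The `COMMON_PINS` set is a small constructed sample for illustration, not a statistically derived list.

```python
# Constructed sample of obvious PINs for illustration only.
COMMON_PINS = {"1234", "0000", "1111", "2580", "123456", "654321", "111111"}


def pin_weaknesses(pin, min_len=6):
    """Return the reasons a PIN is weak; an empty list means it passes."""
    problems = []
    if not pin.isdigit():
        return ["must contain digits only"]
    if len(pin) < min_len:
        problems.append(f"too short: {len(pin)} digits, want at least {min_len}")
    # Straight run such as 123456, 987654 or 901234: every step is +1 or -1 mod 10.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        problems.append("sequential run of digits")
    # Short block repeated to fill the PIN: 0000, 121212, 123123.
    for size in (1, 2, 3):
        if size < len(pin) and len(pin) % size == 0 \
                and pin == pin[:size] * (len(pin) // size):
            problems.append(f"repeats a {size}-digit block")
            break
    if pin in COMMON_PINS:
        problems.append("on the common-PIN list")
    return problems


def is_acceptable(pin, min_len=6):
    """True when the PIN meets the length rule and matches no obvious pattern."""
    return not pin_weaknesses(pin, min_len)


if __name__ == "__main__":
    for candidate in ("1234", "123456", "121212", "271828"):
        verdict = pin_weaknesses(candidate) or ["ok"]
        print(f"{candidate}: {', '.join(verdict)}")
```

A check like this only catches structure that is obvious from the digits themselves; it cannot tell whether a PIN is a birthday or a phone number, which is why the article's advice to choose something non-obvious still applies even to a PIN that passes.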