Image: Screengrab from Decoded Pixel video

A buggy update for Nokia 9 PureView handsets has apparently impacted the smartphone model's in-screen fingerprint scanner, which can now be bypassed using unregistered fingerprints or even with something as banale as a pack of gum.

Multiple users have complained about this problem over the weekend [1, 2, 3, 4], after installing an OS update (v4.22) released on April 18 [1, 2].

The update was meant to improve the phone's in-screen fingerprint scanner module --so that users won't have to press their fingers too hard on the screen before the phone unlocks-- yet it had the exact opposite effect the company hoped for.

Video of the fingerprint sensor unlocking phone with a packet of chewing gum and someone else's finger pic.twitter.com/jwY4ZG7uCh — Decoded Pixel (@decodedpixel) April 21, 2019

While initially, the reported issues appeared to be new, a video recorded by another user showed the same problem (unlocking phones with unregistered fingerprints) even before the v4.22 update, meaning that the update just made the unlocking bug worse than it already was.

This means that rolling back the faulty v4.22 firmware update, or waiting on v4.21, won't fix the fingerprint scanner problems, as even before this patch, the scanner appeared to have a pretty high false negatives rate, allowing strangers to bypass the phone's screenlock.

A Nokia representative has not returned a request for comment, most likely due to the Easter extended holiday. It is unclear how long would Nokia take to roll out a proper fix.

In the meantime, users are advised to switched to another mode of authentication, such as using facial recognition, a PIN code, or a password.

This incident isn't Nokia's first problematic firmware update either. Last month, Nokia accidentally shipped a firmware update to Nokia 7 Plus devices that collected users' data and sent it to a server located in China. At the time, Nokia said the data collection component was designed for the Chinese market (to comply with local data collection laws), and was accidentally included in the firmware version deployed to EU users.

More vulnerability reports: