A design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication.

In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship phones introduced in 2019 by top OEM phone makers, according to Tencent’s Xuanwu Lab, which is credited with first identifying the flaw earlier this year.

“During our research on this, we found all the in-display fingerprint sensor modules suffer the same problem, no matter where they were manufactured or by which vendors,” said Yang Yu, a researcher at Xuanwu Lab. “This vulnerability is a design fault of in-display fingerprint sensors.”

Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors, said Yu.

That includes current models of Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones. Yu said that many more cellphone manufacturers are impacted by the issue.

However, Yu would not specify other impacted vendors or models: “Vendors differ greatly in their attitude to security issues. Some have open attitudes, like Huawei, and in contrast, some vendors strongly hope that we keep the voice down on this,” he told Threatpost. He noted Huawei has been forthcoming, issuing patches to address the issue.

Other phones that use the feature include Vivo Communication Technology’s V11 Pro, X21 and Nex; and OnePlus’ 6T and Xiaomi Mi 8 Explorer Edition phones. Vivo, OnePlus and Xiaomi did not respond to requests for comment from Threatpost.

In-display fingerprint readers based on optical fingerprint imaging, experts believe, will soon replace conventional authentication based on capacitance-sensor fingerprint scanners. In-display readers allow for a user to place a finger on the screen of a smartphone where a scanner from behind the display can verify a fingerprint, authenticate the user and unlock the phone.

Design-wise the feature allows phones to be sleeker and less cluttered, supporting infinity displays. Usability advantages include the ability to unlock the phone simply by placing your finger on the phone’s screen at any angle, whether it’s sitting on a table or in a car mount.

The vulnerability, for which Huawei issued a patch (CVE-2018-7929) in September, can be exploited in a matter of seconds, researchers said. In an exclusive interview with Threatpost on the flaw, Yu said all an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil. By placing the reflective material over a residual fingerprint on the phone’s display, the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint.

Capacitance Sensors vs. Optical

The difference between capacitance and optical technologies is that optical fingerprint readers use an image sensor to capture the imprint of the surface of the fingertip, while capacitance scanners use a pixel array of capacitors to create the image of the fingerprint. The optical sensor only works with OLED displays (requiring a backlit display) and reads fingerprints by peering through the gaps between pixels.

With in-display fingerprint reading technology, when a finger touches the screen, the screen emits light that highlights the fingerprint ridges pressed against it, and at the same time the sensor underneath the screen captures the image of the fingerprint.

However, Yu found there is a weakness in the way sensors handle residual fingerprints. In a test placing an opaque reflective material over the in-display sensor, Yu was able to trick it and unlock the phone.

“This is a not big problem for previous capacitance sensors, but for optical sensors, it’s lethal,” said Yu. “[That’s] because [even through] the fingerprint residual is nearly transparent, the sensor will be aware of this in normal situations.”

According to Yu, the reflective material amplifies the residual fingerprint, which makes the sensor think the residual print is real. “If the attacker can physically access a locked phone with a fairly good quality fingerprint residual on it, the attacker can unlock this phone in just one second with no problem,” said Yu.

The Rise of In-Display Sensors

In-display fingerprint sensors first generated consumer buzz at the Consumer Electronics Show this past January with the rollout of a Vivo phone, which used a Synaptics in-display fingerprint sensor. The month before, Synaptics said it had struck a deal with a “top five OEM” that would integrate its Clear ID optical in-display fingerprint sensors.

When Threatpost asked Synaptics for a comment on the flaw, a spokesperson for the company said Synaptics is “not currently participating in this market and is instead investing in other technologies with better ROI” due to competition from China.

One of those competitors is China-based Goodix, which makes the in-display sensors for Huawei’s Porsche Design Mate RS and also supplies its technology for Xiaomi’s Mi 8 Explorer Edition, the Vivo NEX and the Vivo X21 UD. The company did not respond to Threatpost inquiries for comment for this story.

Samsung is also keen on the technology and recently filed a patent for an in-display fingerprint sensor. There are reports that an upcoming Galaxy S10 might utilize the patent, but nothing has been confirmed.

Fixes

Although this is a design fault, researchers said, it can be fixed by simply updating the identification algorithm. Huawei released software updates to fix the flaw in September, and other vendors have similarly addressed the issue, according to Yu.

“After we found this vulnerability in February, we notified cellphone vendors immediately,” he said.

Yu did not disclose the names of the specific manufacturers, other than Huawei, who were impacted.

“What I can say is: we have tested many cellphones with in-display fingerprint sensors from different vendors, and they all had the same problem, even if the modules they were using were from different chip manufacturers,” he said. “Those manufacturers have fixed this issue from the root, so there won’t be a vulnerability in later cellphones – in theory.”