This year in the world of smartphone fingerprint sensors, Qualcomm’s ultrasonic in-display fingerprint reader, the 3D Sonic Sensor, is expected to get widespread adoption. The first phone with the new sensor, the Samsung Galaxy S10, has been in the wild for a few weeks now, and users are already figuring out ways to defeat it.
Imgur user “darkshark” presents a pretty convincing way to thwart the sensor: take a picture of a fingerprint off of an object like a wine glass, add some depth to it in 3D editing software, and then print it out on a 3D printer. Specifically, darkshark used the Anycubic Photon 3D printer, a resin stereolithography printer that can be had for under $450. (You could buy two of these for the cost of a Galaxy S10+!) A video in the Imgur post shows the S10 unlocking with the printed finger facsimile, which looks a bit like a glass microscope slide.
Fingerprint sensors work by measuring and storing the ridges and valleys in your finger, and various types have come to mainstream smartphones over the years. The most common is a “capacitive” sensor, which is an opaque, case-mounted sensor that sits on the back of most Android phones. These sensors measure the electrical capacitance of your fingertip, allowing them to sense the ridges and valleys of your finger by the change in the electrical charge on the pad. Since it’s difficult to replicate the electrical qualities of human skin at home, especially with the level of detail in a fingerprint, capacitive fingerprint sensors are the most logistically challenging to crack.
The move to in-display fingerprint readers means we have two new sensor technologies on the market: optical and ultrasonic. An optical fingerprint sensor, which most notably ships in the OnePlus 6T, works exactly how the name suggests: there is a CMOS chip under the display that takes a picture of your finger. Since this is a picture, it’s a 2D representation of your fingerprint, and most people have the means to replicate 2D images at home. Ultrasonic fingerprint readers blast your finger with sound and measure what returns to the phone. The technology is touted as more secure than optical since it takes a 3D scan of your fingertip.
Apparently Qualcomm’s sensor doesn’t do that much with the third dimension, since darkshark claims a 2D photograph of a fingerprint left on a wine glass contained all the dimensionality needed to trick the sensor. It makes sense that the third dimension can’t be that important: it’s going to constantly change as you squish your finger against the display glass with various levels of pressure.
All biometric technology can be fooled; it’s just a matter of how difficult it is to get the source data and replicate it. Snapping a picture of a fingerprint and replicating it with a cheap consumer printer is on the more plausible end of these Mission Impossible-style heists. On the less-plausible end, we have something like the dubious claims of building an entire life-size head to fool Apple’s Face ID. Whether these sophisticated, targeted spoofing attacks can fool these technologies isn’t the point—that’s not what biometrics are for. They are just here to strike a balance between security and convenience, enough to deter common street thefts or keep a prying associate out of your private data. If you actually think there is a chance of someone using this advanced spycraft on your phone in real life, just use a really long password instead.