The new OnePlus 7 Pro is a stunning phone, of that there can be little doubt. The pop-up camera and all-screen display with a great refresh rate show that OnePlus is still pushing forward with the form and functionality of its devices. One area where it has been pretty static is device security though, and so it should come as no surprise that someone has already managed to hack the fingerprint reader. Which doesn’t necessarily mean that you should be running around the room pulling your hair out, the ability to hack the fingerprint security lock and the opportunity to exploit this ability are two very different things.
OnePlus 7 Pro biometrics
The fingerprint sensor is the same optical “under the screen” one that users of the OnePlus 6T will already be very used to. This is no bad thing as far as accuracy and speed are concerned; the OnePlus 7 Pro has one of the fastest finger to phone unlock routines I have seen, coupled with a decent target area meaning your finger (or thumb) will hit a lot more than miss. Indeed, Forbes contributor Ewan Spence says he will “be using the fingerprint unlocking a lot more on the 7 Pro than the 6T” as the pop-up camera makes facial recognition too slow by comparison. I am not suggesting he, or you, should change your mind in light of the revelation that the fingerprint reader can be fooled pretty easily.
The fingerprint hack explained
Earlier this week a video appeared on the Max Tech YouTube channel that showed how easily the OnePlus 7 Pro fingerprint reader could be fooled and the device unlocked using just a hot-glue gun, tinfoil and some white school glue. This methodology is nothing new, truth be told, and similar print molding techniques have fooled many a biometric security system in the past. The Chaos Computer Club (CCC) famously bypassed the iPhone 5S Touch ID system back in 2013 by photographing a fingerprint, laser-printing to a transparent sheet using a thick toner laying over this with latex milk to produce a fake finger. The Max Tech method was even easier and a lot quicker; from finger to phone access was accomplished in a matter of minutes. It involves putting a blob of hot-glue onto some tinfoil, wetting your finger and dabbing it into the glue to make an impression and then filling over the top with some white school glue. As soon as the white glue dries, which only takes minutes, this is carefully peeled away to reveal a fake fingerprint that can be used to successfully and instantly unlock the OnePlus 7 Pro time and time again. The cloned fingerprint could also open a OnePlus 6T but didn’t fool the ultrasonic reader used by the Samsung S10. Not that the Samsung S10 cannot be fooled, as I reported here on Forbes back in March.
Why it really doesn’t matter that much
Across the years I have seen fingerprints cloned using everything from clay to Gummi Bear sweets. Yet I still use the fingerprint reader on my phone as the primary unlock method. Am I mad? Nope, I am just realistic. As ethical hacker John Opdenakker told me earlier today, “it sounds very scary because this attack could give criminals access to your entire digital life. But it would be very difficult to realize because it requires a fingerprint of the victim and physical access to the device.” And there is the reason I still use fingerprint unlocking and so should you. For the hack to be effective the attacker would have to not only already have physical access to your OnePlus 7 Pro device but to your finger as well. Why bother forcing you to dab your finger in hot glue when they could just as easily force you to dab it onto the phone screen instead? My advice is to keep on using that OnePlus 7 Pro fingerprint biometric to unlock your phone. It provides ample security for most use cases and the risk of someone being able to bypass it is very small for the vast majority of people. Oh, and if anyone asks you to just pop your finger into a blob of hot glue, politely decline…
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 server
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 serverSome of the world’s biggest companies have had 750GB worth of their innermost secrets revealed on unsecured Amazon S3 buckets, available for anybody to download – no...
New Microsoft Excel Attack SurfacesResearchers have identified a security hole in Microsoft Office’s Excel spreadsheet program that allows an attacker to trigger a malware attack on remote systems. A feature in Microsoft Office’s Excel spreadsheet program called Power...
Malicious URL attacks using HTTPS surge across the enterpriseCyberattacks launched against the enterprise which makes use of the HTTPS protocol are increasing alongside spoofing and cloud-based threats, new research suggests. According to FireEye's Q1 2019 Email...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!