Fingerprint security can be one of the best ways to keep your smartphone safe, as it both relies on something that’s unique to you, the phone’s owner, and when it works well, its operation can be nearly seamless. But key to its security is making sure that it only recognizes your fingerprints as authorized – if another user could easily add their own, that protection goes right out the window. That’s why we’re paying attention to a new video that highlights a security breakdown in the LG V10’s fingerprint scanner, one that has the potential to bypass a key authorization step in how the phone saves new fingerprints.
Let’s get a few things out of the way right up front: this attack has a few requirements for it work, and that could make it seem like not a big deal to plenty of V10 owners. That said, it’s still possible that the stars manage to align just right, and if you’re not careful you may find your phone opening itself up to attack.
Specifically, we need a V10 that has Nova Launcher on it, and the attacker has to briefly have access to the unlocked handset – maybe they borrowed it for a moment under some other pretense, or picked it up when you left it unattended.
Normally, when you go to add a new fingerprint, you have to enter your PIN or password first – a sensible security precaution, since assigning a new fingerprint affords that user the same level of access as knowing your secret code. But with the way Nova Launcher gives users access to “Activities” – shortcuts to screens within apps – an attacker can bypass that step and jump right into the part where they add a new fingerprint, no PIN needed.
Like we said, a lot needs to go right for this attack to work. But it shouldn’t be possible in the first place, which is a problem LG is going to need to deal with.
For now, you can stay safe by not sharing your unlocked phone, not running Nova Launcher, and maybe the easiest way: filling all four fingerprint slots with your own prints so an attacker has no room to add his own.