
Fingerprints alone are simply a number that is generated by your finger on a reader, and then sent to some other system.

Think of a fingerprint reader as a USB keyboard that types out your fingerprint number for you when you touch it. While an attacker can steal the finger and put it on the reader, they are more likely to steal the number and type it in with a regular keyboard.

Border controls are about building a (passport, face, fingerprint) tuple under human (or remote human) supervision on trusted hardware to control physical movement. It feels like one of the few cases where fingerprint readers do actually work as an application.

Now that the border police have your magic finger number they can indeed unlock your phone too. It’s an offline attack though — they need to get logic probes between the reader and the CPU — so if the phone locks with a PIN after reboot, magic key press, or a period of time then that’s the appropriate defence.



> It’s an offline attack though — they need to get logic probes between the reader and the CPU — so if the phone locks with a PIN after reboot, magic key press, or a period of time then that’s the appropriate defence.

I'm expecting that if you want to do it at scale (like once a day per airport), you can 3D print them within an hour.


The magic finger number has a challenge response, so they can't do that (to an iPhone).



