With a modified smart lock, it is possible to steal fingerprints. Merely picking up a device can be enough for biometric data to be stolen. That's according to research by Steve Kerrison of James Cook University in Singapore.
Inexpensive IoT devices are increasingly equipped with fingerprint sensors. An attacker can steal a fingerprint image via a less secure IoT device and then use it to gain access to another device or account. In his publication, Kerrison calls this a droplock attack.
According to the researcher, there are two scenarios. The first is as follows: when someone picks up a device equipped with a fingerprint scanner, it scans their fingerprint and transmits it. This happens without the victim noticing. The second scenario involves smart locks with a fingerprint sensor. Kerrison managed to use a debug interface to overwrite the firmware of a smart lock. This allowed him to scan fingerprints and send them via Bluetooth to a nearby device or attacker.
Protection against these attacks is possible by disabling debug interfaces and accepting only signed firmware updates. Also, end users should be more alert to rogue IoT devices, Kerrison said.
Steve Kerrison's paper: https://arxiv.org/pdf/2208.13343.pdf