How Secure is Xiaomi Redmi Note 3's Finger Print Scanner | Rahul Tyagi | Lucideus

Over the past few years, one Chinese company has been making a big impact on the smartphone world: Xiaomi Inc. Founded in 2010, it is a privately owned Chinese electronics company headquartered in Beijing. It is the world’s 5th largest smartphone maker; in 2015 Xiaomi sold 70.8 million units and accounted for almost 5 percent of the global smartphone market share. Founded by Hong Feng and fellows, the company crossed 20 billion USD in revenue in 2015.
 According to IDC, in October 2014 Xiaomi was the third largest smartphone maker in the world, following Samsung and Apple Inc., and followed by Lenovo and LG. Xiaomi became the largest smartphone vendor in China in 2014, having overtaken Samsung, according to an IDC report. (Source)

 Xiaomi and Privacy Issues in Past

  • In October 2014, Xiaomi announced that it was setting up servers outside of China for international users, citing improved services and compliance with regulations in several nations. Around the same time, the Indian Air Force issued a warning against Xiaomi phones, stating that they were a national threat as they sent user data to an agency of the Chinese government. (Source)
  • According to the PhoneArena report, looking up the website of the company owning the IP address in the range– reveals that the website owner is CNNIC, the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People’s Republic of China. It is based in the Zhongguancun high-tech district of Beijing.
  • The Taiwanese Government underlined similar concerns before Xiaomi’s launch in India. Xiaomi is facing an investigation in Taiwan for an alleged cyber security threat, as a result of which last month the Taiwanese government decided to ban the company due to several privacy controversies. (Source)
  • Again in 2014, an independent security researcher from Taiwan named Chen Haung claimed that Xiaomi phones had been sending device data and personal data of Xiaomi phone users to Chinese servers. The researcher took this to the next level by announcing a demonstration of the proof of concept at one of the conferences in India, but later Xiaomi came into the picture and, under pressure, Chen Haung backed out of the conference.
     Later Xiaomi reacted to this news and issued a press release in response, which is shown in the image below.

After facing several privacy controversies, Xiaomi pledged to open a local data center for user data in India by 2015, away from its servers in Beijing, due to performance and privacy considerations, but in my research I was unable to find any sound public-domain news that it has opened. (Let us know if you know of any Xiaomi data center in India.)
 About Xiaomi Note 3 (Made in India)

The Xiaomi Redmi Note 3 smartphone was launched in November 2015. The phone comes with a 5.50-inch touchscreen display with a resolution of 1080 pixels by 1920 pixels at a density of 403 pixels per inch.
 The Xiaomi Redmi Note 3 is powered by a 1.4GHz/1.8GHz hexa-core Qualcomm Snapdragon 650 processor and comes with 2GB/3GB of RAM. The phone packs 16/32GB of internal storage that can be expanded up to 128GB via a microSD card. As far as the cameras are concerned, the Xiaomi Redmi Note 3 packs a 16-megapixel primary camera on the rear and a 5-megapixel front shooter for selfies. The best part about the phone is that it was the first phone that is manufactured in India and has fingerprint scanner security.
 The Xiaomi Redmi Note 3 runs custom MIUI on Android 5.1 and is powered by a 4050mAh non-removable battery. It measures 150.00 x 76.00 x 8.65 (height x width x thickness) and weighs 164.00 grams. (Source)
 How Fingerprint Scanner works

There are mainly three types of scanners available today to perform the required task.

  • Optical Scanner : Optical fingerprint scanners are the oldest method of capturing and comparing fingerprints. As the name suggests, this technique relies on capturing an optical image, essentially a photograph, and using algorithms to detect unique patterns on the surface, such as ridges or unique marks, by analysing the lightest and darkest areas of the image.
     Just like smartphone cameras, these sensors can have a finite resolution, and the higher the resolution, the finer details the sensor can discern about your finger, increasing the level of security.
     Much like the early days of the resistive touchscreen, you won’t find optical scanners used in anything but the most cost effective pieces of hardware these days. With increasing demand for tougher security, smartphones have unanimously adopted superior capacitive scanners.
  • Capacitive Scanner : Instead of creating a traditional image of a fingerprint, capacitive fingerprint scanners use arrays of tiny capacitor circuits to collect data about a fingerprint. As capacitors can store electrical charge, connecting them up to conductive plates on the surface of the scanner allows them to be used to track the details of a fingerprint. The charge stored in the capacitor will be changed slightly when a finger’s ridge is placed over the conductive plates, while an air gap will leave the charge at the capacitor relatively unchanged. An op-amp integrator circuit is used to track these changes, which can then be recorded by an analogue-to-digital converter.
     Once captured, this digital data can be analyzed to look for distinctive and unique fingerprint attributes, which can be saved for a comparison at a later date. What is particularly smart about this design is that it is much tougher to fool than an optical scanner. The results can’t be replicated with an image, and the scanner is incredibly tough to fool with some sort of prosthetic, as different materials will record slightly different changes in charge at the capacitor. The only real security risks come from either hardware or software hacking.
     Due to the larger number of components in the detection circuit, capacitive scanners can be a little pricey. Some early implementations attempted to cut the number of capacitors needed by using “swipe” scanners, which would collect data from a smaller number of capacitor components by quickly refreshing the results as a finger is pulled over the sensor. As many consumers complained at the time, this method was very finicky and often required several attempts to scan the result correctly. Fortunately, these days, the simple press and hold design is far more common.
  • Ultrasonic Scanner : The latest fingerprint scanning technology to enter the smartphone space is an ultrasonic sensor, which was first announced to be inside the Le Max Pro smartphone. Qualcomm and its Sense ID technology are also a major part of the design in this particular phone. To actually capture the details of a fingerprint, the hardware consists of both an ultrasonic transmitter and a receiver.
     An ultrasonic pulse is transmitted against the finger that is placed over the scanner. Some of this pulse is absorbed and some of it is bounced back to the sensor, depending upon the ridges, pores and other details that are unique to each fingerprint.
     There isn’t a microphone listening out for these returning signals, instead a sensor that can detect mechanical stress is used to calculate the intensity of the returning ultrasonic pulse at different points on the scanner. Scanning for longer periods of time allows for additional depth data to be captured, resulting in a highly detailed 3D reproduction of the scanned fingerprint. The 3D nature of this capture technique makes it an even more secure alternative to capacitive scanners.


Xiaomi Note 3’s Finger Print Scanner
 Xiaomi uses the new Qualcomm Snapdragon 650 SoC, which is built on Qualcomm’s SecureMSM hardware-based foundation. In addition, integration with FIDO (Fast IDentity Online) Alliance biometrics enables the device to keep fingerprint data on the device, not in the cloud, and to connect more securely to FIDO-enabled websites, online accounts and devices. So the Redmi Note 3 is actually one of the best phones for the price, not only because of the performance but also because of the security.

The FIDO (Fast IDentity Online) Alliance has developed strong cryptographic protocols that use these protected hardware zones to enable password-less authentication handshakes between hardware and services. So you can log into a website or online shop using your fingerprint without your unique data ever having to leave your smartphone. This is accomplished by passing digital keys rather than biometric data to servers. (Source)
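
The handshake described above, as an added example that is not from the original post or from the FIDO specifications: a Node.js model of registration and login in which the website stores only a public key and the fingerprint merely unlocks a per-site private key on the phone. The class names, the string standing in for a fingerprint template, and the origin shop.example are assumptions; a real authenticator keeps both the matcher and the private key inside protected hardware.

```javascript
// Added illustration (hypothetical names), not FIDO Alliance or Xiaomi code.
const crypto = require('crypto');

class Authenticator {                        // runs on the phone
  constructor(template) {
    this.template = template;                // biometric data: never exported
    this.keys = new Map();                   // one private key per site origin
  }
  unlocked(scan) { return scan === this.template; } // stand-in for the matcher
  register(origin, scan) {
    if (!this.unlocked(scan)) throw new Error('fingerprint mismatch');
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves
  }
  sign(origin, challenge, scan) {
    const key = this.keys.get(origin);
    if (!key || !this.unlocked(scan)) return null;   // key stays locked
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}
class RelyingParty {                         // the website
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    this.pending.set(user, crypto.randomBytes(32));
    return this.pending.get(user);
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);               // single use, so a replay fails
    const pem = this.users.get(user);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify('sha256', Buffer.concat([Buffer.from(this.origin), challenge]), pem, signature);
  }
}

function demo() {                            // constructed sample values throughout
  const phone = new Authenticator('constructed-template');
  const site = new RelyingParty('https://shop.example');
  site.enroll('alice', phone.register(site.origin, 'constructed-template'));
  const sig = phone.sign(site.origin, site.newChallenge('alice'), 'constructed-template');
  const ok = site.verify('alice', sig);
  site.newChallenge('alice');
  const replay = site.verify('alice', sig);  // old signature against a fresh challenge
  const wrongFinger = site.verify('alice', phone.sign(site.origin, site.newChallenge('alice'), 'other'));
  const leaked = [...site.users.values()].some(v => v.includes('constructed-template'));
  return { ok, replay, wrongFinger, leaked };
}
```

Calling `demo()` shows the valid login accepted, the replayed signature and the non-matching finger rejected, and no trace of the template in what the server stores.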

Attacks in Public Domain on Qualcomm

Conclusion : Fingerprint scanners have become quite a secure alternative to remembering countless usernames and passwords, and the further rollout of secure mobile payment systems means that these scanners are likely to become a more common and crucial security tool in the future.
 The only problem with fingerprint scanners is that if your biometric information has been compromised, you can’t change it.
