How to disable the fingerprint sensor physically?

Hello,

Would it be possible to somehow physically disable the fingerprint sensor? I am not talking about disabling biometric security settings within Android, I mean actually physically disabling the fingerprint sensor. This is currently the only thing holding me back from purchasing a Fairphone 5.

I know the fingerprint scanner is part of the core module, and that it is impossible to remove / replace (it also doubles as the on button). Perhaps a sticker of some kind would work? Then again, what kind of sticker would stick after thousands of touches over the years? I wouldn’t mind replacing the sticker once / twice a year, but weekly / monthly would be too much. Perhaps scratching it would be a solution? Then again, I think this would not do any good to the warranty. Or perhaps there is some soldering / wiring that can be undone?

Any suggestions / help would be appreciated.

Welcome to the Community Forum.

My first idea would be that you add Fairphone’s Protective Case to the FP5 and then add a small simple layer in between the FP5 and the case (right where the cutout for the button is) that is thick enough to obfuscate any fingerprint, but still lets you use the button to activate and deactivate the screen etc.

A second thought: You might already know that the FP5 comes with an OLED display. Its energy saving quality makes it possible that the FP5 settings offer you the option to activate an “always-on” functionality of the display (only a limited area of the display will actually stay on, e.g. for displaying the time) and a “tap to wake” option. The latter should allow you to significantly reduce the general need and usage of the traditional power button. This might also help with evading the fingerprint sensor a lot.

2 Likes

You might just carefully paint the button with nail polish. But would you mind saying why? If you don’t activate the sensor in the first place, it should do nothing.

I just wanted to ask the same question.

And furthermore, even if you use the fingerprint reader: There is no such thing as an image of a fingerprint stored on the phone that could be stolen, only hashed and encrypted information that no one else could use anyway (and that is additionally secured inside the TEE as well).

Here is a good article about those technical details and all the security layers involved:

2 Likes

Have a look at this discussion

2 Likes

Thanks, Yvonne! That other thread covers the topic very well. Nothing there convinces me that a fingerprint reader poses any danger if one doesn’t use fingerprint logins in the first place. But of course, everybody can be as cautious as they want.

Okay, first of all I’d like to thank all of you for your replies.

Now, regarding the given solutions. The case & cutout cover idea I had thought of earlier. I am afraid that a (loose) layer between the case and phone is really impractical, because the layer could potentially move, revealing the sensor, resulting in me accidentally pressing it. The layer would need to be adhesive, if I want to prevent it from sliding to the side. That’s why I came up with the sticker idea. I’ve read about the duct tape idea in the linked thread, looks interesting, and will investigate (perhaps tape my current phone in the same way to check its practicality).

Second idea, the nail polish. Would it void warranty? If not, the problem is, if the polish slowly erodes, the scanner might start working again, without a clear indication of when. It would start to read my print again, without me knowing for I don’t know how long. And reading it once is enough. Unless you have some evidence that it permanently disables the scanner somehow?

Now, regarding the safety aspect. First and foremost, I find it annoying that every phone collects more and more personal information as the years pass. I would gladly enter a pin instead of a fingerprint, and I see fingerprint scanning, or any use of biometric data as unethical and superfluous (or any kind of bulk data harvesting for that matter).

A fingerprint is unique, and can only be used once. You cannot change it over the course of your life. Sure, it might get stored in isolation onto the chip encrypted*. But, given the history of hardware backdoors (think of Intel IMEI, as a crude example), and the extreme difficulty in exposing them (who will put every manufactured hardware chip architecture under an electron microscope to verify that it has no built-in backdoor structures), I find it hard to believe that the isolation of the validation data onto the chip itself is the standard across all devices de facto. It is only standard if the standard is implemented (correctly). Even if it were secure, I simply do not care. I just don’t want my fingerprint to be used. Is that too much to ask?

I know there’s a lot of alternative fingerprinting methods already in use for data harvesting, such as behavioral uniqueness and browser fingerprinting. I know that if I buy a smartphone, I am feeding the ever-hungry data beast. I know I am hypocritical in a sense. I just want to minimize the data that is collected, especially if it is biometric.

It just frustrates me to no end when I google “physically disable fingerprint sensor”, for example. Instead I seem to only get answers on how to enable the sensor or how to repair it. Another solution given is disabling the drivers, but this is on the software level, not on the physical hardware level. Any backdoor architecture baked into a hardware component of the phone might circumvent the whole ordeal.

There was a time that there were many (or at least more relevant) posts about how to undo a phone’s tracking capabilities. It seems that over time, posts about this are not to be found anymore. Perhaps I am looking in the wrong place. Maybe people have given up on the fight for privacy (convenience won)? Or maybe (puts on tinfoil hat) Google does not like anti-tracking measures taken by people, as it would drop their revenue (A.I. driven data collection optimization reflecting in the search results, maybe?) Perhaps relevant information is only to be found on the deeper layers of the web these days. Whatever the reason, it frustrates me to no end.

I will remove the front camera of the phone, as I have no use for it. I would just like to be able to remove the fingerprint scanner as well. Sadly, now it is part of the core module. I do not suspect Fairphone will look into decoupling the fingerprint scanner (and other sensors e.g. GPS, accelerometer and gyroscope) from the core module, but it is something that I would appreciate very much, and I would like to voice this opinion in my post.

[*] It might not be an image of your print that gets stored, but the bare validation data, resulting from your print is as unique as a picture of a fingerprint is. Once the isolation layer is broken, and this validation data is harvested, in a sense the hacker still has a unique fingerprint identifier. He just has to throw a picture of your fingerprint through the same algorithm used in your phone, and match it with the obtained validation data to confirm it is you.

Ok, now you are mixing up things that are not connected at all.
I don’t want to repeat everything that has been said here and in the thread linked by @yvmuell, but I think some things can’t stand here uncorrected.

If you don’t enable/use the fingerprint sensor, no fingerprints are “collected” in the first place because the fingerprint reader is disabled.

No one collects your fingerprints. This hashed information is stored in TEE and can never leave this area.

Since Fairphone ships with Google Mobile Services (GMS) (and a lot of other Google bloatware), Fairphone has to support a lot of (security) features that are required by Google in order to be certified and ship the FP5 with all Google stuff in the first place. One of those requirements is TEE. And this is the de-facto standard since Android 8.

Well, no: just don’t use it in the first place. Btw: except for iPhones, fingerprint authentication is not very secure on many phones, also known as fingerprint brute-force attacks. But this has nothing to do with stealing fingerprints.

Browser fingerprinting is basically the opposite of what we are discussing here: It has nothing to do with our real fingerprints.
It’s more of an analogy to the uniqueness of our fingerprints: Big companies like Google and Meta are trying to achieve this unique identifier by collecting our Internet behavior, our browser settings, our operating system settings, and so on. Their goal is to sell more personalized ads and thus make more profit.
So a very different story from this topic here.

Once again, we are not talking about tracking here. Fingerprint authentication has nothing to do with tracking as you have described it here.
And no, you are in the right place if you are concerned about tracking. But then I would recommend you don’t use a phone with GMS installed to begin with, like I do, for example. There are a lot of other great aftermarket OS for the FP4 and soon also for the new FP5. See oslist

Apart from that this is very very theoretical, since the TEE is designed so that this information can never leave it, and besides, these hackers must have overcome a total of three layers of security: Additionally, they must somehow have access to your phone, and even if that were ever possible (which is highly unlikely): What do they want to achieve with this data? It’s stored locally and only on your phone, and it’s unique to each phone - they can’t use it to unlock anything else. And if they already have physical access to your phone, fingerprint spoofing is much more likely than this approach.

2 Likes

This is a matter of trust, since the sensor is disabled through the software. There’s no airgap, which requires me to blindly trust the software, which I do not want to do, as stated earlier.

If implemented correctly. You bring forward the argument that Google has strict certification requirements. Perhaps you are forgetting Google is also subject to higher authorities, including governmental bodies with policies kept secret from the public (see Edward Snowden). Again you require me to blindly trust Google, which I obviously cannot do.

See above.

How? It doubles as the on / off button. This is what I want to prevent in the first place.

I know, the point of my story about other ways of “fingerprinting” was that I know I am being tracked in other ways, and that it is hypocritical of me to be railing against fingerprinting alone, while other methods of tracking with different purposes exist. I was just trying to prevent the argument “just don’t buy a smartphone at all, if you value privacy” from people. I know I am seceding my right to privacy when I buy a smartphone.

Semantics. I do not mean tracking as much as I mean data harvesting. I will change the wording in my first post to reflect this. Also, another OS is yet again, software. And software has potential vulnerabilities.

You’ve missed my point about hardware backdoors. This relates to the earlier part I mentioned about government agencies. You are talking about garden variety hackers. I am talking about capable bodies. You are probably in the right by saying that it is not unsafely implemented at this moment in time. But as the tech landscape evolves, and hardware becomes smaller and capabilities become ever greater, I worry about the normalization of biometric use, or data harvesting in general. That’s why I said I do not care whether the implementation is genuinely safe or not. I just do not want to use my fingerprint scanner at all, and prevent the normalization of it.

It all boils down to: you either scan your print, or you don’t. If you scan it, it might be harvested. How, why, by whom and at what point in time is irrelevant. The point is that the probability of your fingerprint being harvested is greater than zero, while when you do not scan your fingerprint, it becomes 0 (barring external factors outside of your smartphone use), which is my goal. Again, the rest is irrelevant to me.

If you were to ask people 30 years ago whether they would allow their fingerprints to be scanned, you’d run into way more resistance than today. The fact that it is normalized is weird in itself (which annoys me 🥲)

The probability of your fingerprint being scanned is also greater than zero if you simply go outside without gloves. What exactly is the risk you are trying to protect yourself from?

2 Likes

Am I not making myself clear?

And you must know the difference between a person that’s specifically targeting you, looking in a trash can for your fingerprint on some soda can versus mass collection of fingerprints from all phones and hoarding them in a central location, no?
