by theclaw 2438 days ago
Yeah agreed. It's almost certainly some code that needs to change from this:

  testResult = TestFingerprint(fingerprint);
  if(testResult)
    return UNLOCK_OK;
  else
    return UNLOCK_FAIL;

to this:

  testResult = TestFingerprint(fingerprint);
  if(testResult == RESULT_OK)
    return UNLOCK_OK;
  else
    return UNLOCK_FAIL;

2 comments
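The difference between the two checks in the comment above, as an added C example (not code from the thread or from any vendor): when a matcher returns more than two result codes, a truthiness test treats every non-zero code as a match and fails open. Assumptions: all result codes other than `RESULT_OK`, the names `unlock_truthy` and `unlock_strict`, and the string-comparison stand-in for the matcher are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; the thread only names RESULT_OK. */
typedef enum {
    RESULT_NO_MATCH     = 0,
    RESULT_OK           = 1,
    RESULT_LOW_QUALITY  = 2,  /* constructed: image too poor to compare */
    RESULT_SENSOR_ERROR = 3   /* constructed: no usable reading at all */
} test_result_t;

typedef enum { UNLOCK_FAIL = 0, UNLOCK_OK = 1 } unlock_t;

static const char *ENROLLED = "template-A";  /* constructed sample data */

/* Stand-in matcher: string equality replaces real template comparison. */
static test_result_t TestFingerprint(const char *fingerprint) {
    if (fingerprint == NULL)    return RESULT_SENSOR_ERROR;
    if (fingerprint[0] == '\0') return RESULT_LOW_QUALITY;
    return strcmp(fingerprint, ENROLLED) == 0 ? RESULT_OK : RESULT_NO_MATCH;
}

/* "Before": every non-zero code, including the error codes, unlocks. */
unlock_t unlock_truthy(const char *fingerprint) {
    test_result_t testResult = TestFingerprint(fingerprint);
    if (testResult)
        return UNLOCK_OK;
    else
        return UNLOCK_FAIL;
}

/* "After": only an explicit RESULT_OK unlocks; all else fails closed. */
unlock_t unlock_strict(const char *fingerprint) {
    test_result_t testResult = TestFingerprint(fingerprint);
    if (testResult == RESULT_OK)
        return UNLOCK_OK;
    else
        return UNLOCK_FAIL;
}

int main(void) {
    const char *label[]  = { "enrolled", "other finger", "low quality", "sensor error" };
    const char *sample[] = { "template-A", "template-B", "", NULL };
    for (int i = 0; i < 4; i++)
        printf("%-13s truthy=%d strict=%d\n", label[i],
               unlock_truthy(sample[i]), unlock_strict(sample[i]));
    return 0;
}
```

A test suite that only tries the enrolled finger and a different finger sees identical results from both versions; the two diverge only on the error codes.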

My initial guess was something like the fingerprint is stored as a bunch of samples of where there are "hills" on the finger, and verifying the fingerprint consisted of checking that those hills are present - another human will have valleys where the first person had hills. The gel screen protector presented 100% hills so all the checks passed. What they needed to fix was to check for the non-presence of some "valleys" as well.

Of course the fact that they're using hashes of the fingerprint means this theory is bogus and the issue is probably a lot more complex/involved.

That seems unlikely. They surely would've done the most basic testing that would've found a bug like that. The issue here seems to be the addition of the screen cover is making all fingerprints appear similar enough to pass as the same one.