Menu
German researchers hack Galaxy S5 fingerprint login

German researchers hack Galaxy S5 fingerprint login

The integration with Paypal makes the weakness of Samsung's implementation extra serious

It took just four days for German researchers to trick the Samsung Galaxy S5's fingerprint scanner into accepting a mold of a fingerprint instead of a real finger.

Despite fingerprint authentication being one of the headline features on Samsung's new flagship model, the company's implementation of it "leaves much to be desired," SRLabs said in a video demonstration of the hack posted on Youtube.

The researchers enrolled a fingerprint from a real finger on the S5, then used a mold of a fingerprint to unlock it -- the same one used last year to spoof Apple's TouchID. The video shows how Samsung's implementation can be bypassed using a mold made under laboratory conditions, but it is based on nothing more than a camera phone photo of a latent print from a smartphone screen, SRLabs said.

Latent prints aren't immediately visible to the naked eye, but "can be visualized using magnesium powder, which is gently brushed over hard and shiny surfaces in order to illuminate them," according to the Explore Forensics website.

The weakness of Samsung's implementation is made even more serious because of the integration with Paypal, which allows users to authenticate transactions and money transfers using the fingerprint scanner, according to SRLabs. The integration gives a would-be attacker an even greater incentive to hack a phone, it said.

PayPal played down the risks, saying that it is not the fingerprint that provides access to its service: "PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one."

Fingerprint authentication has become a hot smartphone feature since Apple's inclusion in the iPhone 5S of Touch ID, a fingerprint sensor built into the home button.

Touch ID was hacked last year by German Chaos Computer Club using a latex copy of a fingerprint. The hack of Samsung's fingerprint scanner again raises questions about the effectiveness of the technology.

Using fingerprints has two shortcomings when compared to passwords, according to SRLabs. Once a fingerprint gets stolen, there is no way to change it. To offset this, digitized fingerprints need to be very hard to steal. Also, users leave copies of their fingerprints everywhere; including on the devices they protect, the organization said on its website.

"While biometrics will always carry with them a tradeoff of security for convenience, it's the manufacturer's responsibility to implement them in a way that doesn't put users' crucial data and payment accounts at risk," SRLabs said.

Even though the hack is serious, it is unlikely to affect sales of the Galaxy S5.

"The majority of consumers aren't at this stage very aware of smartphone security issues. Whet they go to buy a new smartphone, it isn't the first question that come to their mind," said Malik Saadi, practice director at ABI Research.

Samsung didn't immediately reply to requests for comment.

Send news tips and comments to mikael_ricknas@idg.com

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags consumer electronicssecuritysmartphonesSamsung ElectronicsbiometricsAccess control and authenticationAndroid

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments