Menu
German researchers hack Galaxy S5 fingerprint login

German researchers hack Galaxy S5 fingerprint login

The integration with Paypal makes the weakness of Samsung's implementation extra serious

It took just four days for German researchers to trick the Samsung Galaxy S5's fingerprint scanner into accepting a mold of a fingerprint instead of a real finger.

Despite fingerprint authentication being one of the headline features on Samsung's new flagship model, the company's implementation of it "leaves much to be desired," SRLabs said in a video demonstration of the hack posted on Youtube.

The researchers enrolled a fingerprint from a real finger on the S5, then used a mold of a fingerprint to unlock it -- the same one used last year to spoof Apple's TouchID. The video shows how Samsung's implementation can be bypassed using a mold made under laboratory conditions, but it is based on nothing more than a camera phone photo of a latent print from a smartphone screen, SRLabs said.

Latent prints aren't immediately visible to the naked eye, but "can be visualized using magnesium powder, which is gently brushed over hard and shiny surfaces in order to illuminate them," according to the Explore Forensics website.

The weakness of Samsung's implementation is made even more serious because of the integration with Paypal, which allows users to authenticate transactions and money transfers using the fingerprint scanner, according to SRLabs. The integration gives a would-be attacker an even greater incentive to hack a phone, it said.

PayPal played down the risks, saying that it is not the fingerprint that provides access to its service: "PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one."

Fingerprint authentication has become a hot smartphone feature since Apple's inclusion in the iPhone 5S of Touch ID, a fingerprint sensor built into the home button.

Touch ID was hacked last year by German Chaos Computer Club using a latex copy of a fingerprint. The hack of Samsung's fingerprint scanner again raises questions about the effectiveness of the technology.

Using fingerprints has two shortcomings when compared to passwords, according to SRLabs. Once a fingerprint gets stolen, there is no way to change it. To offset this, digitized fingerprints need to be very hard to steal. Also, users leave copies of their fingerprints everywhere; including on the devices they protect, the organization said on its website.

"While biometrics will always carry with them a tradeoff of security for convenience, it's the manufacturer's responsibility to implement them in a way that doesn't put users' crucial data and payment accounts at risk," SRLabs said.

Even though the hack is serious, it is unlikely to affect sales of the Galaxy S5.

"The majority of consumers aren't at this stage very aware of smartphone security issues. Whet they go to buy a new smartphone, it isn't the first question that come to their mind," said Malik Saadi, practice director at ABI Research.

Samsung didn't immediately reply to requests for comment.

Send news tips and comments to mikael_ricknas@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags smartphonesAndroidconsumer electronicsbiometricsSamsung ElectronicsAccess control and authentication

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments