Menu
German researchers hack Galaxy S5 fingerprint login

German researchers hack Galaxy S5 fingerprint login

The integration with Paypal makes the weakness of Samsung's implementation extra serious

It took just four days for German researchers to trick the Samsung Galaxy S5's fingerprint scanner into accepting a mold of a fingerprint instead of a real finger.

Despite fingerprint authentication being one of the headline features on Samsung's new flagship model, the company's implementation of it "leaves much to be desired," SRLabs said in a video demonstration of the hack posted on Youtube.

The researchers enrolled a fingerprint from a real finger on the S5, then used a mold of a fingerprint to unlock it -- the same one used last year to spoof Apple's TouchID. The video shows how Samsung's implementation can be bypassed using a mold made under laboratory conditions, but it is based on nothing more than a camera phone photo of a latent print from a smartphone screen, SRLabs said.

Latent prints aren't immediately visible to the naked eye, but "can be visualized using magnesium powder, which is gently brushed over hard and shiny surfaces in order to illuminate them," according to the Explore Forensics website.

The weakness of Samsung's implementation is made even more serious because of the integration with Paypal, which allows users to authenticate transactions and money transfers using the fingerprint scanner, according to SRLabs. The integration gives a would-be attacker an even greater incentive to hack a phone, it said.

PayPal played down the risks, saying that it is not the fingerprint that provides access to its service: "PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one."

Fingerprint authentication has become a hot smartphone feature since Apple's inclusion in the iPhone 5S of Touch ID, a fingerprint sensor built into the home button.

Touch ID was hacked last year by German Chaos Computer Club using a latex copy of a fingerprint. The hack of Samsung's fingerprint scanner again raises questions about the effectiveness of the technology.

Using fingerprints has two shortcomings when compared to passwords, according to SRLabs. Once a fingerprint gets stolen, there is no way to change it. To offset this, digitized fingerprints need to be very hard to steal. Also, users leave copies of their fingerprints everywhere; including on the devices they protect, the organization said on its website.

"While biometrics will always carry with them a tradeoff of security for convenience, it's the manufacturer's responsibility to implement them in a way that doesn't put users' crucial data and payment accounts at risk," SRLabs said.

Even though the hack is serious, it is unlikely to affect sales of the Galaxy S5.

"The majority of consumers aren't at this stage very aware of smartphone security issues. Whet they go to buy a new smartphone, it isn't the first question that come to their mind," said Malik Saadi, practice director at ABI Research.

Samsung didn't immediately reply to requests for comment.

Send news tips and comments to mikael_ricknas@idg.com


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securitysmartphonesAndroidconsumer electronicsbiometricsSamsung ElectronicsAccess control and authentication

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments