Menu
German researchers hack Galaxy S5 fingerprint login

German researchers hack Galaxy S5 fingerprint login

The integration with Paypal makes the weakness of Samsung's implementation extra serious

It took just four days for German researchers to trick the Samsung Galaxy S5's fingerprint scanner into accepting a mold of a fingerprint instead of a real finger.

Despite fingerprint authentication being one of the headline features on Samsung's new flagship model, the company's implementation of it "leaves much to be desired," SRLabs said in a video demonstration of the hack posted on Youtube.

The researchers enrolled a fingerprint from a real finger on the S5, then used a mold of a fingerprint to unlock it -- the same one used last year to spoof Apple's TouchID. The video shows how Samsung's implementation can be bypassed using a mold made under laboratory conditions, but it is based on nothing more than a camera phone photo of a latent print from a smartphone screen, SRLabs said.

Latent prints aren't immediately visible to the naked eye, but "can be visualized using magnesium powder, which is gently brushed over hard and shiny surfaces in order to illuminate them," according to the Explore Forensics website.

The weakness of Samsung's implementation is made even more serious because of the integration with Paypal, which allows users to authenticate transactions and money transfers using the fingerprint scanner, according to SRLabs. The integration gives a would-be attacker an even greater incentive to hack a phone, it said.

PayPal played down the risks, saying that it is not the fingerprint that provides access to its service: "PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one."

Fingerprint authentication has become a hot smartphone feature since Apple's inclusion in the iPhone 5S of Touch ID, a fingerprint sensor built into the home button.

Touch ID was hacked last year by German Chaos Computer Club using a latex copy of a fingerprint. The hack of Samsung's fingerprint scanner again raises questions about the effectiveness of the technology.

Using fingerprints has two shortcomings when compared to passwords, according to SRLabs. Once a fingerprint gets stolen, there is no way to change it. To offset this, digitized fingerprints need to be very hard to steal. Also, users leave copies of their fingerprints everywhere; including on the devices they protect, the organization said on its website.

"While biometrics will always carry with them a tradeoff of security for convenience, it's the manufacturer's responsibility to implement them in a way that doesn't put users' crucial data and payment accounts at risk," SRLabs said.

Even though the hack is serious, it is unlikely to affect sales of the Galaxy S5.

"The majority of consumers aren't at this stage very aware of smartphone security issues. Whet they go to buy a new smartphone, it isn't the first question that come to their mind," said Malik Saadi, practice director at ABI Research.

Samsung didn't immediately reply to requests for comment.

Send news tips and comments to mikael_ricknas@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags smartphonesAndroidconsumer electronicsbiometricsSamsung ElectronicsAccess control and authentication

Events

Featured

Slideshows

Channel kicks 2021 into gear as After Hours returns to Auckland

Channel kicks 2021 into gear as After Hours returns to Auckland

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Pantry at Park Hyatt in Auckland to kick-start 2021.

Channel kicks 2021 into gear as After Hours returns to Auckland
The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Show Comments