It took just four days for German researchers to trick the Samsung Galaxy S5’s fingerprint scanner into accepting a mold of a fingerprint instead of a real finger.
Despite fingerprint authentication being one of the headline features on Samsung’s new flagship model, the company’s implementation of it “leaves much to be desired,” SRLabs said in a video demonstration of the hack posted on Youtube.
The researchers enrolled a fingerprint from a real finger on the S5, then used a mold of a fingerprint to unlock it—the same one used last year to spoof Apple’s TouchID. The video shows how Samsung’s implementation can be bypassed using a mold made under laboratory conditions, but it is based on nothing more than a camera phone photo of a latent print from a smartphone screen, SRLabs said.
Latent prints aren’t immediately visible to the naked eye, but “can be visualized using magnesium powder, which is gently brushed over hard and shiny surfaces in order to illuminate them,” according to the Explore Forensics website.
The weakness of Samsung’s implementation is made even more serious because of the integration with Paypal, which allows users to authenticate transactions and money transfers using the fingerprint scanner, according to SRLabs. The integration gives a would-be attacker an even greater incentive to hack a phone, it said.
PayPal played down the risks, saying that it is not the fingerprint that provides access to its service: “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.”
Fingerprint authentication has become a hot smartphone feature since Apple’s inclusion in the iPhone 5S of Touch ID, a fingerprint sensor built into the home button.
Touch ID was hacked last year by German Chaos Computer Club using a latex copy of a fingerprint. The hack of Samsung’s fingerprint scanner again raises questions about the effectiveness of the technology.
Using fingerprints has two shortcomings when compared to passwords, according to SRLabs. Once a fingerprint gets stolen, there is no way to change it. To offset this, digitized fingerprints need to be very hard to steal. Also, users leave copies of their fingerprints everywhere; including on the devices they protect, the organization said on its website.
“While biometrics will always carry with them a tradeoff of security for convenience, it’s the manufacturer’s responsibility to implement them in a way that doesn’t put users’ crucial data and payment accounts at risk,” SRLabs said.
Even though the hack is serious, it is unlikely to affect sales of the Galaxy S5.
“The majority of consumers aren’t at this stage very aware of smartphone security issues. Whet they go to buy a new smartphone, it isn’t the first question that come to their mind,” said Malik Saadi, practice director at ABI Research.
Samsung didn’t immediately reply to requests for comment.