It’s no secret that consumer-grade fingerprint unlocking mechanisms aren’t the most secure things ever. They’re easily spoofed, something we learned with the iPhone 5S’ own implementation late last year.
The Samsung Galaxy S5 is, unfortunately, no exception to the rule: a security researcher from SRLabs was able to use a lifted print to bypass the Galaxy S5’s fingerprint security without the original finger that set it up. SRLabs has demonstrated it here on video:
They used a latex molding of an actual print to swipe the authenticated “finger” over the Galaxy S5’s embedded fingerprint scanner, successfully gaining access to the device. The researcher acknowledges that Apple’s implementation is subject to the same spoofing, but it’s Samsung’s lack of added security layers that makes theirs especially troubling:
- The device allows you to make as many unlock attempts as you need, so a lockout after a set number of incorrect tries, one common added layer of security, is absent here.
- The device doesn’t require a password after you first set it up, even if you reboot it.
Even more troubling is the fact that the built-in PayPal integration is subject to the same pitfalls, so if someone has access to your phone, they potentially have access to your funds. All it’d take is a few minutes (after doing whatever they do to get the image of your fingerprint) to have your bank account wiped out.
PayPal has already responded to the claims, though, stating that it has taken great measures to ensure consumers are protected in the event of a malicious attack:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.
The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.
Long story short, PayPal is well-equipped to help you if any of this happens after the fact. For what it’s worth, not many people will be knowledgeable enough to mold your fingerprint, and if you happen to know someone who is, then chances are they won’t be able to get access to your actual phone.
And if they do, well, you’d be one very odd apple out of a whole bunch of them. Still, the likelihood of the risk not applying to you doesn’t mean it doesn’t exist, so be careful. Watch the video above for a quick demonstration, and stay tuned as we reach out to Samsung to see if they have anything to say about these claims.
[via Heise.de]
So, keep your phone away from people who work at fingerprint labs…
This is no different than keeping your phone away from people who take pictures if you use Face Unlock. LoL!!
Sorry Quentyn, but you’ve given some false information. After 5 failed swipes, the phone requires a password to unlock. So stating that there is no added security is inaccurate. I’m not sure if you have the S5 or not, but there is definitely a lockout after 5 failed tries.
Correct, it does require a password after 5 unsuccessful attempts. Then, you just simply reboot the phone and your attempts are reset back to zero, giving you an unlimited amount of retries if you rinse and repeat.
No reboot required I’ve found, you can just press the back button and have another go. I’d literally just deactivated the fingerprint unlock on mine before seeing this story in my news feed – my first reaction? Jealousy that he’d managed to get it to work at all! Beautiful phone and I’m loving it, but the fingerprint scanner is not a great implementation.
Good thing this is out there, they’ll probably patch it A.S.A.P.
Patch what? Some type of after-this-many-tries?
OMG! I was just walking down the street with my shiny new S5 and some random guy was like “Hey, would you like to get fitted for the new Galaxy Glove coming out this year?” I said “SURE.” I put my phone in my pocket and stuck my hand in some kind of mold kit. He asked for my email and told me he would contact me when it’s ready. Then he vanished. Good thing my S5 is safe in my pocket… Checks pocket… S5 GONE!!!!!!! NOOOOOOOOOO. THAT BASTARD.
Yeah, or you could just look over someone’s shoulder to see their password. If anything, it’s harder to fool a fingerprint scanner than an old-fashioned password.
Retinal scans up this motherf$&%er!
*in this*
No “duh”, if you get access to someone’s fingerprint, you can get around the fingerprint scanner. Just like if you get access to someone’s password, you get around the password lock… it’s about striking a balance between security and convenience that you are comfortable with.
I find it funny when hacking into something requires the use of something belonging to the authorized user. I’m like, how does that make it less secure if you still need something that belongs to the authorized user?
Though, I still must be missing something. I’m guessing it’s safe to assume there are fingerprint scanners that don’t work with molds?
So why is the Galaxy S5 taking heat for this? Using a molded fingerprint would work on the iPhone 5s as well.