Researchers Hack Galaxy S5's Fingerprint Scanner
Reseachers at Germany's Security Research Labs sneaked past Samsung's fingerprint security by using a fingerprint spoof.
In a video of the hack, a researcher from Security Research Labs demonstrated how he was able to bypass the fingerprint security by using a "wood glue spoof" made from a mold taken from a photo of a fingerprint smudge left on a smartphone screen. It is actually the same technique used to hack past the fingerprint scanner in Apple's iPhone 5S last year.
But the S5's fingerprint scanner allows for multiple incorrect attempts without requring a password. So someone could potentially keep trying one fingerprint spoof after another until access is finally achieved.
The Galaxy S5's fingerprint scan can also be associated with apps such as PayPal, and the video shows a person that managed to log in to access a Paypal account.
"Despite being one of the premium phone's flagship features, Samsung's implementation of fingerprint authentication leaves much to be desired," the researcher in the video said. "The finger scanner feature in Samsung's Galaxy S5 raises additional security concerns to those already voiced about comparable implementations."
PayPal issued the following statement:
"While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."
But the S5's fingerprint scanner allows for multiple incorrect attempts without requring a password. So someone could potentially keep trying one fingerprint spoof after another until access is finally achieved.
The Galaxy S5's fingerprint scan can also be associated with apps such as PayPal, and the video shows a person that managed to log in to access a Paypal account.
"Despite being one of the premium phone's flagship features, Samsung's implementation of fingerprint authentication leaves much to be desired," the researcher in the video said. "The finger scanner feature in Samsung's Galaxy S5 raises additional security concerns to those already voiced about comparable implementations."
PayPal issued the following statement:
"While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."