When Samsung unveiled the latest in its Galaxy series of Android smartphones, gadget reviewers focused on the Galaxy S5’s fingerprint scanner, a feature that the rival iPhone 5s has done much to popularize.
Samsung’s positive buzz over the Galaxy S5 didn’t last long – security researchers from SRLabs soon posted a video on YouTube demonstrating how they were able to trick the scanner with a fake fingerprint made of wood glue.
Indeed, the same approach allowed a similar and well-publicised hack of the iPhone 5s Touch ID last year, the researchers from SRLabs said in their video.
To use SRLabs’s fake fingerprint, an attacker simply places the wood glue replica over the tip of his finger and swipes as usual over the scanner, which is embedded in the Galaxy S5’s home button.
The wood glue is poured into a mold made out of a laser printout created from a photo of the victim’s fingerprint.
With the right image contrast and printer settings, the buildup of toner on the printout creates a 3D representation of the fingerprint that is accurate enough to “cast” a replica that will fool the phone.
According to the researchers, a latent fingerprint left behind by the owner on a stolen phone can be snapped with another phone’s camera, giving an image of sufficient quality to print out a usable mold.
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” one of the researchers said in the video.
What’s worse, Samsung’s implementation is even less secure than the Touch ID that Apple unveiled in September 2013, which is ironic given the former Samsung CEO’s contention that “beating Apple is no longer merely an objective, [but] our survival strategy.”
SRLabs claimed in its video:
Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password.
It’s not just Samsung that has egg on its screen due to the ease of the Galaxy S5’s fingerprint scanner hack – electronic payments company PayPal partnered with Samsung to make the PayPal app accessible “with the swipe of a finger,” as Samsung boasted on its website.
PayPal responded to the video in a statement:
PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.
The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.
PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy.
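Two design points in the statements above are worth seeing concretely: SRLabs’ complaint that the scanner permits seemingly unlimited attempts without ever falling back to a password, and PayPal’s description of the scan unlocking a device-bound cryptographic key that the server can deactivate remotely. The following Python model is an added example written for this article, not Samsung’s or PayPal’s code, and it simplifies freely: the fingerprint match is an exact byte comparison standing in for a real fuzzy matcher, the device key is a shared HMAC secret rather than a public key, and the attempt limit is a hypothetical policy value.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical policy value for this example; not a Samsung or PayPal setting.
MAX_BIOMETRIC_FAILURES = 5


class Device:
    """Toy phone: a local fingerprint match unlocks a device-bound key.

    The server only ever learns the key, never the fingerprint.
    """

    def __init__(self, enrolled_print: bytes, password: str) -> None:
        self._enrolled_print = enrolled_print  # stand-in for an enrolled template
        self._password_hash = hashlib.sha256(password.encode()).digest()
        self._device_key = secrets.token_bytes(32)
        self._failed_biometric = 0
        # Policy: the scanner is disabled until the password has been entered
        # once after boot, and again after too many failed matches.
        self._biometric_enabled = False
        self._unlocked = False

    @property
    def key_id(self) -> str:
        return hashlib.sha256(self._device_key).hexdigest()[:16]

    def export_key_for_registration(self) -> bytes:
        return self._device_key  # shared-secret simplification of key registration

    def unlock_with_password(self, password: str) -> bool:
        given = hashlib.sha256(password.encode()).digest()
        if hmac.compare_digest(given, self._password_hash):
            self._unlocked = self._biometric_enabled = True
            self._failed_biometric = 0
            return True
        return False

    def unlock_with_fingerprint(self, scan: bytes) -> bool:
        if not self._biometric_enabled:
            return False
        if hmac.compare_digest(scan, self._enrolled_print):
            self._unlocked, self._failed_biometric = True, 0
            return True
        self._failed_biometric += 1
        if self._failed_biometric >= MAX_BIOMETRIC_FAILURES:
            self._biometric_enabled = False  # force a password, not more tries
        return False

    def lock(self) -> None:
        self._unlocked = False

    def respond(self, challenge: bytes) -> Optional[bytes]:
        """The key is usable only while the device is unlocked."""
        if not self._unlocked:
            return None
        return hmac.new(self._device_key, challenge, "sha256").digest()


class PaymentServer:
    """Knows device keys by id; revocation is a server-side delete."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, key_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        key = self._keys.get(key_id)
        if key is None or response is None:
            return False  # unknown, revoked, or device was locked
        return hmac.compare_digest(hmac.new(key, challenge, "sha256").digest(), response)

    def revoke(self, key_id: str) -> None:
        self._keys.pop(key_id, None)


def run_scenario() -> Dict[str, bool]:
    """Boot, genuine use, repeated spoof failures, then remote revocation."""
    real_print, spoof = b"constructed-enrolled-print", b"constructed-replica-print"
    phone, server = Device(real_print, "correct horse"), PaymentServer()
    server.register(phone.key_id, phone.export_key_for_registration())
    out = {}
    # 1. Fresh boot: a fingerprint alone must not unlock anything.
    out["print_rejected_before_password"] = not phone.unlock_with_fingerprint(real_print)
    # 2. After the password, a genuine match unlocks the key and a payment verifies.
    phone.unlock_with_password("correct horse")
    phone.lock()
    out["print_accepted_after_password"] = phone.unlock_with_fingerprint(real_print)
    c = server.new_challenge()
    out["payment_verified"] = server.verify(phone.key_id, c, phone.respond(c))
    # 3. Failed matches disable the scanner instead of allowing unlimited tries.
    phone.lock()
    for _ in range(MAX_BIOMETRIC_FAILURES):
        phone.unlock_with_fingerprint(spoof)
    out["locked_out_after_failures"] = not phone.unlock_with_fingerprint(real_print)
    # 4. Owner reports the phone lost: revoking the key stops payments even
    #    from a phone that is currently unlocked.
    phone.unlock_with_password("correct horse")
    server.revoke(phone.key_id)
    c = server.new_challenge()
    out["revoked_key_rejected"] = not server.verify(phone.key_id, c, phone.respond(c))
    return out


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point of the model is the separation of concerns: the scanner decides only whether to release a local key, the server decides only whether that key is still trusted, and the attempt counter means a replica that does not match on the first few swipes buys the holder nothing but a password prompt.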
Is a fingerprint more secure than a password?
The fingerprint scanner is not a new concept – think back to laptops that offered the supposed convenience of a fingerprint scanner instead of typing a password.
But Apple and Samsung have fine-tuned fingerprint authentication to the point that it’s super-fast and simple – just what smartphone users want.
If we ignore the speed and convenience, however, is this kind of biometric technology really more secure than passwords, as Apple and Samsung claim?
Security folks often talk about the limitations of passwords.
People can’t be relied upon to choose hard-to-guess, unique passwords, and they often write their passwords down in order to remember them.
Worse still, even passwords you might have relied on a service provider to store securely for you can be stolen and recovered electronically due to data breaches.
Yet stealing fingerprints is pretty easy – we leave our prints on almost anything we touch.
What’s especially inconvenient about fingerprint authentication is that we’re pretty much stuck with the fingerprints we have.
If someone steals a photo of your fingerprint to use for identity theft, you can’t change it like you can your password.
In fact, in the SRLabs video showing the Galaxy S5 being tricked, the researchers say that the wood glue replica they used was left over from last October when they were having a crack at the iPhone 5s.
Given these well-known drawbacks, one wonders why Samsung and Apple went to such enormous expense to add this flawed technology to their “phones of the future”.