Galaxy S5 fingerprint scanner can easily be fooled, hacked

Scorpus


One of the marquee features found on the Samsung Galaxy S5 - the fingerprint scanner integrated into the home button - can easily be fooled by hackers looking to gain access to the device, according to a report from Germany's Security Research Labs.

To bypass the fingerprint scanner's security lock, the team created a wood glue spoofed fingerprint from an etched PCB mold, using a latent print on a smartphone display photographed by an iPhone 4S. With very little effort this spoofed fingerprint can be swiped across the sensor, with the Galaxy S5 believing it's a real finger and giving immediate access.

Even more concerning is that the fake fingerprint can be used to access a victim's PayPal account, as the app found on the Galaxy S5 supports authentication through fingerprint. The Security Research Labs team was able to access a PayPal account, transfer funds and make purchases using their wood glue spoofed fingerprint; a process made easier by the fact you're allowed unlimited swipe attempts, giving hackers plenty of time to perfect their spoof if it was rejected the first few times.

The system would be made more secure if it required a password after a number of failed attempts to use a fingerprint, as is the case on the iPhone 5S. With that said, the iPhone 5S' fingerprint scanner is still vulnerable, falling to hackers in under 48 hours after its release.

Responding to security concerns, a PayPal spokesperson said that each fingerprint scan "unlocks a secure cryptographic key that serves as a password replacement for the phone [...] We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."

Some people criticized the fingerprint hacking method used as unrealistic in the real world; however, Security Research Labs dismissed these claims, stating that hackers have "incentive to steal digital fingerprint scans and learn how to mass-produce spoofs" when fingerprint security is implemented poorly. Anyone that steals a device may have access to a high quality fingerprint on the handset itself, and the method to produce a spoof isn't highly complex.


 
Could it have been that they mentioned (unnecessarily) that they used an iPhone 4S to accomplish this? Not even trying to be inconspicuous.
Sorry, but how many people are going to go as far to make a PCB mold to do this? Jeebus... write about something more useful.
 
Give it 5-10 years before phones can actually manage fingerprints as even fingerprint machines are bigger than a phone and they are only there to scan your fingerprint so obviously it's a fake thing when it's on phones....
 
I can tell ya a few things that could make this more secure. Not only having a password, but having the fingerprint technology to detect a pulse so that the use of PCB isn't even possible. But investing into that kind of technology for a phone would be remarkable though. Isn't there an option in the phone's settings to be able to change the amount of failed attempts before it prompts for some kind of passcode? That would be a smart move.
 
The writer of this article needs to do more research before posting.
I have the Samsung Galaxy S5 and it does ask for a password after three
attempts of trying the fingerprint scanner. You should really get your facts
straight before releasing this. Furthermore it will give you the strength of
the password you're trying to use.
 
After reading the article and now the comments...seems like a troll article. I seriously doubt after X failed attempts it would not ask for a password... Fingerprint tech is still too immature to be taken seriously. It's just a toy...
 
It's right in the settings on the Galaxy S5 Fingerprint Scanner and look it up.
Before you spout this nonsense.
 
I'd like to believe that this spoof would only work if you have access to the owner's fingers. If you found a phone lying around at a bar, I doubt this spoof is of any interest. Until they show me that they can use any random fingerprint I'm just going to consider this as plausible, but an unlikely way to access a phone. You might take my phone away from me, but you'll never take away my fingers!
 