Security Research Labs hacks Galaxy S5 fingerprint reader

Is the integrated fingerprint reader on the new Galaxy S5 a sufficient password replacement?  In other words: is the fingerprint reader secure?

The answer is an astounding no.

In my mind, the Galaxy S5 fingerprint reader is just another bullet point on a feature list.

As forensic scientists at Security Research Labs discovered, the fingerprint reader isn’t ready for prime time.

In 2013, the Chaos Computer Club exposed a flagrant flaw in the TouchID fingerprint reader built into the iPhone 5s.  You can relive the moment in this 60 second Youtube demo.

Given how egregious the error was and the concomitant stinky press directed toward Apple, you would think Samsung would make its version of the fingerprint reader – indomitable.

But – oh my friend, you’re way too optimistic.

The fingerprint reader on the Galaxy S5 is beset with problems.

With relatively little effort, a motivated attacker can spoof a valid fingerprint by brushing magnesium powder on paper, door knobs, or smartphone screens.  The prints, known as latent prints, are invisible to the naked eye but easily emerge when dusted with fine powders.

Since every human being on the planet has a unique fingerprint (even identical twins who share the same DNA), using fingerprints to unlock smartphones and make online payments might seem like a good idea. As far as biometrics are concerned fingerprint readers are a good thing; however, they must never be used in isolation.

I think fingerprint readers are a prudent addition to authentication systems but only when coupled with something you know such as a PIN or password.  The innate immutability of fingerprints is what makes them both a blessing and a curse.

The fact that they never change means if someone successfully forges your fingerprint there’s no way to change it.

Think about it: how would you change your fingerprint?  Get a finger transplant? Burn your fingertips?  Seriously, this is one of the biggest issues but still it’s not the biggest.  In my mind the biggest problem is that people constantly leave copies of print evidence everywhere.

Smartphones, deskphones, and keyboards are obvious places where we unwittingly leave behind print evidence.  Here’s my question: how easy is it to lift prints from these common places?

Well, if you have a chemical called Cyanoacrylate, which is ubiquitous in Krazy Glue and other strong adhesives, you can use the vapors to display the print.  This works because Cyanoacrylate is a catalyst that reacts to the oils and salts of a human fingerprint.  You can then take a high-resolution photo of the print and use it to make a mold slab which you can use to gain unauthorized access to the victims phone.

Most criminals may not go through the effort of doing this; however, if you’re a high-profile individual like a politician or president then you could be the target of such machinations.

I’m getting the notion that big brands such as Apple and Samsung are more concerned about selling products than they are about securing them.  Security is invariably an afterthought.  Instead of implementing a software and hardware development life cycle that bakes security into every phase of development, it gets slapped on the end and then touted as a cogent reason for buying the product.

I’m actually disappointed in both Samsung and Apple but mainly Samsung.  I wouldn’t go so far as to indict Samsung as being duplicitous but the fingerprint reader should not be marketed under the rubric of security.

Admittedly, biometric systems aren’t perfect and there are advantages and disadvantages to each system; however, the onus is on Samsung to get it right.

In summary, I exhort you NOT to trust the fingerprint reader alone as the singular key for unlocking your smartphone.  If you’re going to use the fingerprint reader always use it in tandem with something else like a secure password.

Another issue is that businesses are eager to flaunt app integration with fingerprint readers and yet forgo the rigorous testing required before selling the product.  Paypal is a case in point.

On the Galaxy S5, Paypal authenticates money transactions with that notorious fingerprint scanner.  The ramifications are obvious: now there’s even more reason to steal and mold fingerprints.

In response, Sophie Curtis reports that Paypal told The Telegraph:

PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one

That’s fine but still doesn’t obviate the phone manufacturers responsibility for securing the biometric devices on their phones.  The bottom line is that Samsung abdicated its responsibilities by mass producing something that isn’t ready to market.

I love Samsung but it really missed the ball this time.


Connect with Vonnie on Twitter

Posted in Mobile, News Tagged with: ,