Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Security Research Labs hacks Galaxy S5 fingerprint reader - fixedByVonnie

Security Research Labs hacks Galaxy S5 fingerprint reader

Is the integrated fingerprint reader on the new Galaxy S5 a sufficient password replacement?  In other words: is the fingerprint reader secure?

The answer is an astounding no.

In my mind, the Galaxy S5 fingerprint reader is just another bullet point on a feature list.

As forensic scientists at Security Research Labs discovered, the fingerprint reader isn’t ready for prime time.

In 2013, the Chaos Computer Club exposed a flagrant flaw in the TouchID fingerprint reader built into the iPhone 5s.  You can relive the moment in this 60 second Youtube demo.

Given how egregious the error was and the concomitant stinky press directed toward Apple, you would think Samsung would make its version of the fingerprint reader – indomitable.

But – oh my friend, you’re way too optimistic.

The fingerprint reader on the Galaxy S5 is beset with problems.

With relatively little effort, a motivated attacker can spoof a valid fingerprint by brushing magnesium powder on paper, door knobs, or smartphone screens.  The prints, known as latent prints, are invisible to the naked eye but easily emerge when dusted with fine powders.

Since every human being on the planet has a unique fingerprint (even identical twins who share the same DNA), using fingerprints to unlock smartphones and make online payments might seem like a good idea. As far as biometrics are concerned fingerprint readers are a good thing; however, they must never be used in isolation.

I think fingerprint readers are a prudent addition to authentication systems but only when coupled with something you know such as a PIN or password.  The innate immutability of fingerprints is what makes them both a blessing and a curse.

The fact that they never change means if someone successfully forges your fingerprint there’s no way to change it.

Think about it: how would you change your fingerprint?  Get a finger transplant? Burn your fingertips?  Seriously, this is one of the biggest issues but still it’s not the biggest.  In my mind the biggest problem is that people constantly leave copies of print evidence everywhere.

Smartphones, deskphones, and keyboards are obvious places where we unwittingly leave behind print evidence.  Here’s my question: how easy is it to lift prints from these common places?

Well, if you have a chemical called Cyanoacrylate, which is ubiquitous in Krazy Glue and other strong adhesives, you can use the vapors to display the print.  This works because Cyanoacrylate is a catalyst that reacts to the oils and salts of a human fingerprint.  You can then take a high-resolution photo of the print and use it to make a mold slab which you can use to gain unauthorized access to the victims phone.

Most criminals may not go through the effort of doing this; however, if you’re a high-profile individual like a politician or president then you could be the target of such machinations.

I’m getting the notion that big brands such as Apple and Samsung are more concerned about selling products than they are about securing them.  Security is invariably an afterthought.  Instead of implementing a software and hardware development life cycle that bakes security into every phase of development, it gets slapped on the end and then touted as a cogent reason for buying the product.

I’m actually disappointed in both Samsung and Apple but mainly Samsung.  I wouldn’t go so far as to indict Samsung as being duplicitous but the fingerprint reader should not be marketed under the rubric of security.

Admittedly, biometric systems aren’t perfect and there are advantages and disadvantages to each system; however, the onus is on Samsung to get it right.

In summary, I exhort you NOT to trust the fingerprint reader alone as the singular key for unlocking your smartphone.  If you’re going to use the fingerprint reader always use it in tandem with something else like a secure password.

Another issue is that businesses are eager to flaunt app integration with fingerprint readers and yet forgo the rigorous testing required before selling the product.  Paypal is a case in point.

On the Galaxy S5, Paypal authenticates money transactions with that notorious fingerprint scanner.  The ramifications are obvious: now there’s even more reason to steal and mold fingerprints.

In response, Sophie Curtis reports that Paypal told The Telegraph:

PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one

That’s fine but still doesn’t obviate the phone manufacturers responsibility for securing the biometric devices on their phones.  The bottom line is that Samsung abdicated its responsibilities by mass producing something that isn’t ready to market.

I love Samsung but it really missed the ball this time.


Connect with Vonnie on Twitter

Posted in Mobile, News Tagged with: ,