A crude fake fingerprint molded using wood glue, and based on a photo taken by a smartphone was enough to fool the much-hyped fingerprint sensor in Samsung’s new Galaxy S5.
SR Labs, the German company behind the hack, used the same equipment – and fingerprint – they used in a hack of Apple’s iPhone 5S last year. The researchers point out, however, that the Galaxy S5 carries its own risks, “Including highly sensitive apps such as PayPal gives an attacker an even greater incentive to learn the simple skill of fingerprint spoofing. This includes making purchases and unsolicited purchases from the victim’s account.”
“Samsung does not seem to have learned from what others have done, less poorly,” the researchers said.
The implementation also appears to allow an unlimited number of attempts at the biometric sensor, so an attacker can keep trying refined molds without ever being forced back to a passcode (although whether this applies to every Galaxy S5 is unclear, as ESET testers found that their device forced a six-digit password after a number of failed attempts).
SR Labs said, “While biometrics will always carry with them a trade-off of security for convenience, it is the manufacturer’s responsibility to implement them in a way that does not put their user’s crucial data and payment accounts at risk.”
PayPal was quick to play down the risks, although the Galaxy S5’s sensor gives an attacker considerably more opportunity for theft than the iPhone 5S’s Touch ID did at the time: on the S5 a spoofed print can authorize PayPal payments, not just unlock the handset, so any store or shopping site that accepts PayPal’s S5 fingerprint payments can be charged by whoever holds the phone and a working fake.
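The two weaknesses described above, unbounded fingerprint attempts and a fingerprint that on its own authorizes payments, are both policy decisions in the software around the sensor. The following is an added example, not code from SR Labs, Samsung or PayPal, of an unlock and payment gate that caps biometric failures and falls back to a passcode (the behaviour ESET saw on some units), and goes one step beyond the article by requiring a recent passcode entry before any payment, so a spoofed print alone cannot move money. The sensor is a stub, and the attempt cap, PBKDF2 work factor and step-up window are assumed values chosen for illustration.

```python
"""
Added example (not SR Labs', Samsung's or PayPal's code): an unlock and
payment-authorization gate with a hard cap on fingerprint failures and
step-up passcode authentication for payments.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

MAX_BIOMETRIC_FAILURES = 5      # assumed; the article only says "a number of failed attempts"
PASSCODE_ITERATIONS = 200_000   # PBKDF2 work factor, assumed
STEP_UP_WINDOW_SECONDS = 300    # how long a passcode entry vouches for a payment, assumed


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """Salted, slow hash so a dumped passcode store is not trivially brute-forced."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PASSCODE_ITERATIONS)


class AuthGate:
    """State machine: the fingerprint may unlock until the failure cap is hit,
    after which only the passcode is accepted; a payment always needs a recent
    passcode entry regardless of what the fingerprint sensor says."""

    def __init__(self, passcode: str, sensor: Callable[[], bool],
                 clock: Callable[[], float] = time.monotonic):
        self.salt = secrets.token_bytes(16)
        self.passcode_hash = hash_passcode(passcode, self.salt)
        self.sensor = sensor          # stub for the real matcher: True means "print matched"
        self.clock = clock
        self.failures = 0
        self.unlocked = False
        self.last_passcode_ok: Optional[float] = None

    def biometric_unlock(self) -> str:
        # Lockout: once the cap is reached, do not even query the sensor again.
        if self.failures >= MAX_BIOMETRIC_FAILURES:
            return "passcode_required"
        if self.sensor():
            self.unlocked = True
            # Design choice: a biometric success does not reset the counter; only a
            # passcode does, so one lucky mold cannot replenish the attack budget.
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_BIOMETRIC_FAILURES:
            return "passcode_required"
        return "denied"

    def passcode_unlock(self, passcode: str) -> str:
        candidate = hash_passcode(passcode, self.salt)
        # Constant-time comparison so response timing leaks nothing about the hash.
        if hmac.compare_digest(candidate, self.passcode_hash):
            self.unlocked = True
            self.failures = 0
            self.last_passcode_ok = self.clock()
            return "unlocked"
        return "denied"

    def authorize_payment(self) -> bool:
        """Step-up check: the fingerprint alone never authorizes a payment."""
        if not self.unlocked or self.last_passcode_ok is None:
            return False
        return (self.clock() - self.last_passcode_ok) <= STEP_UP_WINDOW_SECONDS


def demo_spoof_attempts(n_fakes: int):
    """Constructed scenario: an attacker presents n_fakes molded prints that never match."""
    gate = AuthGate("123456", sensor=lambda: False)
    outcomes = [gate.biometric_unlock() for _ in range(n_fakes)]
    return gate, outcomes


if __name__ == "__main__":
    gate, outcomes = demo_spoof_attempts(7)
    print(outcomes)                       # four denials, then passcode_required from the fifth on
    print(gate.authorize_payment())       # False: no passcode has been entered
    spoofed = AuthGate("123456", sensor=lambda: True)   # a mold that does match
    print(spoofed.biometric_unlock(), spoofed.authorize_payment())  # unlocked False
```

With this policy the SR Labs attack still unlocks the phone if the mold is good enough, but it cannot pay, and a crude mold that needs many tries runs out of attempts instead of being given unlimited chances.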
“While we take the findings from Security Research Labs [SRL] very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards.”
PayPal told the BBC that it would reimburse customers for any losses caused by hacks directed against the scanner.
A spokesman for Samsung was unavailable for comment.
Apple’s Siri voice assistant has likewise been the target of various hacks that bypass the iPhone’s lock screen, both on the current iOS 7 and on previous versions, as reported by We Live Security at the time. Andy Greenberg of Forbes described the new hack as a “reminder to turn Siri off on your lockscreen.”
At launch, Apple’s Senior VP of marketing, Phil Schiller, described the iPhone 5S as the “most forward-thinking smartphone in the world.” Apple’s handsets are often targeted by hackers who vie to “jailbreak” each new operating system first – but the Touch ID fingerprint system in the iPhone 5S has drawn a truly enormous amount of attention.
ESET Senior Researcher Stephen Cobb says that such hacks do not “prove” that biometric security cannot work.
“Bear in mind the effort required to defeat the biometric, and also to crack your iPhone password, then ask yourself how many people want your iPhone data that badly,” Cobb says.
“There is a constant tension between claims of security and efforts to undermine that security. It is clearly true that having to supply a fingerprint as well as a password to access the iPhone 5S, or anything else, makes the data on the device more secure against certain types of attack than only requiring one form of authentication. Whether that added level of security is enough for you to trust “sensitive” information to your iPhone is a question for each user to answer. Would I put priceless IP on a mobile phone? No. But read what it takes to beat the fingerprint reader and ask yourself who would go to that trouble for the stuff you do have on your phone.”
Author Rob Waugh, We Live Security