Samsung fingerprint hack creates little concern for customers

A demonstration by Berlin company Security Research Labs (SRL) has shown that a skilled hacker can fool the fingerprint sensor on the Samsung Galaxy S5. But this news, following hot on the heels of the S5 release, may not be the big problem some customers fear.

Phone hacking Mission Impossible style

SRL’s hack is like something out of a spy thriller. Rather than meddle with the phone’s software, they created a fake fingerprint using graphite spray and glue. This fingerprint was then laid over the hacker’s own fingertip to create a false identity, like a small-scale version of the implausibly convincing rubber masks used in the Mission Impossible films. Disguised as the finger of the phone’s real owner, the hacker’s fingertip was recognised by the scanning software and unlocked the phone.

But SRL’s concerns for the S5 are not about how easily they copied the fingerprint. They have pointed out that, while they unlocked the phone first time, less competent thieves might take several tries. But the safeguard against this, in which the phone requires a password after five failed security attempts, can be circumvented by turning the screen off and back on. According to SRL this makes it easier for thieves to successfully imitate the hack.

A history of hacks

Attempts to hack fingerprint sensors are as old as the technology itself. A sensor included in the Apple iPhone 5S was also hacked by SRL using the same technique. While the iPhone proved better able to deal with repeated failed hacks, the sensor itself proved hackable in the same way as the S5. While these publicly published tests have been conducted by security firms, it seems certain that thieves and fraudsters have been working on the same tricks.

Not as bad as it looks

But while talk of a new hack might ring alarm bells for owners of these phones, this hack may not be a big immediate threat.

While the fake fingerprint may sound simple, few street thieves will have the resources, time and skill needed to make it work. The security experts who demonstrated the hack are exactly that – experts in their field, dedicating their time to finding and beating problems like this.

Even for professional hackers, this is a time-consuming exercise. There are various stages of preparation, printing and etching just to create the mould from which the fake is made, and two layers have to dry on the mould before the fake fingertip can be removed and used. This gives the owner time to contact their provider and lock or remotely wipe the contents of the phone.

While fingerprint security is currently used for only a limited number of activities on phones, this demonstration provides a reminder that we should be cautious about taking it further. Fingerprints are being touted as the most secure way to protect services such as online payment. But SRL have shown that they are far from foolproof, and that other measures will be needed if we are to put our phones, and our wallets, in the care of this technology.
