Samsung’s Galaxy S5 fingerprint scanner spoofed, PayPal compromised


The new fingerprint lock system on Samsung’s Galaxy S5 has been defeated, a few days after the device’s release, thanks to a group of crafty researchers at Germany’s Security Research Labs (SRL).

This hack comes seven months after the Apple iPhone 5S's Touch ID was spoofed a mere 48 hours after its launch, and it puts the biometric systems of all phones back under the security spotlight. The original iPhone 5S hacker, known as Starbug of the Chaos Computer Club, fooled Touch ID by photographing a fingerprint left on the phone with a high-resolution camera and turning that image into a fake finger.

SRL, however, according to the primer video released on its website, "improves" on Starbug's method by using a wood glue mould and a graphite spray. The resulting fake fingerprint, derived from a seemingly innocuous smudge on the device's screen, unlocked Samsung's system fairly easily.

This spoof is more disturbing than the 5S one because Samsung provides no second security layer. Once the lock screen is defeated, the attacker can go on to exploit the PayPal app: the device allows "unlimited authentication attempts" and never falls back to a password, so the attacker can transfer money at will without any additional password or security key.

Producing this false fingerprint, although relatively involved for an amateur, is achievable, and that is perhaps the most important point. SRL also notes how easily fingerprints, which are left on every device we touch, can be collected.

Users leave copies of their fingerprints everywhere, including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs ("fake fingers") can be produced from these pervasive copies.

Although the iPhone 5S was hacked in the same way, it does provide a second layer of protection. The Samsung Galaxy S5 does not require the password to be re-entered after a reboot, nor does it require activation with a pass-key; once fingerprint unlock is enabled, a fingerprint alone is all that is needed.
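To make the missing "second layer" concrete, here is an added illustration of an unlock gate that refuses the sensor until a passcode has been entered since boot and that caps consecutive biometric failures. This is example code written for this page, not Samsung, Apple or PayPal code; the class and method names, and the limit of five failed attempts, are assumptions.

```python
"""Model of a biometric unlock gate with a second layer of protection.

Added illustration, not any vendor's code. It enforces the two policies the
article says the Galaxy S5 lacks: a passcode is demanded after every reboot,
and biometrics are disabled after a run of failed attempts. A fake finger
that fools the sensor therefore gets nowhere on a freshly booted device.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption for this example: biometrics are disabled after this many
# consecutive failures until the passcode is entered again.
MAX_BIOMETRIC_FAILURES = 5


@dataclass
class UnlockGate:
    passcode_hash: bytes
    salt: bytes
    passcode_verified_since_boot: bool = False  # cleared on every reboot
    biometric_failures: int = 0                 # consecutive sensor rejections

    @staticmethod
    def _hash(passcode: str, salt: bytes) -> bytes:
        # Slow, salted hash so a stolen hash cannot be brute-forced cheaply.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

    @classmethod
    def new(cls, passcode: str) -> "UnlockGate":
        salt = os.urandom(16)
        return cls(passcode_hash=cls._hash(passcode, salt), salt=salt)

    def reboot(self) -> None:
        # After a reboot the sensor alone is never enough.
        self.passcode_verified_since_boot = False
        self.biometric_failures = 0

    def biometric_allowed(self) -> bool:
        return (self.passcode_verified_since_boot
                and self.biometric_failures < MAX_BIOMETRIC_FAILURES)

    def unlock_with_biometric(self, sensor_match: bool) -> str:
        """sensor_match is whatever the sensor decided; a good spoof makes it True."""
        if not self.biometric_allowed():
            return "passcode_required"
        if sensor_match:
            self.biometric_failures = 0
            return "unlocked"
        self.biometric_failures += 1
        if self.biometric_failures >= MAX_BIOMETRIC_FAILURES:
            return "passcode_required"
        return "denied"

    def unlock_with_passcode(self, passcode: str) -> str:
        candidate = self._hash(passcode, self.salt)
        if hmac.compare_digest(candidate, self.passcode_hash):
            self.passcode_verified_since_boot = True
            self.biometric_failures = 0
            return "unlocked"
        return "denied"


def spoof_after_reboot() -> str:
    """A spoof that fools the sensor is presented to a freshly booted device."""
    gate = UnlockGate.new("1234")  # constructed sample passcode
    gate.reboot()
    return gate.unlock_with_biometric(sensor_match=True)


def spoof_after_lockout() -> str:
    """After the passcode is known to the device, repeated failures lock the sensor."""
    gate = UnlockGate.new("1234")
    gate.unlock_with_passcode("1234")
    for _ in range(MAX_BIOMETRIC_FAILURES):
        gate.unlock_with_biometric(sensor_match=False)
    return gate.unlock_with_biometric(sensor_match=True)


if __name__ == "__main__":
    print("spoof right after reboot:", spoof_after_reboot())
    print("spoof after lockout:", spoof_after_lockout())
```

Note what this does and does not buy: the gate narrows the window in which a fake finger is useful (not after a reboot, not after a string of failures) but it does nothing about the sensor itself accepting the spoof once the passcode has been entered, which is SRL's underlying point about fingerprints as a sole local factor.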

Samsung responded to these security flaws by suggesting that the process poses “no critical risk for general consumers.”

“This artificial experiment requires a rare combination of highly specialised equipment, materials and conditions. Samsung takes security matters very seriously. We are continuously taking measures to vigorously enhance the security of the device,” adds the company.

In its own statement PayPal agreed with Samsung and likewise reiterated the security of fingerprint scanners.

Andy Walker, former editor
