Samsung Galaxy S5 fingerprint scanner already hacked using ‘faux fingerprint’

by: Andrew Grush, April 15, 2014

After Apple released the iPhone 5S with a fingerprint reader, there were quite a few mixed opinions. The problem with fingerprint readers is that while they can add an extra layer of security, they also have security flaws and often don’t work quite as well as intended.

Fingerprint readers on mobile devices are nothing new, but Apple’s latest handset revived the concept and it was only a matter of time before other manufacturers followed suit. First, it was HTC with the One Max, and more recently, Samsung’s Galaxy S5 has landed.

The GS5 utilizes a fingerprint reader embedded in the home button, and, like Apple’s solution, it is apparently pretty easy to ‘hack’ using a lifted fingerprint. The video above is from SRLabs and shows how a fake fingerprint can be used to gain unauthorized access to the Galaxy S5. Once you’re in, not only do you have full access to the phone, you can also use your fake fingerprint to initiate PayPal transactions.

While Apple’s iPhone 5S requires an actual password the first time you boot a device, Samsung has no such security method in place at this time. In other words, if someone steals your phone and has the knowledge to lift a latent fingerprint off your device — they can pretty much do whatever they want with your GS5.

Of course, if your phone is lost or stolen, one of your first courses of action should always be to use Android Device Manager — or whatever security software you utilize on your device — to lock out or wipe your handset remotely. Still, it would be nice if Samsung addressed this ‘hack’ method by at least occasionally requiring a traditional password in between boots.

What do you think, does the existence of this ‘hack’ turn you off from using a fingerprint reader in the GS5 or any other device for that matter? Conversely, do you feel that the risk is relatively small and it’s worth the added convenience of (arguably) quicker log-ins via a fingerprint?

  • RarestName

    Reminds me of this.

    “My friend left his Facebook profile logged in, I’m a hacker!”

  • ehndrew

    couldn’t you have the lockscreen as pin/pw/pattern and still pay through paypal using the finger print scanner???? problem solved.

  • MasterMuffin

    The risk is really small, to be honest I wouldn’t care if I was an S5 user

  • Android Developer

    Maybe Samsung should have merged the fingerprint feature with the heart-pulse sensor, so that it would allow only live-fingers to actually access the fingerprint features.
    Wonder if it’s possible.

    • Phil

      I don’t think this would work at all, as all the thief would have to do is put his fingers on the heart beat sensor.

      • Android Developer

        but the finger print won’t match. I meant merge them together – fingerprint AND a live-finger (with a pulse) must be sensed at the same time.

        • mobilemann

          Go watch mythbusters. Sigh.

          • Android Developer

            Are you talking about this:
            https://www.youtube.com/watch?v=3Hji3kp_i9k
            It might work, but still it takes a lot of effort.
            Remember that any kind of lock can’t prevent anyone from entering your house, they only delay it, which makes it harder and therefore have less chance of having stuff stolen from you.
            For any lock that has a key, there is a way to hack it. Question is, how hard and how long will it take.

          • mobilemann

            getting the print, i agree, their method was awesome but impractical. On the application though, they hyped up the lock which was then in the end beaten with a paper photocopier.

            they licked it to fool the sensor’s moisture and heat sensors.

            I agree with your last sentence, i was pointing out how it was fooled, as that surprised me as well.

          • Android Developer

            moisture and heat can be fooled by licking, but what about heart-beat? this is quite tricky, no?
            Not sure how the heart beat sensor of Samsung works (maybe by sound, as it asks you to be quiet when using it), but you could always add more things to make it harder…

          • Fred Chiang

            it uses a mini camera, similar to an oxidizer at a hospital. it uses the light to illuminate your finger then the camera can actually see your veins pulse. it probably can’t do this fast enough for it to efficiently unlock your lock screen every time

          • Android Developer

            but according to videos i’ve seen, it asks you to be quiet while it checks the heart beat. how come?

  • Ali

    First I wouldn’t use thumbs or pointers as my unlock and if someone with finger print lifting talent wants into my phone and he already has my phone, then go crazy cuz there are easier ways to get data off a phone you have in your possession than fool the scanner.

  • Ricky

    hmmm so it’s the same with the iphone. who has the time to lift a usable finger print to unlock a phone? i’d just force re install software so i could use the device. lifting finger prints is too cumbersome.

  • #stophating69

    Everyone who has seen a spy movie knows this can happen, how exactly was this hacked? We got different definitions of ‘hacked’.

    • Android Developer

      that’s what I thought. I mean, people who need to hack this way will need the proper equipment and the proper time to copy the fingerprint of the user.
      However, maybe because the screen is filled with the fingerprint of the user, it won’t be that hard …
      That’s why I offered something else: Samsung should have merged it with the heart-beat sensor, so that whatever is scanned should also have a heart-beat.

  • Milton

    Gosh! Android has got the worst security levels ever

    • mobilemann

      please be more obvious with your trolling.

    • Brian Shieh

      As if iOS didn’t have the fingerprint sensor problem too. I’m pretty sure current bio metric security isn’t super good..yet.

    • MasterYoda

      Correction!

      Not Android it’s Samsung!!

      • Milton

        Not really, these kinds of things are always related to android, security flaws always involve android

        • MasterYoda

          I guess you did not even read the article.. It’s SAMSUNG!!!

          • Milton

            Ok, but it’s also a software problem

  • Marcus Winchester

    That, ladies and gentlemen, is why you don’t tie a fingerprint to a PayPal account

  • how2fixthis

    This can be fixed with the exact same method I suggested when Apple’s touchID was announced.. Fingerprint only authentication should only be valid for a short amount of time. Eg. 30 min. After that you can request PIN, or pin + finger. And maybe once a day or if the phone is rebooted a min 8 character password. Having 1 simple unchanging method of authentication is really dumb.
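The time-boxed escalation proposed in the comment above, which also covers the article's suggestion of requiring a password after a boot, sketched as a small policy model. This is an added example, not part of the original article or thread and not Samsung's or Apple's code; `LockState`, `required_factor` and `attempt_unlock` are hypothetical names, and the thresholds are the commenter's figures used as assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Factor(IntEnum):                 # ordered weakest to strongest
    FINGERPRINT = 1
    PIN = 2
    PASSWORD = 3

# Policy values from the comment above (assumptions, not a vendor's settings).
FINGERPRINT_WINDOW_S = 30 * 60         # fingerprint alone is valid for 30 min
PASSWORD_INTERVAL_S = 24 * 60 * 60     # full password at least once a day
MIN_PASSWORD_LEN = 8                   # minimum password length at enrolment

@dataclass
class LockState:
    booted_at: float                          # time of the last boot
    last_password_at: Optional[float] = None  # last successful password entry
    last_pin_at: Optional[float] = None       # last successful PIN entry

def acceptable_password(candidate: str) -> bool:
    """Enrolment check: reject passwords shorter than the policy minimum."""
    return len(candidate) >= MIN_PASSWORD_LEN

def required_factor(state: LockState, now: float) -> Factor:
    """Return the weakest factor the policy accepts at time `now`."""
    pw = state.last_password_at
    # After a reboot, or once a day, only the password unlocks the device.
    if pw is None or pw < state.booted_at or now - pw >= PASSWORD_INTERVAL_S:
        return Factor.PASSWORD
    # A fingerprint is only good shortly after a knowledge factor was entered.
    last_knowledge = max(pw, state.last_pin_at or pw)
    if now - last_knowledge >= FINGERPRINT_WINDOW_S:
        return Factor.PIN
    return Factor.FINGERPRINT

def attempt_unlock(state: LockState, now: float,
                   presented: Factor, verified: bool) -> bool:
    """Accept a verified factor only if it is at least as strong as required."""
    if not verified or presented < required_factor(state, now):
        return False
    # Only knowledge factors reset the timers; a fingerprint match never
    # extends its own validity window.
    if presented is Factor.PASSWORD:
        state.last_password_at = now
    elif presented is Factor.PIN:
        state.last_pin_at = now
    return True
```

Under this model a matching fingerprint, genuine or spoofed, is refused right after a boot and again once the 30-minute window has lapsed, so a lifted print alone has only a short period in which it is useful.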

  • Darcy Poe

    Let me see…
    * National secrets-None
    * Secret identity-None [Well I’m catwoman!]
    * Psychopathic torture videos-Nope
    * Nudity-Nope [umm let me think…Nope..ummm]

    So why would I be paranoid if my phone can be hacked? Damn!

    • oh yeah

      Really no nudity on your phone. I don’t understand why you would even have a smart phone then. My phone is basically a porn device that can text and make calls.