Samsung Galaxy S5's Fingerprint Scanner Hacked

Credit: Laptopmag.com

The Samsung Galaxy S5 hasn't been on sale for a week, and already a German security firm has hacked its fingerprint reader. The Berlin-based firm, called SRLabs, employed the exact same trick used to hack the iPhone 5s's own fingerprint reader.

The hack needs only a cameraphone photo of the S5 owner's fingerprint, a printer, and a type of liquid rubber. SRLabs' researchers merely inverted the photo's colors, then printed out the photo using a thick toner setting, so the fingerprint's indentations would appear as thick black lines.

The researchers then coated the printout with a type of fast-drying liquid rubber, such as pink latex milk or white wood glue, which took the shape of the original fingerprint as it dried. The hackers then placed the mold on their own finger and used it to successfully unlock the S5. 

This is the same technique that German hacking group Chaos Computer Club (CCC) used last September to hack the iPhone 5s, also less than a week after the phone first went on sale. However, the Galaxy S5 doesn't limit the number of times a person can try to enter a fingerprint, meaning any would-be hackers can repeat the somewhat delicate process of creating a fingerprint mold and trying it out as many times as necessary.

The Galaxy S5's fingerprint authentication can also be linked to other sensitive accounts on the phone, such as PayPal, making a potential hack even more serious.

The experiment caused SRLabs to conclude that "fingerprints are not fit for secure device unlocking," as the researchers titled their blog post on the hack. However, the firm did add that fingerprints might be better suited as a form of secondary authentication instead of replacing passwords entirely.

Samsung was much more nonchalant. "This is a scenario that is widely regarded in the industry as posing no critical risk for general consumers. This artificial experiment requires a rare combination of highly specialized equipment, materials and conditions," the tech giant said in a statement. 

There have been no reported instances of a criminal using this technique to hack a fingerprint-locked phone outside a laboratory setting.

PayPal also vouched for the S5's fingerprint security. "While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards," the company told Android Community in a statement.

The company went on to assure users that "We can simply deactivate the key from a lost or stolen device, and you can create a new one." PayPal's purchase protection policy also offers refunds in the case of fraud.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.

  • neon neophyte
    this isn't a hack and it is a problem with 99 percent of finger print readers, including door locks.

    this isn't news.
  • clonazepam
    rofl be wary of anyone trying to take photos of your fingertip! Whatever their reason, don't believe it ;)
  • ChillsandThrills
    this isn't a hack and it is a problem with 99 percent of finger print readers, including door locks.

    this isn't news.

    Note to the moderators, this is Otacon72. He is banned under many accounts and is trying to circumvent the ban. He is a highly abusive poster. Remove him.

    Typical fan boy response. Apple requires a password after every reboot before users can unlock their iPhone 5S with fingerprint scanner also, no such requirement with the S5. Linking your PayPal account to simply a finger print scan? Even Apple wasn't that stupid.
  • ChillsandThrills
    this isn't a hack and it is a problem with 99 percent of finger print readers, including door locks.

    this isn't news.

    Typical fan boy response. Apple requires a password after every reboot before users can unlock their iPhone 5S with fingerprint scanner also, no such requirement with the S5. Linking your PayPal account to simply a finger print scan? Even Apple wasn't that stupid.

    Note to the moderators, this is Otacon72. He is banned under many accounts and is trying to circumvent the ban. He is a highly abusive poster. Remove him.
  • mach7
    Seriously??? If you are worried about anyone going to this sort of trouble I would re-think any situation, in which, you think this might occur. Occam's Razor would suggest it is far more likely you will have your finger cut off, or get beaten until you unlock it for whomever might be that interested in your phone.
  • Immaculate
    I hate these fingerprint scanners. I will try my hardest not to buy a phone with one, I just feel like I'm practically handing away my prints to the system.
  • olaf
    I hate these fingerprint scanners. I will try my hardest not to buy a phone with one, I just feel like I'm practically handing away my prints to the system.

    No one is forcing you to use it, it's not working properly anyway. And for that matter neither do the myriad of fingerprint readers used for locks and so on. And like the poster above me said: all fingerprint readers are susceptible to that circumvention. If something is meant to be open one way, someone will always find a way to open it in another way.
  • house70
    Typical fan boy response. Apple requires a password after every reboot before users can unlock their iPhone 5S with fingerprint scanner also, no such requirement with the S5. Linking your PayPal account to simply a finger print scan? Even Apple wasn't that stupid.
    This means Apple was pretty stupid in plenty other ways. Bwahahaha!

    I would not use any form of fingerprint scanning for my devices, but that doesn't mean the feature should be removed entirely; others may be more adventurous than me in that respect. ANY fingerprint scanner can be fooled like that, the "hacker" is basically creating a finger with the correct print on it. This is NOT a security feature by any means, and actually Apple was the greatest fool for implementing something so easy to crack to begin with.
  • cenobite9
    Neon is right, I remember there was a Mythbusters episode where they beat a fingerprint scanner on a door lock using the same method. They also discovered that the scanner on the door lock was less sensitive than the test scanner on the laptop they were using as they only needed to swipe the paper photocopy of the print on the door lock to get it to open. I guess it all comes down to the manufacturer of the print reader.
  • 10tacle
    The Disney theme parks use a finger scanner as well. Most people think it is reading their fingerprint. It is not. It is capturing their biometrics (bone density for example). Of course it only works for a few years as we all change over time, and it may mess up if you break your finger, lose weight, gain weight, etc. But let's see a hacker trying to get around Capacitive Fingerprinting, as it is called.