Samsung Galaxy S5's Fingerprint Scanner Hacked
The Samsung Galaxy S5 hasn't been on sale for a week, and already a German security firm has hacked its fingerprint reader. The Berlin-based firm, called SRLabs, employed the exact same trick used to hack the iPhone 5s's own fingerprint reader.
The hack only needs a camera phone photo of the S5 owner's fingerprint, a printer, and a type of liquid rubber. SRLabs' researchers merely inverted the photo's colors, then printed out the photo using a thick toner setting, so the fingerprint's indentations would appear as thick black lines.
The researchers then coated the printout with a type of fast-drying liquid rubber, such as pink latex milk or white wood glue, which took the shape of the original fingerprint as it dried. The hackers then placed the mold on their own finger and used it to successfully unlock the S5.
This is the same technique that German hacking group Chaos Computer Club (CCC) used last September to hack the iPhone 5s, also less than a week after the phone first went on sale. However, the Galaxy S5 doesn't limit the number of times a person can try to enter a fingerprint, meaning any would-be hackers can repeat the somewhat delicate process of creating a fingerprint mold and trying it out as many times as necessary.
The Galaxy S5's fingerprint authentication can also be linked to other sensitive accounts on the phone, such as PayPal, making a potential hack even more serious.
The experiment caused SRLabs to conclude that "fingerprints are not fit for secure device unlocking," as the researchers titled their blog post on the hack. However, the firm did add that fingerprints might be better suited as a form of secondary authentication instead of replacing passwords entirely.
Samsung was much more nonchalant. "This is a scenario that is widely regarded in the industry as posing no critical risk for general consumers. This artificial experiment requires a rare combination of highly specialized equipment, materials and conditions," the tech giant said in a statement.
There have been no reported instances of a criminal using this technique to hack a fingerprint-locked phone outside a laboratory setting.
PayPal also vouched for the S5's fingerprint security. "While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards," the company told Android Community in a statement.
The company went on to assure users that "We can simply deactivate the key from a lost or stolen device, and you can create a new one." PayPal's purchase protection policy also offers refunds in the case of fraud.