Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case

[Karlston]

Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case

Samsung says it is developing a fix for "malfunctioning" fingerprint reader.

First image of article image gallery. Please visit the source link to see all images.

 

Samsung is once again in hot water for a shoddy biometrics implementation. This time the culprit is the Galaxy S10 and its ultrasonic in-screen fingerprint reader, which apparently can be unlocked by anyone as long as there is a screen protector or some other piece of transparent plastic between a finger and the sensor.

 

British tabloid newspaper The Sun originally reported the news, saying a British woman discovered she could unlock her husband's phone just by adding "a £2.70 screen protector bought on eBay." After reporting the issue to Samsung, the couple says Samsung "admitted it looked like a security breach," and a spokesperson told The Sun, “We’re investigating this internally. We recommend all customers to use Samsung authorised accessories, specifically designed for Samsung products.”

 

Days later when the BBC picked up the story and contacted Samsung again, the company said it is "aware of the case of S10's malfunctioning fingerprint recognition and will soon issue a software patch."

 

 

It all sounds like an unbelievable story, but now that the word has gotten out, there are already videos on the Internet of the method working. Examples from @Sta_Light_ on Twitter and the meeco.kr forum show 2019 Samsung phones failing to unlock with an untrained fingerprint as they should, but then, when the user places a clear silicone phone case over the top of the sensor, that finger can unlock the phone. The user on Meeco uses a Galaxy S10, as previously reported, but Sta_Light_'s phone is actually a Galaxy Note10, which uses the same fingerprint technology as the Galaxy S10.

 

Samsung has known for some time that screen protectors could interfere with the ultrasonic fingerprint reader. Early S10 screen protectors actually featured a giant hole over the top of the fingerprint reader sensor location, as there was concern that an air gap between the cover and sensor could stop the sensor from working. Eventually, Samsung and the industry huddled up and started producing screen covers that were "compatible" with the sensor, avoiding an air gap by using some kind of glue or gel backing on the screen protector.

 

There is currently a split in under-display fingerprint reader technology in the smartphone market. Most phones use optical in-screen fingerprint readers, which place a CMOS chip under the display and take a 2D picture of your finger. Samsung is pretty much the only vendor that doesn't use an optical reader, instead opting for Qualcomm's ultrasonic fingerprint reader technology. Qualcomm and Samsung touted the ultrasonic sensor as more secure than optical, since it uses sonic waves to take a 3D scan of your finger, supposedly providing more detail than the 2D image of a CMOS sensor. Qualcomm also made the claim that the sensor can "detect blood flow within the finger and actually prevent hackers from spoofing the device with a photo or a mold," though that statement seems to have been proven false with several hacks now.

 

Failed Samsung biometric solutions are not new. Last time, it was 2017's Galaxy S8, which shipped with a Samsung-built facial recognition system that had flaws other vendors had addressed in 2011—you could unlock the phone with a photo of someone. This also isn't the first time someone has broken the S10's fingerprint reader—it was previously defeated with a $450 3D printer. Failing biometrics on a phone are a bigger deal than ever, as they give attackers access not only to your messages, photos, and contacts but, thanks to NFC payment apps, expose your credit cards, too.

 

Listing image by Ron Amadeo

 

 

Source: Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case (Ars Technica)

 

(To view the article's image gallery, please visit the above link)

[zanderthunder]

Samsung issues statement following reports of fingerprint vulnerability on S10/ Note10

 

Last week, a report surfaced that British Galaxy S10 user, Lisa Neilson discovered a fingerprint scanner vulnerability that would let anyone access her device through a vulnerability with the ultra-sonic fingerprint sensor.

 

Cheap silicone screen protectors have dot matrices so the clear protector wouldn’t stick to the smooth glass. This caused a malfunction with the ultra-sonic in-display fingerprint sensor. In practice, enrolling your fingerprint doesn’t work through such a case, except it did. It was enrolling the pattern on the silicone cover and not from a user’s finger, so when anyone else tried to unlock the device, it recognized the patterns in the cover and opened right up.

 

Samsung acknowledged that it was looking into the issue and the first device patched for this was the Galaxy S10 5G, just earlier today. Samsung has since released an statement regarding the phone’s security in relation to these silicone screen covers.

 

Quote

This issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users’ fingerprints. To prevent any further issues, we advise that Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints

 

A software update is planned to be pushed next week to Galaxy S10/S10+/S10 5G/Note10/Note10+ users. Until then, customers are advices to stop using these protectors, delete all enrolled fingerprints, and re-enroll them without using the case.

 

The update will let users continue to use these silicone cases and (presumably) it would not allow you to enroll your finger with such a case installed.

 

After the update, Samsung recommends users thoroughly scan the entirety of their fingerprints to ensure security of their devices. Check the Source link to see Samsung’s full statement.

 

Source:

1. Samsung issues statement following reports of fingerprint vulnerability on S10/ Note10 (via GSMArena)

2. Statement on Fingerprint Recognition Issue (via Samsung Newsroom)

[zanderthunder]

Samsung Galaxy S10 and Note10 receiving a fix for fingerprint flaw

 

A serious security flaw on the Galaxy S10 came to light last week when a British user found that her phone could be unlocked with unregistered fingerprints. Later, it was discovered that the Galaxy S10+ and Note10 series were also marred with this issue.

 

Samsung claimed the issue was caused by third-party, silicon screen protectors, but it turned out that's not the case. The company promised to fix this issue soon and it's now rolling out software updates for the S10 and Note10 series with a patch.

 

 

The update will reach only those units that have fingerprints registered. And, once you've installed the update, Samsung advises you delete previously registered fingerprints and re-register without a screen protector installed.

 

Samsung is currently seeding the update in its home country South Korea, but the company said it will be expanded to other countries in 24 hours.

 

Source:

1. Samsung Galaxy S10 and Note10 receiving a fix for fingerprint flaw (via GSMArena) - main article

2. Samsung updates software to fix fingerprint recognition problem (via Reuters) - 1st reference to the main article

3. Samsung to fix Galaxy Note 10 and S10 fingerprint flaw within 24 hours (via SamMobile) - 2nd reference to the main article