This week, hackers showed off how to break into someone else’s Samsung Galaxy S5, by bypassing the oh-so-secure biometric fingerprint sensor. There’s real cause for concern here, for a variety of reasons.
The first is that the method used was remarkably simple. The German crew, known as Security Research Labs (SRLabs), used the same fingerprint they’d used towards the end of last year to get past the biometrics of the Apple iPhone 5S.
All they needed to kick off the hack was a camera phone photo of the target’s print. Presuming they used exactly the same techniques, they would then invert the image and print it using a thick toner setting, before smearing pink latex milk or white woodglue into the pattern created by the toner. That would give them their fake finger.
This highlights how easily exploitable fingerprint sensors are. We leave fingerprints everywhere (often in places we shouldn’t), so taking a suitable photo should not be too much of a task for a hacker. Admittedly this is more effort than most crooks will expend, given they could just threaten the victim with a weapon, but it goes to show the insecurities that come with this supposedly more secure technology.
But Samsung did some other stupid things, namely allowing as many attempts at logging in as possible. So even if the hacker cocked the process up the first time, they could keep trying until they cracked the phone. This is a basic oversight, or it’s Samsung’s way of saying, “we care more about usability than security”.
Even more concerning was Samsung’s blasé reaction. Here’s what the tech titan had to say in reaction to SRLabs hack of its new device, “This is a scenario that is widely regarded in the industry as posing no critical risk for general consumers. This artificial experiment requires a rare combination of highly specialised equipment, materials and conditions. Samsung takes security matters very seriously. We are continuously taking measures to vigorously enhance the security of the device.”
I’m not going to deny Samsung takes security seriously, every modern organisation has to. If you lose people’s information these days, it’s going to hurt the coffers, especially where the breach sees masses of sensitive data go missing.
But to say it poses no critical risk and not promising any update to the mechanism implemented in the Galaxy S5 is more than a little perturbing. Yes the process is a little elaborate, but it’s a real, genuine security issue.
If someone had just shown you how they could break into your home because of a weakness in the lock, wouldn’t you at least want that lock replacing? I would and I’m sure the same goes for others.
To at least show some sensitivity here, Samsung could make some basic changes, such as limiting the number of login attempts by default.
It may also want to rethink what apps can use the fingerprint sensor. The PayPal app can use the biometric tech to authenticate payments, meaning that a hacker with a fake finger could pilfer funds or make payments on their victim’s behalf.
The app developers should also consider whether they want to risk integrating fingerprint functionality. But PayPal, despite its decent security history, took much the same line as Samsung.
“We are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords and PINs,” it said.
At least if your PayPal account is compromised, you can get your money back. For other apps, recovering from a fingerprint hack might have more serious ramifications.