Galaxy S5's fingerprint scanner can be easily hacked

Last Updated: Apr 21st, 2014 9:04 pm
Deal Fanatic
Jan 18, 2004
6433 posts
1239 upvotes
Canada

http://www.sammobile.com/2014/04/15/gal ... ly-hacked/

Just three days after the launch of the Galaxy S5, it has been discovered the device's fingerprint scanner suffers from the same issues that have plagued earlier implementations by Apple and others. A security research firm from Germany called SRLabs has successfully hacked the fingerprint sensor on the Galaxy S5 using a similar method that was used to spoof the Touch ID sensor on the iPhone 5S. First, the team took a photo of a latent fingerprint using an iPhone 4S and then processed it into a wood-glue mold. The mold is then used to bypass the fingerprint authentication mechanism of the Galaxy S5 successfully.

What is disturbing about this mechanism is that SRLabs used the same mold that they used to hack the Touch ID sensor. Even more disturbing is the fact that after logging into the device, the fingerprint hack allows hackers to authenticate digital payments via PayPal without ever having to enter a password. If a hacker does not successfully authenticate a fingerprint in the first attempt, he gets multiple tries to scan the fingerprint, after which he would be able to transfer money from a user’s linked bank account. The additional functionality offered by the finger scanner makes it convenient to authenticate digital purchases, but is susceptible to hacking.
50 replies
Deal Expert
Mar 25, 2005
22706 posts
3697 upvotes
Exactly why fingerprints suck as authentication.
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
It's the same vulnerability that the iPhone had, it's just that Samsung also added lots of new ways to take advantage of the exploit. I can't believe they completely missed the concept of a reset after repeated failed attempts, which is a basic and fundamental consideration of almost any security system these days. That's almost as bad as transmitting username/passwords in plain text...(they did that too). A reset isn't always necessary, but in this case it seems like a no-brainer.

The problem is that these aren't just bugs or limitations of the technology. It's just really a piss poor implementation and shows a decided lack of competencies when it comes to security. These were decisions they made and they made really bad decisions.
Deal Guru
Feb 10, 2007
13940 posts
5439 upvotes
lolol

everything that's not created by apple is "piss poor implementation and shows a decided lack of competencies when it comes to security"

LOL
ceredon wrote: It's the same vulnerability that the iPhone had, it's just that Samsung also added lots of new ways to take advantage of the exploit. I can't believe they completely missed the concept of a reset after repeated failed attempts, which is a basic and fundamental consideration of almost any security system these days. That's almost as bad as transmitting username/passwords in plain text...(they did that too). A reset isn't always necessary, but in this case it seems like a no-brainer.

The problem is that these aren't just bugs or limitations of the technology. It's just really a piss poor implementation and shows a decided lack of competencies when it comes to security. These were decisions they made and they made really bad decisions.
The sweetest gyal
Sr. Member
Dec 20, 2012
728 posts
120 upvotes
Vancouver, BC
ANYTHING that is electronic CAN/WILL be hacked...


/discussion
Fido $45
Unlimited Canada Calling, Unlimited Global Texting/MMS, 5GB Data
Twilight 128GB Huawei P20 Pro
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
sexyj wrote: lolol

everything that's not created by apple is "piss poor implementation and shows a decided lack of competencies when it comes to security"

LOL
Nope, Samsung did a great job with waterproofing the S5. They just don't seem to have put much thought into security considerations.

Much like most of your posts, as far as lack of thought LOL
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
gd6noob wrote: ANYTHING that is electronic CAN/WILL be hacked...


/discussion
Of course it will. That doesn't mean they shouldn't even try.
Banned
Jan 11, 2004
19816 posts
572 upvotes
ceredon wrote: Of course it will. That doesn't mean they shouldn't even try.
they did just like apple.. and just like apple.. fingerprint scanners for phones aren't secure
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
gilboman wrote: they did just like apple.. and just like apple.. fingerprint scanners for phones aren't secure
Then it was probably a bad idea to expose the API to apps...like paypal. Or allow unlimited failed attempts. That in particular was just ***** .

There is a big difference between not as secure and stupid.
Deal Expert
Mar 25, 2005
22706 posts
3697 upvotes
ceredon wrote: Then it was probably a bad idea to expose the API to apps...like paypal. Or allow unlimited failed attempts. That in particular was just ***** .

There is a big difference between not as secure and stupid.
Nothing a little software cannot fix. I mean Apple's goto failure was stupid.
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
Kasakato wrote: Nothing a little software cannot fix. I mean Apple's goto failure was stupid.
Sure it was and that's the nature of bugs. Bugs are different than poor design. Heartbleed was a bug. Goto fail was a bug. Plain text password transmission is poor design. Unlimited failed attempts is poor design.

Imagine if your bank card allowed unlimited attempts with a bad PIN. There is a reason it locks eventually. This isn't a new concept.
Deal Expert
Mar 25, 2005
22706 posts
3697 upvotes
ceredon wrote: Sure it was and that's the nature of bugs. Bugs are different than poor design. Heartbleed was a bug. Goto fail was a bug. Plain text password transmission is poor design. Unlimited failed attempts is poor design.

Imagine if your bank card allowed unlimited attempts with a bad PIN. There is a reason it locks eventually. This isn't a new concept.
There is a limit. The bug allows you to remove the limit.
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
Kasakato wrote: There is a limit. The bug allows you to remove the limit.
How did they remove it? All I saw was them swiping over and over. Was there something they did?
Deal Expert
Mar 25, 2005
22706 posts
3697 upvotes
ceredon wrote: How did they remove it? All I saw was them swiping over and over. Was there something they did?
Did you watch the video? You reset it/turn it off and reset the limit to 0. Rinse and repeat for unlimited attempts.
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
Kasakato wrote: Did you watch the video? You reset it/turn it off and reset the limit to 0. Rinse and repeat for unlimited attempts.
That was showing two different problems.
1) rebooting the device doesn't wipe the stored prints or require re-authorization of the prints. It should.
2) API allows unlimited failed swipes. It shouldn't.

There is no mention of a reboot being necessary to reset a limit or a limit even existing or being enforced without a reboot.
Deal Expert
Mar 25, 2005
22706 posts
3697 upvotes
ceredon wrote: That was showing two different problems.
1) rebooting the device doesn't wipe the stored prints. It should.
2) unlimited failed swipes allowed. It shouldn't.

There is no mention of a reboot being necessary to reset a limit or a limit even existing or being enforced without a reboot.
I suggest picking up an S5 and iP5s and learning more about the implementation of each system.
Deal Guru
Feb 10, 2007
13940 posts
5439 upvotes
why would an apple fanboy buy an s5 ? ;) ;) ;) ;)
Kasakato wrote: I suggest picking up an S5 and iP5s and learning more about the implementation of each system.
The sweetest gyal
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
Kasakato wrote: I suggest picking up an S5 and iP5s and learning more about the implementation of each system.
I've used a 5S and am familiar with their implementation. I'll see if anyone I know ends up with a S5, but from what I've seen so far, it needs work.
Deal Guru
Sep 28, 2010
10950 posts
3262 upvotes
sexyj wrote: why would an apple fanboy buy an s5 ? ;) ;) ;) ;)
Good question.

Two completely off-topic posts out of two posts in the thread. Hard to stay focused?
Deal Expert
Mar 25, 2005
22706 posts
3697 upvotes
ceredon wrote: I've used a 5S and am familiar with their implementation. I'll see if anyone I know ends up with a S5, but from what I've seen so far, it needs work.
Then you should know rebooting a 5s does not wipe stored prints.

...and with the power of the Internet that the S5 only allows unlimited attempts due to a "bug."
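
Added example, not part of any post and not Samsung's or Apple's code: a failed-swipe counter stored on disk so that a restart cannot reset it, falling back to the password once the cap is reached. The class name, the state file and the cap of 5 are assumptions for illustration.

```python
import json
import os
import tempfile

MAX_FAILURES = 5  # assumed cap; the thread does not state a number


class AttemptLimiter:
    """Failed-swipe counter kept in a file so a restart cannot zero it."""

    def __init__(self, state_path, max_failures=MAX_FAILURES):
        self.state_path = state_path
        self.max_failures = max_failures
        self.failures = self._load()

    def _load(self):
        try:
            with open(self.state_path) as fh:
                return int(json.load(fh)["failures"])
        except FileNotFoundError:
            return 0  # first start: no state recorded yet
        except (ValueError, KeyError, TypeError):
            return self.max_failures  # unreadable state: fail closed

    def _save(self):
        # Write to a temp file, then rename, so a power cut cannot truncate it.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.state_path) or ".")
        with os.fdopen(fd, "w") as fh:
            json.dump({"failures": self.failures}, fh)
        os.replace(tmp, self.state_path)

    def locked(self):
        return self.failures >= self.max_failures

    def biometric_attempt(self, matched):
        if self.locked():
            return "password_required"  # sensor result is ignored once locked
        self.failures = 0 if matched else self.failures + 1
        self._save()  # persist before reporting the outcome
        if matched:
            return "unlocked"
        return "password_required" if self.locked() else "retry"

    def password_attempt(self, correct):
        if correct:
            self.failures = 0
            self._save()
        return "unlocked" if correct else "password_required"


def swipes_with_restart(state_path, swipes):
    """Replay swipes, building a fresh limiter (a 'restart') before each one."""
    return [AttemptLimiter(state_path).biometric_attempt(m) for m in swipes]
```

Keeping the counter only in memory would make every call in `swipes_with_restart` return `retry`, which is the behaviour the posts above argue about.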
