Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS

The much-hyped fingerprint scanner on Samsung’s flagship handset the Galaxy S5 can be fooled just days after the device was launched. Researchers at Germany’s Security Research Labs (SRLabs) publicised their findings in a YouTube clip. According to the narrator, the scanner was hoodwinked "under lab conditions, but is based on …

COMMENTS

This topic is closed for new posts.

iSuppli estimates

These are a bit of a joke.

Within Apple, almost nobody knows what they pay for parts. This is super secret info. If there are more than 5 people in Apple who know what the iPhone BOM cost is, I would be surprised.

Re: iSuppli estimates

The same is true in any hardware company. The details of parts supplier deals are always deep secrets, because both the competitors and competing suppliers could take advantage of them.

Re: iSuppli estimates

The same is true in any hardware company. The details of parts supplier deals are always deep secrets, because both the competitors and competing suppliers could take advantage of them.

You're right, but for the wrong reasons. BOMs are uncannily difficult beasts for a "real" all-encompassing tech company like Samsung. At Apple it's mostly a matter of trade secrecy, because Apple is mostly a product _designer_; for companies like Samsung (and, to a smaller extent, Moto for example) you have to factor in the fact that they actually make a lot of the parts in their devices themselves... but in different branches, branches which bill each other almost as if they were different companies. But only almost. Now factor in the cross-licensing deals that Samsung (and Apple, but to a staggeringly smaller extent, because they don't hold as much IP in the electronics or manufacturing departments) have with external manufacturing companies, most of which are not per-piece or even per-product, and you may -just may- approach the complexity of the thing. And now remember all these branches in Samsung? Well, if they are remotely as retorse as Western companies they have internal "intellectual property" deals as well.

Now I need to stop and grab a beer, because if I go on I'll need an Aspro instead and that's much less fun.

Re: iSuppli estimates

"The same is true in any hardware company." Nope, you are wrong.

I've been in the embedded systems industry for 30 years, of which I worked for a year at Apple.

Engineering is the art of compromise. Many of those compromises are things like speed vs amount of RAM, cost of FPGA vs cost of microcontroller. Engineers need this info to make good design trade-offs.

Most companies share this information within the company so that engineers can use it in their decision making.

Not Apple. People with very real reasons to have access to numbers, even ballpark numbers, don't get them.

Anonymous Coward

While the BOM cost is not accurate given that they do not know what each company is paying for components, it is still a good guide to see an approximate cost of the electronic device. When the same parts are used, the same price is used and generally all of the prices IHS uses for components would be the worst case scenario. You don't need a super accurate price to compare the component cost of two handsets; both have the same correction factor.

both have the same correction factor

A lot of the parts in the iPhone and the Galaxy are manufactured by Samsung.

You're taking for granted and evident that Samsung and Apple pay the same for these parts. It may be the case, but it's not an obvious (or safe) assumption to make.

Anonymous Coward

Sure Apple pays Samsung to make the Ax line of processors, but the majority of Samsung phones also use a processor manufactured from another company; in the case of Samsung this would be Qualcomm.

As has been proved time

and time again, fingerprint scanners are easily fooled with a bit of ingenuity.

Yet *still* it's touted as some uber secure access system....

It's not, never has been and in its current guise, never will be.

It's a convenience over security battle and as most of us are lazy bastards, the former will always triumph.

There is nothing to replace a good strong password (at the mo) but I don't want to type in a 30 CHR$ pass phrase just to check some message......

Biometrics...

A password that you cannot change, and leave written everywhere you go. I can't fathom why people think it's a good idea.

Re: Biometrics...

I think it is a case of selecting the correct biometric parameter; a retina scan would certainly be more secure since you don't tend to leave that everywhere you go. Sure, someone could grab the retina photo from your optician (if they really wanted to) or could dupe you into scanning your retina on a compromised device - with the latter dodge this is already the case with PINs and the like.

Perhaps, at least for mobiles, an ear swipe would be good - other devices not so much :)

Alternatively randomly (and infrequently) use double authentication, asking for a second swipe with a specified digit (or alternative eye/ear/whatever) or requiring entry of a PIN too. A bit like how supermarkets with self-scan occasionally request the re-scanning of random items from the shopping by the cashier.

Re: Biometrics...

Exactly, and they are using it for ePassport gates?

Sure IRIS was not perfect, BUT it's much harder to fake at border control (i.e. you can't just stick a fake iris on your eyeball like you can a fake fingerprint).. the technology needed some updating, to avoid the need for multiple cameras at different heights which often had the wrong one activated I noticed.... Surely some form of eye tracking technology as you walked into the gate, with a high magnification lens would allow the eye to be scanned at a distance...

Re: Biometrics...

"Sure IRIS was not perfect, BUT it's much harder to fake at border control (i.e. you can't just stick a fake iris on your eyeball like you can a fake fingerprint)"

IRIS wasn't retina scanning though. You're correct, retinal scanning is very hard to fake given it's an image of the back of your eye, but also less user-friendly to use.

It's relatively trivial to fake an iris scan though - coloured contact lenses effectively have a fake iris on them. Commercial scanners are even fooled by a high quality photograph being held up to them.

JDX
Re: As has been proved time

Hopefully the time it takes someone to do this is longer than the time it takes to report your phone stolen and have it deactivated.

Re: Biometrics...

People can't just look over your shoulder to copy it, they have to exercise more ingenuity than the average criminal is capable of to exploit it. I'm surprised nobody has developed a method of scanning and 3D printing to produce fake fingers ... oh look, they did already (PDF).

Re: Biometrics...

"A bit like how supermarkets with self-scan occasionally request the re-scanning of random items from the shopping by the cashier."

Occasionally?

After 6 out of 10 shops, I gave up. It was faster to use the cashier lane.

Re: It was faster to use the cashier lane.

The cashier is always faster processing a checkout. It's only the queue time to get to the cashier that can make self-checkout faster.

I only use them when I have a handful of items and usually don't have a problem with needing to rescan something. BUT, I do pay close attention to the voice instructions it gives me and wait for the next prompt. If you get ahead of the automated process it all goes to hell.

On the rare occasion my roommate is with me, she does not do that. She tries to scan multiple items or bag them or scan the next item before the weight for the previous item has registered. Always ends in disaster. Because the cashier lane doesn't have the same restrictions, they can do those things (especially scanning 1 carton of diet coke 4 or 5 times instead of each one individually).

Re: Biometrics...

A password that you cannot change, and leave written everywhere you go. I can't fathom why people think it's a good idea.

I have 2 reasons for you:

- It takes days to counterfeit for a team dedicated to the task with expensive hardware, a dedicated lab and specialized skills. Most passwords can be cracked in a matter of minutes by a script kiddie with a 200-buck laptop from eBay.

- You can't possibly forget it. Most "hard-to-guess" passwords end up written on a post-it, which is demonstrably worse than holding them at your fingertips (literally). And most of them aren't hard to guess at all anyway, cue the obligatory xkcd reference: http://xkcd.com/936/

Re: Biometrics...

Not quite exactly. That's a username not a password... For user names, fingerprints are dandy.

Are we ever asked for a password at border control ?

101:

Something YOU have and something YOU know

Re: As has been proved time

and time again, fingerprint scanners can be fooled by a dedicated team with heavy equipment. In a lab. Set up specifically for that purpose. With previous knowledge of both the "key" and the target. Within FOUR DAYS, assuming the target did not notice their ultra-hush-hush device went missing. FOUR DAYS AGO.

Bah humbug.

Meanwhile, "good" passwords are cracked almost instantly by the million every single day by virtually anyone on the planet, leading to numerous kinds of frauds, costing real money.

Kids these days.

Anonymous Coward

Re: Biometrics...

Consider a password something like gQ9#dL consisting of 6 randomly chosen symbols from a set of 64, none the same, something most people could learn with reasonable effort.

Is it safe from someone who has the hash and a few minutes to compute and test? Certainly not.

Is it safe from someone who has three or four chances to enter it correctly before the entry device locks? Very likely so.

Re: Biometrics...

"Something YOU have and something YOU know"

... AND something you ARE.

We are not yet quite there with mobile devices, but soon...

Re: Biometrics...

I'd say the same. I use self service tills regularly and have never been asked to re-scan a barcode.

Re: As has been proved time

Exactly. It's a concerted effort, beyond the ken of most drug-addled thieves. By the time they get it to someone who can do it, the owner has hopefully realised it's gone and had it locked down or tracked.

Security is never 100% foolproof in stopping people getting in. The point is to slow people down enough that they are likely to be noticed.

Anonymous Coward

Re: Biometrics...

"I'd say the same. I use self service tills regularly and have never been asked to re-scan a barcode."

It's not self-service tills, it's self-scan where you have a barcode reader you carry around with you. A sort of "scan as you shop", assuming you have bags in your trolley.

Security wise, they ask you to re-scan it every so often. If your re-scan is deemed to match your initial scan, you won't be asked again for a while. So to the "6 out of 10" person, I suspect you've been carelessly scanning. Scatty friend of mine was eventually barred from the system for continuously messing up :-D

Missing on the obvious business opportunity

Starprints!

Fingerprints of the stars! You too could unlock your iBling/SBling with the same fingerprint as KIM KARDASHIAN. Be the envy of your Facebook Friends, be the envy of your real friends (Real friends not supplied!). Protect your most private selfies with the same built in security used by such luminaries as Paris Hilton, Scarlett Johansson and Jude Law.

PleasenotethatshouldyoulosepossessionofyourphonetherearechancesofitbecingunlockedwithsimilarStarprint(tm)bytotherperson(s).

Anonymous Coward

Re: Missing on the obvious business opportunity

Brilliant.

Anonymous Coward

Remind me

Why did Samsung need to put a fingerprint scanner on their phone anyway? Oh yeah, that is right, because Apple had one...

Anonymous Coward

Re: Remind me

Samsung had them on laptops before Apple had them on phones.

That aside, by the ad-hoc standards of the Apple Fanatic, the Samsung scanner is objectively better. It took longer to crack, so it must be.

Anonymous Coward

Re: Remind me

And HP/Compaq had them on their iPaq range before them.

Notice any similarities? Who's copying who, now?

Anonymous Coward

Re: Remind me

And, Motorola Atrix had a fingerprint scanner WAYYYY before iPhone did.

Is this worse than the iPhone 5S fingerprint scanner?

Not technically worse I mean, but it seems to me that it's a worse vulnerability. The iPhone sensor only allows you to unlock the phone, and to sign in to (and purchase from) the Apple stores. Sure, that's not ideal if someone's got your phone and can circumvent the fingerprint reader....

....but, your passcode is required when you switch the phone on (and it's likely they'll have switched it off to avoid being tracked after the theft) or after ~5 failed attempts (as the article mentions) and even if they get past it all, all they can do is buy you music and apps. Which Apple will refund you for when you report it stolen etc.

If the Samsung one doesn't need your passcode, AND you can have infinite attempts AND you can spend real money through PayPal (and other apps?) then that seems a lot worse to me.

Re: Is this worse than the iPhone 5S fingerprint scanner?

It does seem that this is a very poor implementation of fingerprint security. Even Samsung's draw-a-figure security system has a time-out (short, but, if I recall, user configurable) after five failed attempts. It is elementary to have a lockout (with an option to use another option if necessary).

On the other aspect - one-factor authorisation for financial transactions - how silly! Even if you use PayPal's two-factor (SMS) authorisation, the message is going to go to the phone that the thief has (though could be the case with the PayPal app on any phone if security is inadequate). Personally, I never use my phone for anything to do with finance, except as the second factor of authorisation.

Barcode anyone?

Maybe we all need barcode tattoos at birth, say on our forearm, and then biometric scanning that detects the changes in the barcode tattoo with age?

It's OK, I don't have a big brother.

Re: Barcode anyone?

Someone at the thread about luggage beacons posited everyone getting an RFID tag like they make for pets. Embed in the back of the hand and all.

Then again, like with the barcodes, someone's always gonna try to clone them. I think the concern is that anything man-made can be cloned, so they're trying to use something biological and thus innate.

DJO
Lizard People?

"We can simply deactivate the key from a lost or stolen device, and you can create a new one."

So that would mean chopping off a finger and growing a new one with a different fingerprint; to the best of my knowledge mammals can't do that, reptiles can. Perhaps David Icke was right all along.

Re: Lizard People?

When I was at school I burnt the fingerprint off my left index finger by dragging it gently along a wall every day.

It grew back. Not sure if it was exactly the same, but I presume so.

A few months back I also managed to slice a good chunk of the flesh part of my thumb off whilst chopping veg. Again, it's still healing but I can see the fingerprint growing back in and all the lines seem to join up with the undamaged skin.

So yes, we can grow replacement fingerprints, but they are the same as the old ones.

Re: Lizard People?

So, do you have a carer, or some other responsible person, who takes care of you? If so, they need to be sacked.

Re: Lizard People?

You know that these systems let you register the prints from more than just one finger right?

Re: Lizard People?

"So, do you have a carer, or some other responsible person, who takes care of you? If so, they need to be sacked."

I can't sack my wife, that's immoral. Hmm, on second thoughts...

Re: Lizard People?

Maybe you're joking and your sense of humour eludes mine. Generally, I only understand it's a joke if it's actually funny.

It's not the fingerprint that is revoked but the cryptographic key held protected by the fingerprint.

The biometric stuff is strictly between the owner and their S5; the crypto key is between the S5 and PayPal. Simples.

Re: Lizard People?

"Generally, I only understand it's a joke if it's actually funny."

Really? What about things that are a joke but aren't meant to be funny, like how our government spunks money up the wall on useless brain-dead projects with no earthly value and yet takes money away from people who can't afford to live with schemes like the bedroom tax?

Seriously, our government is a joke, but I'm not laughing. Perhaps you should refine your sense of humour?

Re: Lizard People?

quote: "So, do you have a carer, or some other responsible person, who takes care of you? If so, they need to be sacked."

What is this I don't even

Re: Lizard People?

It was meant to be humor in response to Sir Runcible Spoon's history of self mutilation.

It was obviously funnier in my head.

Re: Lizard People?

What is funny? It's not to do with the seriousness of the subject matter, for me. I'm open to laughing about all sorts of serious or even tragic things if there is an ironic twist.

Where the funniness of the lizard thing is lost is that it's based on a misunderstanding on the technical point: You don't revoke the fingerprint!

Make a comical point about some crap policy like the bedroom tax: bring it on.

If you're driven into rent arrears and debt because you can't afford your council house any more and there is no smaller one to move into, you may be upset about it, but it doesn't take the "funny" away.

Re: Lizard People?

I believe the OP based his comment on a *deliberate* misunderstanding of the technical point and ran with it (you know, like with scissors).

Re: Lizard People? @DJO

I can't work out if you are being serious, but, just in case you are, I'll explain. Fingerprint readers don't store (the image of) the fingerprint. It creates a key - basically a password. Cancelling a fingerprint key and then re-enrolling the same one will create a different key (at least in a decent system - I don't know about the Samsung or Apple ones). However, as someone else mentioned, most people have more than one finger, and the centrally placed ones on phones make it easier to use either hand, unlike the offset one on my Thinkpad which almost guarantees that most users will use the right hand ...

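
The revocation model the two posts above describe (the key, not the finger, is what gets cancelled, and re-enrolling the same finger yields a fresh key), as an added illustration that is not the posters' code nor Samsung's or PayPal's implementation: the device keeps the template locally and mints a random per-enrollment key; the service only ever sees that key and challenge responses. For brevity it uses an HMAC shared secret; an assumption of this sketch, where a real deployment would hold a per-device asymmetric key pair so the service never stores anything that can produce a response.

```python
import hashlib, hmac, secrets

class Device:
    """The phone. The template and the credential key never leave it
    (constructed model, not the S5's actual implementation)."""
    def __init__(self):
        self.template = None        # local fingerprint template
        self.credentials = {}       # credential_id -> key

    def enroll(self, finger_sample):
        self.template = finger_sample
        cred_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)   # fresh random key, not derived from the finger
        self.credentials[cred_id] = key
        return cred_id, key             # handed to the service once, at registration

    def respond(self, cred_id, finger_sample, challenge):
        if finger_sample != self.template or cred_id not in self.credentials:
            return None                 # no local match (or unknown credential): no response
        return hmac.new(self.credentials[cred_id], challenge, hashlib.sha256).digest()

class Service:
    """The relying party (the thread's PayPal): holds keys, never fingerprints."""
    def __init__(self):
        self.keys = {}

    def register(self, cred_id, key):
        self.keys[cred_id] = key

    def revoke(self, cred_id):          # phone reported lost: the key dies, the finger does not
        self.keys.pop(cred_id, None)

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, cred_id, challenge, response):
        key = self.keys.get(cred_id)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def lost_phone_scenario():
    finger = b"constructed-thumb-sample"        # stands in for the sensor's output
    phone, paypal = Device(), Service()
    cred1, key1 = phone.enroll(finger)
    paypal.register(cred1, key1)
    c = paypal.challenge()
    before = paypal.verify(cred1, c, phone.respond(cred1, finger, c))
    paypal.revoke(cred1)
    c = paypal.challenge()
    after = paypal.verify(cred1, c, phone.respond(cred1, finger, c))
    new_phone = Device()
    cred2, key2 = new_phone.enroll(finger)       # same thumb, different key
    paypal.register(cred2, key2)
    c = paypal.challenge()
    again = paypal.verify(cred2, c, new_phone.respond(cred2, finger, c))
    return before, after, again, key1 != key2
```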
Re: Lizard People?

"Where the funniness of the lizard thing is lost is that it's based on a misunderstanding on the technical point: You don't revoke the fingerprint!"

You do realise humour is often based on a misunderstanding? See the Four candles sketch from The Two Ronnies for an example.

Don't know about International model

But here in the states my Verizon version of the S5 does prompt for password after several failed attempts.

Re: Don't know about International model

That's when you just reboot the handset.

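
The lockout the commenters ask for, with the reboot remark just above taken into account, as an added sketch that is not the commenters' code nor Samsung's: failed matches are counted and backed off in non-volatile storage, the fifth miss forces the passcode, and because the counter is written before the gate answers, re-creating the gate on the same storage (a reboot) does not reset it. The storage class, the five-attempt limit and the timings are assumptions of this example.

```python
import time

MAX_ATTEMPTS = 5      # after this many misses, only the passcode unlocks
BASE_DELAY_S = 30     # first backoff window; doubles with each further miss

class NonVolatileStore:
    """Stand-in for flash/secure storage (constructed for this example).
    A gate object is created on top of it at boot; the dict outlives the gate."""
    def __init__(self):
        self.data = {"failures": 0, "locked_until": 0.0}

class FingerprintGate:
    def __init__(self, store, now=time.time):
        self.store, self.now = store, now   # boot: state is read back from storage

    def state(self):
        if self.store.data["failures"] >= MAX_ATTEMPTS:
            return "passcode_required"
        if self.now() < self.store.data["locked_until"]:
            return "locked"
        return "open"

    def try_fingerprint(self, matched):
        if self.state() != "open":
            return self.state()              # refuse before consulting the sensor
        if matched:
            return self._reset()
        failures = self.store.data["failures"] + 1
        # persist the miss and the backoff window before answering, so a
        # power cycle cannot roll the counter back
        self.store.data["failures"] = failures
        self.store.data["locked_until"] = self.now() + BASE_DELAY_S * 2 ** (failures - 1)
        return self.state()

    def unlock_with_passcode(self, correct):
        return self._reset() if correct else self.state()

    def _reset(self):
        self.store.data.update(failures=0, locked_until=0.0)
        return "unlocked"

def lost_phone_timeline():
    """Five misses, a reboot, then one more try: returns the gate's answers."""
    clock = [1000.0]                                   # fake time, seconds
    store = NonVolatileStore()
    gate = FingerprintGate(store, now=lambda: clock[0])
    answers = []
    for _ in range(MAX_ATTEMPTS):
        answers.append(gate.try_fingerprint(matched=False))
        clock[0] += 3600                               # wait out the backoff window
    gate = FingerprintGate(store, now=lambda: clock[0])  # "reboot": same storage
    answers.append(gate.try_fingerprint(matched=True))   # even a real match is refused
    answers.append(gate.unlock_with_passcode(True))
    return answers
```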
Fingerprint scanner

Don't know about the International version but here in the US, my Verizon model of the Galaxy S5 does ask for your password after several failed attempts to unlock the phone with your fingerprint.
