back to article Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS

The much-hyped fingerprint scanner on Samsung’s flagship handset the Galaxy S5 can be fooled just days after the device was launched. Researchers at Germany’s Security Research Labs (SRLabs) publicised their findings in a YouTube clip. According to the narrator, the scanner was hoodwinked "under lab conditions, but is based on …

COMMENTS

This topic is closed for new posts.
  1. Charles Manning

    iSuppli estimates

    These are a bit of a joke.

    Within Apple, almost nobody knows what they pay for parts. This is super secret info. If there are more than 5 people in Apple who know what the iphone BOM cost is, I would be suprised.

    1. MacroRodent

      Re: iSuppli estimates

      The same is true in any hardware company. The details of parts supplier deals are always deep secrets, because both the competitors and competing suppliers could take advantage of them.

      1. ElReg!comments!Pierre

        Re: iSuppli estimates

        The same is true in any hardware company. The details of parts supplier deals are always deep secrets, because both the competitors and competing suppliers could take advantage of them.

        You're right, but for the wrong reasons. BOM are uncannily difficult beasts for a "real" all-encompassing tech company like Samsung. At Apple it's mostly a matter of trade secrecy, because Apple is mostly a product _designer_; for companies like Samsung (and, to a smaller extent, Moto for example) you have to factor in the fact that they actually make a lot of the parts in their devices themselves... but in different branches, branches which bill each other almost as if they were different companies. But only almost. Now factor in the cross-licensing deals that Samsung (and Apple, but to a staggeringly smaller extent, because they don't hold as much IP in the electronics or manufacturing departments) have with external manufacturing companies, most of which are not per-piece or even per-product and you may -just may- approach the complexity of the thing. And now remember all these Branches in Samsung? well, if they are remotely as retorse as Western companies they have internal "intellectual property" deals as well.

        Now I need to stop and grab a beer, because if I go on I'll need an Aspro instead and that's much less fun.

      2. Charles Manning

        Re: iSuppli estimates

        "The same is true in any hardware company. ". Nope, you are wrong.

        I've been in the embedded systems industry for 30 years, of which I worked for a year at Apple.

        Engineering is the art of compromise. Many of those compromises are things like speed vs amount of RAM, cost of FPGA vs cost of microcontroller. Engineers need this info to make good design trade-offs.

        Most companies share this information within the company so that engineers can use it in their decision making.

        Not Apple. People with very real reasons to have access to numbers, even ballpark numbers, don't get them.

  2. Anonymous Coward
    Anonymous Coward

    While the BOM cost is not accurate given that they do not know what each company is paying for components, it is still a good guide to see an approximate cost of the electronic device. When the same parts are used, the same price is used and generally all of the prices IHS uses for components would be the worst case scenario. You don't need a super accurate price to compare the component cost of two handsets; both have the same correction factor.

    1. ElReg!comments!Pierre

      both have the same correction factor

      A lot of the parts in the iPhone and the Galaxy are manufactured by Samsung.

      You're taking for granted and evident that Samsung and Apple pay the same for these parts. It may be the case, but it's not an obvious (or safe) assumption to make.

      1. Anonymous Coward
        Anonymous Coward

        Sure Apple pays Samsung to make the Ax line of processors, but the majority of Samsung phones also use a processor manufactured from another company; in the case of Samsung this would be Qualcomm.

  3. Anonymous Coward
    Anonymous Coward

    As has been proved time

    and time again, fingerprint scanners are easily fooled with a bit of ingenuity.

    Yet *still* its touted as some uber secure access system....

    Its not, never has been and in its current guise, never will be.

    Its a convienience over security battle and as most of us are lazy bastards, the former will always triumph.

    There is nothing to replace a good strong password (at the mo) but i dont want to type in a 30 CHR$ pass phrase just to check some message......

    1. Filippo Silver badge

      Biometrics...

      A password that you cannot change, and leave written everywhere you go. I can't fathom why people think it's a good idea.

      1. sorry, what?
        Stop

        Re: Biometrics...

        I think it is a case of selecting the correct biometric parameter; a retina scan would certainly be more secure since you don't tend to leave that everywhere you go. Sure, someone could grab the retina photo from your optician (if they really wanted to) or could dupe you into scanning your retina on a compromised device - with the latter dodge this is already the case with PINs and the like.

        Perhaps, at least for mobiles, an ear swipe would be good - other devices not so much :)

        Alternatively randomly (and infrequently) use double authentication, asking for a second swipe with a specified digit (or alternative eye/ear/whatever) or requiring entry of a PIN too. A bit like how supermarkets with self-scan occasionally request the re-scanning of random items from the shopping by the cashier.

        1. Alan Brown Silver badge

          Re: Biometrics...

          "A bit like how supermarkets with self-scan occasionally request the re-scanning of random items from the shopping by the cashier."

          Occasionally?

          After 6 out of 10 shops, I gave up. It was faster to use the cashier lane.

          1. Tom 13

            Re: It was faster to use the cashier lane.

            The cashier is always faster processing a checkout. It's only the queue time to get to the cashier that can make self-checkout faster.

            I only use them when I have a handful of items and usually don't have a problem with needing to rescan something. BUT, I do pay close attention to the voice instructions it gives me and wait for the next prompt. If you get ahead of the automated process it all goes to hell.

            On the rare occasion my roommate is with me, she does not do that. She tries to scan multiple items or bag them or scan the next item before the weight for the previous item has registered. Always ends in disaster. Because the cashier lane doesn't have the same restrictions, they can do those things (especially scanning 1 carton of diet coke 4 or 5 times instead of each one individually).

          2. Stuart Castle Silver badge

            Re: Biometrics...

            I'd say the same. I use self service tills regularly and have never been asked to re-scan a barcode.

            1. Anonymous Coward
              Anonymous Coward

              Re: Biometrics...

              "I'd say the same. I use self service tills regularly and have never been asked to re-scan a barcode."

              It's not self-service tills, it's self-scan where you have a barcode reader you carry around with you. A sort of "scan as you shop", assuming you have bags in your trolley.

              Security wise, they ask you to re-scan it every so often. If your re-scan is deemed to match your initial scan, you won't be asked again for a while. So to the "6 out of 10" person, I suspect you've been carelessly scanning. Scatty friend of mine was eventually barred from the system for continuously messing up :-D

      2. MrXavia

        Re: Biometrics...

        Exactly, and they are using it for ePassport gates?

        Sure IRIS was not perfect, BUT its much harder to fake at border control (i.e. you can't just stick a fake iris on your eyeball like you can a fake fingerprint).. the technology needed some updating, to avoid the need for multiple cameras at different heights which often had the wrong one activated I noticed.... Surely some form of eye tracking technology as you walked into the gate, with a high magnification lens would allow the eye to be scanned at a distance...

        1. Annihilator
          Boffin

          Re: Biometrics...

          "Sure IRIS was not perfect, BUT its much harder to fake at border control (i.e. you can't just stick a fake iris on your eyeball like you can a fake fingerprint)"

          IRIS wasn't retina scanning though. You're correct, retinal scanning is very hard to fake given it's an image of the back of your eye, but also less user-friendly to use.

          It's relatively trivial to fake an iris scan though - coloured contact lenses effectively have a fake iris on them. Commercial scanners are even fooled by a high quality photograph being held up to them.

        2. Zacherynuk

          Re: Biometrics...

          Not quite exactly. That's a username not a password... For user names, fingerprints are dandy.

          Are we ever asked for a password at border control ?

          101:

          Something YOU have and something YOU know

          1. danbi

            Re: Biometrics...

            "Something YOU have and something YOU know"

            ... AND something you ARE.

            We are not yet quite there with mobile devices, but soon...

      3. Pookietoo

        Re: Biometrics...

        People can't just look over your shoulder to copy it, they have to exercise more ingenuity than the average criminal is capable of to exploit it. I'm surprised nobody has developed a method of scanning and 3D printing to produce fake fingers ... oh look, they did already (PDF).

      4. ElReg!comments!Pierre

        Re: Biometrics...

        A password that you cannot change, and leave written everywhere you go. I can't fathom why people think it's a good idea.

        I have 2 reasons for you:

        -It takes days to counterfeit for a team dedicated to the task with expensive hardware, a dedicated lab and specialized skills. Most passwords can be cracked in a matter of minutes by a script kiddie with a 200 bucks laptop from eBay.

        -you can't possibly forget it. Most "hard-to-guess" passwords end up written on a post-it, which is demonstrably worst than holding them at your fingertips (litterally). And most of them aren't hard to guess at all anyway, cue the obligatory xkcd reference: http://xkcd.com/936/

        1. Anonymous Coward
          Anonymous Coward

          Re: Biometrics...

          Consider a password something like gQ9#dL consisting of 6 randomly chosen symbols from a set of 64, none the same, something most people could learn with reasonable effort.

          Is it safe from someone who has the hash and a few minutes to compute and test? Certainly not.

          Is it safe from someone who has three or four chances to enter it correctly before the entry device locks? Very likely so.

    2. JDX Gold badge

      Re: As has been proved time

      Hopefully the time it takes someone to do this is longer than the time it takes to report your phone stolen and have it deactivated.

      1. Psyx

        Re: As has been proved time

        Exactly. It's a concerted effort, beyond the ken of most drug-addled thieves. By the time they get it to someone who can do it, the owner has hopefully realised it's gone and had it locked down or tracked.

        Security is never 100% foolproof in stopping people getting in. The point is to slow people down enough that they are likely to be noticed.

    3. ElReg!comments!Pierre

      Re: As has been proved time

      and time again, fingerprint scanners can be fooled by a dedicated team with heavy equipment. In a lab. Set up specifically for that purpose. With previous knowledge of both the "key" and the target. Within FOUR DAYS, assuming the target did not notice their ultra-hush-hush device went missing. FOUR DAYS AGO.

      Bah humbug.

      Meanwhile, "good" passwords are cracked almost instantl by the million every single day by virtually anyone on the planet, leading to numerous kinds of frauds, costing real money.

      Kids these days.

  4. Anonymous Coward
    Anonymous Coward

    Missing on the obvious business opportunity

    Starprints!

    Fingerprints of the stars! You too could unlock your iBling/SBling with the same fingerprint as KIM KARDASHIAN. Be the envy of your Facebook Friends, be the envy of your real friends (Real friends not supplied!). Protect your most private selfies with the same built in security used by such luminaries as Paris Hilton, Scarlett Johansson and Jude Law.

    PleasenotethatshouldyoulosepossessionofyourphonetherearechancesofitbecingunlockedwithsimilarStarprint(tm)bytotherperson(s).

    1. Anonymous Coward
      Anonymous Coward

      Re: Missing on the obvious business opportunity

      Brilliant.

  5. Anonymous Coward
    Anonymous Coward

    Remind me

    Why did Samsung need to put a finger print scanner on their phone anyway? Oh yeah that is right because Apple had one...

    1. Anonymous Coward
      Anonymous Coward

      Re: Remind me

      Samsung had them on laptops before Apple had them on phones.

      That aside, by the ad-hoc standards of the Apple Fanatic, the Samsung scanner is objectively better. It took longer to crack, so it must be.

      1. Anonymous Coward
        Anonymous Coward

        Re: Remind me

        And HP/Compaq had them on their iPaq range before them.

        Notice any similarities? Who's copying who, now?

        1. Anonymous Coward
          Anonymous Coward

          Re: Remind me

          And, Motorola Atrix had a fingerprint scanner WAYYYY before iPhone did.

  6. Paw Bokenfohr

    Is this worse than the iPhone 5S fingerprint scanner?

    Not technically worse I mean, but it seems to me that it's a worse vulnerability. The iPhone sensor only allows you to unlock the phone, and to sign in to (and purchase from) the Apple stores. Sure, that's not ideal if someone's got your phone and can circumvent the fingerprint reader....

    ....but, your passcode is required when you switch the phone on (and it's likely they'll have switched it off to avoid being tracked after the theft) or after ~5 failed attempts (as the article mentions) and even if they get past it all, all they can do is buy you music and apps. Which Apple will refund you for when you report it stolen etc.

    If the Samsung one doesn't need your passcode, AND you can have infinite attempts AND you can spend real money through PayPal (and other apps?) then that seems a lot worse to me.

    1. Intractable Potsherd

      Re: Is this worse than the iPhone 5S fingerprint scanner?

      It does seem that this is a very poor implementation of fingerprint security. Even Samsung's draw-a-figure security system has a time-out (short, but, if I recall, user configurable) after five failed attempts. It is elementary to have a lockout (with an option to use another option if necessary).

      On the other aspect - one-factor authorisation for financial transactions - how silly! Even if you use PayPal's two-factor (SMS) authorisation, the message is going to go to the phone that the thief has (though could be the case with the PayPal app on any phone if security is inadequate). Personally, I never use my phone for anything to do with finance, except as the second factor of authorisation.

  7. sorry, what?
    Trollface

    Barcode anyone?

    Maybe we all need barcode tattoos at birth, say on our forearm, and then biometric scanning that detects the changes in the barcode tattoo with age?

    It's OK, I don't have a big brother.

    1. Charles 9

      Re: Barcode anyone?

      Someone at the thread about luggage beacons posited everyone getting an RFID tag like they make for pets. Embed in the back of the hand and all.

      Then again, like with the barcodes, someone's always gonna try to clone them. I think the concern is that anything man-made can be cloned, so they're trying to use something biological and thus innate.

  8. DJO Silver badge

    Lizard People?

    "We can simply deactivate the key from a lost or stolen device, and you can create a new one."

    So that would mean chopping off a finger and growing a new one with a different fingerprint, to the best of my knowledge mammals can't do that, reptiles can. Perhaps David Ike was right all along.

    1. Sir Runcible Spoon
      Coat

      Re: Lizard People?

      When I was at school I burnt the fingerprint off my left index finger by dragging it gently along a wall every day.

      It grew back. Not sure if it was exactly the same, but I presume so.

      A few months back I also managed to slice a good chunk of the flesh part of my thumb off whilst chopping veg. Again, it's still healing but I can see the fingerprint growing back in and all the lines seem to join up with the undamaged skin.

      So yes, we can grow replacement fingerprints, but they are the same as the old ones.

      1. Anonymous Coward
        Anonymous Coward

        Re: Lizard People?

        So, do you have a carer, or some other responsible person, who takes care of you? If so, they need to be sacked.

        1. Sir Runcible Spoon

          Re: Lizard People?

          "So, do you have a carer, or some other responsible person, who takes care of you? If so, they need to be sacked."

          I can't sack my wife, that's immoral. Hmm, on second thoughts...

        2. NumptyScrub

          Re: Lizard People?

          quote: "So, do you have a carer, or some other responsible person, who takes care of you? If so, they need to be sacked."

          What is this I don't even

          1. Anonymous Coward
            Anonymous Coward

            Re: Lizard People?

            It was meant to be humor in response to Sir Runcible Spoon's history of self mutilation.

            It was obviously funnier in my head.

      2. Steve Todd

        Re: Lizard People?

        You know that these systems let you register the prints from more than just one finger right?

    2. Sebastian Brosig

      Re: Lizard People?

      Maybe you're joking and your sense of humour eludes mine. Generally, I only understand it's a joke if it's actually funny.

      It's not the fingerprint that is revoked but the cryptographic key held protected by the fingerprint.

      The biometric stuidd is strictly between the owner and their S5, the Crypro key is between S5 and paypal. Simples.

      1. Sir Runcible Spoon
        Joke

        Re: Lizard People?

        "Generally, I only understand it's a joke if it's actually funny."

        Really? What about things that are a joke but aren't meant to be funny, like how our government spunks money up the wall on useless brain-dead projects with no earthly value and yet takes money away from people who can't afford to live with schemes like the bedroom tax?

        Seriously, our government is a joke, but I'm not laughing. Perhaps you should refine your sense of humour?

        1. Sebastian Brosig

          Re: Lizard People?

          What is funny? It's not to do with the seriousness of the subject matter, for me. I'm open to laughing about all sorts of serious or even tragic things if there is an ironic twist.

          Where the funniness of the lizard thing is lost is that it's based on a misunderstanding on the technical point: You don't revoke the fingerprint!

          Make a comical point about some crap policy like the bedroom tax: bring it on.

          If you're driven into rent arrears and debt because you can't afford your council house any more and there is no smaller one to move into, you may be upset about it, but it doesn't take the "funny" away.

          1. Sir Runcible Spoon

            Re: Lizard People?

            I believe the OP based his comment on a *deliberate* misunderstanding on the technical point and ran with with (you know, like with scissors).

          2. Stuart Castle Silver badge

            Re: Lizard People?

            "Where the funniness of the lizard thing is lost is that it's based on a misunderstanding on the technical point: You don't revoke the fingerprint!"

            You do realise humour is often based on a misunderstanding? See the Four candles sketch from The Two Ronnies for an example.

    3. Intractable Potsherd

      Re: Lizard People? @DJO

      I can't work out if you are being serious, but, just in case you are, I'll explain. Fingerprint readers don't store (the image of) the fingerprint. It creates a key - basically a password. Cancelling a fingerprint key and then re-enrolling the same one will create a different key (at least in a decent system - I don't know about the Samsung or Apple ones). However, as someone else mentioned, most people have more than one finger, and the centrally placed ones on phones make it easier to to use either hand, unlike the offset one on my Thinkpad which almost guarantees that most users will use the right hand ...

  9. kg4zxk

    Don't know about International model

    But here in the states my Verizon version of the S5 does prompt for password after several failed attempts.

    1. craigj

      Re: Don't know about International model

      Thats when you just reboot the handset

  10. kg4zxk

    Fingerprint scanner

    Don't know about the International version but here in the US, my Verizon model of the Galaxy S5 does ask for your password after several failed attempts to unlock the phone with your fingerprint.

  11. Anonymous Coward
    Anonymous Coward

    FIDO Fail

    What you missed to comment on is that the S5 is the first phone to incorporate / be FIDO compatible using it's flawed fingerprint reader to open itself up to a whole world of applications that assume a stronger / high-quality authentication of the the user! Doh!

  12. Tony Paulazzo

    It issued the following statement in a bid to head of a potential consumer backlash

    I think you seriously over estimate the power of a 30 second news report on BBC's Click.

    Also, most people will turn off this security features after a few hours as the drag fingerprint sensor (or the one I tried to use at least on an HP laptop), was notoriously crap unless you dragged your finger at precisely the same speed and angle as when it was learning - which probably explains the unlimited tries thing. I mean, if you're going to copy Apple, do it better not worse.

  13. Conor Turton

    Yet another crack that has almost no real world application.

    So they have to take a photo of a perfect finger print from either the digit in question or from the screen of the phone.

    Look at the screen of your phone. Tell me how many complete fingerprints you can see on it. The answer will be somewhere between zero and none because you typically use the tip of your fingers and then it gets smudged as you swipe your fingers across the screen.

    Personally I'm not worried by this.

  14. Aristotles slow and dimwitted horse

    Why so slow...

    MacGuyver would have done it in 3.

  15. Anonymous Coward
    Facepalm

    Would work fine on old BlackBerries

    All Samsung need to do is bring out a version of the S5 with no touchscreen, and the problem is largely solved.

  16. Corborg

    Double up

    Why don't they make it so you type a password in, but it reads your fingerprint as you're typing it in? Password and fingerprint aren't secure, but combined it's a little better.

    1. Semtex451
      Thumb Up

      Re: Double up

      I reckon that feature will probably be appear in a couple of years.

      But can you imagine how frustrating the beta would be?

      "Did I mistype or did it misread?"

  17. Rick Brasche

    kids these days!

    four whole days? Why back when I was a youth we'd have done this in two, with nothing more than some store shelf gelatin and some back copies of "2600"...

    But even back then, just like now, people still believe things are "secure" even when the press is open about the problems. Just like locks, only the honest crooks are deterred.

    Complacency is the second biggest security threat, next only to the criminal element itself. Never assume you're smarter or "better" than the thieves. The moment you do that, you're only defense is not being a juicy enough fruit to pick. Though with modern bot harvesting methods, simply being on the tree is enough to get nailed for a pittance (to scale) these days.

  18. unwarranted triumphalism

    Article is incorrect

    Only Apple products fail.

  19. Mussie (Ed)

    Why not use multiple factor authentication

    Finger Print

    Facial Recognition (i don’t know if it can be done but 3D facial recognition taking into account the sides of the face by turning your head)

    A voice phrase (easily recorded but useless by itself when combined with the above)

    Would make sense to me

    1. NumptyScrub

      Re: Why not use multiple factor authentication

      I employ a crack team of highly trained medical professionals to also perform blood and DNA testing, alongside the facial recognition, voice analysis, fingerprint, iris and retina scanners, all feeding in to the security guard who presses the "open door" button for my volcano lair.

      Note that in this scenario, your PayPal password (or the crypto cert used by the phone to authenticate to PayPal, after it assesses the biometric data) is the "open door" button, which is still your single point of failure ^^;

      Much like placing a 50cm thick steel door with multiple locking mechanisms on a vault whose walls are made of brick; any smart criminal will go for the weakest link, so you need to make that highly secure door the weakest link.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why not use multiple factor authentication

      Lost the digit.

      Got acid splashed on the face.

      Have a cold that left me with laryngitis.

      Yes, I'm that accident-prone

  20. Anonymous Coward
    Anonymous Coward

    Re, HP sensors

    I have four of these here, can someone think of a use?

    For anything "fun" like a linear radiation sensor it would require reading back the raw data somehow.

    Answers on a postcard to +4940978814931979089

    (remove '9" to message)

  21. FreeBSD

    Give Samsung a Break

    "Most notably, the Touch ID fingerprint scanner on Apple’s iPhone 5S was hacked by Chaos Computer Club just 48 hours after its launch last September, using a similar method to SRLabs."

    Well Samsung achieved a 100% improvement over Apple. What's wrong with that?

  22. Mookster
    Paris Hilton

    Most fingerprint scanners have this problem - that's why they're only used under supervision e.g. border control.

    Paris, cos she likes unsupervised fingering

This topic is closed for new posts.

Other stories you might like