Any finger will do? Samsung Galaxy S10 with a screen protector reportedly easy to fool

Samsung is investigating a critical issue with its Galaxy S10 and Note 10 smartphones after reports that it fails to discriminate between different fingerprints if a screen protector is fitted. The Galaxy S10 features what Samsung calls "a revolutionary new biometric authentication feature... an in-display fingerprint sensor …

  1. TechnicalBen Silver badge

    Smudges?

    Possible the smudges left behind are an imprint and thus a match? Whereas on glass only it's wiped off on each attempt. If the protector is put over some grease/hand creme imprint of the ... um, print, then it's forever there to be reused.

    1. DougS Silver badge

      Re: Smudges?

      If it is "ultrasonic" the smudges shouldn't matter, and those smudges would be replaced by other smudges when someone else touched it so even if that was it it would only work once. I'm sure the article would have mentioned if it was a one shot deal.

      My guess is that she trained it with her "fingerprint" with the screen protector on, so basically a flat thumb without any ridges at all has been registered for her. That would explain why anyone else can open it - I'll bet the handle of a broom could open it in that case.

      Not sure how Samsung thinks they can fix this via software, that's the limitation of using ultrasonics is that sound moves differently through different materials. A "gel" screen cover is going to be too similar to human flesh for there to be any way to distinguish. The only solution will be a warning to not use a gel type cover.

      1. TechnicalBen Silver badge

        Re: Smudges?

        Yeah. I guess that's the more possible/plausible option. That it allows registration of a "flat" fingerprint is both a security risk, but thankfully, also hopefully an easy fix.

        1. DougS Silver badge

          Re: Smudges?

          They can avoid registration of a 'flat' fingerprint, but instead of having everyone able to unlock their phones no one will be able to unlock their phones if they are using a screen cover. I guess it is secure, but then might as well not have a fingerprint sensor as far as all those people who use screen covers are concerned.

          Not sure why they abandoned the rear fingerprint unlock, other than everyone was talking about an under-display sensor and Samsung didn't want to seem behind the Chinese companies (even though they are probably using the same Qualcomm solution Samsung is) I think a rear sensor would be less convenient but it is better than a partially functional front sensor.

          1. Dave 126 Silver badge

            Re: Smudges?

            Shame that on the S8 the rear fingerprint sensor was right next to the camera. Still, even without finger grease, the camera lens benefits from being wiped clean of dust with my shirt every so often. Camera lens still unscratched, but bizarrely the metal bezel around it is starting to lose its black coating. No complaints in practice.

            The side-mounted fingerprint sensor on the S10 E sounds good, but I've not tried it in practice. Sony had fingerprint sensors mounted on the power buttons on some models, strangely disabled in some territories due to some patent dispute.

  2. Andy Non Silver badge
    Thumb Down

    Not pointing a finger but

    "Vault-like security"

    Must be a thumb down, quite literally.

    1. the Jim bloke Silver badge
      Thumb Up

      Re: Not pointing a finger but

      It IS vault like security - it is as secure as any other vault that has its door open and swinging in the breeze...

  3. andy 103
    Boffin

    The concept is already flawed

    That's very worrying but one explanation I can think of is this. On the video where they demonstrate the issue his wife first unlocks the phone. It's possible that there's a grease outline (not suggesting she has dirty hands, but you get the point!) which would affect it. So he is essentially pressing a copy of her fingerprint on to the sensor.

    Of course that shouldn't work but I'd be interested to see what would happen if they either cleaned the screen protector or fitted another clean version of the same one between attempts. Pretty sure that would rule out whether it is what I've suggested.

    It's alarming that people don't really understand that fingerprint or even facial recognition is simply the device saying "yes" or "no" to the question - is this the person we think it is? That yes or no is then passed to apps. People seem to think that's a problem with apps. When in fact it's all down to what answer the device gives to that question. Which can then go on to have a whole load of implications.

  4. David Gosnell

    In other words....

    Samsung blamed the screen protector until they realised that the same (obviously) happened with their own, not being endowed with magical qualities. What's the betting you could unlock such a phone with a pork chipolata, keeping it clean?

    1. Anonymous Coward

      Re: In other words....

      Looking at it another way, Samsung admitted their phones could be completely compromised with the aid of a simple screen protector.

      1. This post has been deleted by its author

        1. Wayland Bronze badge

          Re: In other words....

          When you register the 'finger print' you are just registering the pattern produced by the screen protector not the finger. Any finger will do because it's only scanning the same screen protector once again.

    2. Flocke Kroes Silver badge

      Re: Technology distinguishable from magic

      The magical property of Samsung's screen protectors is some goo that fills the air gap between the sensor and the screen protector. Ultrasound can pass through the goo and the screen protector to reach a thumb/finger. With an air-gap, the ultrasound will reflect off the screen protector and the sensor will register a flat surface. The obvious software fix is not to allow people with adermatoglyphia to unlock their phones.

      1. Benson's Cycle

        Re: Technology distinguishable from magic

        AFAIK all screen protectors have something soft between them and the surface that fills any gaps. It's why air bubbles are so obvious.

  5. DonL

    The sensor essentially has to "see" through the screen protector, making it essential that the screen protector is optimized for this. So when someone isn't using an authorized (tested) screen protector, then this isn't really a surprise.

    Perhaps the update is going to rule out any "fingerprints" that are too flat?

    1. Dave 126 Silver badge

      Ultrasound will pass through the screen protector happily. What it won't do is pass through a boundary of materials of radically different properties, such as glass and air. You've got a sporting chance of applying a plastic screen protector without leaving an airgap, but not so a glass protector unless you apply a resin to the screen first.

    2. Gordon 10 Silver badge
      FAIL

      I beg to differ

      It's a major frikken surprise. And it's a giant bag of samsung fail.

      No way the addition of a protector should cause a fail to an unlocked state. It should fail to a locked state.

      The flaw here is not the hardware, it's the software that was coded to fail to unlocked. And that's a massive fail for a piece of code dealing with security.

      It's like your front door opening when you stick a lolly stick in the lock.

      1. Dan 55 Silver badge

        Re: I beg to differ

        It's a major frikken surprise. And it's a giant bag of samsung fail.

        Is there another size bag of Samsung fail?

      2. Muscleguy Silver badge

        Re: I beg to differ

        I once got back in the house after closing the front door in the wrong trousers using a metal card scraper on the Yale lock. The film credit card did not work. Locks in films must be new and very well lubed.

        I did have to use a chisel to pry a gap in the piece of wood there to prevent this AND tap the scraper with a hammer to make it work though.

        New door is metal frame into metal frame multipoint locking but needs a key to lock it when leaving. You may have noticed the police these days use the ram to go through the centre panels instead of trying to bust the locks.

        BTW none of the neighbours did anything but then the sight of me doing some sort of diy is not usual either. The door also had a separate deadlock which got locked when leaving.

    3. gnasher729 Silver badge

      "So when someone isn't using an authorized (tested) screen protector, then this isn't really a surprise."

      So when your phone gets stolen, the thief uses an unauthorised screen protector to get access that is also not a real surprise?

  6. Kieran 2

    Presumably the screen protector had a bubble when the fingerprint was registered in the first place, so the "recorded" fingerprint was detail-free and should have been rejected.

  7. Stevie Silver badge

    or that it too much distorts the ultrasonic image

    Remove the screen protector you must if to use security feature you want.

  8. Anonymous Coward

    Oh dear!

    Samsung's policy of letting their early adopters do their basic testing for them has been exposed once again.

    Last time it was bendy screens which broke after a handful of flexes, now it's a security flaw that leaves users' data wide open to anyone that might pinch their phone.

    Not good. Not good at all!

    1. LeahroyNake Silver badge

      Re: Oh dear!

      Yes a few bends if you get some crumbs behind the hinge or trying to remove what obviously looked like a screen protector.

      I can't remember if ElReg managed to break one?

  9. Dave 126 Silver badge

    S10 E

    The lower priced model in the S10 range, the E, always seemed like the one to get. I swear by tempered glass screen protectors on my S8, but they are generally incompatible with an ultrasonic sensor due to the inevitable air gap. The S10 E has a traditional fingerprint sensor mounted on the side of the phone.

    There is a company that fits tempered glass screen protectors to S9 / S10 phones with ultrasonic fingerprint sensors, but they charge a lot of money for it. Their trick is to use a resin to ensure there is no air gap twixt screen and protector, just as medics use a gel between an ultrasound sensor and a baby bump. It may be that someone has posted instructions online to do this in a DIY fashion, but I haven't yet found any.

  10. DougS Silver badge

    No way this is limited to just Samsung

    They are using Qualcomm's ultrasonic fingerprint scanner, so pretty sure every Android phone with under screen fingerprint reading is vulnerable to the same issue. Maybe Huawei designed their own, but if it is ultrasonic it is going to suffer the same problems - a gel screen cover and human skin are almost identical in how they react to sound waves so there's no way for the sensor to distinguish them.

    1. Gordon 10 Silver badge

      Re: No way this is limited to just Samsung

      The hardware invites the same risk. The risk only materialises if Qualcomm not Sammy wrote the code that responds to the hardware wrongly. If Huawei do a separate implementation then they have a 50/50 chance of not being impacted. Rising to a 100% if they have proper code reviews and think about default error states.

      1. DougS Silver badge

        Re: No way this is limited to just Samsung

        The only thing they can avoid in code is registering a 'flat' print because the gel cover was your fingerprint. If you register your actual fingerprint without the cover then it will only unlock without the cover. And who knows how the various types/thicknesses of covers are affected?

        It wouldn't be a problem for me if Apple had this since I don't use a case, let alone a cover, but many people do and all phone makers need to allow for that possibility. Having a fingerprint unlock that only works properly without a cover is not a good solution. How they didn't catch this in testing I have no idea, I suppose people don't buy cases/covers for phones when they are beta testing!

        1. Anonymous Coward Silver badge

          Re: No way this is limited to just Samsung

          I'm not sure how you would buy a case/cover for an unreleased phone? Buy a bigger one and cut it to fit maybe?

          1. DougS Silver badge

            Re: No way this is limited to just Samsung

            Unless it is a very different form factor it shouldn't matter if it isn't a 100% perfect fit. And surely a company as large as Samsung has the resources to make their own screen protector if they have to!

  11. Simon 15

    Simple solution

    Just set a pin code, they've been used for decades without such problems. Is it really that onerous for snowflakes to remember a four digit number? Biometrics always prove to be either unreliable, inaccurate or insecure.

    1. Foxglove

      Re: Simple solution

      I'm not sure snowflake means what you think it means. But leaving that aside, if a major manufacturer sells a feature as secure most people will believe it.

      El Reg readers not so much.

      So I think it's a little harsh to blame the users.

      I do agree with you about biometric security, I use (what I believe to be) a fiendishly difficult unlock pattern. It surprised me how complicated I was able to make it.

      1. Wayland Bronze badge

        Re: Simple solution

        Snowflake in this context means young person who never had a phone without a fingerprint reader and thinks Steve Jobs invented the Internet way back in 2009.

    2. Mike007

      Re: Simple solution

      When he unlocked his phone his finger went top right, middle, top right, bottom right... OK, I now know his PIN. Probably the same one as his bank card.

      Fingerprint scanners were to get around the fact that you can probably assume that your entire family have the ability to order themselves a Christmas present...

    3. Intractable Potsherd Silver badge

      Re: Simple solution

      *Four* digits?? I use more than that, so I assumed everyone else does - naïve, I know...

  12. Borg.King

    Have you asked Apple if 'protected' fingerprints fail for them too?

    I'm sure they're jumping up and down with glee in Cupertino. Perhaps El Reg should ask them if they would like to decline to comment.

  13. Anonymous Coward

    and then there is the Pixel 4

    You can unlock it even if your eyes are shut.

    https://www.bbc.co.uk/news/technology-50085630

    I'm sure that if either of these cases had been on an iPhone we'd be hearing about the class actions already.

    Guess who has ALL the money!

  14. RichUK

    Graham Cluley did a piece on it (which is in line with the screen protector posts above): https://link.grahamcluley.com/l/Fku892rtaF4c1FFL2OOBPiOQ/sBYbWSfMYyV892F3kfHUaGQg/sQgiT9RXOZfUVgU6DXBaIw

  15. low_resolution_foxxes

    Ugh I just had a Samsung work phone thrust on me, it's embarrassing trying to remove all the crapware off these pieces of crap. Facebook AND Instagram? Force loaded on a commercial work phone with no ability to delete? A-holes.

    Back to Huawei if possible.

    1. Dave 126 Silver badge

      Your workplace did give you a 'commercial work phone', as you put it. Likely because it has Samsung Knox on it, allowing them to manage work apps and data without interfering with your personal apps and data, should they choose.

      Samsung Knox predates Android Enterprise, which offers some of the same functionality to corporate customers on handsets from many vendors. However, Huawei aren't included in the Google Enterprise program. Funny that.

      Don't log into Facebook. Go to Settings, Apps, disable it. All you'll have lost is 100MB of storage space and a minute of your time. I appreciate preloaded apps are offensive on principle, but are insignificant compared to other factors.

  16. Ian Joyner Bronze badge

    Marketing over technology

    Yet again marketing wins over technology at Samsung and a 'revolutionary' technology is raced to market without sufficient testing.

  17. Anonymous Coward

    Next

    Ultra vault like security:

    - fingerprints

    - iris scan

    - blood test

    - DNA swab

    - Scan your first born child (fur baby if no issue)

    - Pray to TFSM

  18. canthinkofagoodname
    Thumb Up

    What's the match-score threshold?

    Most fingerprint scanners (capacitive, optical etc.) still operate on match scoring based on the fingerprint and stored match points from initial enrollment of the users print. Maybe Ultra-sonic scanning uses a different comparison method, but if not it sounds like the score threshold was too low, or the initial enrollment allowed for a data set small enough that more than one print could successfully authenticate.

    Either way, bravo to Mrs Neilson for the find :)

  19. Damo t

    No issue

    Since I read about the issue yesterday I have tried without success to replicate the 'any fingerprint unlock' method.

    Don't know what the original finder did but my Note10 seems to know the difference between mine and others' finger and thumbprints both with and without a protector....

  20. James 51 Silver badge

    Never enabled biometric security features on any of my equipment. They are usernames, not passwords and if you can fool the system to give you the username you want there's no password to stop you.

    1. Anonymous Coward Silver badge
      Paris Hilton

      It's a convenience feature. Much like browsers remembering passwords.

      As long as you understand the risks associated with it, it's a trade-off many choose to make.

      But then there are a lot of users who simply don't understand and trust it with anything, assuming the device will magically know whether they want it to do something or not.

    2. Wayland Bronze badge

      A fingerprint is your ID you cannot change and which you leave copies of on everything you touch. Not a good choice for your secret password.

  21. Wayland Bronze badge

    It's not detecting a fingerprint

    It's detecting the screen protector each time a finger is placed on the sensitive area. Since it's the same screen protector it scanned when it was set then of course it matches.

  22. j.bourne
    Paris Hilton

    A patch soon - If we can figure out how to fix this in software

    They haven't got a clue how to fix it, or even if it can be fixed have they? 'Issuing a patch soon' is one of those wishful marketing phrases. Meanwhile there's some smartypants developer laughing his head off in a back office somewhere repeatedly saying 'I told them so..' to anyone within range.

  23. joshimitsu

    I still have the original glass screen protector from when my phone was shipped 6 months ago, so my registration and verification was probably fine. But I've disabled fingerprint login for now just in case ...

  24. ter63

    I suspect they'll now revert to the software version on launch that everyone complained was too hard to unlock. I love my S10 with the one exception of the fingerprint sensor. I was very happy with the one on the back which was extremely reliable and feel the S10's was a big step backwards.

  25. Maximum Delfango
    Facepalm

    Somehow this feels typical Samsung...

    They never really get the technology and software right do they?
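
Several comments in this thread (DonL, Kieran 2, Gordon 10, canthinkofagoodname) point at the same two controls: reject a detail-free scan at enrollment, and fail to a locked state at verification. The sketch below is an added example, not part of any comment and not Samsung's or Qualcomm's code; the sensor model, the ridge profiles and both thresholds are assumptions constructed for illustration.

```python
from statistics import pstdev

# All values below are constructed for illustration; this is a toy model,
# not Samsung's or Qualcomm's matcher.
MATCH_THRESHOLD = 0.90  # assumed similarity score needed to unlock
MIN_CONTRAST = 0.15     # assumed minimum ridge/valley spread of a usable scan

def finger(period, n=64):
    """Constructed ridge profile: 1.0 = ridge, 0.0 = valley."""
    return [1.0 if i % period < period // 2 else 0.0 for i in range(n)]

def scan(ridges, air_gap):
    """Toy sensor: across an air gap the echo comes from the protector,
    so the reading is the same near-flat pattern for every finger."""
    if air_gap:
        return [0.5 + 0.01 * (i % 2) for i in range(len(ridges))]
    return list(ridges)

def similarity(a, b):
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def enroll_naive(sample):
    return sample  # stores whatever the sensor returned

def verify_naive(template, probe):
    return similarity(template, probe) >= MATCH_THRESHOLD

def enroll_gated(sample):
    # Quality gate: refuse a scan with no ridge detail.
    if pstdev(sample) < MIN_CONTRAST:
        raise ValueError("scan too flat to enroll")
    return sample

def verify_gated(template, probe):
    # Fail closed: a featureless template or probe never unlocks.
    if pstdev(template) < MIN_CONTRAST or pstdev(probe) < MIN_CONTRAST:
        return False
    return similarity(template, probe) >= MATCH_THRESHOLD

def demo():
    owner, stranger = finger(4), finger(6)
    flat = enroll_naive(scan(owner, air_gap=True))
    good = enroll_gated(scan(owner, air_gap=False))
    try:
        enroll_gated(scan(owner, air_gap=True))
        gate_rejected = False
    except ValueError:
        gate_rejected = True
    return {
        "naive_stranger_through_gap": verify_naive(flat, scan(stranger, True)),
        "gate_rejects_flat_enrollment": gate_rejected,
        "gated_flat_template_locked": verify_gated(flat, scan(stranger, True)),
        "gated_owner_bare_screen": verify_gated(good, scan(owner, False)),
        "gated_stranger_bare_screen": verify_gated(good, scan(stranger, False)),
        "gated_owner_through_gap": verify_gated(good, scan(owner, True)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last result is the trade-off DougS describes: with the gate in place the owner is locked out through an air-gapped protector, which is the fail-closed outcome rather than the fail-open one.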


Biting the hand that feeds IT © 1998–2019