Samsung’s Galaxy S5 falls to the same fingerprint hack as the iPhone 5S
The fingerprint sensor in the Samsung Galaxy S5 has been spoofed with a fake fingerprint made of wood glue.
Announced shortly after the phone hit the market, the circumstances of this latest hack are almost identical to those of the iPhone 5S hack last year.
As shown in a video from SRLabs, a finger is enrolled on the device, which is then unlocked with the dummy print. In addition to unlocking the phone, the same dummy fingerprint was used to access a PayPal wallet and show that money could even be transferred using the fake print.
SRLabs is a Berlin-based security research and consulting think tank.
As BiometricUpdate.com reported last year, the German hacker collective Chaos Computer Club claimed that it had spoofed the iPhone’s Touch ID sensor shortly after the phone’s launch and posted a similar video showing the spoof and explaining how it was done.
Though both the S5 and the 5S are easily fooled with dummy fingerprints, there are a few differences in how each phone treats its embedded sensor. On the iPhone, once it’s turned off, a fingerprint alone can’t unlock the device – it requires a password input. On the S5, a fingerprint is all you need.
The iPhone’s Touch ID sensor can only be used to unlock the device or to authorize iTunes purchases. Samsung’s device uses the sensor to perform unlocks and also to make purchases and transfers through PayPal.
In a statement to Business Insider, a PayPal spokesperson acknowledged the spoof, but said the company was still confident in the security of the fingerprint sensor.
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards,” the statement reads. “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”
While Apple validated the convenience of fingerprint authentication on mobile devices, the spoof of the iPhone 5S should have sent a signal to other device manufacturers that while providing users with convenient authentication, the current level of security is vulnerable to spoofing. The layers of security for unlocking mobile devices and their applications need to be stronger to properly meet the needs of users, and facilitators of mobile commerce and BYOD policies. Now that the two largest distributors of mobile devices in the world have had their solutions spoofed, they will hopefully add liveness detection solutions to mitigate this vulnerability and thereby instil confidence in the use of mobile device fingerprint authentication.