Hack of Samsung Galaxy S10 ultrasonic fingerprint sensor suggests no liveness detection
The ultrasonic biometric fingerprint scanner on a Samsung Galaxy S10 has been hacked with a 3D-printed copy of the phone owner’s thumbprint taken from a photograph of a latent print on a wine glass, Forbes reports. A security researcher going by the handle darkshark on Imgur says the technique could be replicated to steal latent prints from a distance and break into a stolen smartphone, as well as biometrically-secured accounts.
The researcher used the photograph to create an alpha mask in Photoshop, and then rendered it into 3D using 3ds Max software. The fake print was printed in 13 minutes with an AnyCubic Photon LCD resin printer with 10-micron accuracy. It took three attempts to set the correct ridge height and produce a fake that consistently opens the flagship Samsung smartphone.
The ultrasonic sensor is supposed to detect liveness by sensing blood flow, which darkshark points out seems not to be the case, perhaps due to changes made when Samsung updated the software for the in-display sensor to deal with performance issues a few weeks ago. The face authentication system of the Samsung Galaxy S10 has also been criticized as too easy to hack after images from the web or of siblings were found to unlock the device.
“The whole biometric authentication movement at consumer level of electronics is never going to be very secure,” Ian Thornton-Trump, head of cybersecurity at AmTrust Europe, told Forbes. “I’m not a fan of facial recognition, voice recognition or fingerprint authentication but consumers are and that’s not a bad thing.”
The same researcher said in a Reddit thread that the ultrasonic scanner is probably safer than other sensor types, and noted that some optical sensors can be spoofed with a paper printout.