Sophos Cloud Optix
When Samsung unveiled the latest in its Galaxy series of Android smartphones, gadget reviewers focused on the Galaxy S5’s fingerprint scanner, a feature that the rival iPhone 5s has done much to popularize.
Samsung’s positive buzz over the Galaxy S5 didn’t last long – security researchers from SRLabs soon posted a video on YouTube demonstrating how they were able to trick the scanner with a fake fingerprint made of wood glue.
Indeed, the same approach allowed a similar and well-publicised hack of the iPhone 5s Touch ID last year, the researchers from SRLabs said in their video.
To use SRLabs’s fake fingerprint, an attacker simply places the wood glue replica over the tip of his finger and swipes as usual over the scanner, which is embedded in the Galaxy S5’s home button.
The wood glue is poured into a mold made out of a laser printout created from a photo of the victim’s fingerprint.
With the right image contrast and printer settings, the buildup of toner on the printout creates a 3D representation of the fingerprint that is accurate enough to “cast” a replica that will fool the phone.
According to the researchers, a latent fingerprint left behind by the owner on a stolen phone can be snapped with another phone’s camera, giving an image of sufficient quality to print out a usable mold.
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” one of the researchers said in the video.
What’s worse, Samsung’s implementation is even less secure than Touch ID that Apple unveiled in September 2013, which is ironic given the former Samsung CEO’s contention that “beating Apple is no longer merely an objective, [but] our survival strategy.”
SRLabs claimed in its video:
Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password.
It’s not just Samsung that has egg on its screen due to the ease of the Galaxy S5‘s fingerprint scanner hack – electronic payments company PayPal partnered with Samsung to make the PayPal app accessible “with the swipe of a finger,” as Samsung boasted on its website.
PayPal responded to the video in a statement:
PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.
The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.
PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy.
Is a fingerprint more secure than a password?
The fingerprint scanner is not a new concept – think back to laptops that offered the supposed convenience of a fingerprint scanner instead of typing a password.
But Apple and Samsung have fine-tuned fingerprint authentication to the point that it’s super-fast and simple – just what smartphone users want.
If we ignore the speed and convenience, however, is this kind of biometric technology really more secure than passwords, as Apple and Samsung claim?
Security folks often talk about the limitations of passwords.
People can’t be relied upon to use hard-to-guess, unique passwords, and also leave their passwords written down to remember them.
Worse still, even passwords you might have relied on a service provider to store securely for you can be stolen and recovered electronically due to data breaches.
Yet stealing fingerprints is pretty easy – we leave our prints on almost anything we touch.
What’s especially inconvenient about fingerprint authentication is that we’re pretty much stuck with the fingerprints we have.
If someone steals a photo of your fingerprint to use for identity theft, you can’t change it like you can your password.
In fact, in the SRLabs video showing the Galaxy S5 being tricked, the researchers say that the wood glue replica they used was left over from last October when they were having a crack at the iPhone 5s.
Given these well-known drawbacks, one wonders why Samsung and Apple went through such enormous expense to add this flawed technology to their “phones of the future”?
“Something you know, something you have, something you are. Pick two.”
Seems to me that phones should use the almost instant fingerprint scanner PLUS the short PIN. This combination should be more secure than a longish password, and harder to forge. Do Samsung and Apple support this mode?
Not sure about iOS, but I don’t think so. I think the whole idea of the swipe-to-enter is to obviate the need for any and all typing.
Yes there is a password requirement after a number of failed requirements on iPhone 5s as well as after a reboot. This proves that Apple also understands that the passcode is more secure.
The whole point of swipe-to-enter is that it is more convenient.
If your phone gets stolen, you can remotely wipe it or, at the very least, lock it – and guess what ? You can only unlock it with your passcode…
Let me be cynical here: this is the current state of the art. Smartphone longevity is what ? 2 years or so… By then, I’m sure there will be other technologies. In the mean time, until there’s evidence that people are actively harvesting fingerprints and molding them, I’m not worried.
BTW, if it was such a bad idea, why would Samsung be copying Apple (yet again). I’m only half-surprised their implementation is actually worse.
IIRC, Apple’s system also inhibits the use of a swipe after 48 hours of unsuccessful login-by-swiping (whether you have tried or not).
As for the system being “good enough” until fingerprint harvesting becomes a well-known activity amongst cybercrooks…I get your point, and it’s a fair one (a sort of risk-benefit analysis).
But there’s still that question, “Is this fingerprint stuff really so much *better*, or is it just *quicker*, and thus a compromise for people who would otherwise take no precautions at all?”
Indeed, there’s also the 48-hour timeout.
And yes, I do think the fingerprint stuff is so much better. My phone auto-locks every minute (I am security-minded after all ;-)) and I need to unlock my phone 10s of times a day – my Company enforces a 6-digit passcode minimum so time saved alone is a huge plus.
The fingerprint also currently can replace the iTunes / App store password (which is a pain to type on a smartphone) – I’m sure they’re will be other applications in the future. For the paranoid, you can disable Touch ID for unlocking but keep it for your iTunes password.
I have a personal (5) and a company iphone (5s) – once you’re used to the convenience of Touch ID, it’s a pain to go back.
….. like the morning-after pill.
I think the crucial point here is pragmatic security in the real world.
Substantial proportion of people use no security at all – no PIN, no password, no dot-lock … nothing.
A theoretically imperfect fingerprint reader that is quick enough to use so people actually use it is a major increase in security – even if there is some obscure myth-buster style hack that might someday be used in the real world. … i.e. the fingerprint reader is flawed but better than the alternative – no security at all.
It might also be better in the real world than a PIN that everyone just looks at as you enter it or a dot lock that leaves greasy residual smears on the screen.
Passwords are better, in my opinion. But am I really going to have a PHOTO of the victim’s fingerprint on hand? And even if so, then go through the trouble of making it to get into their phone? If they’re dumb enough to allow me to get a photo of their fingerprint, they don’t have anything worth stealing.
“The wood glue is poured into a mold made out of a laser printout created from a photo of the victims’s [sic] fingerprint.”
“Victims’s” – now THAT’S a Grocer’s Apostrophe! (Fixed, thanks.)
As for whether you might have a photo of the victim’s [sic] fingerprint on hand (groan)…check the article, and also take a look at the Chaos Computer Club article linked to above.
(A 15-second version is here: http://nakedsecurity.sophos.com/2013/09/28/copying-fingerprints-firefox-trusted-facebook-not-yahoo-recycles-60-sec-security-video/)
Thing is, if your phone is lost or stolen, a crook may be able to acquire sufficiently accurate photo *off the glass of the phone itself*.
The hackers in this article claim that even a mobile phone camera may produce a good enough image, though they admitted their wood-glue print was made “under lab conditions.”
What happens if you accidentally cut your finger tip and you can’t use it for a while? And you get a permanent scar on your finger?
That’s why I won’t use it.
First, you can retrain the sensor… I’m pretty sure it’ll accept a scarred finger.
Second, you can disable the feature at any time (and it falls back to passcode in a number of scenarios too).
It’s a convenience if you choose to enable it – you’re not being locked into anything.
On the iPhone, you always have the option to type the passcode instead, so even if you are unfortunate enough to lose both hands (or, at least, all the fingers you enrolled in Touch ID), the device can still be unlocked, and you can retrain or remove and re-enroll fingers should their biometrics change enough to affect recognition. You can also enroll up to 5 fingers, so worthwhile doing at least one from each hand.
I believe that all the paranoia about the use of Touch-ID is a little bit overblown.
Yes, someone may copy your fingerprint and use it to unlock your phone. Or they might just coerce you to swipe your finger on the sensor to unlock the phone, in which case the use of a password (even a complex one) is no mor secure – if someone forces you to type or disclose your password by use of threats or force, you will comply. At least I would – I’m sorry, but even my most private personal data or even any data from my employer (emails, etc) which might reside on my device are not valuable enough to put my health or life at risk protecting them.
If you ask me – and you haven’t, but I’ll tell you anyway 😉 I would be much more worried about other potential uses of these methods for copying fingerprints than unlocking phones. What about framing people for crimes by artificially leaving their copied fingerprints on crime scenes? Or forging any official documents (including forms of ID) that include or rely on the use of fingerprints?
I think that unlocking my phone is the least interesting thing someone could do with my fingerprints to screw me over, even if they would go for a shopping spree on the App Store…
There isn’t any “paranoia.” Just a reminder that if someone steals your S5 and it’s locked with a fingerprint, you might want to consider that _less_ secure (not more secure, as a lot of marketing material indeed seems to imply) than if it were locked with a decent passphrase. That is all. In short: “biometric is not necessarily better.”
Note also that this hack doesn’t so much copy your fingerprints as create an articifical fingerprint good enough to fool the sensor in the phone, so it’s not a generic “fingerprint hack.” (I think you might struggle to get through US immigration with wood-glue replicas, for example 🙂
I think the main confusion between Samsung/Apple marketing and what you find on security-minded blogs is over what is being discussed with regards to “more secure”. I think everyone agrees that a twelve-character passcode is more secure than a four-digit PIN, which is debatably more secure than a fingerprint. However, everyone actually using the fingerprint and keeping their phone’s contents encrypted is more secure than people not using auto-lock on their phone because typing in a decently secure passcode takes too long and smartphones are all about convenience.
Maybe the fingerprint scanner should be paired up with face recognition — if the fingerprint matches, the camera turns on and snaps a photo of the person’s face (with the option for PIN instead, for people who don’t want their photo taken for any reason), and if there’s a reasonable enough match, the phone unlocks.
This would still be pretty quick, not involve broadcasting your PIN to anyone who is shoulder surfing, use two factors (even if they’re both something you have) and raise the bar on information needed for a phone thief to break into your phone — they’d need to take a picture of you, then take a picture of a decent latent print, OR figure out your password.
I have to admit, just as an experiment, one day on the train I decided to see how many phone dotcodes and pins I could notice from a single stationary position — the result was that six (two dotcodes, four PINs). Nobody used a decent-length passcode, there was one PIN I was unable to notice, three phones with no lock and two people used prints. Yes, that’s a total of nine smart devices within my field of vision that were unlocked at least once during my train ride.
The point to that anecdote is that while in principle, a passcode is more secure, in practice, people appear to use the easier PIN lock, which isn’t secure at all if the person who’s going to take the phone happens to see you enter the code before they take it. The print scan is a definite improvement on this, as they have to actually do a bit of work to retrieve the “code” — even if the second line of defense is a PIN (that only gets entered once in a blue moon).
Though, in theory, if you steal a phone, the print you need to photograph to break in might be available on the phone body, whereas the PIN wouldn’t. So a phone stolen from a bag or a table (where the crook wouldn’t have seen you enter the PIN) might just have what that crook needs to get in…
Stormycat –
You read my mind and bring up an excellent point that I have yet to see anywhere else at all. Although this point you make about fingerprints being used for tasks that are of much graver danger.
I just need to ask the community here now that Stormycat has got me thinking……
Am I the only one that thinks its just a BIT odd that when you (in general) take a step back and look at the big picture it has basically been playing out like a poor science fiction movie. First, many mobile companies offer cell phones that act, for the most part, only as phones, In only 20 LONG years (to the general public and their tunnel vision) but 20 very very short years in the grand scheme of things the cell phones that were once just PHONES now are able to collect telephone numbers, social security numbers, credit cards numbers, passport/birth cert. info, names, addresses, family members names, etc etc etc and NOW FINGERPRINTS. Now that every bit of hard data has been collected phones now collect images of the users body parts. And anyone who says “oh my info is safe on my phone” or ” noone has access to that information”…..is totally NAIVVE or bullshitting themselves or both.
I dont tend to bore myself with conspiracy theories and their cult like following but just the cold hard facts that a few worldwide corporations are slowly yet surely gaining not only every bit of personal info but also our habits/routines/schedules/temperments is pretty scary. Any thoughts.?
Everyone who blames Samsung for this is DUMB. This is entirely a software issue which means that it is an Android problem, NOT Samsung…
All it would take for a fix is an OTA update. Someone notify Android devs 🙂
The fingerprint reader is specific to the Samsung phone, along with the firmware and software to make it all work.
So I don’t see how (or why) a software update to tighten up the fingerprint matching for this particular phone could (or would) come from Google – seems like a Samsung thing to me.
hi im not looking to take any information or anything , I just need help getting into my husbands files/ camera to c y he is never home with me and his new born child, I found dating sites, and meet local ppl sites on his history now every time itry to touch his galaxy tablet he will delete the history and whatever else he does. I would just like to know the truth. And it seems tht this is the only way that I wil get it, Please somebody help me…