The fingerprint reader on Samsung’s flagship S10 and Note10 smartphones can be spoofed with a $3 screen protector.
That’s according to a British woman who claimed that after fitting the screen protector she was able to unlock her S10 using any one of her fingerprints, including ones not enrolled in the phone’s authentication system.
Then she reportedly asked her husband to try the same thing, and his thumbprints worked too, as did the same trick on her sister’s Samsung. Obviously, something was up.
She called Samsung:
“The man in customer services took control of the phone remotely and went into all the settings and finally admitted it looked like a security breach.”
The company’s initial response:
“We’re investigating this internally. We recommend all customers to use Samsung-authorised accessories, specifically designed for Samsung products.”
Then, last week in comments to Reuters, Samsung admitted the problem was real and said it would release a software patch:
“We are investigating this issue and will be deploying a software patch soon. We encourage any customers with questions or who need support downloading the latest software to contact us directly.”
South Korean online bank KakaoBank has reportedly told its customers to stop using the S10 and Note fingerprint system until the issue is fixed.
The issue of the S10 and screen protectors was first noticed when the smartphone was launched in February 2019.
Unlike older designs which use a dedicated sensor, the Qualcomm ultrasonic technology used by Samsung is embedded under the screen. It measures sound waves caused by the pressure of a user’s finger to analyse the fingerprint.
It was noticed, however, that covering the screen with a protector could in some circumstances create a minute air gap that could interfere with these sound waves – hence Samsung’s advice to use its branded screen protectors that use special adhesives that remove the possibility of that gap.
What to do
If you own an S10 or Note10, we’d recommend turning off fingerprint security and using a PIN until the promised patch becomes available.
It’s not clear whether that will arrive as an out-of-band patch or will be part of November’s Android security update.
It’s not the first time the S10’s fingerprint reader has been in the spotlight. In April we reported on the anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D-printed fingerprint.
But it could be worse – as Naked Security reported in April, the Nokia 9 PureView’s fingerprint reader was fooled by… a chewing gum packet.
All of which tells us, more than ever, that one form of identification might not be enough.