A researcher from Security Research Labs has used a pretty simple method of fingerprint spoofing to bypass the Samsung Galaxy S5’s fingerprint scanner, allowing him to sign in and control the device with a fake fingerprint. The “wood glue spoof” is made from a mold taken from a photo of a fingerprint smudge left on a smartphone screen.
While fingerprint scanners have been used in smartphones before, such as the iPhone 5s, they may not be as secure as we think. The same technique was used to hack past the fingerprint scanner in Apple’s iPhone 5s last year.
However, as Security Research Labs points out, the problem with the Galaxy S5 is not necessarily the fingerprint scanner itself but how Samsung has implemented it. The GS5 allows users unlimited login attempts, so the fake fingerprint can be scanned multiple times to unlock the device. Also, once a user has unlocked the GS5 with a fingerprint, they are given access to security-sensitive apps like PayPal’s new app. Security Research Labs was able to access all of PayPal’s features, including the ability to access the account, send money, or even make purchases.
Apple’s implementation of the iPhone 5s’s fingerprint scanner is a bit different. Users who sign in using TouchID must also enter a password to activate TouchID, and the device asks for the password again upon reboot. With this approach, a hacker would need both the traditional fingerprint spoof and access to the user’s numerical or text passcode.
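The two unlock policies contrasted above, modelled as an added example (it is not code from Samsung, Apple or SRLabs). The class and function names, the limit of five failed scans and the constructed scan sequence are assumptions; the article gives no numbers.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass
class BiometricGate:
    """Toy lock-screen policy; every name and default here is an assumption."""
    max_failures: Optional[int] = 5     # None = unlimited retries
    passcode_after_reboot: bool = True  # False = fingerprint works right after boot
    failures: int = 0
    passcode_required: bool = False

    def __post_init__(self) -> None:
        self.reboot()

    def reboot(self) -> None:
        self.failures = 0
        self.passcode_required = self.passcode_after_reboot

    def try_fingerprint(self, matches: bool) -> str:
        if self.passcode_required:
            return "passcode_required"     # biometric path is closed
        if matches:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.passcode_required = True  # force the second factor
            return "passcode_required"
        return "retry"

    def enter_passcode(self, correct: bool) -> str:
        if not correct:
            return "denied"
        self.failures, self.passcode_required = 0, False
        return "unlocked"

def replay(gate: BiometricGate, scans: Sequence[bool]) -> Tuple[str, int]:
    """Feed sensor match results in order; return (outcome, scans consumed)."""
    for n, matches in enumerate(scans, 1):
        outcome = gate.try_fingerprint(matches)
        if outcome != "retry":
            return outcome, n
    return "retry", len(scans)

# Constructed input: seven rejected scans followed by one accepted scan.
SCANS = [False] * 7 + [True]
if __name__ == "__main__":
    print(replay(BiometricGate(max_failures=None, passcode_after_reboot=False), SCANS))
    print(replay(BiometricGate(), SCANS))
```

With unlimited retries and no passcode after boot, the accepted scan is eventually reached; with a retry cap and a passcode requirement, the biometric path closes first and the passcode becomes mandatory.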
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired. The finger scanner feature in Samsung’s Galaxy S5 raises additional security concerns to those already voiced about comparable implementations.” – Security Research Labs researcher.
SRLabs is a Berlin-based security research and consulting think tank that has investigated mobile networks, SIM cards, payment terminals, and other systems for security issues.
Source: CNET