Fingerprint lock in Samsung Galaxy 5 easily defeated by whitehat hackers

Multiple weaknesses put devices and PayPal accounts within reach of attackers.

The heavily marketed fingerprint sensor in Samsung's new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.

The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.

"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."

Schlabs, who was assisted by a whitehat-hacking colleague who goes by the moniker Dexter, said the Samsung bypass was more concerning because, unlike the iPhone, the S5 has no mechanism requiring a password when encountering a large number of incorrect finger swipes. Simply by rebooting the device, he was able to cause the handset to accept an unlimited number of incorrect swipes without requiring users to enter a password. More troubling still, the S5 fingerprint authenticator can be associated with sensitive banking or payment apps such as PayPal. Once Schlabs used a spoof fingerprint to bypass the lock, he was able to gain complete control of the account, including access to money transfers and purchases.

"Perhaps most concerning is that Samsung does not seem to have learned from what others have done less poorly," Schlabs said in a video demonstrating the hack. "Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password. Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."

A PayPal spokesman issued a statement that said company officials take the SRLabs findings seriously and that the integration with the fingerprint reader is designed to guard against hacks.

"The scan unlocks a secure cryptographic key that serves as a password replacement for the phone," the statement read in part. "We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."

As was the case with last September's Touch ID hack, the attack on Samsung's fingerprint reader used a "wood glue spoof" made from an etched PCB mold. The spoofed fingerprint was crafted by taking a camera-phone photo of an unprocessed latent print smudge left on a smartphone screen. Interestingly, the spoof was left over from work Schlabs did when researching Apple's Touch ID. For reasons he has yet to precisely determine, the spoof doesn't work against an iPhone, but it had no problem unlocking the S5.

Like the researchers who bypassed Touch ID, Schlabs disagreed with critics who claim the hacks are unrealistic in real-world settings or require more skill than many people are capable of. In an e-mail, he explained:

For someone who has medium-resolution pictures of their fingerprints in databases around the world (or even pre-made spoofs lying around the office) like I do, the attack is already very practical. For others, the use of fingerprint authentication on their phones and other devices makes the attack infinitely more likely. The incentive to steal digital fingerprint scans and learn how to mass-produce spoofs grows considerably with every new popular device that is introduced with poorly implemented fingerprint security.

He said Samsung could have done much more to secure its fingerprint reader, including building in a strict password lockout after a few failed swipe attempts. He also said company engineers should have implemented stricter anti-spoofing measures.
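The lockout Schlabs describes is a small state machine: count failed swipes, and once a threshold is reached refuse the sensor until the password is entered. The weakness the article reports is that the S5's count did not survive a reboot. The following Python model is an added example written for this article, not code from SRLabs or Samsung; the threshold of five attempts, the event names and the `storage` dictionary standing in for tamper-resistant device storage are all assumptions. It runs the same scripted sequence of events against two variants of the policy: one whose counter lives only in memory (cleared by a reboot) and one that persists the counter and the lockout flag across reboots.

```python
from dataclasses import dataclass, field

# Assumed threshold: the article gives no number, only "a few failed swipe attempts".
MAX_FINGERPRINT_FAILURES = 5


@dataclass
class UnlockPolicy:
    """Gate fingerprint unlock behind a failure counter with a password fallback.

    persist_counter=False models the weakness described in the article: the
    count lives only in RAM, so a reboot clears it and the sensor again accepts
    wrong swipes. persist_counter=True writes the counter and the lockout flag
    to `storage` (a stand-in for tamper-resistant storage on a real device) so
    both survive a reboot.
    """
    max_failures: int = MAX_FINGERPRINT_FAILURES
    persist_counter: bool = True
    storage: dict = field(default_factory=dict)
    failures: int = field(default=0, init=False)
    password_required: bool = field(default=False, init=False)
    unlocked: bool = field(default=False, init=False)

    def _save(self) -> None:
        # Only the hardened variant commits its state to storage.
        if self.persist_counter:
            self.storage["failures"] = self.failures
            self.storage["password_required"] = self.password_required

    def reboot(self) -> None:
        # A reboot always drops the unlocked session.
        self.unlocked = False
        if self.persist_counter:
            self.failures = self.storage.get("failures", 0)
            self.password_required = self.storage.get("password_required", False)
        else:
            # Weak variant: in-memory state is lost, so the lockout is gone.
            self.failures = 0
            self.password_required = False

    def fingerprint_attempt(self, matched: bool) -> str:
        if self.password_required:
            # Once locked out, even a matching (or spoofed) print is refused.
            return "password_required"
        if matched:
            self.unlocked = True
            self.failures = 0
            self._save()
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.password_required = True
        self._save()
        return "password_required" if self.password_required else "rejected"

    def password_attempt(self, correct: bool) -> str:
        if not correct:
            return "rejected"
        # A correct password clears the lockout and resets the counter.
        self.unlocked = True
        self.failures = 0
        self.password_required = False
        self._save()
        return "unlocked"


def run_events(policy: UnlockPolicy, events: list[str]) -> list[str]:
    """Replay a scripted sequence of events and return the policy's answers."""
    handlers = {
        "fp_bad": lambda: policy.fingerprint_attempt(False),
        "fp_good": lambda: policy.fingerprint_attempt(True),
        "pw_good": lambda: policy.password_attempt(True),
        "reboot": lambda: (policy.reboot(), "rebooted")[1],
    }
    return [handlers[ev]() for ev in events]


# Constructed scenario: three wrong swipes, a reboot, another wrong swipe, then a
# print the sensor accepts (fp_good) and finally the correct password.
ATTACK_SCRIPT = ["fp_bad", "fp_bad", "fp_bad", "reboot", "fp_bad", "fp_good", "pw_good"]

if __name__ == "__main__":
    weak = UnlockPolicy(max_failures=3, persist_counter=False)
    strong = UnlockPolicy(max_failures=3, persist_counter=True)
    print("weak:  ", run_events(weak, ATTACK_SCRIPT))
    print("strong:", run_events(strong, ATTACK_SCRIPT))
```

With the threshold lowered to three for the demonstration, the weak variant reaches the lockout on the third swipe but forgets it after the reboot and lets the accepted print through; the persisted variant keeps refusing the sensor after the reboot and only the password unlocks it. The design point is that the counter and the lockout flag must be stored somewhere a reboot cannot reach, and that a matching print must be refused while the lockout is in force.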

Schlabs's other criticism of fingerprint authentication from Samsung, Apple, Motorola, and others is the inability to change the information used to prove a person's identity. Once it leaks, the authentication keys are in the hands of attackers forever. He continued:

Passwords can be changed if they are leaked or stolen, and they can be kept completely secret (even from hostile foreign police that one might be unlucky enough to encounter while traveling, for example), but you can always be physically forced to unlock your devices with your finger. Users should be made aware that the security offered by fingerprints is not as easily measured as it is for passwords. Fingerprints can keep opportunistic snoops out, but do not protect well from targeted authentication fraud.

SRLabs is only one of several groups that are reporting a successful hack of the Samsung phone. This article may be updated with details of the other attacks.

Post updated to add PayPal comment.