Galaxy S5 fingerprint scanner bypassed using old Apple Touch ID spoof

The Samsung Galaxy S5 was released on Friday and, similar to the release of the iPhone 5s back in late September 2013, it only took a few days before the fingerprint scanner was hacked.

Ben Schlabs, project manager with Security Research Labs, a group that also bypassed Apple's Touch ID, told SCMagazine.com on Wednesday that bypassing the fingerprint scanner on the Samsung device was even more seamless, and may open the door for more problems.

The Germany-based company posted a video demonstration on Tuesday.

Schlabs said he easily fooled the Galaxy S5 scanner by simply picking up a dried-out fingerprint spoof – lying around since his tests on the iPhone 5s Touch ID – and swiping it over the fingerprint scanner of the brand-new Samsung mobile device.

“The first spoof I swiped over the sensor worked immediately,” Schlabs said. “For whatever reason, that particular spoof was and is rejected by the iPhone, but works on the S5.”

The fingerprint spoof was made from a glue mold using a fingerprint that could effortlessly be lifted from the device, Schlabs said, explaining that anyone with $20 and a decent grasp of arts and crafts can pull this off in the amount of time it takes for the glue to dry.

The Galaxy S5 fingerprint hack may end up spelling more trouble for Samsung than the Touch ID hack did for Apple because the Galaxy, perhaps inadvertently, offers unlimited attempts to swipe a fingerprint, and also does not require a passcode when the device is powered up, Schlabs said.

“As it stands, turning off the screen and turning it back on allows for one additional swipe attempt every time,” Schlabs said. “This gives would-be spoofers unlimited attempts, greatly increasing their chances of success.”
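The two design weaknesses Schlabs describes above, an attempt counter that resets whenever the screen is cycled and no passcode demand at power-on, are easiest to see as a small state machine. The following is an added example, not code from Samsung, Apple or PayPal: the `BiometricGate` class, the `MAX_FAILED_SWIPES` policy value and the screen-cycle/boot hooks are all assumptions made for illustration. It models a fingerprint unlock path with a passcode fallback and lets a defender compare how many failed presentations each policy lets reach the sensor.

```python
from dataclasses import dataclass

# Policy constant assumed for this example; not a vendor-documented value.
MAX_FAILED_SWIPES = 5


@dataclass
class BiometricGate:
    """State machine for a fingerprint unlock path with a passcode fallback.

    reset_on_screen_cycle=True reproduces the first weakness described in the
    article (lockout state forgotten on every screen off/on), and
    require_passcode_at_boot=False reproduces the second (biometrics usable
    straight after power-on, with no passcode gate).
    """
    reset_on_screen_cycle: bool
    require_passcode_at_boot: bool
    failed_swipes: int = 0
    passcode_required: bool = False
    unlocked: bool = False

    def boot(self) -> None:
        """Power-on. A hardened policy demands the passcode before biometrics are enabled."""
        self.unlocked = False
        self.failed_swipes = 0
        self.passcode_required = self.require_passcode_at_boot

    def screen_cycle(self) -> None:
        """Screen off and on again. Only the flawed policy forgets failed attempts here."""
        self.unlocked = False
        if self.reset_on_screen_cycle:
            self.failed_swipes = 0

    def swipe(self, sensor_match: bool) -> str:
        """One fingerprint presentation: 'unlocked', 'rejected' or 'passcode_required'."""
        if self.passcode_required:
            return "passcode_required"      # sensor is not consulted while locked out
        if sensor_match:
            self.failed_swipes = 0
            self.unlocked = True
            return "unlocked"
        self.failed_swipes += 1
        if self.failed_swipes >= MAX_FAILED_SWIPES:
            self.passcode_required = True   # lockout persists until a correct passcode
            return "passcode_required"
        return "rejected"

    def enter_passcode(self, correct: bool) -> bool:
        """Passcode fallback; a correct entry clears the biometric lockout."""
        if correct:
            self.failed_swipes = 0
            self.passcode_required = False
            self.unlocked = True
        return correct


def swipes_tolerated(gate: BiometricGate, presentations: int) -> int:
    """How many non-matching presentations reach the sensor before the gate
    demands the passcode, when the screen is cycled between every attempt."""
    gate.boot()
    evaluated = 0
    for _ in range(presentations):
        gate.screen_cycle()
        if gate.passcode_required:
            break
        gate.swipe(sensor_match=False)
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    # Constructed policies for comparison; the numbers are the example's, not a vendor's.
    flawed = BiometricGate(reset_on_screen_cycle=True, require_passcode_at_boot=False)
    counter_only = BiometricGate(reset_on_screen_cycle=False, require_passcode_at_boot=False)
    hardened = BiometricGate(reset_on_screen_cycle=False, require_passcode_at_boot=True)
    for name, gate in [("flawed", flawed), ("persistent counter", counter_only), ("hardened", hardened)]:
        print(f"{name:>18}: {swipes_tolerated(gate, 50)} presentations evaluated out of 50")
```

The useful check is the third policy: a persistent counter alone still allows `MAX_FAILED_SWIPES` presentations after power-on, so a device found switched off gives an attacker exactly that many tries; requiring the passcode at boot reduces that to zero until the owner has authenticated once.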

Another concern about the Galaxy S5 fingerprint bypass is that it can be abused to authenticate transactions using PayPal. In a statement emailed to SCMagazine.com on Wednesday, a PayPal spokesperson said that eligible transactions are covered by PayPal's purchase protection policy should a related incident occur.

“PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5,” according to the statement. “The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.”

These types of “biometric” features are so vulnerable to spoofing because fingerprints are left on every glossy surface we touch, and can easily be stolen and copied, Schlabs said, explaining that fingerprint scanning as a security feature may be a step up in convenience, but is a step down in security.