One of the big new feature announcements with the launch of the Samsung Galaxy S10 smartphone was the all-new “in-display” fingerprint scanner for the S10 and S10+ models. It wasn’t just the convenience of having the scanner built into the screen that was being pushed by Samsung, but the additional security offered by the ultrasonic fingerprint sensor rather than a traditional optical reader. However, Samsung’s Galaxy S10 fingerprint sensor can be bypassed using just a 3D-printed copy of the phone owner’s fingerprint.
The ultrasonic fingerprint scanner comes with the S10 and S10+ models. It offers additional security because it captures a 3D image, whereas traditional scanners capture only a 2D one.
Samsung claims this won’t let anyone compromise the smartphone even if they have a 3D map of your fingerprint. But now a researcher has proven that the fingerprint scanner can be fooled by using a 3D-printed fingerprint.
How does the ultrasonic fingerprint work?
The difference with the ultrasonic fingerprint scanner in the Galaxy S10 and S10+ smartphones compared to the more traditional capacitive scanners is that it can capture a 3D image rather than a 2D one. By using very high-frequency ultrasonic soundwaves, the scanner can map a fingerprint in quite astonishing detail. It includes things like ridges and pores as well as just the “flat” patterns we are more used to seeing. It does this by transmitting a pulse of ultrasonic sound against your finger and then analyzing the pressure of the pulse that gets bounced back from it.
This will be different for everyone as each fingerprint will absorb differing amounts of the wave pressure, for want of a simpler way of describing the process. And so a unique 3D map will be created. A map that captures depth data across different points on the scanner, making the resulting map very detailed in all dimensions. So far, so good. So, what went wrong? Let’s see how the Galaxy S10 fingerprint sensor was hacked.
How Was the Galaxy S10 Fingerprint Sensor Hacked?
A user who goes by the name darkshark published a video explaining how he fooled the fingerprint sensor of the Galaxy S10 to gain access to the phone.
He took a photograph of his fingerprint from the side of a wine glass with his smartphone. He then used Photoshop to remove the other areas and leave only the fingerprint.
Then he imported the image into 3DS Max to create a 3D model of the fingerprint and printed it on a piece of resin with the AnyCubic Photon LCD printer.
This resulted in a square piece of resin containing a 3D model of the fingerprint that successfully unlocked Samsung’s Galaxy S10.
The attack requires only physical access to the phone and the fingerprint of the owner. This scenario raises a lot of security concerns: if someone steals the phone, they can unlock the device, because the owner’s fingerprints are already present on it.
“As most of the banking apps only require fingerprint authentication, all the information can be stolen and the money can be spent in less than 15 minutes if the phone is secured by fingerprint alone,” says darkshark.
Should I stop using my fingerprint?
No, that would not be advisable. There is always going to be a trade-off between convenience and security, which is why most folk don’t use a PIN or password. Both authentication methods are generally thought more secure than fingerprint biometrics by most security experts. But both are also more hassle in terms of remembering and inputting the code. Which is why many people have their phones unlocked all the time, requiring no such authentication in the first place. Biometrics such as face and fingerprint recognition overcome this by being “secure enough” for most people, without adding any user inconvenience into the mix.
“The whole biometric authentication movement at consumer level of electronics is never going to be very secure,” Ian Thornton-Trump, head of cybersecurity at AmTrust Europe, agrees. I’d certainly always recommend a fingerprint-protected device over one with no protection.
In fact, even darkshark9 himself says that the ultrasonic fingerprint sensor of the S10 is probably safer than the optical or capacitive sensors of other smartphones. He added that optical sensors can be tricked with a simple scan and paper printout of a fingerprint but ultrasonic can’t. It should be noted here that the fingerprint sensor is certainly more secure than facial recognition, because facial recognition can be beaten by a video of the owner placed in front of the smartphone.
What Are the Risks of Getting Hacked via the Galaxy S10 Fingerprint Sensor?
Well, that really depends on who you are, what data is on your phone and just how much someone wants to access it. While darkshark9 states that “there’s nothing stopping me from stealing your fingerprints without you ever knowing” and further that “if I steal someone’s phone, their fingerprints are already on it”, the truth is that this would require a perfect alignment of circumstances.
For some very high-profile individuals there is, indeed, a risk from such an attack scenario. Sure, if someone stole your phone they could in theory get access not only to your personal data but also your bank account, as most of these now rely upon fingerprint ID to authenticate the user to the app. That is assuming the person who stole it also has the 3D printer and technical skills to create the clone fingerprint, along with the desire to do so, which is quite the assumption to make.
Threat to viability of Samsung’s Fingerprint Sensor
In a post about the scanner, Samsung says that “With the new ultrasonic fingerprint ID technology, there are no tradeoffs!” It also mentions that you don’t have to sacrifice user experience for security.
Samsung also claims in the same post that it uses “a machine learning algorithm to help detect the differences between real fingerprints and forged 3D replicas.”
But the method described by darkshark casts doubt on the viability of Samsung’s ultrasonic fingerprint scanner as a method of protecting data.
Hopefully this will be addressed in future versions of these scanners or through software updates; for now, if your phone contains sensitive data, you should probably use a password instead.