Samsung is once again in hot water for a shoddy biometrics implementation. This time the culprit is the Galaxy S10 and its ultrasonic in-screen fingerprint reader, which apparently can be unlocked by anyone as long as there is a screen protector or some other piece of transparent plastic between a finger and the sensor.
British tabloid newspaper The Sun originally reported the news, saying a British woman discovered she could unlock her husband’s phone just by adding “a £2.70 screen protector bought on eBay.” After reporting the issue to Samsung, the couple says Samsung “admitted it looked like a security breach,” and a spokesperson told The Sun, “We’re investigating this internally. We recommend all customers to use Samsung authorised accessories, specifically designed for Samsung products.”
Days later when the BBC picked up the story and contacted Samsung again, the company said it is “aware of the case of S10’s malfunctioning fingerprint recognition and will soon issue a software patch.”
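I tested the much-discussed issue where fingerprint recognition on the Galaxy S10 and Note10 models is bypassed with a silicone case….
Galaxy 10 series users, turn off fingerprint unlock right now pic.twitter.com/tbmzErrmkP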
— StaLight (@Sta_Light_) October 16, 2019
It all sounds like an unbelievable story, but now that the word has gotten out, there are already videos on the Internet of the method working. Examples from @Sta_Light_ on Twitter and the meeco.kr forum show 2019 Samsung phones failing to unlock with an untrained fingerprint as they should, but then, when the user places a clear silicone phone case over the top of the sensor, that finger can unlock the phone. The user on Meeco uses a Galaxy S10, as previously reported, but Sta_Light_’s phone is actually a Galaxy Note10, which uses the same fingerprint technology as the Galaxy S10.
Samsung has known for some time that screen protectors could interfere with the ultrasonic fingerprint reader. Early S10 screen protectors actually featured a giant hole over the top of the fingerprint reader sensor location, as there was concern that an air gap between the cover and sensor could stop the sensor from working. Eventually, Samsung and the industry huddled up and started producing screen covers that were “compatible” with the sensor, avoiding an air gap by using some kind of glue or gel backing on the screen protector.
There is currently a split in under-display fingerprint reader technology in the smartphone market. Most phones use optical in-screen fingerprint readers, which place a CMOS chip under the display and take a 2D picture of your finger. Samsung is pretty much the only vendor that doesn’t use an optical reader, instead opting for Qualcomm’s ultrasonic fingerprint reader technology. Qualcomm and Samsung touted the ultrasonic sensor as more secure than optical, since it uses sonic waves to take a 3D scan of your finger, supposedly providing more detail than the 2D image of a CMOS sensor. Qualcomm also made the claim that the sensor can “detect blood flow within the finger and actually prevent hackers from spoofing the device with a photo or a mold,” though that statement seems to have been proven false with several hacks now.
Failed Samsung biometric solutions are not new. Last time, it was 2017’s Galaxy S8, which shipped with a Samsung-built facial recognition system that had flaws other vendors had addressed in 2011—you could unlock the phone with a photo of someone. This also isn’t the first time someone has broken the S10’s fingerprint reader—it was previously defeated with a $450 3D printer. Failing biometrics on a phone are a bigger deal than ever, as they give attackers access not only to your messages, photos, and contacts but, thanks to NFC payment apps, expose your credit cards, too.