Samsung Fingerprint Security Features Easily Cracked by Hackers

Apr 15, 2014 // Andrew Stroup

As Ars Technica has reported, the security of Samsung’s heavily marketed fingerprint sensor in their new Galaxy S5 phone has been defeated by hackers, who were able to gain unfettered access to a PayPal account linked to the device.

The hack, carried out by researchers at Germany’s Security Research Labs, is the latest to show the drawbacks of using fingerprints, eye scans, and other physical features to authenticate a user’s identity. While some say that biometrics are a safer and easier alternative to passwords, the fact is that biometric information is leaked every time a person shops, rides a train, or eats at a restaurant, which gives attackers plenty of opportunities to steal and reuse it. This new exploit comes seven months after a separate team of hackers bypassed Apple’s Touch ID fingerprint scanner less than 48 hours after it first became available.

“We expected we’d be able to spoof the S5’s Finger Scanner, but I hoped it would at least be a challenge,” Ben Schlabs, a researcher at SRLabs, said. “The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices.”

While we at CommonKey are excited to see new security features come to market, this latest story is yet another example of the need to ensure that new technical features are fully vetted and made secure before they get introduced to the market.