UPDATE
Samsung has acknowledged that anyone can bypass the Galaxy S10 fingerprint sensor using a third-party case, after a woman alleged that a $3 smartphone screen protector allowed unauthorized users to dupe her Samsung Galaxy S10’s fingerprint recognition sensor, giving them access to her phone and banking apps.
Samsung is promising a future software update to resolve the issue, according to a Thursday report.
The U.K. woman, Lisa Neilson, told reporters this weekend that only her fingerprint was registered on her new Galaxy S10. However, after she bought a third-party screen protector off eBay, Neilson’s husband was able to unlock her phone using his fingerprint, even though it was not registered on the device.
Worse, the pair found that Neilson’s husband could log into her phone and access various private apps using the fingerprint biometrics security feature. The couple also put the case on Neilson’s sister’s Samsung phone and discovered that the same issue occurred.
“We called Samsung because we thought there was a fault with the phone,” Neilson told The Sun this weekend. “The man in customer services took control of the phone remotely and went into all the settings and finally admitted it looked like a security breach.”
Samsung did not respond to several requests for comment from Threatpost.
The company said in a media statement to the BBC that it is “aware of the case of S10’s malfunctioning fingerprint recognition and will soon issue a software patch.”
The fingerprint sensor was one of the centerpieces of Samsung’s Galaxy S10 model, released in March 2018. Samsung said that the new phone model uses an ultrasonic sensor, which it said offers better security than optical fingerprint readers because its “3D sonic sensor” captures the contours of a fingerprint in three dimensions, whereas an optical fingerprint reader captures a print in 2D, as if it were a photo.
However, this is not the first time that the Galaxy S10 fingerprint sensor has been duped. Last year, a Samsung Galaxy S10 user said he was able to bypass the phone’s fingerprint sensor using a 3D print of his own fingerprint.
The report leaves several issues unresolved, including whether the incident was caused by an internal Samsung glitch, by residue from Neilson’s fingerprints left on the screen protector, or by something else. The brand of the third-party screen protector was not mentioned in media reports.
However, security experts that Threatpost talked to agree that the incident sheds light on issues that still exist when it comes to biometrics.
Chris Morales, head of security analytics with Vectra, told Threatpost that Android includes a biometric API that app developers can use to integrate biometric authentication into their applications in a device- and modality-agnostic fashion. However, biometric support is currently for fingerprint only and does not account for consistency in the fingerprint scanner itself.
“Third-party hardware manufacturers have included biometric authentication for other forms such as facial recognition and for onscreen fingerprint scanners that have proven to be easier to bypass and weaken the device authentication,” he said. “This is unproven technology and will take time to get correct. This is the price to pay for fast development by third-party hardware manufacturers that are not focused on security first.”
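The Android biometric API Morales refers to is the system’s BiometricPrompt. The following is an added example, written for this article and not code from Samsung, Threatpost or the AndroidX project, showing how an app should use it defensively: the app keeps its secret under an Android Keystore key that the hardware releases only after a Class 3 (BIOMETRIC_STRONG) authentication and that is destroyed if a new fingerprint is enrolled. The key alias, the `Callback` interface and the use of a `FragmentActivity` are assumptions for the example. Note the limit of this approach: it protects the app against a forged “success” callback and against weak sensors, but not against a sensor that itself matches an unenrolled finger, which is what the report above alleges; that failure sits below the API and is only addressed by the vendor’s fix or by an additional factor, as the experts quoted here suggest.

```java
// Added example (not Samsung's, Threatpost's or AndroidX's code). Requires the
// androidx.biometric library; the key alias and Callback interface are assumed.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class BiometricGate {
    private static final String KEY_ALIAS = "example_session_key"; // assumed alias
    private final FragmentActivity activity;

    public interface Callback {                 // assumed app-side interface
        void onSecret(byte[] plaintext);
        void onFailure(String reason);
    }

    public BiometricGate(FragmentActivity activity) { this.activity = activity; }

    // Create, once, an AES-GCM key that the Keystore refuses to use unless the
    // user has just authenticated; enrolling a new biometric invalidates it.
    public static void createKeyIfMissing() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) return;
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)        // unusable without auth
                .setInvalidatedByBiometricEnrollment(true)  // new fingerprint => key gone
                .build());
        kg.generateKey();
    }

    // Only accept Class 3 biometrics; refuse to fall back to weaker sensors.
    public boolean strongBiometricAvailable() {
        return BiometricManager.from(activity).canAuthenticate(
                BiometricManager.Authenticators.BIOMETRIC_STRONG)
                == BiometricManager.BIOMETRIC_SUCCESS;
    }

    // Decrypt ciphertext that was earlier sealed under the Keystore key. The
    // Cipher is bound to the prompt via CryptoObject, so doFinal() only works
    // if the secure hardware actually authorised this operation.
    public void unlock(byte[] iv, byte[] ciphertext, Callback cb) throws Exception {
        if (!strongBiometricAvailable()) {
            cb.onFailure("no strong biometric available");
            return;
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        // Throws KeyPermanentlyInvalidatedException if biometrics were re-enrolled.
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));

        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm it's you")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .setNegativeButtonText("Cancel")
                .build();

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {
                            // Use the cipher returned by the system, not our local one.
                            cb.onSecret(r.getCryptoObject().getCipher().doFinal(ciphertext));
                        } catch (Exception e) {
                            cb.onFailure("keystore refused operation: " + e.getMessage());
                        }
                    }
                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) {
                        cb.onFailure("error " + code + ": " + msg);
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The design choice worth noting is that the app never decides “authenticated” on its own: the plaintext only exists if the Keystore completed the operation, so a hooked callback, a patched boolean or a screen overlay buys an attacker nothing. What it cannot do is second-guess the matcher; if the vendor’s sensor reports a match for the wrong finger, the key is released just the same, which is why the continuous or behavioral second factor discussed below matters.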
The use of biometrics on smartphones has been helpful for identity authentication, but it is not foolproof. Biometrics have been at the center of attention this year as security experts ask whether the technology will deliver stronger security or open a new attack vector.
In August, researchers revealed vulnerabilities in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications, including Apple’s FaceID. In 2018, a design flaw affecting all in-display fingerprint sensors, which left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack, was quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. New vulnerabilities in voice authentication have been uncovered as well.
For Shahrokh Shahidzadeh, CEO at Acceptto, the best way for smartphones to use biometrics is to add a behavioral authentication factor alongside fingerprint recognition.
“I would go one step further and also suggest a continuous behavioral authentication solution as that will ensure that protection is not just done at authentication but continuous for as long as the session is in process as well,” he said. “This is the way forward.”
This article was updated on Oct. 17 at 9am EST with new information from Samsung.