Samsung has reportedly started rolling out a software patch for the Galaxy S10 and Note10, addressing glitches in both phone models that allow the bypass of their built-in fingerprint authentication sensors.
The fix comes after Samsung admitted last week that anyone can bypass the Galaxy S10 fingerprint sensor if a third-party silicone case is enclosing the phone. The acknowledgement led to widespread backlash from customers, while several U.K.-based banks have also started blacklisting impacted Samsung devices for their apps, as the issue also allowed users to access various apps on the impacted devices that were using the biometric function for authentication.
According to a Wednesday report by Android Police, Samsung is now rolling out patches to customers, urging them through its customer support app (Samsung Members) to update their phones to the latest software version, which will fix the biometric authentication glitch.
“Samsung is releasing a software patch to fix fingerprint issues on Galaxy Note10, Note10+, S10, S10+, and S10 5G devices,” Samsung said in a note on Samsung Members. “If you have registered a fingerprint on one of these devices, you will receive a notification with instructions. This update is being sent out gradually, so you may not receive the notification immediately.”
Samsung Galaxy S10 and Note10 users, for their part, are urged to look out for an update notification on their devices called “Biometrics Update.” Once they click on “Update,” they will be instructed to delete all fingerprints previously registered with covers on the phone, and to re-register them without a cover applied to the phone.
The issue first came to light after a woman alleged that a $3 smartphone screen protector allowed unauthorized users to dupe her Samsung Galaxy S10’s fingerprint recognition sensor – giving access to her phone and banking apps. The U.K. woman, Lisa Neilson, told media outlets earlier in October that only her fingerprint was registered on her new Galaxy S10. However, after buying a third-party screen protector off eBay, Neilson’s husband was able to unlock her phone using his fingerprint – even though it wasn’t registered on the device. Worse, the pair found that Neilson’s husband could log into her phone and access various private apps using the fingerprint biometrics security feature.
“This issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users’ fingerprints,” said Samsung in a press release last week. “To prevent any further issues, we advise that Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints.”
On the heels of this report, several videos popped up of Galaxy S10 users trying the trick out successfully on their own phones.
NatWest and Royal Bank are among the banks that removed their apps from the Google Play store for customers with Samsung Galaxy S10 and Note 10 devices: “This is due to reports that there are security concerns regarding these devices,” according to a Royal Bank tweet. “We hope to have our app available again shortly once the issue has been resolved.”
Hi there Martyn. We've removed the app from the Play Store for customers with Samsung S10 devices. This is due to reports that there are security concerns regarding these devices. We hope to have our app available again shortly once the issue has been resolved. WL
— Royal Bank (@RBS_Help) October 22, 2019
The utilization of biometrics on smartphones has been helpful for identity authentication – but it’s not foolproof.
In fact, also in October, Google came under fire for its Pixel 4 facial recognition unlock feature, which users said would unlock the phone even if their eyes were closed. Google issued a media statement this weekend that the glitch will be fixed in a software update that will be delivered in the “coming months.”
Other privacy incidents have plagued smartphone vendors around biometric authentication. In August, researchers revealed vulnerabilities in the authentication process of biometrics technology that could allow bad actors to bypass various facial recognition applications – including Apple’s FaceID. In 2018, a design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – was quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. New vulnerabilities in voice authentication have been uncovered as well.