A Samsung Galaxy S10 user said he was able to successfully bypass the phone’s fingerprint sensors using a 3D print of his own fingerprint.
The Samsung user posted on Imgur this weekend under the alias, “darkshark” saying he was able to fool the Galaxy S10’s fingerprint using a simple technique – in only 13 minutes. He first took a picture of his own fingerprint, then transferred that picture to Adobe Photoshop and created a 3D print. From there, he used the 3D print to physically sign on to his phone.
“This brings up a lot of ethics questions and concerns,” he said in a recent post which features a video outlining the hack. “There’s nothing stopping me from stealing your fingerprints without you ever knowing, then printing gloves with your fingerprints built into them and going and committing a crime.”
The Samsung user first took a photo of his own fingerprint on the side of a wine glass using a smartphone. He then pulled the image onto Photoshop and increased the contrast. From there the user exported the Photoshop image and created a 3D model of it using 3ds Max, which allowed him to create a geometry displacement of it.
“I popped that model into the 3D printing software and began to print it,” he said. “This was printed using an AnyCubic Photon LCD resin printer, which is accurate down to about 10 microns (in Z height, 45 microns in x/y), which is more than enough detail to capture all of the ridges in a fingerprint.”
From there, he was able to press the 3D printed image onto the phone and, after a few attempts with some tweaks, was able to log in.
The hack could lead to worse consequences: “Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.”
Samsung did not immediately respond to a request for comment.
The fingerprint sensor was one of the centerpieces of Samsung’s most recent Galaxy S10 model, released in March.
Samsung said that the new phone model touts an ultrasonic sensor, which it said both offers better security than optical fingerprint readers as it uses a “3D sonic sensor” to capture the different molds in a fingerprint, as opposed to the optical fingerprint reader, which reads prints in 2D, as if they were a photo.
Ironically the phone maker boasted that the sensor can use sound waves to detect blood flow in a finger, protecting the device from hackers who want to use molds – which is exactly what “darkshark” was able to achieve.
“Darkshark” told Threatpost via message he has not tried this method for other phones, such as an iPhone; however, “phone fingerprint scanners are old tech and have been beaten in numerous ways,” he said.
Indeed, fingerprint and other biometric-related security concerns have popped up as viable ways for an attacker to physically bypass these measures to access a victim’s phone.
Earlier in November, a design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – was quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.