Ah, security. Mobile device users want more of it in a world full of Heartbleed bugs, a hacking culture that can disrupt even the best of intentions, and growing concerns about government snooping. As users and service providers turn to mobile devices for more and more of their interaction with the commercial world, security features become not only crucial for identity protection in that cold, cruel world, but also a major selling point for new devices in a very competitive race among device makers. A new security feature also becomes a ripe target for anyone who wants to see whether it can be hacked or broken. Apparently there is currency in proving that you can break a security mechanism.
The Boy Genius Report is reporting this morning that the fingerprint scanner on Samsung’s brand new Galaxy S5 smartphone has been hacked. Apparently the fingerprint scanner can be spoofed with a lifted fingerprint.
“As noted by German-language security blog H Security, SRLabs has posted video evidence that the fingerprint scanner on Samsung’s Galaxy S5 can easily be spoofed using a lifted print. In mere minutes, the group was able to create a “dummy finger” using an actual fingerprint to gain unauthorized access to the phone.”
That’s certainly not good news. And a posted video shows how it was done.
GBM readers might well be asking themselves “Where have we heard this before?” When Apple launched the latest round of the “fingerprint scanner as a feature” wars with Touch ID on the iPhone 5s, there was great concern over how secure the Touch ID feature would be. There were all sorts of reports and speculation beforehand. And indeed, after the launch, similar reports of hacking Touch ID surfaced relatively quickly. The difference is how Apple layered in its security versus how Samsung approaches it.
With the Apple iPhone 5s, a user who wants to take advantage of Touch ID is still required to set an alphanumeric passcode. Each time an iPhone 5s is rebooted you must enter that passcode again before you are allowed to use the fingerprint scanner to unlock the device going forward. Samsung’s Galaxy S5 does not require the same two-step method after a reboot. Simply put, that means if the spoof works as demonstrated, a thief who had access to your Galaxy S5 (and your fingerprint) could reboot the device, spoof the fingerprint scanner, and be off to the races with your device.
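To make the difference between the two post-reboot policies concrete, here is a toy lock-screen state machine. It is an added illustration written for this article, not code from Apple, Samsung or SRLabs, and the passcode, the stored print template and the `LockScreen` class are all constructed for the example. A lifted print that matches the enrolled template is treated as indistinguishable from the owner's finger, which is exactly the assumption the spoof demonstration relies on; the only thing that changes between the two scenarios is whether the sensor is gated behind a passcode entry since boot.

```python
"""Toy lock-screen model contrasting two post-reboot policies (constructed example)."""
import hmac


class LockScreen:
    """Models a phone with a passcode and one enrolled fingerprint.

    ``passcode_required_after_boot`` is the policy knob: when True, the
    fingerprint sensor stays disabled after a reboot until the passcode has
    been entered once (the behaviour the article attributes to Touch ID);
    when False, a matching print alone unlocks the phone even straight after
    a reboot (the behaviour the article attributes to the Galaxy S5).
    """

    def __init__(self, passcode: str, enrolled_print: str,
                 passcode_required_after_boot: bool) -> None:
        self._passcode = passcode
        self._enrolled_print = enrolled_print  # stands in for a stored template
        self.passcode_required_after_boot = passcode_required_after_boot
        self.reboot()

    def reboot(self) -> None:
        """Power-cycle: lock the device and forget any prior passcode entry."""
        self.unlocked = False
        self._passcode_seen_since_boot = False

    def lock(self) -> None:
        """Screen timeout: lock the device but keep the since-boot state."""
        self.unlocked = False

    def enter_passcode(self, attempt: str) -> bool:
        """Primary credential. Returns True if the device unlocked."""
        # Constant-time compare so even the toy does not leak a timing side channel.
        if hmac.compare_digest(attempt.encode(), self._passcode.encode()):
            self.unlocked = True
            self._passcode_seen_since_boot = True
            return True
        return False

    def present_fingerprint(self, sample: str) -> bool:
        """Biometric unlock. Returns True if the device unlocked."""
        if self.passcode_required_after_boot and not self._passcode_seen_since_boot:
            # Sensor is gated: the sample is not even evaluated.
            return False
        # By construction a moulded copy of the print matches the template just
        # like the real finger does, so the sensor cannot tell them apart here.
        if sample == self._enrolled_print:
            self.unlocked = True
            return True
        return False


# Constructed sample values for the scenarios below.
OWNER_PASSCODE = "4831"
OWNER_PRINT = "owner-print-template"


def thief_after_reboot(passcode_required_after_boot: bool) -> bool:
    """Scenario from the article: someone holding the phone and a copy of the
    owner's print reboots it and presents the copy, without the passcode."""
    phone = LockScreen(OWNER_PASSCODE, OWNER_PRINT, passcode_required_after_boot)
    phone.reboot()
    return phone.present_fingerprint(OWNER_PRINT)


def owner_after_reboot(passcode_required_after_boot: bool) -> bool:
    """The legitimate owner: passcode once after boot, then fingerprint unlocks
    work for the rest of the session until the next reboot."""
    phone = LockScreen(OWNER_PASSCODE, OWNER_PRINT, passcode_required_after_boot)
    phone.reboot()
    if not phone.enter_passcode(OWNER_PASSCODE):
        return False
    phone.lock()  # screen times out; since-boot state is kept
    return phone.present_fingerprint(OWNER_PRINT)


if __name__ == "__main__":
    for policy in (True, False):
        print(f"passcode required after boot={policy}: "
              f"thief unlocks={thief_after_reboot(policy)}, "
              f"owner unlocks={owner_after_reboot(policy)}")
```

Under the gated policy the spoof still works once the owner has entered the passcode for that boot session, so gating does not make the sensor unspoofable; it only removes the reboot-and-spoof path and forces the attacker to also know the passcode.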
The BGR headline states that the hack puts PayPal accounts at risk. One of the features of Samsung’s approach was to integrate with PayPal so that users could access their accounts with the swipe of a finger. Integrated services that can use any onboard security mechanism are a touchy subject on any device. A fingerprint scanner, facial recognition, or any other method that unlocks a third-party service for user access extends the liability much further than just unintended access to the device. Apple’s Touch ID only works to unlock the device and allow purchases through iTunes, both of which are controlled by Apple.
The vision of using a mobile device as a user’s ID is not only a powerful one, but one that I think many would welcome. But that will require some sort of security mechanism that has not only a reliable, capable and unhackable method of protecting that identity, but a technology that is perceived to have that reliability, capability and unhackability. This is an area where perception counts as much as reality. Note that in the settings screen shown in the picture to the right, Samsung lists “medium to high security” for PIN and Fingerprint, with only Password listed as High Security. It’s a tough order to fill in a day and age where interacting with any service using a mobile device requires so many moving parts. Requests are sent to servers of all types to complete even the simplest transaction or communication.
And to be honest, could there really be a fool-proof method of providing any type of security that could replace the cumbersome and tired methods of using a password? So much is invested in trying to advance this kind of secure technology. But, those interested in cracking it seem to have endless patience, curiosity, and ability to send any latest advancement back to the drawing board.
It’s obviously a delicate and tricky proposition to include fingerprint scanning as a security feature because of the possibility of this kind of hacking. That said, a bad actor would need access to both the device and your fingerprint in order to make this kind of hacking work. As much as this kind of spoofing may indeed be possible, the question becomes how much of a real-world concern it is for the common user.
This isn’t the first wave of technology to offer fingerprint scanning as a security feature. Many laptop models back in the day included fingerprint scanners. But unreliability led to that being more of a fad than a feature that hung on.
Samsung will obviously respond to this news and we’ll have to watch with interest how this plays out. Those remembering the similar incident with Apple will recall how that story surfaced, became hot, and then faded away.