Samsung Galaxy S5 fingerprint scanner hacked, PayPal reaffirms confidence in biometrics

Just like the Apple iPhone 5s, it has only taken a couple days after the release of the Samsung Galaxy S5 before the fingerprint scanner has been hacked. This will more than likely be a relatively common theme as biometric sensor technology matures; but it does seem to confirm that right now, fingerprint sensors are designed more for convenience than true security.

If you remember, soon after the release of the iPhone 5s, a European group had found a way to hack the fingerprint scanner, and just a couple days after release, there were videos showing the TouchID sensor being trained and unlocking the phone with nipples and paw prints. The latter is more for amusement, but the former was a real security concern. The best that could be said was that the method for hacking the scanner was somewhat involved and difficult. 

Unfortunately for Samsung, the method used to hack its sensor isn't quite as difficult. Actually obtaining the fingerprint is still tough: the potential hacker would need to know which finger you use, obtain that fingerprint, and make a "dummy fingerprint" as shown in the video below by SRLabs. From there it is actually easier to hack the Galaxy S5, because right now Samsung's software allows access to the device without ever needing to put in a password. Apple requires password input every time the device is rebooted. Worse, Samsung doesn't ever require a password input when using PayPal's new app either, meaning your PayPal account would be compromised.


For its part, PayPal has reaffirmed its commitment to biometrics and the Galaxy S5 specifically. In a statement to BGR, PayPal said that its service never has access to your fingerprint and uses a generated cryptographic key for security. If your device is compromised, that key can be reset, and presumably (PayPal doesn't say) a new key could not be generated using a fingerprint scan from the same device. And, if fraud does occur, there is protection in PayPal's purchase protection policy.
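
The arrangement PayPal describes (the service holds a resettable key, never a fingerprint), together with the passcode-after-reboot rule from the Apple comparison above, sketched as an added example that is not PayPal's, Samsung's or Apple's code. The class and method names are hypothetical, and an HMAC shared secret stands in for whatever key type the real service uses, which the article does not specify.

```python
import hashlib
import hmac
import secrets


class Device:
    """Client side (hypothetical): key is released only after a local match."""

    def __init__(self, require_passcode_after_boot=True):
        self.key = None
        self.require_passcode_after_boot = require_passcode_after_boot
        self.passcode_entered_since_boot = False  # reset on every reboot

    def enroll(self):
        self.key = secrets.token_bytes(32)  # generated on the device
        return self.key                     # registered with the service once

    def sign(self, challenge, fingerprint_matched):
        if self.key is None or not fingerprint_matched:
            return None
        if self.require_passcode_after_boot and not self.passcode_entered_since_boot:
            return None  # step-up: fingerprint alone is not enough after reboot
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Service:
    """Server side (hypothetical): sees keys and responses, no biometric data."""

    def __init__(self):
        self.keys = {}     # device_id -> registered key
        self.pending = {}  # device_id -> outstanding single-use challenge

    def register(self, device_id, key):
        self.keys[device_id] = key

    def revoke(self, device_id):
        # "Resetting" the key: a stolen device can no longer authenticate.
        self.keys.pop(device_id, None)
        self.pending.pop(device_id, None)

    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify(self, device_id, response):
        challenge = self.pending.pop(device_id, None)  # consumed, blocks replay
        key = self.keys.get(device_id)
        if challenge is None or key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

The service cannot tell a real finger from a dummy one, since both produce `fingerprint_matched=True` on the device; its only levers are the device-side passcode rule and revoking the key once the device is reported compromised.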

All in all, biometrics may eventually lead to better security, but we're not quite there yet. As the Chaos Computer Club said after hacking the iPhone 5s, "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token." It may be difficult for someone to obtain your fingerprints in order to perform this hack, but when it comes to security, "difficult" isn't good enough.

source: H Security via BGR


40 Comments

40. qudot

Posts: 1; Member since: Jan 12, 2015

Thanks for this article, it proves to us we are working on the right path. We are working on a novel authentication system generating a 12 digit variable token based on optical fingerprint. Visit us at qudotphotonics.com

37. brasstax

Posts: 546; Member since: Apr 16, 2014

Looks like somebody's been watching Jean Claude Van Damme's fingerprint hack from the movie Double Team ;) On a more serious note, it makes sense for the phone manufacturers to make their FP tech as fool proof as possible, before encouraging customers into using the same for authenticating payments online. This will prevent a lot of early anguish for sure.

36. mark_ray

Posts: 35; Member since: May 26, 2013

When they hacked the Face Unlock on Nexus phones, by using a picture of the owner, Google added a security measure, which is Blink Checker. Let's see how they will overtake this issue.

31. edelxander

Posts: 58; Member since: Oct 01, 2013

yeah.. now that fingerprint is hackable next technology would be retina verification, blood sample and child sacrifice, demon summoning etc to unlock your smartphone.

25. flipjzn

Posts: 257; Member since: Jun 22, 2012

Samsung should c̶o̶p̶y̶ implement password after reboot just like on iPhone 5s for more security.

23. taz89

Posts: 2014; Member since: May 03, 2011

Just like Touch ID this isn't a proper hack.. Just look at how much trouble one has to go through: steal the phone, get the right fingerprint somehow, do some high tech stuff and make a mold etc etc. This isn't like a security hole where anyone with little knowledge can break it, you need to have the right equipment etc..

24. jroc74

Posts: 6023; Member since: Dec 30, 2010

Exactly...the methods involved in the scanner exploits...if it takes all this to bypass it....it's still doing its job. But...my concern is once it's done on the GS 5...the phone is basically wide open. Apple has a 2 step approach. If there ever was a time to copy Apple....this would be it....

26. taz89

Posts: 2014; Member since: May 03, 2011

Yh I was thinking for those who want to be extra secure a 2 step verification would be nice as an option. Ie finger print and a 4 or 5 digit pin. I would definitely use that for payments.

17. solidsnake695

Posts: 132; Member since: Jan 04, 2013

I think some of the staff of phonearena died after reading this u know what I mean

34. refillable

Posts: 1071; Member since: Mar 10, 2014

Old boring joke.

14. AfterShock

Posts: 4147; Member since: Nov 02, 2012

I'd bet, it never happens.

11. JMartin22

Posts: 2429; Member since: Apr 30, 2013

Uh... This is an exploit, not a hack. We should stop throwing around the term "hacking" in such a loose context. No systematic altering, via compromise was involved here. Some people merely stumbled among a method (that anyone could recreate), that's all. For the record, this exploit is situational at best.

9. ianbbaa

Posts: 332; Member since: Mar 20, 2013

When somebody is watching you enter your PIN via the keyboard, or slide the pattern, as soon as the other person remembers that PIN and uses it on your phone he will unlock it. (Therefore you do not show your device while typing the PIN.) So what should a fingerprint scanner basically do when someone has a copy of your finger??? Whether iPhone or S5 or something else, until it measures your DNA via touch, it will just unlock for your fake finger. BUT, how easy is it to obtain your finger copy??? So all in all, fingerprint can still be considered a safer way to lock your device.

8. ToxiD

Posts: 54; Member since: Feb 27, 2014

I didn't think the gimmick can be more useless until now.

20. bestmvno

Posts: 251; Member since: Mar 07, 2014

It's not a gimmick. Biometrics are here to stay. It's just an infant technology at this point that will continue to improve and evolve.

27. ToxiD

Posts: 54; Member since: Feb 27, 2014

It is. Instead of it they could work on better battery optimization resulting in longer life on 1 charge, as well as OS optimization that would be appreciated in Samsung's case.

38. bestmvno

Posts: 251; Member since: Mar 07, 2014

They did work on better battery life. They have a deal with a company and are using that technology in the phone. They've also improved the os and cut back on some of the software gimmicks. Biometrics such as this may replace passwords altogether one day. The technology is not quite ready for that just yet though.

7. maherk

Posts: 7113; Member since: Feb 10, 2012

They make it sound as if it is easy to obtain and create a copy of someone's fingerprint. Smartphone thieves are usually not bank thieves, they aren't that smart. Btw, once you're logged into your PayPal account, you won't need to retype the password unless the phone is rebooted. Still, if I had the S5, I don't see myself using the FP scanner other than for unlocking the phone, surely not for my PayPal or any other account.

6. doejon

Posts: 411; Member since: Jul 31, 2012

I would only use the fingerprint sensor on the S5 for locking up my pic/movie gallery

4. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

NO one is going to use Fingerprint scanner....it's just for the sake of marketing...

5. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Yeah, when I had my Motorola Atrix 4G... never used the finger scanner.

10. PapaSmurf

Posts: 10457; Member since: May 14, 2012

Speak for yourself. I do, and it works 9/10 times. Faster than typing a password or a pattern.

12. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Swipe is my lock security o.O my phone never leaves my sight. I know it's very important... but for my situation locking my phone is just annoying.

13. Finalflash

Posts: 4063; Member since: Jul 23, 2013

I don't even have a lock screen because there is nothing on my phone I care that much about.

15. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Same here :D I have cerberus so I can erase my phone if I needed.

19. bestmvno

Posts: 251; Member since: Mar 07, 2014

I hope you don't have email on your phone and it never gets stolen or lost. Otherwise, all one would then have to do is go to sites you go to, claim "lost password", put in your email address and start collecting your passwords and financial information when the password reset gets sent to your email.

22. jaytai0106

Posts: 1888; Member since: Mar 30, 2011

Yeah I know. :P I like to gamble a little in life haha. However, a lot of sites that I have important information with do ask for security questions before they send out a reset password e-mail. Nevertheless, Cerberus is my last line of defense when the case of stolen or lost. I could send a command to it and wipe the entire phone clean.

28. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

I'm talking for the majority..... Even those who use the fingerprint scanner in ip5s...don't use it for security purposes....it makes unlocking easier so they use it... From what I've heard...unlocking the phone with the fingerprint scanner is hard so I see no use of it...

30. PapaSmurf

Posts: 10457; Member since: May 14, 2012

You heard wrong then. It takes less than a second on the iPhone 5S and about one or two on the S5. Don't go by what you hear because when you spread false information, your credibility goes down.

32. shuaibhere

Posts: 1986; Member since: Jul 07, 2012

I have seen the ip5s fingerprint scanner in action...my friend has one.... He uses it to unlock the phone easily, not for security.... But reviewers say it is hard to unlock on the S5... I had a hands-on with the S5...but didn't test the fingerprint scanner...as I have no interest in it.... S5 is really awesome though...the best display I have ever seen...
