Categories: Hacking

Samsung Galaxy S5 fingerprint sensor hacked

SRLabs researchers have published a video POC on YouTube to demonstrate how it is easy to bypass the fingerprint sensor on Samsung Galaxy S5.

SRLabs researchers have published a video Proof of Concept on YouTube to demonstrate that they were able to bypass the fingerprint authentication mechanism implemented by Samsung Galaxy S5. The researchers demonstrated to gain unauthorized access just by using a lifted fingerprint with wood-glue based dummy finger. Remind you of anything?

Principal mobile manufacturers tried to improve user’s security adding biometric authentication system based for example on Fingerprint feature. Months ago Apple proposed its Apple TouchID system that was easily hacked and today’s security experts have found a way to bypass also the Samsung Galaxy S5 Fingerprint feature. The feature implemented in the Samsung Galaxy S5 was also used to facilitate payments through PayPal and theoretically also to make it more secure.

Samsung Galaxy S5 also implemented a smart feature to allow users to easily transfer money via PayPal circuit just by swiping a finger on the fingerprint sensor, but considering the attack presented by the teamSRLabs could allow bad actors to access to victim’s PayPal account without providing any secret password. A few days after the official commercial launch of the Samsung Galaxy S5 security experts have successfully hacked Fingerprint sensor with a method quite similar to the one adopted to deceive the Touch ID sensor proposed by Apple.

SRLabs researchers exploited the poor security implementation in the handset fingerprint scanner, the Samsung Galaxy S5 fingerprint scanner in fact allows multiple incorrect attempts without requiring a password, this means that a bad actor could potentially make an infinite number of tries until the correct match.

Another concerning issue related to the hack presented by the researchers is that after mobile restart the Samsung Galaxy S5 doesn’t require user to enter a passcode before he can use his fingerprint to unlock the Smartphone, this means that in case of theft attackers could have complete access to the device. Despite attackers need to have physical access to the Samsung Galaxy S5 to exploit the vulnerability, it is clear that Fingerprint feature implemented by the giant lack of a proper security design. I’m sure Samsung will promptly fix it.

Pierluigi Paganini

(Security Affairs – Samsung Galaxy S5, mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.