HiRes1

Mind Your Fingers. Samsung Galaxy S5 Fingerprint Scanner Exploited

Apr 22, 2014 By Sharon Solomon

Fingerprint scanners are becoming the rage in the smartphone industry. Apple introduced its proprietary sensor in its flagship 5s device last year and Samsung has done it recently with its new Galaxy S5 model. But its not all good news. The Korean manufacturer’s latest security solution can be rendered useless with a simple home-made PCB mould.

 

 

Mobile security has taken huge strides over the last few years. With more and more work being done via smartphones, manufacturers are addressing the security issues in a variety of ways. But unfortunately these solutions are still far from perfect.

 

The fingerprint spoofing has caused extra concern as large e-commerce websites are beginning to embrace this very mobile security solution. For example, PayPal accounts can easily be compromised with the aforementioned identity theft technique.

 

Samsung released its latest flagship, the Galaxy S5, with a unique fingerprint scanner. Just like the iPhone 5s, all the user needs to do to gain access is to swipe the screen with his unique fingerprint. But SRLabs researchers have found an easy way to bypass the latest security innovation from Samsung, rendering it completely useless.

 

Spoofing fingerprints is extremely easy. The tape with the stolen fingerprint pattern can easily fool the Galaxy S5, which is not capable of distinguishing between real fingers and dummy fingerprints. Samsung’s flagship device also does not limit the number of log-in attempts. Users depending solely on the fingerprint scanner login method are not safe by any means.

 

 [SRLabs Exposes Samsung Galaxy S5 Security Glitch – Watch]

 

PayPal, the world’s largest acquirer, has unknowingly collaborated with this dysfunctional security method. The Galaxy S5 fingerprint scanner now also doubles as a check-in method for the PayPal platform – a tempting proposition for the potential fraudster. Once in possession of a stolen device and the owner’s fingerprint, theft is just a swipe away.

 

Chinese e-commerce giant Alibaba will also soon be fully compatible with fingerprint scanning smartphones like the Galaxy S5, iPhone 5s and the HTC One Max. The risk factor is huge, taking into consideration that Alibaba has over 550 million registered users who average around 8.5 million transactions on a daily basis.

 

Due to the severity of the fingerprint authentication system vulnerability, Checkmarx recommends the use of multiple-layer security in all Galaxy S5 smartphones. This can cause some inconvenience in the login process, but the inclusion of a traditional password solution can make it very difficult for strangers and thieves to gain unwanted access to the phone.

 

Needless to say, e-commerce platforms need to beef up the security and provide customers with secure login options. Fingerprint biometric systems are not reliable and cannot be counted upon until the vulnerabilities are eliminated. It’s also recommended to limit the number of login attempts, regardless of the security technology involved.

 

Source 1 | Source 2

The following two tabs change content below.

Sharon Solomon

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.