The new Samsung Galaxy S5 launched with a fingerprint sensor like the iPhone 5S and, just like its iOS archrival, the Galaxy S5's fingerprint sensor has been hacked.
In just four days since the Samsung Galaxy S5's launch, German researchers have already managed to trick the smartphone's fingerprint sensor into granting unauthorized access by using a mold of a fingerprint instead of a real finger.
Security Research Labs (SRLabs) has posted a video demonstration of the hack on YouTube, noting that although fingerprint authentication is among the headline features of the new Galaxy S5, Samsung's implementation of the technology "leaves much to be desired."
To defeat the Samsung Galaxy S5's fingerprint reader, the researchers enrolled a real finger on the smartphone, then unlocked it with a mold of that fingerprint. Although the mold shown in the video was made under laboratory conditions, the technique does not require much expertise.
"The spoof was made under lab conditions but is based on nothing more than a camera phone photo of an unprocessed latent print on a smartphone screen," SRLabs explained. "Not only is it possible to spoof the fingerprint authentication even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password."
The iPhone 5S, meanwhile, requires users to enter a password before proceeding to the fingerprint authentication, as well as each time they reboot the device.
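To make the two implementation gaps SRLabs describes concrete (no passcode gate after the device has been powered off, and no cap on fingerprint attempts), here is an added illustration that is not code from SRLabs, Samsung or this article: a minimal authentication-policy model in Python. The sensor verdict is a constructed input; the model only shows how the policy layer decides whether a passcode is demanded.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BiometricPolicy:
    passcode_required_after_boot: bool     # iPhone-5S-style gate after reboot
    max_biometric_attempts: Optional[int]  # None = unlimited (as SRLabs describes for the S5)


@dataclass
class AuthState:
    policy: BiometricPolicy
    passcode_entered_since_boot: bool = False
    failed_biometric: int = 0
    biometric_locked: bool = False

    def reboot(self) -> None:
        # Power cycle clears the "passcode seen" flag; a strict policy gates on it.
        self.passcode_entered_since_boot = False
        self.failed_biometric = 0
        self.biometric_locked = False

    def enter_passcode(self, correct: bool) -> bool:
        if correct:
            self.passcode_entered_since_boot = True
            self.failed_biometric = 0
            self.biometric_locked = False
        return correct

    def try_fingerprint(self, sensor_match: bool) -> str:
        """Return 'granted', 'denied' or 'passcode_required' for one attempt."""
        if self.policy.passcode_required_after_boot and not self.passcode_entered_since_boot:
            return "passcode_required"
        if self.biometric_locked:
            return "passcode_required"
        if sensor_match:
            self.failed_biometric = 0
            return "granted"
        self.failed_biometric += 1
        cap = self.policy.max_biometric_attempts
        if cap is not None and self.failed_biometric >= cap:
            self.biometric_locked = True   # further sensor input is ignored until a passcode
            return "passcode_required"
        return "denied"


# Constructed sensor verdicts: a spoof that is rejected five times, then accepted.
SPOOF_SEQUENCE: List[bool] = [False] * 5 + [True]


def run_after_reboot(policy: BiometricPolicy, sensor_results: List[bool]) -> str:
    """Replay sensor verdicts right after boot, stopping at the first non-'denied' outcome."""
    state = AuthState(policy)
    state.reboot()
    outcome = "denied"
    for match in sensor_results:
        outcome = state.try_fingerprint(match)
        if outcome != "denied":
            break
    return outcome
```

Under the permissive policy the replay ends in "granted" without a passcode ever being asked for; under the strict one the first post-boot attempt already returns "passcode_required", and after a passcode the fifth failure locks the sensor.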
This vulnerability in Samsung's implementation of its fingerprint scanner raises even more red flags because the Galaxy S5 boasts PayPal integration, allowing users to authenticate transactions and move money using the fingerprint scanner. According to SRLabs, this integration with PayPal gives potential attackers even more reason to hack a smartphone. PayPal, for its part, defended the biometric authentication.
"While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards," PayPal said in a statement to the media. "PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy."
Fingerprint authentication has been a hot and controversial topic ever since Apple first introduced the feature with its iPhone 5S, which sports a fingerprint sensor called Touch ID embedded into the smartphone's home button. The new hack of Samsung's Galaxy S5 fingerprint scanner raises even more concerns now regarding the effectiveness of the technology, especially since it's meant to provide an extra layer of security. While you can change a password that's been compromised, you can't change a fingerprint, and it is crucial for manufacturers to ensure their implementation of this technology doesn't put users at risk.
Samsung has yet to offer a statement in this regard, but it is expected to comment on the matter shortly. In the meantime, you can watch the video below and see how the Galaxy S5's fingerprint reader was spoofed.