Four days and a spoofed fingerprint later, security researchers made a joke of Galaxy S5 fingerprint authentication as they gained access to the phone and then to a PayPal account linked to the smartphone.
It took only two days for the Chaos Computer Club to bypass Apple’s Touch ID, tricking the iPhone 5S fingerprint scanner with a fake fingerprint made of wood glue. At the time, the CCC said, “It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token." Avoid fingerprint biometrics, the CCC advised, as they are an unsuitable access control method. You might think smartphone makers would have learned something from that, but it took only four days after Samsung released the Galaxy S5 before its security feature was fooled by the same trick, using the exact same fake fingerprint that had defeated the iPhone 5S.
“Fingerprints are not fit for secure device unlocking,” warned researchers from Security Research Labs. “Samsung does not seem to have learned from what others have done less poorly,” said SRLabs researchers. Apple, for example, requires the passcode after a reboot and after too many failed fingerprint attempts, and limits fingerprint-authenticated payments to the App Store. Samsung spent more money building its smartphone, yet it does not provide even that level of protection.
After tearing down a 32GB version of the Galaxy S5, IHS Technology said Samsung’s “astronomical” total build cost for the device is $256.52. Apple’s build cost for a comparable version of iPhone 5S is about $207 per phone. Although most of the components are broken out by cost, the Galaxy S5 fingerprint scanner is not. IHS reported, “The S5 represents the latest escalation of the sensor war;” the S5 has more sensors “than IHS has ever detected in a smartphone design.”
Regarding Samsung’s S5 biometric authentication system, SRLabs said, “Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password.” The researchers posted video proof, showing a fake fingerprint swipe granting access to the S5 home screen and then to “highly sensitive apps” like PayPal, which “gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing.”
Once he has allowed the phone to connect to the internet, the attacker in this video is able to use PayPal’s new app to perform any task he wishes, including making purchases and unsolicited money transfers from the victim’s PayPal account.
Samsung’s Galaxy S5 fingerprint sensor uses the FIDO authentication standard and FIDO Ready software. Samsung and PayPal reportedly worked together so S5 owners can “use the fingerprint authentication to make payments; one swipe of a finger over the home button where the fingerprint scanner is embedded and a consumer is securely logged into PayPal in order to shop at any merchant that accepts PayPal on mobile and in stores.”
After SRLabs showed off the hack, PayPal quickly issued a statement:
While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.
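The two design points in this story, the missing fallback to a passcode that SRLabs describes and the revocable device key that PayPal describes, can be shown together in a small model. The following is an added illustration written for this page; it is not Samsung, FIDO or PayPal code, the policy thresholds (five failures, passcode after reboot) and the HMAC standing in for a FIDO signature are assumptions, and the "fingerprint" is just a byte string so that a spoof is any input matching the enrolled template:

```python
import hashlib
import hmac
import secrets

# Hypothetical policies, not values taken from either vendor.
# WEAK never falls back to a passcode (the behaviour SRLabs reported on the S5);
# STRICT demands the passcode after a reboot and after N failed swipes.
WEAK_POLICY = {"max_failures": None, "passcode_after_reboot": False}
STRICT_POLICY = {"max_failures": 5, "passcode_after_reboot": True}


class Device:
    """Phone-side state: enrolled template, passcode, and a device-bound key that is
    only used while the screen is unlocked (the 'password replacement' key)."""

    def __init__(self, policy, enrolled_finger, passcode):
        self.policy = policy
        self.enrolled = enrolled_finger
        self.passcode = passcode
        self.failures = 0
        self.rebooted = True            # fresh boot
        self.unlocked = False
        self.key = secrets.token_bytes(32)   # stands in for a FIDO private key

    def sensor_ok(self):
        """Is the sensor alone allowed to unlock right now?"""
        if self.policy["passcode_after_reboot"] and self.rebooted:
            return False
        limit = self.policy["max_failures"]
        return limit is None or self.failures < limit

    def swipe(self, finger):
        """A swipe; a spoof that reproduces the template passes exactly like the real finger."""
        if not self.sensor_ok():
            return False
        if finger == self.enrolled:
            self.failures = 0
            self.unlocked = True
            return True
        self.failures += 1
        return False

    def enter_passcode(self, code):
        if hmac.compare_digest(code, self.passcode):
            self.failures = 0
            self.rebooted = False
            self.unlocked = True
            return True
        return False

    def reboot(self):
        self.rebooted = True
        self.unlocked = False

    def lock_screen(self):
        self.unlocked = False

    def sign(self, challenge):
        """Release a signature over the relying party's challenge only while unlocked."""
        if not self.unlocked:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: holds a verification key per device and can revoke it."""

    def __init__(self):
        self.keys = {}

    def register(self, device_id, key):
        self.keys[device_id] = key

    def revoke(self, device_id):
        self.keys.pop(device_id, None)

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, device_id, challenge, signature):
        key = self.keys.get(device_id)
        if key is None or signature is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def spoof_after_reboot(policy):
    """Power-cycle the phone and present a matching spoof once; did it unlock?"""
    dev = Device(policy, b"victim-template", "1234")
    dev.reboot()
    return dev.swipe(b"victim-template")


def wrong_swipes_evaluated(policy, attempts):
    """How many wrong swipes the sensor evaluates before demanding the passcode."""
    dev = Device(policy, b"victim-template", "1234")
    dev.enter_passcode("1234")    # owner unlocked once since boot
    dev.lock_screen()
    evaluated = 0
    for _ in range(attempts):
        if not dev.sensor_ok():
            break
        dev.swipe(b"wrong-finger")
        evaluated += 1
    return evaluated


def payment_with_spoof(revoked):
    """Spoof the sensor, then answer the server's challenge; revocation is the only server-side stop."""
    server, dev = Server(), Device(STRICT_POLICY, b"victim-template", "1234")
    server.register("phone-1", dev.key)
    dev.enter_passcode("1234")
    dev.lock_screen()
    if revoked:
        server.revoke("phone-1")
    dev.swipe(b"victim-template")          # the spoof
    ch = server.challenge()
    return server.verify("phone-1", ch, dev.sign(ch))
```

Under the weak policy the spoof unlocks a freshly booted phone and the sensor keeps evaluating wrong swipes indefinitely; under the strict policy both paths stop at the passcode. The payment flow shows the limit of what PayPal's statement offers: the server never sees a fingerprint, only a signature from the device key, so a successful spoof produces a valid signature and the key is only useless once the victim has reported the phone and it has been revoked.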
Even though it is doubtful that an attacker would photograph your fingerprint and then turn it into a fake finger just to reach PayPal on your phone, attackers may embrace fingerprint spoofing once ATMs use fingerprint scanners for authentication. SRLabs has a page devoted to spoofing fingerprints and the related security risks.