A U.S. senator Tuesday questioned Samsung on the privacy protections the company has in place for the fingerprint scanning technology on its recently released Galaxy S5 smartphone.
In a letter addressed to the South Korean and U.S. top executives of the company, Sen. Al Franken (D-Minn.) expressed concern over reports about security gaps in the technology and demanded to know what measures the company has for addressing them.
Samsung did not respond immediately to a request for comment.
Like Apple's TouchID, Samsung's fingerprint scanner was hacked by security researchers just a few days after the product was released, Franken noted in his letter to Samsung. In both cases, researchers were able to easily fool the scanners using a fake fingerprint lifted from a smartphone touch screen.
"Initial reports also suggest that the Galaxy S5 may raise security concerns that Touch ID does not," Franken noted. For instance, the scanner allows for unlimited authentication attempts without ever requiring a password. In contrast, the TouchID requires iPhone 5S users to enter a password after five failed fingerprint authentication attempts, Franken said.
Unlike the TouchID, which only allows users to unlock a phone and use a narrow set of applications, Samsung's technology lets users access the entire range of applications on the phone once they have been authenticated using a fingerprint.
"This means that you can use the Galaxy S5 fingerprint scanner to send money on PayPal" without needing to use a password, Franken wrote apparently referring to a demonstration of exactly that capability by security firm Chaos Computer Club last month.
"Unfortunately, it likely means that bad actors who spoof your fingerprints can do that too," he said.
While fingerprint-based authentication can be convenient, fingerprints are the opposite of private. They are easy to steal because people leave fingerprints on everything they touch. Hackers with a digital copy of a fingerprint can use it to impersonate another individual for the rest of that person's life, Franken said.
Franken asked Samsung to explain how it secures fingerprints generated by the scanner and whether the technology allows locally stored fingerprints to be converted to a digital or visual format that can be used by others.
He also asked Samsung to explain whether it would be possible for a third party to extract a fingerprint stored on a device and whether fingerprint images are backed up onto computers or to Samsung servers in the cloud. He wanted to know if Samsung plans on enabling fingerprint authentication on other device, such as its tablet computers.
In addition, Franken asked a series of detailed questions on Samsung's policies on whether it considers fingerprint data to be part of the contents of a communication message or as a subscriber number or identity as defined in the Stored Communication Act. Knowing the answers to such questions are important because it provides insight into how the company will treat fingerprint data when confronted with a demand for data by law enforcement and other government agencies.
"I am not trying to discourage adoption of fingerprint technology for consumer mobile devices," Franken said. Rather the goal is to get companies to deploy the technology in a measured and secure manner, he said.
This article, Senator seeks answers on Samsung's fingerprint scanner for Galaxy S5, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.