
Samsung: Anyone's thumbprint can unlock Galaxy S10 phone - choult
https://www.bbc.co.uk/news/technology-50080586
======
dangus
It isn’t just Samsung making crappy biometrics: take a look at the face unlock
marketing copy on the Pixel 4.

It just says “simply look at your phone to securely unlock it.” They make no
claims about how secure it is.

In fact there are already articles showing how the unlock feature works while
you’re asleep:
[https://9to5google.com/2019/10/16/pixel-4-tidbits-face-unloc...](https://9to5google.com/2019/10/16/pixel-4-tidbits-face-unlock-security/)

To my knowledge, Apple is the only vendor that actually made in-depth claims
about the security of their face unlock solution. They’re the only vendor that
assumed anyone cared.

Android OEMs are working off a feature checklist and that’s about it.

~~~
ahbyb
A fingerprint reader can also be operated while the victim is asleep,
unconscious, and even after you sever the thumb off (remote attack!!). Does
that mean a fingerprint reader cannot ever be called secure?

~~~
petschge
A fingerprint is never a secure password. It is a username at best.

~~~
invalidusernam3
I can read your username once and remember it. I can't do the same with a
fingerprint

~~~
pennaMan
I'm sure you can produce a hash from fingerprint model data for your reading
pleasure

~~~
djsumdog
OpenSSH does that thing now where it can visually display ASCII art of your
key fingerprint.

------
zuminator
Forbes article has slightly more information, including the fact that the
Note10 should have the same vulnerability, and it explains that it's not just
any screen protector, but a particular type of wraparound screen protector
that manages to confuse the sensor. Samsung's reaction (a recommendation to
only use authorized accessories) is completely off the mark considering that
the real problem is someone could steal your device and then use an
unauthorized accessory to access your info.

[https://www.forbes.com/sites/gordonkelly/2019/10/15/samsung-...](https://www.forbes.com/sites/gordonkelly/2019/10/15/samsung-galaxy-s10-note10-plus-fingerprint-reader-warning-upgrade-galaxy-s11)

~~~
fullstop
I read that differently -- that the scanning of a working finger leaves an
imprint in the gel, and this is what is read from the subsequent scan. This
would mean that you couldn't just grab somebody's S10, put a gel screen
protector on, and get into the device. You need to have them successfully
unlock the device first.

With this in mind, they would not be completely off the mark.

~~~
PrettyPastry
That does not appear to be the case.

There is a video circulating these comments. It shows someone register their
finger without the screen, slap the screen protector over top and unlock with
a different, previously rejected finger.

Edit:
[https://twitter.com/sta_light_/status/1184475413252210688?s=...](https://twitter.com/sta_light_/status/1184475413252210688?s=21)

~~~
cbuq
If the fingerprint somehow gets embedded into the screen protector, is it
possible that the screen protector is "tainted" with the fingerprint from
previous usage?

I'm not dismissing the claims, but I would like to see if the behavior can be
replicated with a brand new screen protector.

~~~
fullstop
Yes, 100% agreed.

------
tompccs
A bit of background on this (I am involved in the ultrasound industry):

- The chip Samsung uses is by Qualcomm. Their big claim is that their
ultrasound fingerprint scanner is the only US government approved non-optical
way of electronically scanning a fingerprint (those sensors they have at
airports use basically the same technology)

- It's supposed to be more secure than the capacitive technology Apple used
to use since it grabs a true image of the fingerprint and not just a low-res
representation

- Given this, it's probably a problem with the software on Samsung's part,
not Qualcomm

- However, it's interesting that adding the screen protector is what broke
it. It suggests that there could be any number of unintentional biometric
security holes

- It demonstrates that consumer tech companies (with possible exception of
Apple) don't really have the expertise or motivation to properly implement
biometric authentication

(edit - newlines)

~~~
criddell
Is Samsung actually storing a hi res copy of a fingerprint, or just a hash?

I'm not sure I want any tech company storing high resolution scans of my
biometrics.

~~~
tompccs
Officially, they only store a hash, but this is only a software restriction -
I believe it is possible to obtain full images but this may not be possible
with the public APIs.

In practice it may be possible to reverse-engineer the stored hashes but this
has not been demonstrated (yet).

~~~
afandian
What kind of hash is used? I guess it has to be some kind of inexact match (I
doubt the fingerprint image is ever exactly the same)? Does it operate over
the image of the fingerprint or a vector of extracted features?

~~~
OkGoDoIt
Yeah, I never understood how you could hash fingerprints or face unlock data.
How do you do a fuzzy match on a hash? I guess you can make the original data
less detailed/precise, such that slight variations would still come out with
the same hash, but that seems to defeat some of the security.

~~~
MiroF
[https://en.wikipedia.org/wiki/Locality-sensitive_hashing](https://en.wikipedia.org/wiki/Locality-sensitive_hashing)
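
What the locality-sensitive hashing link above describes, as an added example that is not part of the thread and is not Samsung's or Qualcomm's matcher: random-hyperplane LSH turns a feature vector into a bit signature, and a noisy re-read is accepted by Hamming distance rather than by exact hash equality. `DIM`, `BITS`, `THRESHOLD`, the seeds and the sample vectors are assumptions constructed for the illustration.

```python
import random

DIM = 64         # constructed feature-vector length (assumption)
BITS = 256       # signature length in bits (assumption)
THRESHOLD = 64   # max Hamming distance accepted as a match (assumption)


def make_planes(seed, bits=BITS, dim=DIM):
    """Draw one random hyperplane per signature bit from a fixed seed."""
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(dim)] for _ in range(bits)]


def signature(vec, planes):
    """Bit i records which side of hyperplane i the vector falls on."""
    sig = 0
    for plane in planes:
        dot = sum(p * x for p, x in zip(plane, vec))
        sig = (sig << 1) | (1 if dot >= 0 else 0)
    return sig


def hamming(a, b):
    """Number of signature bits that differ."""
    return bin(a ^ b).count("1")


def matches(enrolled_sig, probe_vec, planes, threshold=THRESHOLD):
    """Fuzzy match: accept when few signature bits differ."""
    return hamming(enrolled_sig, signature(probe_vec, planes)) <= threshold


# Constructed sample data, not real biometric features.
_rng = random.Random(2019)
ENROLLED = [_rng.gauss(0, 1) for _ in range(DIM)]
SAME_FINGER = [x + _rng.gauss(0, 0.2) for x in ENROLLED]   # noisy re-read
OTHER_FINGER = [_rng.gauss(0, 1) for _ in range(DIM)]      # unrelated vector

PLANES = make_planes(seed=7)
ENROLLED_SIG = signature(ENROLLED, PLANES)

if __name__ == "__main__":
    for name, vec in (("same", SAME_FINGER), ("other", OTHER_FINGER)):
        d = hamming(ENROLLED_SIG, signature(vec, PLANES))
        ok = matches(ENROLLED_SIG, vec, PLANES)
        print(f"{name}: distance {d}/{BITS}, match={ok}")
```

The threshold is the trade-off: lowering it rejects more genuine re-reads, raising it accepts more unrelated inputs.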

------
saagarjha
Biometric authentication on Android phones has always seemed to be hit-or-
miss: companies looking to add it to their feature checklist either come up
with fundamentally flawed designs (storing a fingerprint as an unencrypted
image file, etc.) or you have bugs like these. There really needs to be some
sort of realignment that incentivizes companies to get this _right_ rather
than slap together something broken and try to sell it as “iPhone may have x
feature, but we have y (which is buggy, but you don’t know that)”.

~~~
StavrosK
You must not have used many Android phones. The fingerprint scanner has been
stellar and instant in every phone I've had, at least until people started
switching to this horrible under-display one which is a huge downgrade for no
reason.

~~~
Hurtak
You must have had better luck than me.

- Xiaomi Redmi Note 4 - pretty good fingerprint scanner on the back

- Samsung Galaxy S8 - absolutely terrible fingerprint scanner that was so bad
I switched to pin after a while

- Samsung Galaxy S10 - new fingerprint scanner under display, works most of
the time but still unreliable, also it is not the quickest.

You would have thought that leading brand (Samsung) would have decent
fingerprint scanners on their flagships, but it is just not the case.

The thing with bad fingerprint scanners is that you can't rely on them, so I
rather choose reliable slower 3s unlock with pin than unreliable maybe faster
1-10s unlock with fingerprint.

~~~
test1235
3 seconds?!

~~~
Hurtak
Click the lock button, swipe up, enter the pin. Seems to be about 3s?

------
guyromm
Reminds me of a funny story: A few years back on a visit to Beijing, was
hustled on a street corner to purchase what appeared to be a brand new iPhone
(a 7, if memory serves), for a ridiculous price. The seller handed it to me to
play with, and proudly demoed the fingerprint unlock feature. The interface
looked flawless (given that it was Chinese). Naturally, it was a fake. Doing a
hard reboot brought the green Android bucket at boot.

As for the unlock feature, it took the user through all steps of fingerprint
setup only to work with any finger (or anything else warm touching it, for
that matter).

~~~
droopyEyelids
next step: the power button triggers an animation of the iOS restart process,
and has nothing to do with how to power cycle the phone

~~~
CamperBob2
I think I saw that feature in the NSA TAO catalog.

------
fullstop
It looks like this works with the fingerprint set up _before_ the screen
protector is added. The catch here, I believe, is that the screen protector
needs to have some sort of gel adhesive and it only unlocks if you've pressed
a valid finger against the screen protector prior to using the invalid finger.

Pressing the valid finger against the protector leaves an imprint in the gel,
and this is what is read when it reads the invalid finger. I don't think that
this is a bug in Samsung's code but rather a flaw in the technology that they
chose to use.

------
robinson-wall
Is there any indication of whether this only happens if the screen protector
was present prior to training the fingerprint?

> After buying a £2.70 gel screen protector on eBay, Lisa Neilson found her
> left thumbprint, which was not registered, could unlock the phone.

This suggests that an attack of "put a malicious screen protector on phone to
unlock" is possible. I'm curious whether there was any re-training after
applying the protector.

~~~
robinson-wall
Ah, here's a video of a note 10, which has the same fingerprint sensor as an
s10, being fooled by a gel _case_ after being trained with a fingerprint
normally.

[https://twitter.com/Sta_Light_/status/1184475413252210688](https://twitter.com/Sta_Light_/status/1184475413252210688)

------
laktak
Press any finger to continue.

------
Multicomp
I've never used fingerprint scanners for paranoid reasons as this, so this
gives me both some undeserved smugness and renewed paranoia.

Are long pins and passwords still the most secure way to control access to
your phone? Is there U2F for phones as a 2nd factor?

~~~
DCKing
Long pins and passwords make you a lot more susceptible to casual attackers,
as they can be gotten from shoulder surfing and casual video, like e.g.
surveillance footage.

Fingerprint replicas (or your actual fingers) are obtainable by targeted
attackers of some sophistication. But if you're targeted by attackers willing
to go that length for you, you have other problems. IMO, fingerprints provide
the best practical security.

~~~
dillonmckay
Only one of those can unlock your phone while you are unconscious, or with a
body part that has been removed.

~~~
zelos
The kind of criminal prepared to knock you unconscious or remove a thumb is
pretty rare.

~~~
HeWhoLurksLate
I'd say finger removal is a few steps less likely than knocking someone
unconscious, esp. if you can knock them unconscious and then _clone their
fingerprint_.

Mind you, there are some quite dumb criminals, so "likely probability" besides
"how likely am I to get robbed?" likely goes out the window.

------
johnday
[[It's not 100% clear but it seems that the problem only occurs if you put the
screen protector on _before_ recording your fingerprint. If you record the
fingerprint and then add the protector it does not allow you to unlock the
phone as it sees a vastly different print.

In other words, a screen protector is not a "master key" for any S10!

Please correct me if I am wrong.]]

Edit: On second reading of the article it looks like a screen protector might
_actually be a master key_ for any S10 phone. That's a really big design flaw!
(Thanks to computerex for making me read the article more critically.)

~~~
env123
From what it seems, it records a "flat" fingerprint, because the screen
protector is obviously a flat layer on top of the device. So any haptic touch
only activates this flat fingerprint

~~~
HeWhoLurksLate
Good explanation. Makes sense.

------
andrew_
It should be noted that the S10E does not suffer from this flaw, as its
thumbprint sensor is a hardware button on the side of the phone that doubles
as the power button. Just picked one up a week ago and very pleased with it.

~~~
deaps
Assuming the flaw hasn't been discovered because no one logically puts a
protective cover over that button. What if you _did_ place the same protective
cover over that button and try? Could it be hijacked in that manner?

~~~
Nyra
The screen protector/case works on the S10 because (I'm assuming here) of some
flaw with how the ultrasonic fingerprint reader reads the fingerprint, whereas
the S10e uses a traditional capacitive scanner. Both are fundamentally
different approaches to generating a copy of your fingerprint so I don't think
it's likely this technique would work on the 10e.

------
tjpnz
Some kind of smudge attack from residue left on the screen protector?

~~~
johnday
Seems to be an artifact of how the EMF interacts with the additional layer.

------
jammygit
I’m astounded at how little testing companies do with their products. Most
high school students with nothing better to do could have hypothesized this
problem and tested for it if only somebody had bothered to ask them.

------
Havoc
Given that people report this works with a protector added AFTER registering
the print...I'd love to see how Samsung reckons they can fix this with
software. Because that sounds very much like a physical issue

------
repler
I guess now we know why Apple didn't roll this out on iPhones.

~~~
celeritascelery
Apple would (hopefully) test it before releasing it on a new product.

------
CivBase
Does this mean if the fingerprint scanner gets "confused", it just defaults to
unlocking the phone? That seems like a pretty terrible design.

~~~
vunie
The theory some are claiming is that the reader is restringing the adhesive
patterns of a screen protector rather than your fingerprint.

------
Mindwipe
This really is an unforgivably bad fuckup.

It's clear that Samsung and Google are scrabbling to catch up with Apple, and
I don't see why tbh. I don't think the general public dislike traditional
fingerprint readers nearly as much as they do finding out the unlock
mechanisms aren't secure.

------
Yizahi
Seeing how bad fingerprint scanner is on S10 even with correct fingers and no
protectors I can only wish luck to the thieves who'll try to do this trick. I
sometimes can't unlock damned thing in five tries and have to enter password.

------
usaphp
You can also show a video or a photo of a phone owner and it will be unlocked.
It’s a joke of a security and most people don’t understand that and think it’s
as secure as iPhone’s face unlock, which is a totally different beast

------
dandare
Erring on the side of unlocking? Fascinating strategy for a lock.

------
prirun
First thing I did when I got my BLU R2 Plus Android phone was to put
electrical tape over the fingerprint reader.

------
al_be_back
10/10 for accessibility - worth mentioning that at next performance review.

------
lowlevel
Hmm... maybe someone else's will work better than mine... I can hardly get in.

------
JoeAltmaier
Biometrics makes the usual mistake of using the user identifier as a password.

As repeated here in HN, a good password is nothing like biometrics. A good
password should

- be frequently changeable

- not be left lying around

- not be easily visible in public

- if discovered, not be obviously associated with the user

- have lots of entropy

Biometrics fails _all_ of these tests

~~~
celeritascelery
That may be true in principle, but in reality an average user password meets
none of those requirements either.

~~~
JoeAltmaier
Biometrics is often an order of magnitude less entropy than even an
8-character password. Your garage door opener code has more.

~~~
abandonliberty
Does that include the 3d scanning capabilities of the iphone?

------
excalibur
Has anybody tried this with the older in-button fingerprint scanners?

------
ahbyb
Can someone explain to me how something like this is technically possible? And
by "explain" I don't mean "ELI5", be all the technical you want. How can you
design a fingerprint reader that lets anybody in like this?

~~~
fl0wenol
[https://www.engadget.com/2019/10/17/samsung-patch-fingerprin...](https://www.engadget.com/2019/10/17/samsung-patch-fingerprint-reader/?guccounter=1#comments)

What is suspected here is that registering the finger with the screen
protector on is masking the shape of the finger while still registering the
touch action. As a result, it's enrolling a blank print. Then anyone else can
unlock it afterwards with the screen protector still on.

Consider that screen protectors are designed and tested only to make sure
touch actions work correctly, but this ultrasonic fingerprint ridge-shape
detection technology is new, so they're probably not mutually compatible.

I don't know what was wrong with the swipe sensor. They're discreet, easy to
keep clean, and hard to screw up. Maybe the only downside is they would keep
them too close to the camera lens for accidental lens smudging.

~~~
Daniel_sk
The fingerprint is registered without the screen protector on - proof:
[https://twitter.com/Sta_Light_/status/1184475413252210688](https://twitter.com/Sta_Light_/status/1184475413252210688)

------
colorincorrect
there's an anecdote somewhere about how software security is almost never
directly "cracked", but instead bypassed

------
Geee
I'm pretty sure this is caused by a hack by Samsung to make the fingerprint
sensor work with screen covers.

    
    
        if (screencover) return true;

------
timvisee
`return true;`

------
matiszek23
Good

