German Researchers Crack Samsung's Fingerprint Scanner

German researchers have used a fake fingerprint made from glue to bypass the fingerprint security system on Samsung's new Galaxy S5 smartphone.
Posted at 12:57 PM, Apr 16, 2014

Samsung's sleek Galaxy S5 phone is no match for a few German hackers.

It took the experts at SRLabs, or Security Research Labs, just four days to crack the device's brand-new built-in fingerprint scanner.

To achieve the hack, the team used a "fairly elaborate process" to lift a real fingerprint from the smartphone's screen and then combine wood glue and graphite spray to create an exact copy, according to BBC.

A simple swipe across Samsung's Galaxy S5 reveals the false print does indeed work. (Via YouTube / SRLabs)

Now, your average hacker might not be a mold-making genius — Engadget says the lifted fingerprint needs to be flawless — but the results prove the scanner's vulnerability. When it comes to fingerprint security, the lab puts it more bluntly.

"Samsung's flagship model leaves much to be desired." (Via YouTube / SRLabs)

And it's not just talking about securing your vacation photos on the phone. Other features, like direct PayPal integration, have seemingly baited the smartphone for hackers. CBS explains:

"Once the initial scan gains entry to the phone, someone can open an app such as PayPal with no further security or identification required. As shown in the video, the person is able to log in to PayPal, giving him the ability to access the owner's account."

A fingerprint scanner is becoming the cherry placed on top of brand-new flagship devices such as the Galaxy handset as well as Apple's iPhone 5S. (Via Samsung, Apple)

However, no device's scanner is completely immune to hacking. The hackers used the exact same wood-glue print to carry out hacks on the iPhone last fall — they didn't even need a new mold. (Via YouTube / SRLabs)

But BGR explains Apple's smartphone has added an extra hacker-stopping feature not found on Samsung's S5.

"Users are required to input their password one time before using a fingerprint for authentication. The password must be used again once each time the device is rebooted. This extra step seems annoying, but it prevents the very spoof achieved by SRLabs."

Even SRLabs admits its best hacks have flaws. To foil its own design, it recommends that smartphone makers design their scanners to capture more detailed prints and train them to recognize the signs of a fake, for example by looking for the tiny air bubbles that pop up in hacker glue prints.

As of this morning, Samsung has yet to comment on the security hack.