A lone security researcher just gave Samsung’s mobile phone cybersecurity technology the finger. According to a video posted on the Imgur site on Friday, it’s possible to bypass the biometrics on the new Galaxy S10 range in just a few minutes, using a 3D-printed fingerprint.
Released in February, almost every phone in the Galaxy S10 range features a fingerprint reader under the screen, contrasting with the previous generation of Galaxy S phones which put it on the back of the device. The only exception is the S10 Essential, which has a capacitive resistor on the side of the phone.
Capacitive technology is what most modern non-display fingerprint sensors use. It measures the electrical resistance between the tiny ridges and valleys of your fingerprint as they contact the sensor, creating a 2D image of it.
Under-display sensors take a different approach, using ultrasonic technology to bounce sound waves off the user’s finger. This creates a 3D ultrasound image of your fingerprint, containing information about the depth of its ridges and valleys.
Cool, right? Not according to Darkshark, an anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D printed-fingerprint.
In the description, Darkshark said that they photographed their finger on the side of a wine glass using their smartphone. Then they used Photoshop to increase the contrast and create an alpha mask (which is a fully-opaque version of an image). Using the 3DS Max 3D modeling software, they created a geometry displacement, which is a version of the alpha image with depth information from the original. Then, they used an Anycubic Photon resin-based 3D printer, which costs around US$500, to reproduce the print.
The whole process took around 13 minutes, and Darkshark said that it could take less time still:
If I steal someone’s phone, their fingerprints are already on it. I can do this entire process in less than 3 minutes and remotely start the 3d print so that it’s done by the time I get to it.
This isn’t something that would work with capacitive sensors, because a 3D print wouldn’t have the electrical resistance to mimic a human print. It’s also worrying because of the number of apps that are using fingerprint biometrics as a form of authentication, warned Darkshark:
Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.
One such financial app? The cryptocurrency wallet that Samsung has released for its smartphones. The software, which supports at least Ethereum-related tokens, “features a secondary layer of authentication that includes PIN and fingerprint” according to Android Authority.
All of which tells us, more than ever, that one form of identification might not be enough. If you want to be extra careful, then defense-in-depth is a useful approach. It is possible to add a screen lock to your S10 that requires a PIN, password or pattern swipe for access.
Or you could just, um, wear gloves any time you touch anything?