The fingerprint reader on Samsung’s flagship S10 and Note10 smartphones can be spoofed with a $3 screen protector.
That’s according to a British woman who claimed that after fitting the screen protector she was able to unlock her S10 using any one of her fingerprints, including ones not enrolled in the phone’s authentication system.
Then she reportedly asked her husband to try the same thing, and his thumbprints worked too, as did the same trick on her sister’s Samsung. Obviously, something was up.
She called Samsung:
The man in customer services took control of the phone remotely and went into all the settings and finally admitted it looked like a security breach.
The company’s initial response:
We’re investigating this internally. We recommend all customers to use Samsung-authorised accessories, specifically designed for Samsung products.
Then, last week in comments to Reuters, Samsung admitted the problem was real and said it would release a software patch:
We are investigating this issue and will be deploying a software patch soon. We encourage any customers with questions or who need support downloading the latest software to contact us directly.
Screen protection
South Korean online bank KakaoBank has reportedly told its customers to stop using the S10 and Note fingerprint system until the issue is fixed.
The issue of the S10 and screen protectors was first noticed when the smartphone was launched in February 2019.
Unlike older designs, which use a dedicated sensor, the Qualcomm ultrasonic technology used by Samsung is embedded under the screen. It measures sound waves caused by the pressure of a user’s finger to analyse the fingerprint.
It was noticed, however, that covering the screen with a protector could in some circumstances create a minute air gap that could interfere with these sound waves – hence Samsung’s advice to use its branded screen protectors, whose special adhesives remove the possibility of that gap.
What to do
If you own an S10 or Note 10, we’d recommend turning off fingerprint security and using a PIN until the promised patch becomes available.
It’s not clear whether that will arrive as an out-of-band patch or will be part of November’s Android security update.
It’s not the first time the S10’s fingerprint reader has been in the spotlight. In April we reported on an anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D-printed fingerprint.
But it could be worse – as Naked Security reported in April, the Nokia 9 PureView’s fingerprint reader was fooled by… a chewing gum packet.
All of which tells us, more than ever, that one form of identification might not be enough.
Mr.G
What to do is simple: do not use cheap 3rd party screen protectors.
Sean
If your phone can be fooled by a screen protector or a gum packet, your phone is a piece of garbage. Spend your grand on something better.
Anonymous
That would not fix the core security issue. As an attacker with physical access to the phone, I could replace that screen protector with a cheap 3rd party screen protector and gain access to your device.
Paul Ducklin
As mentioned, it seems that some screen protectors make lots of different fingerprints seem similar… but if you registered your fingerprint with a protector that preserves the detail needed, then adding a different protector later ought to reduce the chance of sneaking in, not to increase it. Have I got that bit right?
Anonymous
Um, this just makes it worse. It means thieves could just buy their own third party screen protector and steal a 10 and then change the password and wipe everything. Make the 10 cost half as much as the Note 9 because it’s a downgrade for sure.
Cvnk
You left out a detail that helps explain the issue a little better. The problem occurs when you capture a model fingerprint while the screen protector is in place. The model is then of poor quality and gets matched to a wider range of prints.
However, you obviously can’t mitigate the risk by building models prior to applying the screen protector because then you’ll never get a match once you put the protector on.
Samsung needs to judge the quality of the model prints and reject them if they aren’t detailed enough.
Paul Ducklin
That was my thought, too. It seems a bit like letting someone submit a blurry and indistinct passport photo – a recipe for future misidentification.
Laurence Payne
Or to buy one to carry around if you anticipate wanting to break into a Samsung phone!
Paul Ducklin
I don’t think that adding a screen protector *to a phone that doesn’t have one* will let you in. AFAIK, if I register my fingerprint on a protectorless phone then adding a protector later will pretty much stop *anyone’s* fingerprint working, including my own. It seems that the problem comes when you register with a protector on – the protector can make lots of different fingerprints look similar. (Presumably if you register with a cheap protector and then remove it, you’ll lock yourself out, too?)
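Added example, not part of the original comments and not Samsung's or Qualcomm's algorithm: a constructed toy model of the two points made above, that enrolling through a detail-destroying protector yields a template almost anyone matches, and that an enrollment quality check (as Cvnk suggests) would refuse such a template. The bit-vector "fingerprints", the 95% detail loss and both thresholds are assumptions chosen for illustration.

```python
import random

N = 256            # features per capture (constructed toy model, not a real sensor format)
MATCH_MIN = 0.85   # assumed: fraction of features that must agree to unlock
DETAIL_MIN = 0.25  # assumed: minimum share of ridge features for a usable enrollment

def finger(seed):
    """A constructed 'fingerprint': N random ridge/valley bits."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(N)]

def capture(bits, gap_loss, seed):
    """Read a finger; gap_loss is the share of features the air gap flattens to 0."""
    rng = random.Random(seed)
    return [0 if rng.random() < gap_loss else b for b in bits]

def detail(sample):
    """Share of features that carry ridge detail."""
    return sum(sample) / N

def enroll(sample, quality_gate):
    """Return the stored template, or None if the gate rejects a low-detail capture."""
    if quality_gate and detail(sample) < DETAIL_MIN:
        return None
    return sample

def unlocks(template, probe):
    """Unlock only if enough features agree between template and probe."""
    agree = sum(t == p for t, p in zip(template, probe)) / N
    return agree >= MATCH_MIN

def demo():
    owner, stranger = finger(1), finger(2)
    gap = 0.95  # assumed: a badly fitted protector hides 95% of the detail
    clean = enroll(capture(owner, 0.0, 10), quality_gate=False)
    blob = enroll(capture(owner, gap, 11), quality_gate=False)
    return {
        "clean_owner": unlocks(clean, capture(owner, 0.0, 12)),
        "clean_stranger": unlocks(clean, capture(stranger, 0.0, 13)),
        "blob_stranger": unlocks(blob, capture(stranger, gap, 14)),
        "clean_owner_with_protector": unlocks(clean, capture(owner, gap, 15)),
        "gate_rejects_blob": enroll(capture(owner, gap, 16), quality_gate=True) is None,
        "gate_accepts_clean": enroll(capture(owner, 0.0, 17), quality_gate=True) is not None,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```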
Laurence Payne
Ah, right! A bit of sense. Thank you.
kurt
It’s unclear whether the person programmed her phone with the cheap screen protector on or whether you can place the cheap screen protector on any phone that already had a fingerprint stored and be able to get in the phone.
nadeem5786com
It is amazing how a cheap screen protector can do it. For me, it takes two to three tries for it to recognize my fingerprint; sometimes I ended up using either PIN or face recognition. Luckily I can keep other log-in options along with fingerprint.
Winston Koval Hutchinson
People are stupid. You do not register your fingerprint with the gel protector on 😑. Never ever have I had an issue with this.
Andy Glenn
From what I understand, this headline got the whole issue wrong. The fingerprint reader isn’t beaten at all. The problem is people not following directions. There is a warning in the package when you buy the phone that says not to use normal screen protectors with it. It specifically points out that most protectors will interfere with the fingerprint reader. You use one of those, then register your print, all the phone sees is a giant blob. From that point on, any blob will unlock the phone. That doesn’t sound like Samsung’s problem at all. It’s all user error.
Mark Stockley
Wisely, Samsung have decided to issue a patch rather than to explain to users they’re doing it wrong.