SRLabs researchers have released a new video demonstrating why fingerprints are not fit for secure device unlocking.
Fingerprint sensors on smartphones are certainly a big step forward. But are they good enough? Back in September last year, German researchers managed to crack the protection around Apple’s fingerprint sensor on the iPhone 5S. The researchers used a “fake fingerprint”, which could be put onto a thin film and used with a real finger to unlock the device. And now, the fingerprint sensor on Samsung’s new Galaxy S5 has been cracked with the very same trick.
Germany-based SRLabs has released a video demonstrating the trick. The researchers used a “wood glue spoof”, made from a mould of a fingerprint smudge left on the smartphone’s screen. According to SRLabs, the fingerprint sensor in the S5 is more shoddy than what was found in the iPhone 5S.
Apple requires a password after every reboot before users can unlock their iPhone 5S with the fingerprint scanner. The phone also requires a password after a certain number of failed attempts with the fingerprint scanner.
However, the Galaxy S5 allows users to make unlimited attempts to unlock the device with the fingerprint scanner. Moreover, rebooting doesn’t lock the fingerprint scanning feature. The researchers showed how the Galaxy S5 fingerprint hack could allow hackers to access the PayPal app on the phone.
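The two unlock policies the article contrasts, as an added example (not SRLabs’, Apple’s or Samsung’s code): the attempt limit of 5, the reboot rule and the sample prints are assumed values, and the plain string match stands in for a real sensor matcher. It shows how an attempt limit and a password-after-reboot rule bound what a spoof can achieve.

```python
# Added example, not vendor code: the limit, reboot rule and samples are assumed.
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class UnlockPolicy:
    max_fingerprint_attempts: Optional[int]  # None = unlimited (the S5 behaviour described above)
    password_after_reboot: bool              # True = no fingerprint unlock until a password unlock

class Device:
    def __init__(self, policy: UnlockPolicy, enrolled: str, password: str):
        self.policy, self.enrolled, self.password = policy, enrolled, password
        self.reboot()
    def reboot(self) -> None:
        self.failed = 0
        self.fingerprint_allowed = not self.policy.password_after_reboot
    def unlock_with_password(self, pw: str) -> bool:
        ok = secrets.compare_digest(pw, self.password)  # constant-time comparison
        if ok:
            self.failed, self.fingerprint_allowed = 0, True
        return ok
    def unlock_with_fingerprint(self, sample: str) -> str:
        """Returns 'unlocked', 'rejected' or 'password_required' (fingerprint path closed)."""
        if not self.fingerprint_allowed:
            return "password_required"
        if sample == self.enrolled:  # stands in for the sensor's matcher
            self.failed = 0
            return "unlocked"
        self.failed += 1
        limit = self.policy.max_fingerprint_attempts
        if limit is not None and self.failed >= limit:
            self.fingerprint_allowed = False  # close the fingerprint path, require the password
            return "password_required"
        return "rejected"

def spoof_attempts(device, samples):
    """Present samples until one unlocks or the fingerprint path closes; returns (outcome, samples evaluated)."""
    tried = 0
    for s in samples:
        if not device.fingerprint_allowed:
            return ("password_required", tried)
        tried += 1
        if device.unlock_with_fingerprint(s) == "unlocked":
            return ("unlocked", tried)
    return ("exhausted", tried)
# Constructed candidates: the eighth is a copy of the enrolled print.
CANDIDATES = [f"spoof-{i}" for i in range(1, 8)] + ["print-real", "spoof-9", "spoof-10"]
WEAK = UnlockPolicy(max_fingerprint_attempts=None, password_after_reboot=False)
STRICT = UnlockPolicy(max_fingerprint_attempts=5, password_after_reboot=True)
```

Under WEAK the eighth candidate unlocks the device; under STRICT the fingerprint path is closed after a reboot and again after five failures, so the attacker is pushed back to the password.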
SRLabs points out that using fingerprints as credentials for local user authentication has two flaws compared with the traditional password system.
The first is limited revocation: once a fingerprint is stolen, there is no way to change it. The second is credential spread. “Users leave copies of their fingerprints everywhere; including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs (fake fingers) can be produced from these pervasive copies,” said the firm.
Meanwhile, PayPal has issued a statement saying the company has taken the SRLabs findings seriously.
“The scan unlocks a secure cryptographic key that serves as a password replacement for the phone,” the statement read. “We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, you are covered by our purchase protection policy.”