Screen protector defeats Samsung Galaxy S10 fingerprint reader

[porina]

Quote

A flaw that means any fingerprint can unlock a Galaxy S10 phone has been acknowledged by Samsung.

 

It promised a software patch that would fix the problem.

 

The issue was spotted by a British woman whose husband was able to unlock her phone with his fingerprint just by adding a cheap screen protector.

https://www.bbc.com/news/technology-50080586

 

Well, that's a bit of an oversight on Samsung's part. It will be interesting to understand the technical reasons why this happens, unless it is just a massive flaw in the software somewhere. We rely on technology like fingerprint readers to limit access to our devices and associated services like payment authorisation, so anything that breaks it is a concern. Owners of the affected phone may want to exercise caution until the fix is in place. It will also be curious to see if a similar attacks also work on other manufacturer's implementations.

[ZeouLs]

1 minute ago, VegetableStu said:

was the fingerprint registered before or after the screen protector? o_o

What I understand it , her right thumb was scanned before the protector. After the protector she could unlock it with her left thumb aswell as both thumbs of the husband

[Sauron]

I've said for years that if you care about security you should use a normal password.

[porina]

18 minutes ago, VegetableStu said:

hmm, so is this a resolution thing through an extra layer? like would it also bug out when it's registered after applying? o_o

Good questions.

 

Some other sites have also covered it but I've not reviewed them to see if they have different information.

 

One way I could speculate about is what if some fingerprint residue was left before the screen protector was applied. Could that still be picked up after? I might have to ask around the office to see if anyone has one of these phones. If you don't pick an iPhone you get a Samsung, so there is a fair chance.

[WereCatf]

2 minutes ago, porina said:

One way I could speculate about is what if some fingerprint residue was left before the screen protector was applied. Could that still be picked up after?

That is basically how fingerprints have been bypassed for decades now and it seems it still works to this day.

[mxk]

35 minutes ago, Sauron said:

I've said for years that if you care about security you should use a normal password.

yeah but privacy is dead d-_-b

[GenericFanboy]

at work one of my coworkers has the s10, he has a screen protector with just a cutout for the finger sprint scanner on it lmao

[Beef Boss]

So just don't use cheap screen protectors that are mushy? Haven't had any problems with mine, I've replaced my screen protector already,and will be a lot because of the inability to use a glass screen protector.

[TVwazhere]

47 minutes ago, veldora said:

So just don't use cheap screen protectors that are mushy? Haven't had any problems with mine, I've replaced my screen protector already,and will be a lot because of the inability to use a glass screen protector.

I really wanted a glass one, but there's only one of the market that works with the built in finger print reader and it's because it uses either thinner glass or no glass at the spot where the scanner is. Currently I'm running without one at all, because i find any non-glass protector to feel sticky and add friction to swipes compared to glass.

[Master Disaster]

Meanwhile the fp scanner on my Pixel 3 doesn't work with any prints at all, even ones registered.

[Beef Boss]

22 minutes ago, TVwazhere said:

I really wanted a glass one, but there's only one of the market that works with the built in finger print reader and it's because it uses either thinner glass or no glass at the spot where the scanner is. Currently I'm running without one at all, because i find any non-glass protector to feel sticky and add friction to swipes compared to glass.

Yeah they have a cut out where the scanner is, and to me that defeats the purpose of a screen protector. Even having a plastic screen protector seems trivial, because the oe one got scratched on everything.
 

Spoiler

We'll see how this gorilla one holds up. They have you spray the screen down with their water/detergent then apply the protector and squeegee the water out. Sounds like it'd void a warranty on the installation alone, but alright... The edges don't hold on well. Maybe I should've heated them up to adhere better. But it's too late now, they have lint in them.

 

[TechyBen]

And this is why I have a Note 9.

[rcmaehl]

I could understand if the fingerprint was setup AFTER the screen protector was installed due but not before...

[yolosnail]

This is why fingerprint scanners should stay where they belong, on the back!

[williamcll]

Should start investing hearbeat sensors for mobile phones.

[Touch My Hamm]

This isnt a Samsung thing this is any under screen finger print reader. If you have a screen protector it can mess up the under screen finger print reader. Since alot of the protectors have almost a glue like substance this could reflect light and interfere with the scanner. So if they had the protector on before they scanned their finger print it could cause an issue. Since the scanner is scanning the screen protector substance and its not changing according to the phone its always correct so as far as I see the scanner is working? 

 

Example of glue like substance that could easily interfere 

This is what BestBuy uses (as far as I am aware) where there is a fluid that keeps the plastic to the screen. 

[DrMacintosh]

I doubt it’s as big of a deal as it seems. Most, if not all of these minor security concerns go untouched by the public. But I do feel obligated to plug TouchID which is only fooled by forensics. 

[Master Disaster]

47 minutes ago, williamcll said:

Should start investing hearbeat sensors for mobile phones.

Ever watched the Mythbusters? They once managed to break a multi thousand dollar fp lock which had moisture, temperature and heartbeat sensing.

 

They did it by creating an analog print out of ballistic gel then attaching it to a real finger and licking it for moisture.

 

No system is ever fool proof.

[TechyBen]

2 hours ago, GodSeph said:

This isnt a Samsung thing this is any under screen finger print reader. If you have a screen protector it can mess up the under screen finger print reader. Since alot of the protectors have almost a glue like substance this could reflect light and interfere with the scanner. So if they had the protector on before they scanned their finger print it could cause an issue. Since the scanner is scanning the screen protector substance and its not changing according to the phone its always correct so as far as I see the scanner is working? 

 

Example of glue like substance that could easily interfere 

This is what BestBuy uses (as far as I am aware) where there is a fluid that keeps the plastic to the screen. 

Ah, so not only a risk of sticking an old print in place on the screen (grease/dirt imprint) but also registering the protector AS yourprints. XD

[Jito463]

2 hours ago, yolosnail said:

This is why fingerprint scanners should stay where they belong, on the back!

I prefer my S7 Active, with the physical button for the scanner (not my actual phone, just a picture I found).

[Bacon soup]

I made a patch. Samsung can thank me in beer.

 

If(!finger.canRead()){ return REJECT_ACCESS; }

 

 

[Touch My Hamm]

1 hour ago, TechyBen said:

Ah, so not only a risk of sticking an old print in place on the screen (grease/dirt imprint) but also registering the protector AS yourprints. XD

I dont have a way to test and prove this is the case but as someone who has installed over 1000 of these for people that when you had covers for the back they always had a cutout for the finger print reader. Now that there are in screen finger print readers 1 could wonder if that gel with the plastic is having an affect on the scanner and its picking up hardend gel/plastic instead of your fingerprint. This would allow anyone to open the phone as the gel/plastic isnt moving and it technically correct according to the phone.  

[Nowak]

For those of you who want a demonstration of this, a Twitter user recorded this using a Note 10:

 

 

[Curious Pineapple]

There is a chance that it is just a greasy print being trapped under the protector. The sensor is picking that up instead of the actual finger which is now further away.

[Nowak]

3 hours ago, DrMacintosh said:

 But I do feel obligated to plug TouchID which is only fooled by forensics.

Forgetting about something, Doc?