back to article Got a Samsung Galaxy S5? Crooks can steal your fingerprint – claim

Malware can snaffle fingerprints used to unlock Samsung Galaxy S5 smartphones thanks to a security blunder, researchers claim. The vulnerabilities, due to be discussed at the RSA security conference in San Francisco this week, may be present in non-Samsung Android mobiles, too. Today's smartphones recognize their owners' …

  1. Luiz Abdala Bronze badge
    Joke

    You can change your fingerprint 10 times...

    ...plus another 10 if you remember to wear flip-flops and take them off when reading it!

    1. DNTP

      Technically

      you can only CHANGE a fingerprint 9 times since you expended one digit initially. Then ten toe prints and if you're a guy, you get a free extra change if you're willing to shove your phone down the front of your pants to unlock it.

  2. edge_e
    Facepalm

    Didn't see this coming

    see title

  3. InfiniteApathy
    FAIL

    Fingerprints

    Are your identity NOT passwords.

    Ranted about this in various and sundry places before. I sincerely hope this practice of including finger print readers on phones is a quickly passing fad.

    1. Deltics

      Re: Fingerprints

      And worth bearing in mind that they aren't even your identity, at least not to the level of detail involved in these devices.

    2. heyrick Silver badge

      Re: Fingerprints

      I use the fingerprint sensor in my S5 Mini. It is quick to unlock, one of my "fingers" is a sideways thumb swipe so I can do it one-handed, plus the weakness with PINs/passwords/patterns is the fact that you may be seen and if you are seen enough or unlock carelessly in front of others, your secret may not be so secret. I can unlock my phone with others watching, my thumb is unique to me and this crowd isn't going to know how to fake a fingerprint...

      ...having said that, the standard rules apply here as a case of "business as usual". Malware and bad software carelessly installed can do bad things. Well. Duh. That predates mobile phone. Hell, it predates mobile computing.

      If somehow I do get malicious software that tries to auth purchases - well, good luck with that. Apple doesn't know my bank details. Google doesn't either. And I won't go within a hundred miles of eBay/PayPal with a real bank account, it's virtual credit cards all the way. My phone authorising payments? Not a desired feature. It's a little computer, not a credit card. Start to cross over realms like that, you KNOW who the small print in the contract stipulates will be burned. Hint - it's us. So...no thanks. "Fingerprint" for unlocking only. Nothing more.

  4. Khaptain Silver badge

    Are you sure that they read your fingerprints !!

    I have always understand that these devices can merely detect identifiable patterns within your fingerprints and then stock/store/cache these patterns. They do not actually read your fingerprint, ie they would be incapble of reproducing your fingerprint..

    I do agree though that they stock a pattern which can then be associated with a password. This pattern could then be used to identify purchases if the pattern could be injected into the identification process. Which is probably possible via a means of hooking an chaining similar to what could be done with interrupts as long as you have kernel level access.

    If this is not the case please give me a link to a worthy site which proves the contrary i.e. that these devices could actually reconstruct a fingerprint. At which point my tail will move quickly between my legs and I will scamper away into the darknass...

    1. Khaptain Silver badge

      Re: Are you sure that they read your fingerprints !!

      And when I am in the darkness, I will slow down and do some spell checking.

  5. Bloodbeastterror

    Bear...?

    When the pope is on one of his hunts in the woods, does he ever feel the need to defecate?

  6. Anonymous Coward
    Anonymous Coward

    So who's bright idea was this?

    "apparently, software running with system-level privileges and the TrustZone code both have access to the fingerprint sensor in the Samsung Galaxy S5."

    *facepalm*

    For all their cash, Samsung apparently still employ n00b programmers.

    1. heyrick Silver badge

      Re: So who's bright idea was this?

      I suppose the problem is that when you're running SVC mode (or some other priv mode), the world is your oyster, so to speak. If the fingerprint sensor is a hardware device that is connected to the processor, it is accessible. This is a hardware issue, not a software one.

      I suppose a better solution (that might load some cost on to the SoC/design) would be to have a completely isolated bus on to which security-related hardware can be attached, which connects directly to the TrustZone part of the chip and has no interrelation whatsoever with anything the ARM can access or control, other than via TrustZone.

    2. This post has been deleted by its author

    3. Antonymous Coward
      Holmes

      Re: So who's bright idea was this?

      Compliments of Google apparently. It's a flaw in Android <= 5.0 - which explains why the S6 (Android 5.0.2) isn't afflicted. Samsung just had the misfortune to be using the fingerprint facility of a borked Android release in the S5.

      http://www.bbc.com/news/technology-32429477

      1. censored

        Re: So who's bright idea was this?

        Android (at least Google's flavour) doesn't support fingerprint ID. This is something bolted on by Samsung.

  7. druck Silver badge
    Happy

    Hacking in is better than hacking off

    Quite frankly I'd rather there was a known vulnerability in the implementation, rather than miscreants thinking the only way to get in to your phone, was to lop a digit off.

    1. gnasher729 Silver badge

      Re: Hacking in is better than hacking off

      The problem that "lopping a digit off" gives the attacker is that their crime is now an armed robbery + armed assault, which means the police will be really after you, and if you are caught you serve serious time. That kind of crime is really rare because the risk / reward ratio is just too bad.

      1. druck Silver badge

        Re: Hacking in is better than hacking off

        I don't think you appreciate how cheap life is in most of the world.

  8. KjetilS

    Note 4?

    I wonder if this applies to the Note 4 as well, since they are pretty similar spec-wise.

  9. bigtimehustler

    They would have to do this multiple times, the finger print sensor only read a little part of your thumb or finger at once. Which is why you have to spend a while configuring it with different bits of your finger to build up a 100% match to start with. So to ensure a full print that could be used elsewhere and not just your phone, they would have to trick you into using this fake app to scan your finger many times and still hope you dont use that same part of your finger/thumb every time.

    1. gnasher729 Silver badge

      No, that's not right.

      In a good implementation, the sensor would be directly connected to the TrustZone, and the only thing that any software on the phone can detect is that a finger was detected or not detected.

      It seems that software can detect what the fingerprint sensor is reading, send it to the TrustZone, and check that it is detected or not. If the software stores that reading of the fingerprint sensor, it can send it to the TrustZone whenever it wants in the future, and the TrustZone will accept it.

      So an attacker cannot get your complete fingerprint, but they can get something that will be accepted as your fingerprint and use it. Which is enough for bad uses, for example if your banking software _on that phone_ is protected by your fingerprint.

  10. Cuddles Silver badge

    It's not about security

    I don't think I know a single person who actually makes an effort to keep their phone secure. The vast majority have a simple swipe to unlock; often a pattern but frequently just the basic "swipe left to unlock" thing. Even those that opt for something more secure rarely have anything more than a 4 digit PIN. And of course, any of these can be easily compromised in similar ways to fingerprint sensors, as well as much simpler ways such as looking at the pattern of grease marks on the screen. Most people aren't looking to lock down their phone from dedicated criminals with plenty of time on their hands, they're just trying to avoid accidentally calling anyone while it's in their pocket and stopping people posting random shit to Facebook when they leave their phone on the table.

    Sure, fingerprint sensors are not perfectly secure, but at the very worst they're no less secure than any of the other methods the vast majority of people use to lock their phones. If you're looking to protect valuable company secrets then blindly assuming you're safe because of fingerprints would be a bad idea, but the constant cries that fingerprint sensors are a terrible idea and should all be binned just because they're not the perfect security solution are just silly. They're more than good enough for the use of the vast majority of users. In fact, the biggest problem is that they're actually too secure - if I'm driving and want someone else to mess with the satnav or music I can tell them what swipe pattern to use, but I can't give them my fingerprint.

  11. ItsNotMe
    FAIL

    Not really an issue on my S5

    Being that the fingerprint reader on my S5 rarely works anymore, even if some crim were able to scam my fingerprint, they most likely wouldn't have any better luck unlocking the phone than I have had.

    In fact, it is so bad now that I don't even use it any more. Now use a long PIN.

    After having it fail to read the registered fingerprint, one has to wait 30 seconds before trying it again. Only to have it fail again and resorting to the backup PIN or password you have to include when registering a fingerprint.

  12. Jin

    Another loophole - fallback passwords.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security. You may be interested to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

    http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020