Samsung’s new Galaxy S10 handset appears to have a serious security vulnerability when used with certain third-party accessories.
That vulnerability appears to impact devices with an aftermarket screen protector, and it could let anyone unlock the device using the built-in fingerprint reader.
The Samsung ‘Security Breach’
One of the first reports about the vulnerability was published by UK media outlet The Sun. According to the publication, a 34-year-old woman found that anyone could access her Galaxy S10 with their own fingerprint, despite the fact that only her fingerprint was registered on the phone.
The problem appears to stem from the cheap, third-party case from eBay installed on the device. (While the report calls it a “screen protector,” it appears to be a case that covers both the front and back of the phone.)
After the woman put the case on and registered her fingerprint, it allowed anyone to bypass the lock screen — and even access sensitive banking and financial apps.
The vulnerability appears to be related to the ultrasonic technology that Samsung uses for its in-display fingerprint reader. Since the tech is completely incompatible with tempered glass screen protectors, third-party manufacturers have taken to producing gel-based solutions.
But those gel-based screen protectors appear to throw off the fingerprint reader. While this is just speculation, the ultrasonic system may be picking up the gel protector instead of an actual fingerprint — meaning that anyone can unlock the device as long as the gel protector is still on it.
On the flip side, that likely means attackers won’t be able to just slap a cover on the screen and get into your phone. This probably only works if the gel protector was installed during fingerprint registration.
While the vulnerability was spotted on a Galaxy S10, it’s presumably a problem for other Samsung devices with ultrasonic fingerprint readers.
Samsung, for its part, said that it is investigating the matter (which it called a “security breach”). In the meantime, the phone maker recommends that Samsung Galaxy owner only use Samsung-authorized products.
[UPDATE 10/17/19: In a statement to the BBC on Thursday, Samsung acknowledged the security vulnerability in its new devices. The company said it’ll soon issue a software update to mitigate it.]
If You Have an iPhone, Don’t Worry
This issue could provide a good example of why Apple decided to forego under-display fingerprint readers in favor of Face ID on its newer devices.
Face ID is much more secure than both fingerprint authentication and other facial recognition systems. Mostly, that’s because it uses an advanced suite of sensors to create accurate 3D “maps” of a user’s face. (It doesn’t just rely on a 2D image.)
It does have a couple of vulnerabilities, but they’re hard to pull off and require a lot of additional resources.
Back in 2017, a Vietnamese security firm illustrated that bypassing Face ID was possible, but only with a sophisticated, Hollywood-style 3D mask.
ThreatPost researchers also showed off a bypass using glasses and tape at Black Hat earlier this year, but that exploit still required using a victim’s actual face.
All of this is to say that iPhone users can probably rest a bit easier than owners of smartphones with less secure authentication methods.