A lone security researcher just gave Samsung’s mobile phone cybersecurity technology the finger. According to a video posted on the Imgur site on Friday, it’s possible to bypass the biometrics on the new Galaxy S10 range in just a few minutes, using a 3D-printed fingerprint.
Almost every phone in the Galaxy S10 range, released in February, features a fingerprint reader under the screen, in contrast with the previous generation of Galaxy S phones, which put it on the back of the device. The only exception is the S10 Essential, which has a capacitive resistor on the side of the phone.
Capacitive technology is what most modern non-display fingerprint sensors use. It measures the electrical resistance between the tiny ridges and valleys of your fingerprint as they contact the sensor, creating a 2D image of it.
Under-display sensors take a different approach, using ultrasonic technology to bounce sound waves off the user’s finger. This creates a 3D ultrasound image of your fingerprint, containing information about the depth of its ridges and valleys.
Cool, right? Not according to Darkshark, an anonymous researcher who appeared to show themselves unlocking a Samsung S10 using a 3D-printed fingerprint.
In the description, Darkshark said that they photographed their finger on the side of a wine glass using their smartphone. Then they used Photoshop to increase the contrast and create an alpha mask (which is a fully-opaque version of an image). Using the 3DS Max 3D modeling software, they created a geometry displacement, which is a version of the alpha image with depth information from the original. Then, they used an Anycubic Photon resin-based 3D printer, which costs around US$500, to reproduce the print.
The whole process took around 13 minutes, and Darkshark said that it could take less time still:
If I steal someone’s phone, their fingerprints are already on it. I can do this entire process in less than 3 minutes and remotely start the 3d print so that it’s done by the time I get to it.
This isn’t something that would work with capacitive sensors, because a 3D print wouldn’t have the electrical resistance to mimic a human print. It’s also worrying because of the number of apps that are using fingerprint biometrics as a form of authentication, warned Darkshark:
Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.
One such financial app? The cryptocurrency wallet that Samsung has released for its smartphones. The software, which supports at least Ethereum-related tokens, “features a secondary layer of authentication that includes PIN and fingerprint” according to Android Authority.
All of which tells us, more than ever, that one form of identification might not be enough. If you want to be extra careful, then defense-in-depth is a useful approach. It is possible to add a screen lock to your S10 that requires a PIN, password or pattern swipe for access.
Or you could just, um, wear gloves any time you touch anything?