Ethical Hackers Crack Samsung Galaxy S5 Fingerprint Sensor

Researchers have shown how simple it is to bypass Samsung Galaxy S5 fingerprint authentication, less than a week after the device’s official release.

The researchers from Security Research Labs (SRLabs) re-used a fingerprint mould from their exploitation of the Apple iPhone 5S from last year, requiring “no additional effort whatsoever”. The fake print was based on a camera phone photo “of an unprocessed latent print on a smartphone screen”.

Samsung Galaxy S5 hacked

It appeared Samsung has allowed for unlimited attempts to access the device, meaning hackers could try numerous times to bypass the fingerprint authentication, without ever being locked out, the researchers said.

They showed how an attacker could hack a Samsung Galaxy S5 to gain access to a PayPal app to make purchases and unsolicited transfers.

When the Samsung Galaxy S5 was announced earlier this year, it was revealed a deal with PayPal would make it simpler to authenticate payments using fingerprints. But SRLabs has voiced concern over the decision to widen the application of biometrics, due to the apparent ease of exploitation.

“Samsung’s implementation of fingerprint authentication leaves much to be desired,”

“The fingerprint scanner in Samsung’s Galaxy S5 raises additional security concerns to those already voiced about conquerable implementations.”

Samsung had not responded to a request for comment at the time of publication.

A PayPal spokesperson said: “While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords and PINs. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone.

“We can simply deactivate the key from a lost or stolen device, and you can create a new one. PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our purchase protection policy.”

See the video below for the SRLabs demonstration:

Love security? Try our quiz!

Samsung Galaxy S5 MWC 2014

Image 1 of 20

Samsung Galaxy S5
Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago