Bad biometrics: Samsung’s new S10 phone

When biometrics work properly, they can provide you with
an easy to use security solution with a reasonable level of assurance for most
types of information.  But, when they are not implemented properly, they
can leave important data unprotected and give us a false sense of security.

new Galaxy S10 phone is a case in point
– it offers a biometric face
recognition lock feature.  However, because Samsung chose to use a plain
old 2D camera for the biometric feature, it turns out that the phone can be
unlocked with pictures or videos of the authorized user.  In some cases,
siblings of the authorized user can unlock the phone with their mugs as well.

In order to do facial recognition properly, you need to use
a camera with special hardware, such as the ones in the iPhone.  Samsung
used to have this hardware on its phones (the Note 7, 9 and S9 are all equipped
with the proper hardware), but for some unknown reason, decided to cheap out on
the S10.  The S8 is also prone to this problem, but offers a more secure
Iris scanner based biometric function.

So what to do?

  • If you (or your loved ones) are using a Galaxy S8, make sure that you (or they) are using Iris Scanning and not facial recognition for unlocking.
  • If you (or your loved ones) are using a Galaxy S10, do not rely on the facial recognition feature to secure your phone.  Use fingerprint based security instead.
  • When choosing a new phone, if using biometric security is important to you, make sure that it is using a specialized 3D camera to do facial recognition.

Given the roles that our mobile phones play in our work, financial, and social lives, having someone gain unauthorized access to them can result in serious consequences. It seems to me that vendors have a responsibility to ensure that their implementations of biometrics can withstand these kinds of really simple attacks – better to not offer a broken biometric than offer a useless one!

*** This is a Security Bloggers Network syndicated blog from Al Berg's Paranoid Prose authored by Al Berg. Read the original post at: