Samsung Fingerprint Bug: Worse Than We Thought

Samsung phones with in-screen fingerprint readers will unlock using anybody’s finger. All you need do is add a screen protector.

At first it seemed the problem was in registering fingerprints with the protector in place. But it turns out it’s worse than that.

Much, much worse. In today’s SB Blogwatch, we go back to PINs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: VFDs.

Biometric FAIL

What’s the craic? Robin Perrie broke the story—“SECURITY SLIP-UP”:

 Lisa Neilson discovered anyone could access her Samsung phone when she fitted a [$3] screen protector. … With the screen on, Lisa set up her right thumb print to access the phone but later used her left, which unlocked it.

Any print unlocked the phone. … She got husband Wes … to try and both his thumbs were also able to open the phone.

A Samsung spokeswoman said: “We’re investigating this internally. We recommend all customers to use Samsung authorised accessories, specifically designed for Samsung products.”

Yikes. Jon Porter carries on—“Samsung says fingerprint security fix is coming”:

 The issue relates to some “silicone screen protecting cases,” according to Samsung, and affects the Galaxy S10, S10 Plus, … S10 5G … Note 10 and Note 10 Plus. [Samsung] says users should remove the cover, delete any previously-registered fingerprints, and then re-register them without the cover applied.

It couldn’t hurt to try and unlock your device with a non-registered fingerprint, just to check.

Déjà vu? Neil McAllister remembers:

 Issues with screen protectors have dogged the S10 from the beginning. Shortly before it shipped, Samsung announced that it would come with a built-in screen protector, because most current protector designs would interfere with the fingerprint scanner.

This built-in protector is basically a cheap piece of plastic, though. … It, too, seemed to interfere with the fingerprint reader for some people. For others, it would bubble up in places.

It was far more prone to scratches than any phone screen I’ve had in recent memory—so it might achieve the goal of preventing your phone from being scratched permanently, but in practice you’ll end up with a screen that has scratches all over it.

Ultimately, most people end up just peeling the damn thing off [or using] third-party replacement screen protectors.

Hence the issue? A Samsung PR drone issued this statement:

 This issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users’ fingerprints. … A software update is planned to be released as early as next week, and once updated, please be sure to scan your fingerprint in its entirety, so that all portions of your fingerprint, including the center and corners, have been fully scanned.

Huh? lhopki01 explains:

 My guess is that the screen protector is blocking the ultrasonics so when you ‘register’ a finger you’re actually registering the screen protector. This means that any finger will work as each time it sees the same screen protector.

I think they’ve never bothered to really consider what a fingerprint actually looks like. This is fairly evidenced by how every single phone fingerprint reader seems to readily accept many other body parts and I suspect also things that have similar conductivities to human skin.

But it seems worse than that. StaLight—@Sta_Light_—is lost in translation:

 I registered my fingerprint, then put on the case. It still unlocks with the wrong finger.

Wait, what? penagwin sounds horrified:

That is bad. How is that even possible?

It makes sense if you trained it with your finger with the faulty protector, but adding a faulty protector makes it work? Surely the sensor must be able to tell the difference (even if it’s currently doing it incorrectly).

And JustAnotherOldGuy reacts in his normal way:

 What. The. ****?

In other news, Schlage and Kwikset both acknowledged their new line of high-security locks can be opened with “any key.”

Meanwhile, BrainJunkie imagines Samsung is just aping Apple again:

 You’re protecting it wrong.

And Finally:

In praise of the vacuum fluorescent display

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stux (Pixabay)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
