Samsung Fingerprint Bug: Worse Than We Thought

Samsung phones with in-screen fingerprint readers will unlock using anybody’s finger. All you need do is add a screen protector.

At first it seemed the problem was in registering fingerprints with the protector in place. But it turns out it’s worse than that.

Much, much worse. In today’s SB Blogwatch, we go back to PINs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: VFDs.


Biometric FAIL

What’s the craic? Robin Perrie broke the story—“SECURITY SLIP-UP”:

 Lisa Neilson discovered anyone could access her Samsung phone when she fitted a [$3] screen protector. … With the screen on, Lisa set up her right thumb print to access the phone but later used her left, which unlocked it.

Any print unlocked the phone. … She got husband Wes … to try and both his thumbs were also able to open the phone.

A Samsung spokeswoman said: “We’re investigating this internally. We recommend all customers to use Samsung authorised accessories, specifically designed for Samsung products.”

Yikes. Jon Porter carries on—“Samsung says fingerprint security fix is coming”:

 The issue relates to some “silicone screen protecting cases,” according to Samsung, and affects the Galaxy S10, S10 Plus, … S10 5G … Note 10 and Note 10 Plus. [Samsung] says users should remove the cover, delete any previously-registered fingerprints, and then re-register them without the cover applied.

It couldn’t hurt to try and unlock your device with a non-registered fingerprint, just to check.

Déjà vu? Neil McAllister remembers:

 Issues with screen protectors have dogged the S10 from the beginning. Shortly before it shipped, Samsung announced that it would come with a built-in screen protector, because most current protector designs would interfere with the fingerprint scanner.

This built-in protector is basically a cheap piece of plastic, though. … It, too, seemed to interfere with the fingerprint reader for some people. For others, it would bubble up in places.

It was far more prone to scratches than any phone screen I’ve had in recent memory—so it might achieve the goal of preventing your phone from being scratched permanently, but in practice you’ll end up with a screen that has scratches all over it.

Ultimately, most people end up just peeling the damn thing off [or using] third-party replacement screen protectors.

Hence the issue? A Samsung PR drone issued this statement:

 This issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users’ fingerprints. … A software update is planned to be released as early as next week, and once updated, please be sure to scan your fingerprint in its entirety, so that all portions of your fingerprint, including the center and corners, have been fully scanned.

Huh? lhopki01 explains:

 My guess is that the screen protector is blocking the ultrasonics so when you ‘register’ a finger you’re actually registering the screen protector. This means that any finger will work as each time it sees the same screen protector.

I think they’ve never bothered to really consider what a fingerprint actually looks like. This is fairly evidenced by how every single phone fingerprint reader seems to readily accept many other body parts and I suspect also things that have similar conductivities to human skin.

But it seems worse than that. StaLight—@Sta_Light_—is lost in translation:

 I registered my fingerprint, then put on the case. It still unlocks with the wrong finger.

Wait, what? penagwin sounds horrified:

That is bad. How is that even possible?

It makes sense if you trained it with your finger with the faulty protector, but adding a faulty protector makes it work? Surely the sensor must be able to tell the difference (even if it’s currently doing it incorrectly).

And JustAnotherOldGuy reacts in his normal way:

 What. The. ****?

In other news, Schlage and Kwikset both acknowledged their new line of high-security locks can be opened with “any key.”

Meanwhile, BrainJunkie imagines Samsung is just aping Apple again:

 You’re protecting it wrong.

And Finally:

In praise of the vacuum fluorescent display



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stux (Pixabay)

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
