Source: National Cyber Security – Produced By Gregory Evans
Maybe you’ve already seen the many headlines today about a security problem with the Samsung Galaxy S10, which suggest that any fingerprint can unlock a Galaxy S10 phone.
The reports all stem from a story published a few days ago in The Sun, describing the experiences of 34-year-old Lisa Neilson.
As The Sun describes, Lisa bought a £2.70 case for her Samsung S10 to protect its screen.
With the screen on, Lisa set up her right thumb print to access the phone but later used her left, which unlocked it.
She found any print unlocked the phone.
Lisa, from Castleford, West Yorks, said: “Anyone can access it and could get into the financial apps and transfer funds.”
Samsung said people should only use authorised screen protectors.
She got husband Wes, 34, to try and both his thumbs were also able to open the phone through the gel cover.
When the Galaxy S10 was released in March 2019, Samsung bragged about its “next generation vault-like security” with an ultrasonic fingerprint scanner fused directly into its front screen, that could even work when your hand was wet:
“Using ultrasonic pulses, it detects the 3D ridges and valleys of your fingerprint, so only you can access your phone. It’s secure and convenient — even allowing you to unlock, drag and hold to open the app you want.”
(My emphasis)
So, how could this “next generation” fingerprint scanner be doing such a poor job of telling fingerprints apart? The answer, I suspect, lies in Lisa’s screen protector, and in the fact that Samsung chose to use an ultrasonic fingerprint sensor rather than the optical or capacitive sensors used by other devices.
Sound-based fingerprint sensors bounce an ultrasonic pulse off the finger pressed against the phone, and build a sound print from how the pulse is reflected back by the ridges of your finger.
However, if you register your fingerprint on an ultrasonic fingerprint sensor which is behind the wrong type of screen protector, that might – in the worst cases – be little better than trying to read a fingerprint through rubber gloves!
In short, the phone has “registered” a fingerprint which may look like any finger pressing through the screen protector.
Ultrasonic fingerprint scanners can have problems with some screen protectors, as they may register the sound of a “fingerprint” which is bounced back off the screen protector rather than the actual fingerprint’s ridges.
In other words – a fingerprint was not reliably registered in the first place.
My assumption is that Samsung’s own official screen protectors for the Galaxy S10 do not have this problem, but it’s likely there are many other third-party screen protectors which are not designed with Samsung’s ultrasonic fingerprint recognition in mind – and so introduce a security risk.
You can hardly blame the typical Galaxy S10 user for not realising that using the wrong kind of screen protection might put them at risk, and for preferring to buy one from eBay for £2.70 instead.
That is, however, a rather different problem than what’s suggested by a headline saying “any fingerprint can unlock a Galaxy S10 phone.”
BBC News says that the problem has been acknowledged by Samsung, and a software patch has been promised – although it is not clear to me how a software update could fix this problem.
By the way, it’s not as though concerns haven’t been raised with the Samsung Galaxy S10’s fingerprint scanner in the past.
Shortly after the Galaxy S10’s release, for instance, it was demonstrated that it was possible to unlock the phone with a 3D copy of a fingerprint, captured from a photograph of a print left on a wine glass.
Maybe Samsung would be wiser to recognise that the reason why the Galaxy S10 was so unique in using ultrasonic fingerprint sensors was that the technology simply isn’t the ideal solution.
The post #cybersecurity | #infosec | About that “Any fingerprint can unlock your Samsung Galaxy S10” report appeared first on National Cyber Security.