Samsung and biometrics extend PayPal’s point-of-sale reach

PayPal launches Galaxy S5 fingerprint-based payments in 25 countries (Android Authority)

“Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique encrypted key that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.”

More Brazilian rubber-fingered ghosts

This time it’s the port of Paranaguá (Portuguese – Folha de S. Paulo)

A Federal Police (PF) operation Monday at the port of Paranaguá found “silicone fingers” that were used by employees to forge their attendance and receive credit for days not worked.

The 25 “fingers” were tailor-made, reproducing the fingers of 14 employees. They were stored in desks at the port, labeled with the name of each worker. Even a tray (ed. mold?) was found.

Each of the workers has worked there for at least eight years, according to PF.

Federal Police are investigating whether there are other people involved in the fraud.*

According to their site, the port at Paranaguá is the largest bulk port in Latin America.

Paranaguá port (©Digital Globe & Microsoft Corporation)

See Brazilian ghost doctors have rubber fingers for a more in-depth analysis of why forcing time-and-attendance fraud into the realm of rubber fingers is actually a good thing.

Long story short, every person who participated in creating a facsimile of their fingerprint has also had to create a lot of evidence that they participated in a conspiracy to defraud their employer.

The fraud kit in this most recent case can be seen at the Folha link.

*Translation from Google & Bing translation services with an assist by me. For now, robots still have a hard time with Brazilian Portuguese. I sympathize.

It’s official: GALAXY S5 has a fingerprint reader

Spain, February 24, 2014 – Samsung Electronics today announced the fifth generation of the Galaxy S series, the Galaxy S5, designed for what matters most to consumers. The new Galaxy S5 offers consumers a refined experience with innovation of essential features for day-to-day use.

Essential device protection
The Galaxy S5 is IP67 dust and water resistant. It also offers a Finger Scanner, providing a secure, biometric screen locking feature and a seamless and safe mobile payment experience to consumers. The Ultra Power Saving Mode turns the display to black and white, and shuts down all unnecessary features to minimize the battery consumption.

The device will be available globally through Samsung’s retail channels, e-commerce and carriers in April.

More information is available at the Samsung site here.

See also this video.

The fingerprint scanner comes in for a couple of mentions in the first half.

See also:

All is proceeding as we have foreseen

Windows Phone 8.1 with fingerprint support, UI customizations — A new WP 8.1 SDK leak points to fingerprint scanner support in the next OS update, which should put Windows Phone level with iOS and Android. (GSM Arena)

Samsung’s next flagship phone will feature a swipe fingerprint scanner embedded in the home button (uSwitch)

April 22, 2014: LG G3 specs leak points to integrated fingerprint scanner (Trusted Reviews)

The prediction to which this post’s title refers can be found here.

For the technically inclined

Apple Reveals More Details of Touch ID for iPhone, iPad & beyond (Patently Apple)

Generally, capacitive fingerprint sensors may be used to determine an image of a fingerprint through measuring capacitance through each capacitive sensing element of a capacitive sensor. Thus, fingerprint ridges provide a higher capacitance in an underlying capacitive sensing element than do fingerprint valleys.

Capacitive fingerprint sensors come in at least two varieties, namely active and passive. Active capacitive sensors are often used in electronic devices to provide biometric security and identification of users.

A long discussion, based on Apple patent filings, of what Apple’s future fingerprint technology may look like follows.

Fingerprint M&A is so hot right now

Apple’s integration of a fingerprint sensor in its iPhone has put other handset makers under pressure to follow suit.

But news that Samsung had bought Swedish company Fingerprint Cards — promptly denied by both companies — seems to have been a hoax, possibly perpetrated as part of a securities fraud scheme. See: The curious case of Samsung’s ‘purchase’ of biometrics company Fingerprint Cards, at NDTV Gadgets.

Meanwhile, capacitive touch specialist Synaptics has agreed to buy biometric authentication firm Validity for $255 million (IT PRO)

Let’s change the language of biometrics (Human Recognition Systems blog)
“The consumer market will not suit the current market leaders in the biometrics industry of today as they are geared towards direct sales to a limited number of large customers. The consumer market will demand innovation in small packages, readily integrated with existing technology and in a totally hassle-free format. It will require collaboration, an understanding of current technology convergence trends and most of all, a foolhardy bravery to go where no other company has gone before.”

We couldn’t agree more.

FIDO looking to bring Touch ID to Android in 6 months (IntoMobile) — All is proceeding as we have foreseen.

NIGERIA: Lagos Begins Biometric Verification Of Pensioners (PM News)

Biometric plan to track entry, exit of foreign visitors won’t be ready until 2015 (Newspaper Tree – El Paso, Texas)

M2SYS BLOG: Why Apple’s use of Fingerprint Biometrics is Boon to Industry, not the Modality

More iTouch hack push-back

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. (Lookout)

Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.

Read the whole thing. It’s good.

Our posts on the CCC hack are here.

UPDATE:
Touch ID was hacked, but no one cares (ITWeb)

More context for fake fingers

Here’s what you need to know about the Apple TouchID “hack” (GigaOM)

So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.

But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.

Chaos Computer Club’s re-run of the old rubber finger trick

Apple’s stated purpose for installing a fingerprint reader on its new iPhone is to give people who aren’t currently protecting their mobile hardware at all a more convenient way than passwords to do so.

Great, right? The number of mobile devices left unprotected will go down, sparing some non-trivial number of individuals the heartache of having their devices accessed in a way they didn’t authorize. Hooray Apple!

Not so fast!
The Chaos Computer Club thinks that’s a really “stupid” way to look at things. They think that because it was so “easy” for them to create a rubber finger (likely with the full participation of the user) in a matter of (at least) hours, that only a moron would use the technology.

Chaos Computer Club breaks Apple TouchID.

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown. [ed. bold emphasis added]

While both of the parts above in bold type are false, they are false in different ways. The first part, “using easy everyday means” is only a fib. The process described is “easy and everyday” kind of like manufacturing dentures is easy and everyday. Sure, it happens every day, but it isn’t like making brownies.

The second bolded part is indistinguishable from the ranting of a conspiracy theorist.

There’s something vaguely embarrassing about people who claim to know a lot about technology, but who display no understanding of its use or appreciation for its context. When they also presume to tell everyone else what to do, it begs a response.

The CCC shows either a total ignorance of the purposes of security technologies or a belief that the world is a one-size-fits-all security market. Either way, they come off as contemptuous of ordinary people who might want a more convenient way to increase their own security and the people working to give it to them.

It’s one thing to point out how new technologies are fallible. All technologies are and it is important that consumers understand how that is the case. It’s another thing to try to scare people away from adopting security techniques that will leave them safer than they are now and are convenient to use.

Apple’s implicit point is that when it comes to protecting access to the device, fingerprint access is better compared to doing nothing, which is the option many people currently choose. It’s not a question of perfect security, it’s a question of security that is convenient enough that it actually gets adopted.

Other posts where the question “…compared to what?” arises:
The old Gummi Bear trick
Visa to drop signatures on credit card purchases by 2013
Unisys Poll: 63% of credit card users would prefer fingerprint
German gov downplays biometric ID card hack

UPDATE:
Marco Tabini at Macworld seems to agree. Apple’s Touch ID may not be bulletproof, but it’s still useful.

There’s no going back

Insight: Trigger Finger – Apple fires biometrics into the mainstream (Reuters)

By adding a fingerprint scanner to its newest mobile phone, Apple Inc is offering a tantalizing glimpse of a future where your favorite gadget might become a biometric pass to the workplace, mobile commerce or real-world shopping and events.

Read the whole thing. I think this piece gets things about right.

It’s easy to overestimate and underestimate the importance of what Apple has just done. The fingerprint functionality itself is pretty shallow. The fingerprint sensor allows users to unlock the phone and buy stuff from Apple. That is all. But that also reflects that, of course, Apple wants to get things right “in captivity” before releasing the fingerprint sensor “into the wild.” And further, I think that means that fingerprint sensors on mobile devices are here to stay. Samsung, Microsoft/Nokia, etc. will follow suit.

Japan, U.S. law enforcement to share fingerprint databases online (Japan Today)

Japan and the United States have agreed to provide mutual access to online fingerprint databases to aid criminal investigations.

According to the arrangement, each nation will have instant access to fingerprint data for the purpose of investigating individuals suspected of involvement in terrorism or other serious crimes such as murder, Japanese officials said.

It’s Official: New iPhone really does have a fingerprint reader

Well, the rumors were true. Apple has included a fingerprint sensor in its newest iPhones. It’s hard to escape the conclusion that this is a big deal for mobile biometrics even though the biometric capability in the iPhone is limited to unlocking the device. Still, that’s not nothing and I expect that eventually, app developers will be given access to the reader.
Even if they aren’t, Apple’s addition of a fingerprint sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there; Samsung certainly won’t be left behind as mobile ID surges forward; Microsoft/Nokia + Windows 8 will almost certainly join the fray; moreover, we’d expect all of those companies to have a more laissez faire attitude than Apple toward turning future fingerprint hardware over to third party developers.*

*The preceding paragraph was revised on 24 Sept. 2013; it originally read, “Even if they don’t, Apple’s addition of a fingerprint sensor probably foreshadows their inclusion by all sorts of handset manufacturers. Motorola already has a history there and Samsung certainly won’t be left behind as mobile ID surges forward.”