A security flaw in Samsung’s Galaxy S10 ultrasonic biometric fingerprint scanner can be bypassed by just having the duped 3D Printed Fingerprint of the mobile owner.
The ultrasonic fingerprint scanner comes with S10 and S10+ models, it offers additional security and it captures a 3D image when the traditional security scanners capture only a 2D one.
Samsung claims this won’t let anyone compromise that smartphone ever they have a 3D map of your fingerprint. But now the researcher’s proven that fingerprint scanner can be fooled by using a 3D-printed fingerprint.
How Fingerprint Scanner Hacked
An Imgur user, go by name
He took a photograph of his fingerprint from the side of a wine glass with his smartphone. He then uses Photoshop to remove the areas and leave only the Fingerprint.
Then to create a 3D model of the fingerprint, he imported the image to 3DS Max software to create a 3D model and printed it on a piece of resin with the AnyCubic Photon LCD printer.
This resulted in a square piece of resin containing a 3D model of the fingerprint that successfully opened the Samsung’s Galaxy S10.
In order to execute the attack all you need is to have the physical access to phone and the fingerprint of the owner. The attack scenario poses a lot of security concerns, if someone steals the phone then they can unlock the device as the Fingerprints are already present.
“As most of the banking apps only require fingerprint authentication, all the information can be stolen and the money can be spent in less than 15 minutes if the phone is secured by fingerprint alone.” says darkshark.
Threat to viability of Samsung’s
In a post about the Scanner, Samsung says
that “With the new ultrasonic fingerprint ID technology, there are no
tradeoffs! but it also mentions that you
don’t have to sacrifice user experience for security”.
To contrast, Samsung also claims in the same post that it uses “a machine learning algorithm to help detect the differences between real fingerprints and forged 3D replicas.”
But the method described by darkshark casts
doubts on the viability of Samsung’s ultrasonic fingerprint scanner as a method
of protecting the data.
Hopefully this will be addressed in future versions of these scanners or through software updates; for now, if your phone contains sensitive data, you should probably use a password instead.