Samsung issues patch for Galaxy S10 fingerprint sensor problem
Following confirmed accounts that the Galaxy S10's fingerprint sensor can be defeated with a cheap screen protector, Samsung says it has issued a software patch to resolve it.
Samsung Galaxy S10
Samsung says that it has issued a software update to resolve problems with the fingerprint scanner on both the Galaxy S10 and Note 10. It's recommending that users update their phones to the latest software version.
Previously, users had discovered that the security fingerprint scanner could be entirely bypassed if a cheap screen protector was fitted to a phone.
According to Reuters, Samsung says that the issue was to do with patterns from the protectors being recognized alongside the legitimate fingerprints. While Samsung has not explained how this could result in phones being unlocked, AppleInsider consulted with the Department of Defense.
The exact mechanism of failure is not yet known. However, it didn't even require a finger to fool the fingerprint sensor -- any similarly shaped object functioned as an ersatz digit, and would trigger the unlock through the screen protector.
It took Samsung seven days to issue the patch from the first wide and public reports of the problem. Based on the account originally published, it appears the company knew about the flaw for about a week before press got wind of the matter.
It isn't clear how pre-release testing missed the flaw. While Samsung hasn't commented on that in particular, it has issued an apology through its phone app.
"Samsung Electronics takes the security of products very seriously and will make sure to strengthen security through continuing improvement and updates to enhance biometric authentication functions," the company said on the app.
Since the failure, multiple banks and other apps relying on the authentication have removed support for the feature.
Comments
Having said that, this defect is more ridiculous than any Apple bug/oversight that I can think of.
My assumption is that this can't be as bad as the article implies. Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right? It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it. Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector. That seems plausible, right?
They ship an "approved" screen protector with the phone. What phone maker has ever done that? They knew about this issue beforehand and were *really* hoping nobody else would figure it out.
I still don't understand why anyone uses a screen protector in the first place. It degrades the experience.
If one were to weigh a smartphone fingerprint issue vs a root password, I'd say Samsung's bug is less severe.
You don't get it here.
Say Granny Alice got a "shiny new iPhone" (she thinks it's an iPhone) and puts a screen protector on it (maybe even an iPhone screen protector!). Now any scumbag can unlock her phone. She doesn't read Apple Insider because she's too busy watching the cooking channel.
https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/
According to them, a patch was out the next day.
Also, access to the Macs was required. Note we’re talking about Macs here, not smartphones. Huge difference in number of people potentially impacted.
Nice try on equating the two. No cigar.
There are so many more reasons why normal people wouldn’t read Apple Insider... I’m not even insulting AI.
Uhm, I wasn't trying to equate the two, merely giving my opinion that I think the fingerprint issue (requiring physical access) is less severe than the root password bug (requiring physical access). And yes, they released a fix the next day, which caused more problems:
If you experience issues with authenticating or connecting to file shares on your Mac after you install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file sharing:
Thanks for reading!
- A non-smoker
But you said they screwed up again by “not fixing it with their patch”. They did fix it with their patch. The above was about a possible file sharing problem, which is not not-fixing the root password bug.
https://arstechnica.com/gadgets/2017/12/updating-macos-can-bring-back-the-nasty-root-security-bug/
(in all, there were other problems in that very week, with multiple sites posting negative stories on Apple)