Samsung admits a screen protector defeats Galaxy S10 fingerprint sensor


Comments

  • Reply 41 of 65
    StrangeDays Posts: 12,879 member
    BxBorn said:
    Soli said:
    BxBorn said:
    Wow, if iPhones did this, it would be the end of the world. But Samsung can even have a phone that blows up and it's just business as usual...
    Really? Because iOS 13 was found to have a lockscreen bypass issue that went pretty well under the radar, as well as the Apple issue whereby, when updating the credit card used for iTunes payments, users had someone else's billing details exposed to them. But sure, the world would end on an Apple security issue…
    I missed that. Can you link to an article that shows that iOS 13 will let you bypass the security to give you full access to someone's iPhone?
    The bypass was to the contacts only, but are you selectively ignoring the bit about the exposure of billing details? Here's a link to that: https://www.theinquirer.net/inquirer/news/3081869/ios-13-credit-card-bug
    iOS Researcher Steve Troughton-Smith believes it’s an existing Akamai CDN caching bug:

    https://twitter.com/stroughtonsmith/status/1176221042211217409?ref_url=https%3a%2f%2f9to5mac.com%2f2019%2f09%2f23%2fios-13-potential-payment-method-security-flaw%2f

    https://9to5mac.com/2019/09/23/ios-13-potential-payment-method-security-flaw/
    watto_cobra
  • Reply 42 of 65
    mknelson Posts: 1,125 member
    A version of the original article I just read on the BBC website says this:

    https://www.bbc.com/news/technology-50080586
    "After buying a £2.70 gel screen protector on eBay, Lisa Neilson registered her right thumbprint and then found her left thumbprint, which was not registered, could also unlock the phone."

    To me that implies she had yet to register a fingerprint until after the screen protector was applied.

    Perhaps it registered a blank fingerprint? That's also a security concern but changes the story quite a bit.

    Apple always recommended registering your prints before applying a screen protector or case but after removing the film that was on the phone at delivery.
    watto_cobra
  • Reply 43 of 65
    gatorguy Posts: 24,213 member
    At launch there's going to be a Pixel 4 Face Unlock omission that will attract a lot of hand wringing too.

    For at least a short period it will not have the additional biometrics setting that iPhones do requiring eyes open. (Eyes closed is an option)
    While I don't think it's a serious flaw, and Google does have a page showing the additional "eyes open" option thus indicating it is on the way, it really should be there and active at launch IMO.

    At least the lock-down feature will be active so anyone truly concerned about being knocked unconscious or being locked up by the police and their phone being raped can in a matter of seconds disable biometrics and require a pass-code to unlock. Very similar to Apple's power button emergency screen lock and apparently just as quick to activate.

    But yup, for now the iPhone's FaceID will have the option of an additional security requirement that Pixels will not.

    EDIT: I'm now seeing mentions of an "eye blink" requirement on shipping devices before proceeding with payment authorization and opening certain apps dealing in sensitive information? Will be curious to see what that's about. 
    edited October 2019 muthuk_vanalingam
  • Reply 44 of 65
    Ah, Gator... still keeping friends close, and enemies closer... :D
    cornchipwatto_cobra
  • Reply 45 of 65
    jungmark Posts: 6,926 member
    A feature for family sharing! 

    If Apple released an iPhone with this flaw, Warren would hold a press conference and demand a total recall.  It'll be front page news on the NYT, Bloomberg, WSJ. 
    edited October 2019 watto_cobra
  • Reply 46 of 65
    dewme Posts: 5,368 member
    netmage said:
    That explanation is interesting but doesn’t explain how the same screen protector unlocked her friend’s phone. 
    Sure it does. Her friend's finger oil is on the fingerprint sensing area on her phone. After applying the screen protector, it too is entombed.

    How does oil simulate ridges? The whole point of an ultrasonic sensor is that it isn’t supposed to be fooled by images since it can measure the depth of your ridges.
    That is the point of any fingerprint sensor, yes. But yet, here we are.
    The issue is that by using the screen protector the phone accepted a "flat" version of the user's fingerprint. The phone obviously doesn't verify that the registered fingerprint is in fact a valid fingerprint. It would be no different than inadvertently causing a facial recognition system that does a topographic map of the face to accept a picture of a face as a valid face. You'd imagine that a facial recognition that used a data model of a topographic image of a face would reject a picture of a face that is totally flat. It had better reject it. But Samsung obviously took an overly naive approach by accepting a flat fingerprint and once the flat fingerprint was impressed on the screen protector, the phone was always unlocked. Live and learn.
    StrangeDayspscooter63watto_cobra
  • Reply 47 of 65
    Rayz2016 Posts: 6,957 member
    gatorguy said:
    At launch there's going to be a Pixel 4 Face Unlock omission that will attract a lot of hand wringing too.

    For at least a short period it will not have the additional biometrics setting that iPhones do requiring eyes open. (Eyes closed is an option)
    While I don't think it's a serious flaw, and Google does have a page showing the additional "eyes open" option thus indicating it is on the way, it really should be there and active at launch IMO.

    At least the lock-down feature will be active so anyone truly concerned about being knocked unconscious or being locked up by the police and their phone being raped can in a matter of seconds disable biometrics and require a pass-code to unlock. Very similar to Apple's power button emergency screen lock and apparently just as quick to activate.

    But yup, for now the iPhone's FaceID will have the option of an additional security requirement that Pixels will not.

    EDIT: I'm now seeing mentions of an "eye blink" requirement on shipping devices before proceeding with payment authorization and opening certain apps dealing in sensitive information? Will be curious to see what that's about. 
    Getting the Google defence in early.

    Good job!
    tmaythtwatto_cobra
  • Reply 48 of 65
    Rayz2016 Posts: 6,957 member
    sdw2001 said:
    I am literally laughing out loud right now. This is a security breach and "fail" of EPIC proportions. It may be the absolute worst vulnerability I have ever seen with a technology product. It would be like getting root access to your Mac by putting a piece of tape over the camera, or saying "bloody mary" three times to defeat voice recognition. The worst part is until Samsung can figure out a patch, ALL owners of the devices are vulnerable. Any person with malicious intent can buy a gel protector and grab the phone. It sounds like it's almost guaranteed to unlock. And why wouldn't it? You're going to put your finger over the fingerprint area, ESPECIALLY if you don't have a protector.

    Good lord.  



    I don't think we have enough information on this to say how EPIC the Fail is. At the moment, it could be anywhere between a fail the size of a mountain, and a fail that spans galaxies.

    Does it work with all screen protectors, or just the one that the lady in question happened to buy?
    If it falls flat with every screen protector then the Fail is so big that the light from its centre will take generations to reach Earth.
    If it falls over with a handful then the Fail is much smaller. I wouldn't expect Samsung to be able to test all of them.
    However, if Samsung knew that it broke with a few protectors and crossed its fingers, then it would take some sort of Star Trek type device to cross the Fail within the planet's lifetime.

    If they can genuinely fix it in software then it's probably just a bug.
    edited October 2019 watto_cobra
  • Reply 49 of 65
    Mike Wuerthele Posts: 6,861 administrator
    Rayz2016 said:
    sdw2001 said:
    I am literally laughing out loud right now. This is a security breach and "fail" of EPIC proportions. It may be the absolute worst vulnerability I have ever seen with a technology product. It would be like getting root access to your Mac by putting a piece of tape over the camera, or saying "bloody mary" three times to defeat voice recognition. The worst part is until Samsung can figure out a patch, ALL owners of the devices are vulnerable. Any person with malicious intent can buy a gel protector and grab the phone. It sounds like it's almost guaranteed to unlock. And why wouldn't it? You're going to put your finger over the fingerprint area, ESPECIALLY if you don't have a protector.

    Good lord.  



    I don't think we have enough information on this to say how EPIC the Fail is. At the moment, it could be anywhere between a fail the size of a mountain, and a fail that spans galaxies.

    Does it work with all screen protectors, or just the one that the lady in question happened to buy?
    If it falls flat with every screen protector then the Fail is so big that the light from its centre will take generations to reach Earth.
    If it falls over with a handful then the Fail is much smaller. I wouldn't expect Samsung to be able to test all of them.
    However, if Samsung knew that it broke with a few protectors and crossed its fingers, then it would take some sort of Star Trek type device to cross the Fail within the planet's lifetime.

    If they can genuinely fix it in software then it's probably just a bug.
    Fails with a good number. Our sources have now tested 15 different brands, and got it to fail with 11 of them.
    watto_cobra
  • Reply 50 of 65
    leighr Posts: 254 member
    What this shows is that companies such as Samsung can mimic Apple technology with copycat tech, that only appears to be the same. In reality, they are cheap, pretend versions, that are just an illusion of technology that doesn’t really exist in the hardware.
    watto_cobra
  • Reply 51 of 65
    hexclock Posts: 1,254 member
    Rayz2016 said:
    sdw2001 said:
    I am literally laughing out loud right now. This is a security breach and "fail" of EPIC proportions. It may be the absolute worst vulnerability I have ever seen with a technology product. It would be like getting root access to your Mac by putting a piece of tape over the camera, or saying "bloody mary" three times to defeat voice recognition. The worst part is until Samsung can figure out a patch, ALL owners of the devices are vulnerable. Any person with malicious intent can buy a gel protector and grab the phone. It sounds like it's almost guaranteed to unlock. And why wouldn't it? You're going to put your finger over the fingerprint area, ESPECIALLY if you don't have a protector.

    Good lord.  



    I don't think we have enough information on this to say how EPIC the Fail is. At the moment, it could be anywhere between a fail the size of a mountain, and a fail that spans galaxies.

    Does it work with all screen protectors, or just the one that the lady in question happened to buy?
    If it falls flat with every screen protector then the Fail is so big that the light from its centre will take generations to reach Earth.
    If it falls over with a handful then the Fail is much smaller. I wouldn't expect Samsung to be able to test all of them.
    However, if Samsung knew that it broke with a few protectors and crossed its fingers, then it would take some sort of Star Trek type device to cross the Fail within the planet's lifetime.

    If they can genuinely fix it in software then it's probably just a bug.
    Fails with a good number. Our sources have now tested 15 different brands, and got it to fail with 11 of them.
    Yikes!
    watto_cobra
  • Reply 52 of 65
    gatorguy Posts: 24,213 member
    leighr said:
    What this shows is that companies such as Samsung can mimic Apple technology with copycat tech, that only appears to be the same. In reality, they are cheap, pretend versions, that are just an illusion of technology that doesn’t really exist in the hardware.
    You have a point tho this is reporting on a technology that Apple hasn't used before, perhaps with good reason. 
  • Reply 53 of 65
    avon b7 Posts: 7,691 member
    leighr said:
    What this shows is that companies such as Samsung can mimic Apple technology with copycat tech, that only appears to be the same. In reality, they are cheap, pretend versions, that are just an illusion of technology that doesn’t really exist in the hardware.
    We don't know the true cause AFAIK. If that is the case, it doesn't show anything, and to be honest, there is a fair amount of tech popping up on Apple phones that Samsung and others have had earlier. That brings into focus the 'copycat' claim. Even the ultrasonic fingerprint tech isn't implemented on any Apple phones.
  • Reply 54 of 65
    leighr said:
    What this shows is that companies such as Samsung can mimic Apple technology with copycat tech, that only appears to be the same. In reality, they are cheap, pretend versions, that are just an illusion of technology that doesn’t really exist in the hardware.

    This is a case of Samsung trying to be "Unique" which got them into trouble on multiple fronts - reliability, security. Other Android OEMs are NOT using the solution that Samsung is using, for good reasons (reliability being the chief among them). So, no, the copycat claim is pure nonsense in this scenario.
  • Reply 55 of 65
    sans Posts: 58 member

    You are protecting it wrong!

    watto_cobra
  • Reply 56 of 65
    I don’t buy the excuse I’ve seen about a gel screen protector somehow getting an “imprint” built up over time such that the print becomes part of the gel. There’s no way people put their finger on in exactly the same location every time. If anything, the gel should have a mish-mash of random fingerprint lines all over the place. 
  • Reply 57 of 65
    gatorguy said:
    MplsP said:
    gatorguy said:
    maestro64 said:
    Does anyone else see an issue with Samsung tech being able to log into the phone and take control of it and modify settings? It looks like Samsung/Android has backdoors into the phone similar to a PC.
    You mean software and operating system updates? Heck, Apple does those. I believe in a worst case scenario Apple can still access your personal phone and remove a particularly egregious piece of malware masquerading as an app. What's the issue?
    From the article, "The man in customer services took control of the phone remotely and went into all the settings and finally admitted it looked like a security breach." - this is more than just an automatic software update; it's a remote user having access to the settings of the phone. Apple can remotely delete software but that's it. They can't log onto your phone and access settings.
    Yeah, on his own I don't think that's what's happened. Something was lost in translation. 
    Not sure how the service works, but assume there is some acknowledgement by the user to give permission to access like PC remote support. 
    https://www.samsung.com/us/support/remoteservice/

  • Reply 58 of 65
    gatorguy Posts: 24,213 member
    I don’t buy the excuse I’ve seen about a gel screen protector somehow getting an “imprint” built up over time such that the print becomes part of the gel. There’s no way people put their finger on in exactly the same location every time. If anything, the gel should have a mish-mash of random fingerprint lines all over the place. 
    I tend to agree with you.
  • Reply 59 of 65
    jdb8167 Posts: 626 member
    Rayz2016 said:
    sdw2001 said:
    I am literally laughing out loud right now. This is a security breach and "fail" of EPIC proportions. It may be the absolute worst vulnerability I have ever seen with a technology product. It would be like getting root access to your Mac by putting a piece of tape over the camera, or saying "bloody mary" three times to defeat voice recognition. The worst part is until Samsung can figure out a patch, ALL owners of the devices are vulnerable. Any person with malicious intent can buy a gel protector and grab the phone. It sounds like it's almost guaranteed to unlock. And why wouldn't it? You're going to put your finger over the fingerprint area, ESPECIALLY if you don't have a protector.

    Good lord.  



    I don't think we have enough information on this to say how EPIC the Fail is. At the moment, it could be anywhere between a fail the size of a mountain, and a fail that spans galaxies.

    Does it work with all screen protectors, or just the one that the lady in question happened to buy?
    If it falls flat with every screen protector then the Fail is so big that the light from its centre will take generations to reach Earth.
    If it falls over with a handful then the Fail is much smaller. I wouldn't expect Samsung to be able to test all of them.
    However, if Samsung knew that it broke with a few protectors and crossed its fingers, then it would take some sort of Star Trek type device to cross the Fail within the planet's lifetime.

    If they can genuinely fix it in software then it's probably just a bug.
    Fails with a good number. Our sources have now tested 15 different brands, and got it to fail with 11 of them.
    Mike, can you confirm that the unlock occurs with a finger registered before application of the screen protection? This would make Samsung’s statement that they recommend not using a third-party screen protector pretty disingenuous since the issue would be an attacker applying the protector not the owner. 

    I’m seeing a lot of argument on other sites about whether it only works with a finger registered with the screen protector already applied. 
    watto_cobra
  • Reply 60 of 65
    maestro64 Posts: 5,043 member
    gatorguy said:
    sflocal said:

    How did this not come up during development?  
    Even thousands of beta devices will miss finding that flaw discovered when millions of devices get into the end-consumers' hands. There's been several stories on AI in just the past few months about various bugs/problems in Apple software or products that some members here will proclaim should have been caught in development.

    As long as this Samsung one can be quickly addressed via an update rather than languishing as some bugs do it's really no different, is it? (I'm probably no more Samsung fan than you are BTW)
    Actually, beta testing will miss corner cases which are unique to various user environments. However, this issue is not a corner case; most people use a screen protector. You would hope Samsung's testing team would have put a screen protector on to see how it performs; you would hope they also test with dirty screens and various use cases.

    I am not saying Apple is perfect, but Samsung has a very poor track record on testing their hardware. We've all seen their issues front and center, which required a number of product recalls.
    tmaywatto_cobra