Samsung issues patch for Galaxy S10 fingerprint sensor problem

Posted:
in General Discussion
Following confirmed accounts that the Galaxy S10's fingerprint sensor can be defeated with a cheap screen protector, Samsung says it has issued a software patch to resolve it.

Samsung Galaxy S10
Samsung Galaxy S10


Samsung says that it has issued a software update to resolve problems with the fingerprint scanner on both the Galaxy S10 and Note 10. It's recommending that users update their phones to the latest software version.

Previously, users had discovered that the security fingerprint scanner could be entirely bypassed if a cheap screen protector was fitted to a phone.

According to Reuters, Samsung says that the issue was to do with patterns from the protectors being recognized alongside the legitimate fingerprints. While Samsung has not explained how this could result in phones being unlocked, AppleInsider consulted with the Department of Defense.

The exact mechanism of failure is not yet known. However, it didn't even require a finger to fool the fingerprint sensor -- any similarly shaped object functioned as an ersatz digit, and would trigger the unlock through the screen protector.

It took Samsung seven days to issue the patch from the first wide and public reports of the problem. Based on the account originally published, it appears the company knew about the flaw for about a week before press got wind of the matter.

It isn't clear how pre-release testing missed the flaw. While Samsung hasn't commented on that in particular, it has issued an apology over its phone app.

"Samsung Electronics takes the security of products very seriously and will make sure to strengthen security through continuing improvement and updates to enhance biometric authentication functions," the company said on the app.

Since the failure, multiple banks and other apps relying on the authentication have removed support for the feature.
«1

Comments

  • Reply 1 of 22
    wood1208wood1208 Posts: 2,905member
    It's Samsung. Throw something half backed to users than buy time to fix it.
    jbdragoncoolfactorAppleExposedapres587watto_cobra
  • Reply 2 of 22
    wood1208 said:
    It's Samsung. Throw something half backed to users than buy time to fix it.
    Yes, I think it is this
    edited October 2019 AppleExposedolschasmwatto_cobra
  • Reply 3 of 22
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.

    My assumption is that this can't be as bad as the article implies.  Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right?  It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it.  Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector.  That seems plausible, right?  
    SpamSandwichwatto_cobra
  • Reply 4 of 22
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.

    My assumption is that this can't be as bad as the article implies.  Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right?  It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it.  Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector.  That seems plausible, right?  
    Yes, that seems plausible. If that's the issue, Samsung's problem was in not requiring some minimum quality level for enrollment of a fingerprint. That's not a hardware defect, that's a rookie level error in important security software. In the past, Apple has fixed software security problems in well under two weeks from discovery. I am not impressed by Samsung in this instance.
    AppleExposedwatto_cobra
  • Reply 5 of 22
    netmagenetmage Posts: 314member
    Nope - saw a video that showed exactly that in detail. Enrolled a new set of fingers, saw them work, saw wrong fingers not work, put piece of film over reader/screen, wrong finger works.
    edited October 2019 jbdragonrandominternetpersonMacQcdysamoriaStrangeDayswatto_cobra
  • Reply 6 of 22
    lkrupplkrupp Posts: 10,557member
    bsimpsen said:
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.

    My assumption is that this can't be as bad as the article implies.  Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right?  It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it.  Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector.  That seems plausible, right?  
    Yes, that seems plausible. If that's the issue, Samsung's problem was in not requiring some minimum quality level for enrollment of a fingerprint. That's not a hardware defect, that's a rookie level error in important security software. In the past, Apple has fixed software security problems in well under two weeks from discovery. I am not impressed by Samsung in this instance.
    Wait, wait, I thought Apple has a monopoly on QA issues.
    AppleExposedStrangeDayswatto_cobra
  • Reply 7 of 22
    lkrupp said:
    Wait, wait, I thought Apple has a monopoly on QA issues.
    Statements like that could blowup in your face (or pocket).
    muthuk_vanalingamStrangeDayswatto_cobra
  • Reply 8 of 22
    netmage said:
    Nope - saw a video that showed exactly that in detail. Enrolled a new set of fingers, saw them work, saw wrong fingers not work, put piece of film over reader/screen, wrong finger works.
    Wow.  If Apple did that it would be a story on the national network news and a joke on Jimmy, Jimmy, and Steven that night.
    MacQcAppleExposedStrangeDayswatto_cobra
  • Reply 9 of 22
    coolfactorcoolfactor Posts: 2,239member

    It isn't clear how pre-release testing missed the flaw.

    They ship an "approved" screen protector with the phone. What phone maker has ever done that? They knew about this issue beforehand and were *really* hoping nobody else would figure it out.

    I still don't understand why anyone uses a screen protector in the first place. It degrades the experience.
    AppleExposeddysamoria
  • Reply 10 of 22
    philboogiephilboogie Posts: 7,675member
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.  
    Surely you haven't forgotten the "macOS bug lets you log in as admin with no password required". And their follow-up screw-up by not fixing it with their patch.

    If one were to weight a smartphone fingerprint issue vs a root password, I'd say Samsung's bug is less severe.


    muthuk_vanalingamavon b7dysamoria
  • Reply 11 of 22
    AppleExposedAppleExposed Posts: 1,805unconfirmed, member
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.

    My assumption is that this can't be as bad as the article implies.  Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right?  It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it.  Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector.  That seems plausible, right?  

    You don't get it here.

    Say Granny Alice got a "shiny new iPhone" (she thinks it's an iPhone) and puts a screen protector on it (maybe even an iPhone screen protector!). Now any scumbag can unlock her phone. She doesn't read Apple Insider because she's too busy watching the cooking channel.
    apres587watto_cobra
  • Reply 12 of 22
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.  
    Surely you haven't forgotten the "macOS bug lets you log in as admin with no password required". And their follow-up screw-up by not fixing it with their patch.

    If one were to weight a smartphone fingerprint issue vs a root password, I'd say Samsung's bug is less severe.


    Here’s the story on Ars Technica:

    https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/

    According to them, a patch was out the next day.

    Also, access to the Macs was required. Note we’re talking about Macs here, not smartphones. Huge difference in number of people potentially impacted.

    Nice try on equating the two. No cigar.
    StrangeDayswatto_cobra
  • Reply 13 of 22
    dysamoriadysamoria Posts: 3,430member
    lkrupp said:
    bsimpsen said:
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.

    My assumption is that this can't be as bad as the article implies.  Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right?  It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it.  Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector.  That seems plausible, right?  
    Yes, that seems plausible. If that's the issue, Samsung's problem was in not requiring some minimum quality level for enrollment of a fingerprint. That's not a hardware defect, that's a rookie level error in important security software. In the past, Apple has fixed software security problems in well under two weeks from discovery. I am not impressed by Samsung in this instance.
    Wait, wait, I thought Apple has a monopoly on QA issues.
    Uh, no, of course they don’t. They DID used to be BETTER, and we DID used to be able to rely on that fact.  Now they’re pretty much just like every other computer industry company, especially the ones on the stock market.
    muthuk_vanalingam
  • Reply 14 of 22
    dysamoriadysamoria Posts: 3,430member

    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.

    My assumption is that this can't be as bad as the article implies.  Surely I can't walk up to your Samsung phone, add a screen protector and now I can unlock your fingerprint-protected phone, right?  It's gotta be that if you have a certain type of protector on when you enroll your fingerprint any finger thereafter will unlock it.  Which means that I can't use this vector to attack any phone that didn't start with a bad screen protector.  That seems plausible, right?  

    You don't get it here.

    Say Granny Alice got a "shiny new iPhone" (she thinks it's an iPhone) and puts a screen protector on it (maybe even an iPhone screen protector!). Now any scumbag can unlock her phone. She doesn't read Apple Insider because she's too busy watching the cooking channel.
    There are so many more reasons why normal people wouldn’t read Apple Insider... I’m not even insulting AI.
  • Reply 15 of 22
    philboogiephilboogie Posts: 7,675member
    sacto joe said:
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.  
    Surely you haven't forgotten the "macOS bug lets you log in as admin with no password required". And their follow-up screw-up by not fixing it with their patch.

    If one were to weight a smartphone fingerprint issue vs a root password, I'd say Samsung's bug is less severe.


    Here’s the story on Ars Technica:

    https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/

    According to them, a patch was out the next day.

    Also, access to the Macs was required. Note we’re talking about Macs here, not smartphones. Huge difference in number of people potentially impacted.

    Nice try on equating the two. No cigar.

    Uhm, I wasn't trying to equate the two, merely giving my opinion that I think the fingerprint issue (requiring physical access) being less severe than the root password bug (requiring physical access). And yes, they released a fix the next day, which caused more problems:

    If you experience issues with authenticating or connecting to file shares on your Mac after you install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file sharing:

    • Open the Terminal app, which is in the Utilities folder of your Applications folder.
    • Type sudo /usr/libexec/configureLocalKDC and press Return.
    • Enter your administrator password and press Return.
    • Quit the Terminal app.

    Thanks for reading!
    - A non-smoker

    muthuk_vanalingam
  • Reply 16 of 22
    Not sure what happened to my previous comment, so let me ask once again - why cover Samsung here?  
  • Reply 17 of 22
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.  
    Surely you haven't forgotten the "macOS bug lets you log in as admin with no password required". And their follow-up screw-up by not fixing it with their patch.

    If one were to weight a smartphone fingerprint issue vs a root password, I'd say Samsung's bug is less severe.
    The researcher posted his tweet to Apple about the root password on the 28th, and they had a fix the 29th. I’m not aware of it not working. 
    watto_cobra
  • Reply 18 of 22

    sacto joe said:
    I say this when Apple does it, and I'll say it now:  going from learning of a hardware defect to releasing a fix in 2 weeks is pretty darn impressive.  

    Having said that, this defect is more ridiculous that any Apple bug/oversight than I can think of.  
    Surely you haven't forgotten the "macOS bug lets you log in as admin with no password required". And their follow-up screw-up by not fixing it with their patch.

    If one were to weight a smartphone fingerprint issue vs a root password, I'd say Samsung's bug is less severe.


    Here’s the story on Ars Technica:

    https://arstechnica.com/information-technology/2017/11/macos-bug-lets-you-log-in-as-admin-with-no-password-required/

    According to them, a patch was out the next day.

    Also, access to the Macs was required. Note we’re talking about Macs here, not smartphones. Huge difference in number of people potentially impacted.

    Nice try on equating the two. No cigar.

    Uhm, I wasn't trying to equate the two, merely giving my opinion that I think the fingerprint issue (requiring physical access) being less severe than the root password bug (requiring physical access). And yes, they released a fix the next day, which caused more problems:

    If you experience issues with authenticating or connecting to file shares on your Mac after you install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file sharing:

    • Open the Terminal app, which is in the Utilities folder of your Applications folder.
    • Type sudo /usr/libexec/configureLocalKDC and press Return.
    • Enter your administrator password and press Return.
    • Quit the Terminal app.
    But you said they screwed up again by “not fixing it with their patch”. They did fix it with their patch. The above was about a possible file sharing problem, which is not not-fixing the root password bug. 
    watto_cobra
  • Reply 19 of 22
    philboogiephilboogie Posts: 7,675member
    But you said they screwed up again by “not fixing it with their patch”. They did fix it with their patch. The above was about a possible file sharing problem, which is not not-fixing the root password bug. 
    Well, actually they brought on a different bug, the file sharing thing. But when they rolled those two patches into a newer patch, the root bug came back.

    https://arstechnica.com/gadgets/2017/12/updating-macos-can-bring-back-the-nasty-root-security-bug/

    (in all, there were other problems in that very week, with multiple sites posting negative stories on Apple)


    muthuk_vanalingam
  • Reply 20 of 22
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    Not sure what happened to my previous comment, so let me ask once again - why cover Samsung here?  
    This is addressed in the commenting guidelines, conveniently linked at the bottom of every forum page.
    edited October 2019 philboogiewatto_cobra
Sign In or Register to comment.