[Update 4: Fix rolling out now] Samsung will fix Galaxy S10 flaw that let anyone bypass fingerprint unlock
Back in March, when Samsung launched the Galaxy S10, they described its fingerprint scanner as “revolutionary.” The in-screen scanner uses ultrasound to detect the ridges of users’ fingers and match them to stored data. Previous versions of in-screen fingerprint scanners tended to use optical scanners, which projected light under the screen and read your fingerprint that way. But it turns out that the only revolutionary thing about the ultrasound sensor is how easy it is to bypass it.
A British couple recently discovered the flaw after a woman fitted her Galaxy S10 with a gel screen protector she found on eBay for £2.70. After registering her thumbprint with the new protector fitted, she discovered that her other thumbprint – which wasn’t registered – also unlocked the device. When her husband tried to unlock it, it opened for both his thumbs. The same screen protector caused the same issue when fitted to another S10.
Samsung – for their part – said that users should only use Samsung-authorised screen protectors. They later followed up and said that they were investigating the issue internally. The smartphone giant also said that it would soon issue a software patch. It’s possible that this is linked to previous reports that other unofficial screen protectors caused issues with the fingerprint sensor because they left a small air gap, which interfered with the ultrasound.
While it’s encouraging that Samsung is working quickly to fix this, the underlying issue is somewhat more worrying. Obviously, ultrasound fingerprint scanning is still a very nascent technology, and it’s likely that this issue has been around since day one. With that in mind, it’s not difficult to imagine that there are other zero-day flaws like this that simply haven’t come into mainstream knowledge yet.
In the meantime, if you have a Galaxy S10, follow Samsung’s advice and only use Samsung-authorised screen protectors. Hopefully, the software patch comes sooner rather than later.
Update: Samsung’s statement
Samsung has issued a statement on the Galaxy S10 fingerprint scanner flaw. The company is advising anyone who uses a silicone screen protector on their Galaxy Note 10 or Galaxy S10 to remove the cover and delete all registered fingerprints. Samsung is also recommending people keep the covers off until a software patch has been issued.
The company is planning the release of a software update next week to address the problem. Once your device has received the update, they say you should make sure to scan the entirety of your fingerprint.
“This issue involved ultrasonic fingerprint sensors unlocking devices after recognizing 3-dimensional patterns appearing on certain silicone screen protecting cases as users’ fingerprints.
“To prevent any further issues, we advise Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints.
“If you currently use front screen protective covers, to ensure optimum fingerprint scanning, please refrain from using this cover until your device has been updated with a new software patch.
“A software update is planned to be released as early as next week, and once updated, please be sure to scan your fingerprint in its entirety, so that all portions of your fingerprint, including the center and corners, have been fully scanned.”
Update 2: Banking apps temporarily removing fingerprint login support for Galaxy S10 and Note 10 devices
The fingerprint security flaw appears to be much more serious than initially envisaged. According to multiple reports, users can trick the ultrasound fingerprint scanner by simply placing a TPU cutout over it while attempting to unlock it with an unregistered finger, even if the original fingerprint registration was done without any screen protectors in place. This essentially means that anyone can unlock any Samsung Galaxy S10 and Galaxy Note 10 series smartphone, completely defeating the authentication process.
While Samsung is working on a software update to fix this bug, several banking apps have realized the gravity of the situation. Consequently, banking apps have either removed support for fingerprint login options for the Samsung Galaxy S10 series and Samsung Galaxy Note 10 series, or completely barred these phones from accessing their apps and/or Play Store listing. Banks that have taken action so far are Nationwide Building Society and NatWest in the UK, Bank of China in China, Kakao Bank in South Korea, and Hapoalim Bank in Israel. We expect many others to follow suit. But even if they don’t, we advise Galaxy S10 and Galaxy Note 10 users to disable fingerprint unlock and revert to using password/PIN/pattern unlocking solutions until Samsung rolls out their update.
Story Via: GSMArena
Update 3: Fix Issued
Samsung has issued an update to its Galaxy S10 and Note 10 smartphones which it claims will fix the issue with the fingerprint sensors.
The Korea-based company also offered an apology via its customer support app Samsung Members, as well as advising customers to update their software to the latest version. No word yet on the update hitting devices, but we’ll keep an eye out.
Update 4: Fix rolling out now
Yesterday, Samsung said they had resolved the fingerprint bypass issue and an update would be rolling out soon. Just about 24 hours later, customers are receiving that update. The screenshot above is from a Verizon Galaxy Note 10+. The update details instruct users to remove registered fingerprints after the update and register them again without using a screen cover. The update is only 7.1MB and it should be rolling out to all Galaxy S10 and Note 10s in the coming weeks.