Samsung Galaxy S10 Fingerprint Scanner Hacked

If you or someone you know owns this phone, this is an interesting article for you.

One of the big new feature announcements with the launch of the Samsung Galaxy S10 smartphone was the all new ‘in-display’ fingerprint scanner for the S10 and S10+ models. It wasn’t just the convenience of having the scanner built into the screen that was being pushed by Samsung, but the additional security offered by the ultrasonic fingerprint sensor rather than a traditional optical reader. This was, we were assured, capable of creating an intricate 3D map of your fingerprint which meant only you, and you alone, could unlock your phone. Now it appears that Samsung has just been proven wrong as a security researcher demonstrated how he fooled the fingerprint scanner with a 3D-printed copy.

How does the ultrasonic fingerprint work?

The difference with the ultrasonic fingerprint scanner in the Galaxy S10 and S10+ smartphones compared to the more traditional capacitive scanners is that it can capture a 3D image rather than a 2D one. By using very high-frequency ultrasonic soundwaves, the scanner can map a fingerprint in quite astonishing detail which includes things like ridges and pores as well as just the ‘flat’ patterns we are more used to seeing. It does this by transmitting a pulse of ultrasonic sound against your finger and then analyzing the pressure of the pulse that gets bounced back from it. This will be different for everyone as each fingerprint will absorb differing amounts of the wave pressure, for want of a simpler way of describing the process, and so a unique 3D map will be created. A map that captures depth data across different points on the scanner, making the resulting map very detailed in all dimensions. So far, so good. So, what went wrong?

How did the hacker break the scanner?

The truth is that nothing went wrong as far as the scanner is concerned, it did its job as intended. Unfortunately, the researcher (going by the name of darkshark9) was able to use a photograph of his fingerprint from a wine glass and, using Photoshop, create an alpha mask from it. This mask was then exported to 3ds Max software in order to create a geometry displacement to get a highly-detailed and raised 3D model. It was then just a matter of printing that model from his AnyCubic Photon LCD resin printer which has an accuracy-level down to 10 microns. This ensured all the ridges of the fingerprint were properly rendered. The time to print was 13 minutes, after which the resulting fake fingerprint opened the Galaxy S10 every time. I said earlier that the hacker had fooled the scanner, but actually this isn’t really the case as the cloned fingerprint is exactly the same as the original so the scanner was recognizing that which it had been instructed to.

And the real-world risk to me is?

Well, that really depends who you are, what data is on your phone and just how much someone wanted to access it. While darkshark9 states that “there’s nothing stopping me from stealing your fingerprints without you ever knowing” and further that “if I steal someone’s phone, their fingerprints are already on it” the truth is that this would require a perfect alignment of circumstances. For some very high-profile individuals then there is, indeed, a risk from such an attack scenario. However, for the average Jo(anne) there’s not a real lot to worry about here. Sure, if someone stole your phone they could in theory get access not only to your personal data but also your bank account, as most of these now rely upon fingerprint ID to authenticate the user to the app. That is assuming the person who stole it also has the 3D printer and technical skills to create the clone fingerprint, along with the desire so to do, which is quite the assumption to make.

Should I stop using my fingerprint?

No, that would not be advisable in my never humble opinion. There is always going to be a trade-off between convenience and security, which is why most folk don’t use a PIN or password. Both authentication methods are generally thought more secure than fingerprint biometrics by most security experts, but both are also more hassle in terms of remembering and inputting the code. Which is why many people have their phones unlocked all the time, requiring no such authentication in the first place. Biometrics such as face and fingerprint recognition overcome this by being ‘secure enough’ for most people, without adding any user-inconvenience into the mix. “The whole biometric authentication movement at consumer level of electronics is never going to be very secure” Ian Thornton-Trump, head of cybersecurity at AmTrust Europe agrees, telling me “I’m not a fan of facial recognition, voice recognition or fingerprint authentication but consumers are and that’s not a bad thing.” I’d certainly always recommend a fingerprint protected device to one with no protection. That advice stays the same in the light of the Galaxy S10 hack. In fact, even darkshark9 himself says that the ultrasonic fingerprint scanner of the S10 is probably safer than the optical or capacitive sensors of other smartphones. “Optical sensors can be tricked with a simple scan and paper printout of a fingerprint” he notes, “ultrasonic can’t.” As reported here at Forbes last month, the fingerprint scanner is certainly more secure than the facial recognition which can be beaten by a video of the owner placed in front of the smartphone.