Samsung Admits Major Security Flaw in Galaxy S10 Under-Screen Fingerprint Sensor

[mi7chy]

According to the original source article and video they fitted a 360 degree gel case which causes a gap over the in-screen fingerprint sensor and the phone to accept a null fingerprint scan hence why it works with unscanned fingers. Software patch will prevent null fingerprint scans.

https://www.thesun.co.uk/tech/10127908/samsung-galaxy-s10-screen-protector-ebay/

 

[m4mario]

Why wont they do it? People have been giving credit to Samsung for rushing with hardware first, rather than doing it with a reasonable quality. That has worked very well for them. As long as people keep saying Samsung is innovative, this non sense will continue. They are not innovative. They just have very low standards to release a product.

 

[dojoman]

So isn't payment system on Android completely compromised by this flaw or do you need to enter passcode for it?

 

[Gilligan's last elephant]

Thing is: Now that we know a screen protector gel renders the scanner inoperable, someone will find an even more ubiquitous material that will do the same, like a bit of spittle, for instance. I would bet that the alternative for Samsung software is to lock the user out completely, when using the fingerprint sensor, and reverting to pin-only access.

The problem occured when a NEW fingerprint was set up AFTER the case was fitted, and the original fingerprint was no longer recognised.

 

[jimmirehman]

Samsung is repeatedly trying to one up Apple by beating them to market with new tech that they aren't field testing long enough to approve for production.

 

[macfacts]

Samsung is repeatedly trying to one up Apple by beating them to market with new tech that they aren't field testing long enough to approve for production.

So what is the excuse for apple releasing so many point releases of iOS 13? Looks like apple rushed iOS 13 for the new iPhone release. Zero testing.

 

[ElectricPotato]

Behold, the new Easy Access (tm) feature of S10!

 

[I7guy]

Apple recalled those batteries in the spring, less than 6 months new.

Really tough to spin this into anything positive.

 

[mannyvel]

Any finger will do as long as there's a gap. Given that the sensor is ultrasonic it seems the air gap causes weird input, and the software treats "weird input" as a positive match.

Anyone can fingerprint unlock a Galaxy S10—just grab a clear phone case

Samsung says it is developing a fix for “malfunctioning” fingerprint reader.

arstechnica.com

[automerge]1571336257[/automerge]

The problem occured when a NEW fingerprint was set up AFTER the case was fitted, and the original fingerprint was no longer recognised.

no.

 

[coolfactor]

wow, major f-up. Almost like when relatives who resemble you can unlock iPhones with face-ID, or when taped-up glasses unlock face-ID, or when masks unlock face-ID etc. etc. The morale of the whole debacle: phones are NOT SECURE. They're not a safe place to keep your personal crap. Face-ID seems to be slightly more secure than Samsung's crappy (it's crappy without the security info already) in-screen fingerprint solution, but let's not kid ourselves here: none of that alleged super-secure login crap is super-secure, no matter the manufacturer.

While I can't personally confirm the Note 10 problem (tried with 3 different silicone cases), it's shameful that a company like Samsung manages to f-up that badly. Time to re-introduce their iris-scanning tech, which was slow but secure.

You're oversimplifying how FaceID works. It gets stronger over time. If you just initialized it and then try to fake it with a mask/glasses/etc, it may be forgiving and let you in. But the more you use it, the stronger its assessment becomes so faking it would no longer work (as well).

Two faces that look similar = success. This is by design.

Here we have Samsung where ANY fingerprint is unlocking the screen, and this is a software flaw? Totally different thing!

 

[I7guy]

So what is the excuse for apple releasing so many point releases of iOS 13? Looks like apple rushed iOS 13 for the new iPhone release. Zero testing.

Im all for Apple releasing as many releases as necessary. Don’t see what is the problem. You’re assuming zero testing, in continued attempts to press FUD. But admit you don’t know what Apple did as far as why release a point update.

 

[coolfactor]

So what is the excuse for apple releasing so many point releases of iOS 13? Looks like apple rushed iOS 13 for the new iPhone release. Zero testing.

This is normal branch-driven software development. Each of these point releases is the amalgamation of "bugfix" and "feature" branches. As they become stable, they merge them into the master branch and issue a release. The fact that they are coming out like `bang-bang-bang` is actually a good thing, not a bad thing. It means they have a very agile development process, and know how to prioritize which features and bugfixes make it into the master branch for release.

 

[ersan191]

Did you read the story or just the headline? When the user placed the screen protector on, she setup/registered her finger and the scanner scanned the screen protector, not her finger. So the screen protector is there all the time, so of course it would unlock.

This is completely incorrect.

 

[Gilligan's last elephant]

According to the original source article and video they fitted a 360 degree gel case which causes a gap over the in-screen fingerprint sensor and the phone to accept a null fingerprint scan hence why it works with unscanned fingers.

https://www.thesun.co.uk/tech/10127908/samsung-galaxy-s10-screen-protector-ebay/

The article in MacRumors needs to be corrected as it implies that simply fitting the phone case onto any phone results in any fingerprint be authenticated. A NEW fingerprint needs registered with the case in place.

Original article on the Sun web page

"With the screen on, Lisa set up her right thumb print to access the phone but later used her left, which unlocked it".

 

[coolfactor]

Ultrasonic is "sound", so I fail to see how this tech can be compatible with ANY screen protector. The ultrasonic waves would be blocked from reaching the skin.

The scanner needs to recognize an actual fingerprint-like scan before it accepts it during setup. Sounds like it's not doing that (pun intended).

 

[GregJohn]

Why wont they do it? People have been giving credit to Samsung for rushing with hardware first, rather than doing it with an reasonable quality. That has worked very well for them. As long as people keep saying Samsung is innovative, this non sense will continue. They are not innovative. They just have very low standards to release a product.

this is so true, even if you look at the random phones they release all the time they each just have a gimmick or two and they see what sticks. Problem is most don’t because it’s done so poorly. Apple May be late on SOME features (still innovates many that no other company does) but they do it right, safe and much better. Samsung fans in particular will make fun of that but they just need any validation they can find for paying a bunch of money for their device.

 

[Timothy Leo Crowley]

At least it's not catching fire. Big improvement for Samsung.

 

[a.gomez]

Samsung actually said not to use unapproved screen protectors at the time of launch

I did not even know that. There you go... Buy a licensed Samsung product.

Same thing Apple keeps saying till they Blue in the face 🙄

 

[I7guy]

I did not even know that. There you go... Buy a licensed Samsung product.

Same thing Apple keeps saying till they Blue in the face 🙄

With respect to screen protectors and unauthorized entry into phone?

 

[Techwatcher]

And this is why Apple always waits folks. Much rather have a "late" but nicely functioning feature than a rushed "I'm first" one.
[automerge]1571338212[/automerge]

Samsung actually said not to use unapproved screen protectors at the time of launch

Ok? What's your point? If you lose your S10 and the person that finds it knows about this security flaw all then all they have to do is apply one of those screen protectors and boom they're in your phone.

 

[a.gomez]

With respect to screen protectors and unauthorized entry into phone?

With respect to $2 products that make your $999 piece of tech Glitch out. And Again, not even my original post that not like Apple not had security issues either.

And not like people stop buying iphones each time. They just wait for the fix

 

[mi7chy]

I did not even know that. There you go... Buy a licensed Samsung product.

Same thing Apple keeps saying till they Blue in the face 🙄

Samsung S10 series come with Samsung approved screen protector preinstalled. So, either the seller or the couple removed it.

https://mashable.com/article/samsung-galaxy-s10-s10-plus-pre-installed-screen-protector/

 

[mannyvel]

The article in MacRumors needs to be corrected as it implies that simply fitting the phone case onto any phone results in any fingerprint be authenticated. A NEW fingerprint needs registered with the case in place.

Original article on the Sun web page

"With the screen on, Lisa set up her right thumb print to access the phone but later used her left, which unlocked it".

No, you are incorrect. See the ars article for more info.

 

[coolfactor]

I did not even know that. There you go... Buy a licensed Samsung product.

Same thing Apple keeps saying till they Blue in the face 🙄

Very different thing. Apple wants you to buy only authorized Apple-approved "cables" and "power adapters". Why? Because the market is filled with cheap, low-quality and UNSAFE alternatives, so the best choice is to buy Apple-approved (Made For iPhone) to be safe.

Apple does not tell you to buy only approved screen protectors. But nice try. 😄
[automerge]1571338988[/automerge]

Samsung S10 series come with Samsung approved screen protector preinstalled. So, either the seller or the couple removed it.

https://mashable.com/article/samsung-galaxy-s10-s10-plus-pre-installed-screen-protector/

I BET you that Samsung was aware of this issue with third-party soft/gel protectors and wanted to minimize the problem by offering one up-front. This would keep the number of people buying third-party protectors to a lower number thereby reducing the risk threshold.

If so, this is a very dishonest move by Samsung. They released a product with a known vulnerability.

 

[I7guy]

With respect to $2 products that make your $999 piece of tech Glitch out. And Again, not even my original post that not like Apple not had security issues either.

And not like people stop buying iphones each time. They just wait for the fix

Which accessories are that the Apple tells you to buy that make the tech glitch out. I’ll wait for the answer.

And saying it’s not like “Apple has security issues” is a false equivalency. They don’t have biometric security issues.