
MacRumors

macrumors bot
Original poster



Samsung has issued a software patch for its Galaxy S10 smartphone to fix a flaw in the under-screen fingerprint sensor that allowed anyone to unlock the device with the help of a cheap screen protector (via Reuters).


The problem was brought to light last week, when a British user who applied a gel screen protector to her Galaxy S10 subsequently discovered that unregistered fingerprints could be used to unlock the device.

Samsung later admitted the issue can happen when patterns appearing on certain protectors that come with silicone cases are recognized along with fingerprints.

On Wednesday, Samsung issued an apology via its customer support app Samsung Members and told Galaxy phone owners to update their biometric authentication to the latest software version.

"Samsung Electronics takes the security of products very seriously and will make sure to strengthen security through continuing improvement and updates to enhance biometric authentication functions," the company said via the support app.

The Galaxy S10 is the latest in Samsung's flagship S series, which is updated each year and regarded as the iPhone's main rival, but the fingerprint recognition problem in its latest smartphone has already caused reputational damage, with some banks pulling their apps from the Play store in response to the security flaw.

Good morning Robert, We've removed the app from the Play Store for customers with Samsung S10 devices. This is due to reports that there are security concerns regarding these devices. We hope to have our app available again shortly once the issue has been resolved. SY - NatWest (@NatWest_Help) October 20, 2019

Samsung originally aimed to bring an under-display fingerprint sensor to its smartphone line-up in 2018, but canceled the feature at the last minute due to similar technical issues surrounding the use of screen protectors.

In March, the Korean company launched the S10 with much fanfare and promoted its first commercial under-screen fingerprint recognition solution as "revolutionary" at the time.

Article Link: Samsung Issues Software Patch to Fix Screen Protector Flaw in Galaxy S10 Fingerprint Sensor
 
Kind of makes you wonder how exactly an air gap can fool the sensor. Doesn’t the sensor need to read certain values to check against the saved fingerprint to see if they match?
 
If I were an S10 user, I’d still be leery. It’d make some sense if a screen protector prevented the phone from recognizing a valid fingerprint, but to make it accept any fingerprint? That suggests a pretty lax system. It’s as if the software is saying, ah heck, I can’t read this fingerprint at all! Come on in!

Yes, they’ve issued a patch and maybe this really does fix things. But to get something so critical so wrong makes me skeptical. Press releases aside, that doesn’t demonstrate they take security very seriously.

We’ll see what third party testing demonstrates, but for now, I’d be cautious.
 
Kind of makes you wonder how exactly an air gap can fool the sensor. Doesn’t the sensor need to read certain values to check against the saved fingerprint to see if they match?
It’s not an air gap that is fooling the sensor.

Just as some (most) clear cases have a texture to prevent the phone from having that wet bubble look, the “screen protector” in question has the same thing. The fingerprint sensor is reading that texture as the fingerprint during registration, not the users’ actual fingerprint. So, with the texture being read anyone can unlock the phone, as that pattern is what was actually registered.
 
Can you imagine if an iPhone had this flaw? People here would be demanding Tim’s head on a platter, news sites would be reporting non-stop on the “biggest security flaw in the past decade”, and there would be droves of people vowing to boycott Apple until Steve was resurrected from the dead.
 
Can you imagine if an iPhone had this flaw? People here would be demanding Tim’s head on a platter, news sites would be reporting non-stop on the “biggest security flaw in the past decade”, and there would be droves of people vowing to boycott Apple until Steve was resurrected from the dead.
You forget two things:
1: Class Action
2: Letters to Apple demanding an explanation from some random Senators/Congress Person/Oversight committee who have no idea about technology but want to make a splash in the news.
 
At the rate Samsung needs to address major flaws they should just come up with a form letter

Dear User:
We are sorry for ____________. A fix will be available soon. We apologize for the inconvenience.

Sincerely,
Samsung
 
It’s not an air gap that is fooling the sensor.

Just as some (most) clear cases have a texture to prevent the phone from having that wet bubble look, the “screen protector” in question has the same thing. The fingerprint sensor is reading that texture as the fingerprint during registration, not the users’ actual fingerprint. So, with the texture being read anyone can unlock the phone, as that pattern is what was actually registered.
You're missing the example where the fingerprint was registered without a screen protector and placing a case on the phone allowed a different finger to unlock it.

How do you explain that?
 
But this is Android, so isn’t it up to the carriers, and not Samsung directly, whether or not the phones actually get this patch? I mean they would be stupid not to. Or is this something in the Play store? Or Samsung’s store?
 
But this is Android, so isn’t it up to the carriers, and not Samsung directly, whether or not the phones actually get this patch? I mean they would be stupid not to. Or is this something in the Play store? Or Samsung’s store?
No. Patches such as this are pushed directly from Samsung to the devices. Just like the patch that prevented the Note 7 from charging.
You're missing the example where the fingerprint was registered without a screen protector and placing a case on the phone allowed a different finger to unlock it.

How do you explain that?
If you are referring to the one random video on the internet, I don't explain it, and well, don't feel that I need to. Much like people were putting out videos of FaceID being fooled.

 
No. Patches such as this are pushed directly from Samsung to the devices. Just like the patch that prevented the Note 7 from charging.

If you are referring to the one random video on the internet, I don't explain it, and well, don't feel that I need to. Much like people were putting out videos of FaceID being fooled.


OK, here's another one which shows what a massive fail this is for Samsung.

One word: Stitching

On both Samsung and Apple devices you're required to move your finger/thumb around when registering your fingerprint. This is because the sensor is smaller than people's fingers, and you can't expect a person to put their finger in exactly the same spot every time.

So what they do (and this is obvious if you think about it when registering) is they get you to press your finger on the sensor multiple times and to move your finger position slightly each time so they can capture your entire fingerprint by stitching all these smaller "snapshots" of your finger together.

This is why the excuse of the screen protector having some sort of latent image or pattern is pure BS. The screen protector doesn't move, so what is Samsung doing when the user presses their finger down multiple times to register and it sees the same pattern over and over?

There's no way to spin this. It's a massive screwup for Samsung.
 
OK, here's another one which shows what a massive fail this is for Samsung.

One word: Stitching

On both Samsung and Apple devices you're required to move your finger/thumb around when registering your fingerprint. This is because the sensor is smaller than people's fingers, and you can't expect a person to put their finger in exactly the same spot every time.

So what they do (and this is obvious if you think about it when registering) is they get you to press your finger on the sensor multiple times and to move your finger position slightly each time so they can capture your entire fingerprint by stitching all these smaller "snapshots" of your finger together.

This is why the excuse of the screen protector having some sort of latent image or pattern is pure BS. The screen protector doesn't move, so what is Samsung doing when the user presses their finger down multiple times to register and it sees the same pattern over and over?

There's no way to spin this. It's a massive screwup for Samsung.
Here is where you’re mistaken. You are thinking of the “screen protector” as something that has an adhesive that keeps it on the phone (as most of us do). These are not causing the problem. The problem is with cases that cover the screen such as an otter box that has the clear part that “protects the screen” as part of the case. Samsung is calling these “screen protectors” as well, even though they differ from the traditional sense. They are not referring to an actual film protector that is glued to the device, which doesn’t move.

The words are being used interchangeably, even though they are different in their application.

edit: As far as size of fingerprint scanners go, the Samsung one is thinner and wider (it’s rectangular) than those found on an iPhone or most other devices that use circular ones. Have you seen it under the glass? Your entire finger most likely won’t cover the sensor unless you place it horizontally.
 
Can you imagine if an iPhone had this flaw? People here would be demanding Tim’s head on a platter, news sites would be reporting non-stop on the “biggest security flaw in the past decade”, and there would be droves of people vowing to boycott Apple until Steve was resurrected from the dead.

The more famous the company is, the more reactions arise. If I made a phone with a serious security flaw, nobody would care about it. It happens because Samsung is not as famous as Apple.
 
So seriously we didn’t even bother testing our product before releasing it...
Can be said about any product ever. Not much out there is perfect. Remember those 2016 - Current MacBook Pro keyboards?
Can you imagine if an iPhone had this flaw? People here would be demanding Tim’s head on a platter, news sites would be reporting non-stop on the “biggest security flaw in the past decade”, and there would be droves of people vowing to boycott Apple until Steve was resurrected from the dead.
Sounds like most users on here already every time Apple releases a product that doesn’t meet their every whim and desire. ;)
 
Here is where you’re mistaken. You are thinking of the “screen protector” as something that has an adhesive that keeps it on the phone (as most of us do). These are not causing the problem. The problem is with cases that cover the screen such as an otter box that has the clear part that “protects the screen” as part of the case. Samsung is calling these “screen protectors” as well, even though they differ from the traditional sense. They are not referring to an actual film protector that is glued to the device, which doesn’t move.

The words are being used interchangeably, even though they are different in their application.

edit: As far as size of fingerprint scanners go, the Samsung one is thinner and wider (it’s rectangular) than those found on an iPhone or most other devices that use circular ones. Have you seen it under the glass? Your entire finger most likely won’t cover the sensor unless you place it horizontally.
Not mistaken at all. It’s irrelevant as to whether it’s a case or simple screen protector. The fact it gets “learned” as a fingerprint because it has some sort of pattern is the issue.

You said:

The fingerprint sensor is reading that texture as the fingerprint during registration, not the users’ actual fingerprint.

The sensor on the Samsung is tiny. I have an S10 and Note 10 and have seen it by shining a light on the screen at the right angle. Do you own either of these devices? Have you ever learned a fingerprint on them? The instructions tell you to move your finger around to capture your entire fingerprint. It even shows the same animation Apple uses for TouchID that shows your fingerprint being “filled in” with subsequent touches.

It’s a huge flaw that Samsung sees a pattern in any type of screen cover and isn’t smart enough to realize it’s the same pattern over and over during registration. I guess Samsung was lying when they tell users to “move your finger to capture the edges of your print”. So what’s Samsung doing when they “fill in” your print during registration when all they see is the same pattern over and over? Lying?
 