A Reddit user claims to have used a 3D printer to clone a fingerprint and then use the fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10.
Fingerprint Scanner
The Galaxy S10 and S10+ phone models have an Ultrasonic Fingerprint Scanner embedded into the screen that uses soundwaves to create a 3D map of the owner’s fingerprint, and the recognition sensor at the bottom centre of the screen can then be used by the owner to gain entry to the phone by placing their fingerprint on it.
Made Fake Finger
The Reddit user is known only as ‘darkshark9’ claimed in a proof-of-concept uploaded to Imgur that they had been able to unlock their own Galaxy S10 phone using a fake finger that had been made using a photograph (taken using the Galaxy S10’s camera) of their own fingerprint on a wine glass. The mystery ‘darkshark9’ claimed that they had used Adobe Photoshop and Autodesk 3ds Max to work on the photograph and had then used an AnyCubic Photon LCD resin 3D home printer (costing less than £400) to make a physical replica of the fingerprint.
It has been reported that it took ‘darkshark9’ less than 15 minutes to make the fake fingerprint that opened the phone.
Fingerprint Fear
This means that a person with same equipment who could obtain a photo of a fingerprint from an object such as a glass or phone at close distance, or using a higher-quality DSLR camera (from perhaps even across the room) could have the potential to quickly break into anyone’s biometric security protected phone and steal personal data, access apps, etc.
What Does This Mean For Your Business?
Many security experts agree that using biometric security as a primary unlock method is less secure than a password or PIN, although it offers convenience and is liked by many users. In the case of the Galaxy S10, although it was supposedly fooled with the fake finger model, its fingerprint scanner uses ultrasonic sound waves to map the user’s fingerprint in the first place which is more secure than the optical sensors used by some other phones that can be fooled by a paper printout of a fingerprint.
Having a fingerprint scanner/sensor on the phone is better than having nothing at all, as is the case with many people who leave their phones unlocked all the time rather than having to type in a PIN or password.
This is not the first time that phone biometric security measures have been defeated. For example, it is also claimed that the S10’s facial recognition (because it uses cameras rather than infrared sensors) can be fooled by another phone playing a video of the S10’s owner face.
Also, in a Twitter thread, Manchun Wong claimed that she was able to fool her brother’s S10 facial recognition scanner using her own face, presumably because of the similarity of family and sibling resemblance. This is reminiscent of a case back in 2017 when BBC ‘Click’ reporter Dan Simmons reported that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.
Biometric security on phones clearly has some way to go before the effectiveness lives up to the promise, and for the time being, although less convenient, password and PIN may be safer as the primary unlock method.