Galaxy S5 Fingerprint Scanner Spoofed

[Rogifan]

I'm waiting for senator Al Franken's letter to Samsung about this. My guess is I'll be waiting a long time.

http://arstechnica.com/security/201...ated-by-whitehat-hackers/?comments=1&start=40

 

[Switchback666]

Saw tweet early today, bad news for Samsung.

 

[Che Castro]

why is this not front page news anywhere

 

[Lloydbm41]

Oh brother.

These articles are click-bait. Simply put, if I know I want to steal your phone and have the resources and/or skill to hack it, nothing is going to save your info. These articles make it seem like Bobby Joe Dumpling finds your phone and can then hack it with his room temperature IQ. Sorry, just ain't gonna happen.

And BTW, all these 'hacks' require physical access to your phone.

 

[The Game 161]

Well happened to Apple too. It's why I would never have it for that kind of thing

 

[kuroe]

"Spoofed" with a high resolution image coupled with a wood resin replica...

So all we need to do is take a photo of our finger with a high enough resolution that they can make a mold using wood glue. I don't think the average, everyday person will have to worry about this.

Also, Apple's iPhone 5s implementation has also suffered from similar "hacks"

In other words, the issue is not Samsung or Apple itself, but the fingerprint-scanning technology used. The technology is flawed, thus the issue exists.

 

[Robster3]

Another.

http://www.cnet.com/news/samsung-galaxy-5-fingerprint-scanner-thwarted-by-hack/

 

[Rogifan]

So all we need to do is take a photo of our finger with a high enough resolution that they can make a mold using wood glue. I don't think the average, everyday person will have to worry about this.

Also, Apple's iPhone 5s implementation has also suffered from similar "hacks"

In other words, the issue is not Samsung or Apple itself, but the fingerprint-scanning technology used. The technology is flawed, thus the issue exists.

When it happened to Apple it was front page news everywhere. And you had a US Senator writing to Apple with his concerns. Now it happens to Samsung and it's minor news. Even though the security firm that spoofed it says it was much easier to spoof than Touch ID and more dangerous because Samsung doesn't have all the passcode requirements Apple does and Apple's implementation (so far) is more limited.

 

[Lloydbm41]

When it happened to Apple it was front page news everywhere. And you had a US Senator writing to Apple with his concerns. Now it happens to Samsung and it's minor news. Even though the security firm that spoofed it says it was much easier to spoof than Touch ID and more dangerous because Samsung doesn't have all the passcode requirements Apple does and Apple's implementation (so far) is more limited.

Because Apple is a significant player in both the US Congress/Senate (Apple is a major lobbyist) and it is a US company that effects the Dow Jones with ever little move it makes. Additionally, Apple made claims of how great the fingerprint scanner was for security reasons and when it was found not to be true (hell a cat's paw worked to unlock phones), it was news.

And let's face it, Samsung and every other OEM just don't make as much media hype when they falter compared to Apple. It's just a fact of life.

 

[kupkakez]

I think the only reason the Apple Touch ID fiasco was blasted everywhere is because there are some people out there that want to see Apple fail. They want to see them fall again.

Where as with Samsung no one cares.

 

[DeathChill]

Because Apple is a significant player in both the US Congress/Senate (Apple is a major lobbyist) and it is a US company that effects the Dow Jones with ever little move it makes. Additionally, Apple made claims of how great the fingerprint scanner was for security reasons and when it was found not to be true (hell a cat's paw worked to unlock phones), it was news.

And let's face it, Samsung and every other OEM just don't make as much media hype when they falter compared to Apple. It's just a fact of life.

Did Apple do that? I thought Apple pointed out how it was a solution to the problem of people not wanting to bother with a password. They explained how it worked and all that, but I don't recall Apple saying it was the ultimate security solution that was unhackable. Perhaps I'm misremembering.

The cat's paw was registered to unlock the phone. I'm not sure how that's a bad thing. Maybe I'm misunderstanding?

 

[kdarling]

why is this not front page news anywhere

I think it's partly because people now know about spoofing. When it happened before, they didn't know.

It's the first time that almost always makes the news. After that, it's a yawner.

 

[lazard]

When it happened to Apple it was front page news everywhere. And you had a US Senator writing to Apple with his concerns. Now it happens to Samsung and it's minor news. Even though the security firm that spoofed it says it was much easier to spoof than Touch ID and more dangerous because Samsung doesn't have all the passcode requirements Apple does and Apple's implementation (so far) is more limited.

Apple is an US company. Americans care about US stuff.

 

[Lloydbm41]

Did Apple do that? I thought Apple pointed out how it was a solution to the problem of people not wanting to bother with a password. They explained how it worked and all that, but I don't recall Apple saying it was the ultimate security solution that was unhackable. Perhaps I'm misremembering.

The cat's paw was registered to unlock the phone. I'm not sure how that's a bad thing. Maybe I'm misunderstanding?

Here ya go. Read all about it from Apple's homepage. It's also significantly mentioned in Apple's keynote from the iPhone 5S/C event:

Link: http://support.apple.com/kb/ht5949

A small portion of the page:

Secure Enclave

Touch ID doesn't store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for your actual fingerprint image to be reverse-engineered from this mathematical representation. iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 and the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can't be used to match against other fingerprint databases.

 

[DeathChill]

Here ya go. Read all about it from Apple's homepage. It's also significantly mentioned in Apple's keynote from the iPhone 5S/C event:

Link: http://support.apple.com/kb/ht5949

A small portion of the page:

Yeah that quote has absolutely nothing to do with the fingerprint scanning security. That's specifically talking about how the fingerprint information is stored. No one has hacked that, so they are very right to tout that security. Two separate things.

EDIT: Also, I watched the keynote and they specifically said they did research and that half of smartphone owners do not use a passcode and that Touch ID was designed to make it easy and simple to provide some form of security. They didn't say anything about it being the best security ever or that it could never be spoofed.

People seem to constantly attribute things to Apple that they never said.

 

[Lloydbm41]

Yeah that quote has absolutely nothing to do with the fingerprint scanning security. That's specifically talking about how the fingerprint information is stored. No one has hacked that, so they are very right to tout that security. Two separate things.

Not surprised by your response. Won't matter what you are shown, you'd disagree. I could say the sky is blue, and you would argue that it is green.

EDIT: They didn't say anything about it being the best security ever

People seem to constantly attribute things to Apple that they never said.

Ironic. You have attributed words to me that I never said.

 

[Tarzanman]

I'm waiting for senator Al Franken's letter to Samsung about this. My guess is I'll be waiting a long time.

http://arstechnica.com/security/201...ated-by-whitehat-hackers/?comments=1&start=40

Maybe you should keep your politics off of the android board. There's no shortage of forums where people like to troll each other back and forth over party. This is not one of those places.

 

[DeathChill]

Not surprised by your response. Won't matter what you are shown, you'd disagree. I could say the sky is blue, and you would argue that it is green.

That's not fair at all. I'm absolutely correct in reference to the secure enclave of Touch ID. Maybe I misinterpreted something you said in this post, so I'll explain my thought process. You said:

Additionally, Apple made claims of how great the fingerprint scanner was for security reasons and when it was found not to be true (hell a cat's paw worked to unlock phones), it was news.

I interpreted this post as you saying that it made it seem as if Apple had said that the fingerprint scanner was the best security method. Apple specifically said that at least half of people don't bother with a passcode because it is cumbersome to type in multiple times a day. Touch ID provides at least some form of security for those people who would never use a passcode otherwise.

The cat's paw portion threw me off as well. I wasn't sure if you were implying that a cat's paw could unlock any phone because of a Touch ID failing or that you didn't understand that cat's paws have unique 'fingerprints' like humans so setting up Touch ID with it works just like it does for us.

Maybe I completely misunderstood your post. I'm not trying to argue for the sake of it.

Ironic. You have attributed words to me that I never said.

Sorry about that. I wasn't trying to, but the general feel of your initial post to me made it seem as if you (partially) thought that it wasn't news when it happened to Samsung but is news when it happened to Apple was because of all the security Apple had touted. Apple's message (to me at least) was that Touch ID is the solution for those who didn't want to use a passcode. They explained how it worked in the page you linked and the security implications, but I didn't get the impression that Apple said it was any more secure than Samsung had implied.

Truly I'm not arguing just to argue. I just thought it was kind of an unfair comparison where Apple was being blamed for something they never actually said.

EDIT: Regardless, I think that no matter what we can agree to disagree. I'm definitely not arguing just because, nor do I think you are.

 

[easytake123]

i am thinking to buy S5 .but now i have to think over again .

 

[jamezr]

Maybe you should keep your politics off of the android board. There's no shortage of forums where people like to troll each other back and forth over party. This is not one of those places.

yep....you can always find someone's true motivation when you look at their posting history..........when out of the blue they post something in the alternative section that happens to paint Android in a negative light......well they become really transparent.

 

[0000757]

Because everyone has the resources to create a fingerprint the quality required.

 

[jrswizzle]

So all we need to do is take a photo of our finger with a high enough resolution that they can make a mold using wood glue. I don't think the average, everyday person will have to worry about this.

Also, Apple's iPhone 5s implementation has also suffered from similar "hacks"

In other words, the issue is not Samsung or Apple itself, but the fingerprint-scanning technology used. The technology is flawed, thus the issue exists.

Hence why Apple has yet to allow TouchID to be used for anything outside unlocking the device and iTunes purchases (after entering your password).

The key to this article is not that the sensor was spoofed, but that Samsung doesn't require any password after failed attempts, has no failsafe to prevent these things from happening (i.e. if you haven't logged into your iPhone for an extended period of time - I believe 24 hours, you're required to enter a passcode), and its directly connected to your PayPal which is then likely directly connected to your bank account and/or credit cards.

The technology needs more time to become safe enough to be used widely. Apple is taking it slow and making sure that any safeguards that can be implemented, are being implemented.

Samsung....well, didn't.

----------

Not surprised by your response. Won't matter what you are shown, you'd disagree. I could say the sky is blue, and you would argue that it is green.



Ironic. You have attributed words to me that I never said.

Lloyd, I've got a lot of respect for you and feel you generally post some great stuff....but here, you're just plain wrong. The poster you argued with has done nothing of the sort, and has explained his thought process rather rationally.

Honestly, talking about how the fingerprint data is stored is an entirely different issue. There are really four key components in my mind:

(1) Fingerprint Sensing capabilities - proven to be hackable with the right amount of time, know how and tools.

(2) Failsafes - how many fail attempts before you're locked out, time limit on leaving an phone idle and being able to use fingerprint sensor, requiring passcode after restart etc

(3) Features/Info attached to fingerprint login - Apple's taken flak for not opening TouchID up, whereas Samsung has been praised. Now?

(4) Storage of fingerprint data - both very secure from my knowledge and neither has been hacked yet.

 

[Dontazemebro]

I would expect no less from Rogifan, just curious why you weren't as vocal on the Touch ID spoof thread lolzers.

 

[Lloydbm41]

Lloyd, I've got a lot of respect for you and feel you generally post some great stuff....but here, you're just plain wrong. The poster you argued with has done nothing of the sort, and has explained his thought process rather rationally.

I don't feel as though I was arguing with him. He put words in my mouth, which I never said and then proceeded to expound on his interpretations of my original post. And while his information is not wrong, from his standpoint, it was tangential to what I had posted.

You are right though, I should have just left it alone and not responded. I think this boils down to a lost in translation moment. My apologies.