Only a few hours after the release of the hotly-anticipated Galaxy S5 this morning, researchers from a small outfit in Germany called Heise Security have posted video proof of a way to crack through its biometric scanner with a simple dummy fingerprint.
You’ll probably recognize this same method from a few months back when the iPhone 5S was released, when another team in Germany was able to use a high-resolution printer to create a “fingerprint” on a piece of low-gloss paper.
This effectively fooled the scanner into believing that what it was seeing was a real human hand, and into unlocking the secrets contained inside. As of now, the only real app at risk (besides the other valuable data people like to store on their phones) is PayPal, which has poured millions into becoming the first digital wallet to offer biometrically signed payment systems on as many mobile devices as possible.
The difference here, however, is that unlike the iPhone, which was quickly patched to deal with a similar threat upon its initial launch, Samsung has no game plan or answer to what could be a gaping hole in their strategy to become the number one encrypted smartphone provider of the 21st century.
Even if reviewers were somewhat tepid in their excitement about the future of the Galaxy line (the S5 received mediocre reviews across the board), many were still hopeful to see the only other real competitor to the iPhone step up and take the security of their flagship smartphone seriously.
Samsung has been on a security tear lately, reportedly courting big contracts like the United States Department of Defense in an attempt to encroach on one of the only sectors Blackberry has still been able to turn a profit in. If previous reports are to be believed, Samsung has been having issues getting their Knox encryption platform sealed up to the standards that US intelligence agencies depend on to keep their own secrets safe for themselves.
Glossing over the unmistakeable irony of members of the DoD who are concerned about the privacy of data on their cell phones, the loss of the fingerprint scanner on this year’s iteration of Samsung’s “best and brightest phone” means yet another setback in a long line of bureaucratic roadblocks that at this point are basically the only thing standing between Blackberry and their inevitable slow crawl to eventual doom.
A spokesperson for PayPal confirmed to BGR that although the fingerprint scanner could be tricked with the same method on both the iPhone 5s and Samsung Galaxy S5, the fact of the matter is that the person who’s hacking it needs to physically have your phone in hand in order for the attack to work. They still can’t access any of that information over the air, and as long as you know when to call PayPal and tell them you lost your device, they can remotely wipe anything that might put your financial accounts at serious risk.
“While we take the findings from Security Research Labs very seriously, we are still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards. PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.”