Posted on April 8, 2019 at 3:04 PM
While Samsung has been extolling the virtues of its 3D fingerprint scanner with sonic technology, a hacker has gone and broken it.
Samsung’s Galaxy S10 was one of the most hotly anticipated phones in the last year. It drew attention not only because it showed the market that you don’t need a notch, but also because of its in-display fingerprint scanner. While it’s true that it was not the first phone with an in-display fingerprint scanner, it was the first to have a properly secure one.
Most of the in-display fingerprint scanners that were released before the Samsung Galaxy S10 were optical. These fingerprint scanners have long been known to be suspect from a security standpoint. When Samsung announced its ultrasonic scanner, people got excited. An ultrasonic scanner works by sending high-frequency ultrasonic soundwaves to map your fingerprint. Every pore, every ridge, and all flat patterns are mapped in detail. This means that hacks such as using a printout of your thumb cannot work. You need to use your fingerprint and only your fingerprint. Nothing else would do. The soundwaves that bounce back from your particular fingerprints will always be the same, right?
That was the theory, at least.
Now, thanks to the ingenuity of a security researcher called darkshark9, this security has been disabled and overcome. The Samsung Galaxy S10 is no longer totally safe, at least not in the way it was marketed. The researcher managed to unlock his Samsung Galaxy multiple times without using his fingers.
How the hack works
The ingenious thing is that he didn’t even hack the scanner itself. The scanner is doing its job perfectly. What the researcher did was take a picture of his fingerprint from a wineglass. He then created a so-called alpha mask from it using Photoshop. Once he had done that, he imported the alpha mask of his fingerprint into Autodesk 3ds Max, a 3D rendering program popular with the maker community. He used the software to create a geometry displacement. This allowed him to get a detailed 3D raised profile of his picture.
The above process allowed the researcher to get his ridges, lines, and patterns perfectly rendered. He then 3D printed this fake fingerprint. Those who think this took an extraordinarily long time would be mistaken. The researcher needed all of 13 minutes to go from taking the picture to printing out a fake fingerprint.
Who is at risk?
The researcher stated that there was nothing stopping people like him from stealing fingerprints. No one would even know they had been stolen. A glass at a restaurant would be enough. He went on to say that no matter how careful you are, your phone will always have your fingerprint. This is a side effect of touch screens coming to dominate the phone landscape in the last 10 years.
However, the truth is less scary than it first seems. It would actually be quite difficult for someone to do this to an average person. The circumstances would need to align perfectly for it to be completely viable. High-profile people are of course the main targets. If you don’t know anyone who has the required tools and knowledge, you are more or less safe. These types of hacks are more for targeted attacks, and in that case there are several other avenues of attack besides getting a fingerprint.
The messy truth is that every system has an opening, no matter how secure. Having multiple layers is the best security. A fingerprint and a facial scan might look cool, but a 5-digit passcode is much more secure, and a traditional password even more so.