Slashdot Mirror


Samsung's Galaxy S10 Fingerprint Sensor Fooled By 3D Printer (theverge.com)

A Samsung Galaxy S10 user has managed to fool the in-display fingerprint reader on his smartphone using a 3D print of his fingerprint. The Verge reports: In a post on Imgur, user darkshark outlined his project: he took a picture of his fingerprint on a wineglass, processed it in Photoshop, and made a model using 3ds Max that allowed him to extrude the lines in the picture into a 3D version. After a 13-minute print (and three attempts with some tweaks), he was able to print out a version of his fingerprint that fooled the phone's sensor.

The Galaxy S10's fingerprint sensor doesn't rely on a capacitive fingerprint scanner that's been used in other versions of the phone, using instead an ultrasonic sensor that's apparently more difficult to spoof. darkshark points out that it didn't take much to spoof his own fingerprint. A concern, he notes, is that payment and banking apps are increasingly using the authentication from a fingerprint sensor to unlock, and all he needed to get into his phone was a photograph, some software, and access to a 3D printer.
"I can do this entire process in less than 3 minutes and remotely start the 3d print so that it's done by the time I get to it," he writes.

42 comments

  1. it is easier than that by FudRucker · · Score: 1

    this guy unlocked an S10 with the video of himself on another phone
    https://www.youtube.com/watch?...

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re: it is easier than that by Anonymous Coward · · Score: 0

      Oh noes!! Someone is gonna see what the gmail app thinks I should buy for dinner!

    2. Re: it is easier than that by Anonymous Coward · · Score: 0

      This reminds me of the time I sucked myself off.

    3. Re:it is easier than that by Anonymous Coward · · Score: 0

      Using the fingerprint scanner? That's impressive!

  2. scary stuff by Anonymous Coward · · Score: 0

    instantly opens up access to 2FA, and draining all your savings and retirement accounts while you are worried about your lost phone

    1. Re:scary stuff by Anonymous Coward · · Score: 0

      instantly opens up access to 2FA, and draining all your savings and retirement accounts while you are worried about your lost phone

      If someone can "drain" your savings and retirement accounts with your smartphone, you obviously lost all common sense long ago.

      A lost phone isn't gonna fucking matter.

  3. And yet, I am unmoved. It doesn't matter by mschuyler · · Score: 3, Insightful

    Any key and lock can be broken. All any lock does is keep most of the people out most of the time. It's a first level of security that is perfectly adequate for most people. It's not like my Samsung contains nuclear launch codes. In fact, it contains nothing at all very useful, even to me. I'm not too concerned that someone with a 3D printer will take the trouble to find my fingerprint (1 in 10 chance there, buddy) and do the necessary transformations to be able to unlock my phone for no good reason. That's a whole lot of work for nothing gained.

    --
    How about a moderation of -1 pedantic.
    1. Re: And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 1

      So you are unimportant and nobody cares about you. And you do not care about your privacy.

      Seems like I summed that up well.

    2. Re:And yet, I am unmoved. It doesn't matter by XArtur0 · · Score: 3, Insightful

      >Any key and lock can be broken.
      That's why, as broken as it is, passwords are still king.

      You can create a secure Password, you can't create a (more) secure fingerprint.
      You can optimize the detection mechanism, but that's about it.

      Retinal scan is still the best if you want a biometric authentication method.
      Face and fingerprint are a joke.
      (and retinal scan is only better because you don't leave your retinal pattern on every surface you see, but still vulnerable to high-resolution photography).

      The problem with passwords is that you never know what the backend is doing with the plain-text version.
      (And stupid people who use stupid passwords)

    3. Re:And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      Don't have anything worth stealing, any relationships worth ruining, any pride to blackmail, or no desire to not end up in prison due to some vindictive person. Don't need security.

      But is that really a life worth living?

    4. Re: And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      It's not like my Samsung contains nuclear launch codes.

      It didn't before I unlocked your phone.

      Now you're DefCon 3.

    5. Re:And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      The chances are likely better than 1 in 10. I find it highly unlikely that the same number of people use their right pinky (probably no one) to unlock their phone as use the left index finger (probably most people).

    6. Re:And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      To paraphrase a comment you made on Sunday: "Then it isn't about you."

    7. Re: And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      I started drinking every night at karaoke bars recently and I couldn't remember which finger to use to unlock (in reality I just had double vision and I would try and try to put the correct finger on the reader but I would always miss) so I programmed all my fingers, all the fingers of the bartenders, the homeless guy by dumpster, and the meter maid. Now as long as I can find one of these people, I can always unlock my phone. Sadly, it's hard to read such a small screen with double vision so for my next phone I have decided to tape an iPad to my wrist and tell everyone (in a slur) it's an iWatch** and I'm sure someone will think I'm really cool maybe someday in the right dive bar.

    8. Re:And yet, I am unmoved. It doesn't matter by religionofpeas · · Score: 3, Insightful

      You can create a secure Password, you can't create a (more) secure fingerprint.

      Also, if your password is compromised, you can pick a new one.

      And, most critically, you can pick a different password for each application.

    9. Re:And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      "you can pick a different password for each application"
      Because everybody wants to remember 43 passwords.

    10. Re:And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      2-3 variation of base password with salting. and don't use base from your leisure accounts' password as base for your important account passwords. e.g. for /. i'd use "Pa$$w0rd/." whereas for my Chase account I'd use "Soop3r$3curePa$$w0rdCe" and for Bank of America i'd use "Soop3r$3curePa$$w0rdBa".

      That way even if someone manages to get hold of your plaintext/decrypted leisure account password, they cannot get into your important accounts. Assuming that the important account passwords are stored as one-way hash and with random salt generated by the back-end on top of your own salt. If you find that's not the case, then take your business elsewhere.

    11. Re:And yet, I am unmoved. It doesn't matter by Anonymous Coward · · Score: 0

      Still too complicated to remember once you have a dozen or so variations. Also it goes to hell once you get to that new login that suddenly requires 12 characters at minimum rather than 8 (or 14 rather than 12, whatever.)

  4. In other words... by Livius · · Score: 4, Insightful

    He fooled a fingerprint reader using... an exact reproduction of his fingerprint. On the fourth try.

    That seems incredibly unsurprising.

    1. Re:In other words... by Anonymous Coward · · Score: 0

      how did this get past firehose we've seen PoCs on fucking scotch tape

      guess there's some other reason

      we'll leave that to the reader as an exercise in perceptibility

    2. Re:In other words... by iggymanz · · Score: 2

      and in organic chemistry most of us have fooled with polymer making that could duplicate our fingertip from a clay impression in 1/6 the time as a 3D printer

      3D printing plastic, the most expensive and time consuming way to make something out of plastic....

    3. Re:In other words... by Anonymous Coward · · Score: 0

      That seems incredibly unsurprising.

      It's actually only unsurprising if you don't know how "fingerprint" scanners on cell phones usually work.

      They don't actually scan your fingerprint at all; they typically use an infrared sensor that scans the blood vessels inside your finger. It's not impossible to fool, but you're not going to be able to do it just by having a picture or a scotch tape imprint of somebody's finger.

      This is surprising because it turns out that the S10's ultrasonic scanner is worse than the previous generations.

    4. Re: In other words... by Aristos+Mazer · · Score: 1

      The ultrasonic sensor was claimed to be immune to this kind of spoof. Supposedly they could tell if the print had layers to it (the way human skin does and a 3D print does not). The news here is that the sensor does not do what Samsung claims.

    5. Re:In other words... by Daralantan · · Score: 1

      and all he needed to get into his phone was a photograph, some software, and access to a 3D printer

      So basically nothing! He's more powerful than the mythic techniques of MacGyver!

  5. Re:In other words... AntMan! by retroworks · · Score: 1

    When I'm someday a reclusive billionaire, someone will do this by extracting my fingerprints from doorknobs with tape. It's just a matter of time and lottery tickets.

    --
    Gently reply
  6. Amputation by kenai_alpenglow · · Score: 2

    So, since it doesn't care if the finger is live or dead unlike the newer fingerprint readers, wouldn't it be quicker & easier to just cut off the owner's finger like we used to?

    1. Re:Amputation by Anonymous Coward · · Score: 0

      So, since it doesn't care if the finger is live or dead unlike the newer fingerprint readers, wouldn't it be quicker & easier to just cut off the owner's finger like we used to?

      Yes, it's probably quicker but I have a hunch the owner will notice it.

    2. Re: Amputation by Aristos+Mazer · · Score: 1

      Infect them with leprosy. They'll think the cutting was natural. You just have to intercept their trash bags when they leave them at the curb. :-)

  7. Too bad it was using biometrics like old scanners by kriston · · Score: 2

    Too bad it wasn't using biometrics like old so-called "fingerprint" scanners do. They say "fingerprint" but what they really meant was "biometrics" including electrical measurements, not the actual, physical fingerprint.

    Using the measurements, like oxygen saturation (which the phones have been doing for over a decade) in addition to the fingerprint was the right idea then.

    --

    Kriston

  8. Not exact, plastic by Anonymous Coward · · Score: 0

    Not exact, only plastic ridges made from a wine glass fingerprint. The point being that the previous generation of readers rejected this attack, and you'd have to fake finger capacitance too. So this is a step backwards.

    Do you think a security system should get *BETTER* with new generations or *WORSE* with new generations?

    The surprise here is that it's worse.

    Buy a Galaxy S10, pay 5 times the price and it's worse than a Galaxy A30 with the capacitive fingerprint reader simply to move the fingerprint reader from the back to under the front. SURPRISE!

    1. Re:Not exact, plastic by Anonymous Coward · · Score: 0

      It's worse on one measure, but is it worse overall?

  9. Re:In other words... AntMan! by religionofpeas · · Score: 2

    When I'm someday a reclusive billionaire, someone will do this by extracting my fingerprints from doorknobs with tape

    Or they will find a way to steal fingerprint info from a database. With more applications using fingerprints, it is unavoidable that your fingerprint info will be stored in multiple locations, and it is a single breach away from ending up in the wild. For eternity.

  10. Re:Too bad it was using biometrics like old scanne by religionofpeas · · Score: 1

    Once someone has a 3D model of your finger, I wouldn't count on oxygen saturation or impedance to save your ass. I'm sure that clever hackers can figure out a way to fool those too.

  11. Don't forget that it is a Samsung, after all... by LordHighExecutioner · · Score: 1

    ...if you hack the login authentication method, the device self-destroys.

    1. Re:Don't forget that it is a Samsung, after all... by Anonymous Coward · · Score: 0

      And well on form for American tech, since that fingerprint reader was designed and manufactured by Qualcomm.

  12. Oh shit by Daralantan · · Score: 1

    Welcome to "spy tricks you see in movies all the time." Who could have imagined this possible?!

    /s

  13. Not Samsung's fault, but Qualcomm's by Anonymous Coward · · Score: 0

    They're the ones who manufactured and sold this broken piece of tech. But of course American tech media is reluctant to mention that.

  14. Why is S10 in the headline at all by Anonymous Coward · · Score: 0

    Fuck all you media fucks!

    The headline should be: Fingerprint scanner unlocked with replica of user's finger.

    This is not even newsworthy. It is click bait sensationalism at its finest.

    Shut the fuck up.

  15. why this specific phone? by SuperDre · · Score: 1

    You can fool any phone's fingerprint sensor with a simple rip of a fingerprint. So what would be so special about this one?
    This isn't anything special, except the media needing some nice story which seems sensational, even though it isn't.
    So nothing to see we already didn't know.. And I'm pretty sure it didn't take him 3 minutes to do it.

    1. Re:why this specific phone? by tlhIngan · · Score: 1

      You can fool any phone's fingerprint sensor with a simple rip of a fingerprint. So what would be so special about this one?
      This isn't anything special, except the media needing some nice story which seems sensational, even though it isn't.
      So nothing to see we already didn't know.. And I'm pretty sure it didn't take him 3 minutes to do it.

      Easy, because this phone has the sensor underneath the screen. So instead of most Android phones having the sensor on the back of the phone, you can place your thumb on the screen and it'll read the fingerprint and unlock it right there.

      The technology behind the through screen fingerprint reader was supposed to be more advanced than the fingerprint pads on existing phones and immune to common fingerprint spoofing techniques.

    2. Re:why this specific phone? by Yosho · · Score: 1

      You can fool any phone's fingerprint sensor with a simple rip of a fingerprint.

      Actually, you can't. Most phone "fingerprint scanners" are actually capacitive sensors that measure electrical responses in your fingertip. They're not impossible to fool, but you can't do it with just a picture of somebody's finger.

      That's why it's noteworthy that the S10, Samsung's latest and greatest phone, is using an ultrasonic sensor, which is apparently much easier to fool than previous-generation tech.

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    3. Re:why this specific phone? by SuperDre · · Score: 1

      No, but you can do it with a simple tape with the copy of the fingerprint attached to your finger...