To my knowledge, Apple is the only vendor that actually made in-depth claims about the security of their face unlock solution. They’re the only vendor that assumed anyone cared.
Android OEMs are working off a feature checklist and that’s about it.
Sure but this sounds like a software bug. There isn’t any way the screen protector makes the returned “ultrasounds” look like the one it’s expecting, it just confuses the reader which should result in rejected authentication. Seems sloppy.
> In fact there are already articles showing how the unlock feature works while you’re asleep
Hah, this was the first thing I tested with Face ID when I got my iPhone 10. If you look at it with your eyes closed then it won't unlock. Open your eyes and it instantly unlocks. I spent about five minutes playing peek-a-boo with it.
Although in that last case, as in the case of Government respecting your rights but the court orders you to give access, a password still allows you to have the ability to block/brick/wipe the phone.
All of this of course is if you have good password hygiene, but if you don't, I don't think you have a claim to complain about weak security models.
Biometrics are not secure to use for both a username and password combined.
At best, biometrics are good as a username to identify who you are, but not that you consent to login.
At best, today's biometrics are a trade-off in security for convenience, partially because most can be faked.
I look to modern banking startups for biometrics use because money and personal data are similarly valuable and sensitive. If they aren't using it, it's not secure, or ready.
We are somehow ok with touch and faceid without some form of 2FA.
A fingerprint reader can also be operated while the victim is asleep, unconscious, and even after you sever the thumb off (remote attack!!). Does that mean a fingerprint reader cannot ever be called secure?
Forbes article has slightly more information, including the fact that the Note10 should have the same vulnerability, and it explains that it's not just any screen protector, but a particular type of wraparound screen protector that manages to confuse the sensor.
Samsung's reaction (a recommendation to only use authorized accessories) is completely off the mark considering that the real problem is someone could steal your device and then use an unauthorized accessory to access your info.
I read that differently -- that the scanning of a working finger leaves an imprint in the gel, and this is what is read from the subsequent scan. This would mean that you couldn't just grab somebody's S10, put a gel screen protector on, and get into the device. You need to have them successfully unlock the device first.
With this in mind, they would not be completely off the mark.
S10 5G user here, with an IQ shield protector (wet application/ very soft yet strong gel type).
Scanned fingers with the original protector, didn't rescan with the IQ shield which I only put on a few weeks ago.
Can only unlock with my scanned fingers, so will leave my scans as is until a fix eventuates (if it does).
Is it an issue if the fingerprint is registered without a screen protector on?
I could imagine it's possibly like putting foggy privacy tint on a window. You can see through clearly before, but after the tint is applied, everybody looks pretty much the same.
A bit of background on this (I am involved in the ultrasound industry):
- The chip Samsung uses is by Qualcomm. Their big claim is that their ultrasound fingerprint scanner is the only US government approved non-optical way of electronically scanning a fingerprint (those sensors they have at airports use basically the same technology)
- It's supposed to be more secure than the capacitive technology Apple used to use since it grabs a true image of the fingerprint and not just a low-res representation
- Given this, it's probably a problem with the software on Samsung's part, not Qualcomm
- However, it's interesting that adding the screen protector is what broke it. It suggests that there could be any number of unintentional biometric security holes
- It demonstrates that consumer tech companies (with possible exception of Apple) don't really have the expertise or motivation to properly implement biometric authentication
Can you elaborate on the operating principle behind the ultrasonic sensor and what makes its output a "true image" vs. Touch ID's "low-res representation"?
Biometric authentication on Android phones has always seemed to be hit-or-miss: companies looking to add it to their feature checklist either come up with fundamentally flawed designs (storing a fingerprint as an unencrypted image file, etc.) or you have bugs like these. There really needs to be some sort of realignment that incentivizes companies to get this right rather than slap together something broken and try to sell it as “iPhone may have x feature, but we have y (which is buggy, but you don’t know that)”.
This sentence from the NY Times review of the Galaxy Note 8 has always stuck with me.
>Some of the biometrics, including the ability to unlock your phone by scanning your face or irises, are so poorly executed that they feel like marketing gimmicks as opposed to actual security features.
Some sort of certification would be useful. We can compare cameras with megapixels, but fingerprint reader is like boolean: it's either present or not. There are obvious metrics like false positive rate, false negative rate, but I have no idea where to find those metrics for any phone.
Reminds me of a funny story:
A few years back on a visit to Beijing, was hustled on a street corner to purchase what appeared to be a brand new iPhone (a 7, if memory serves), for a ridiculous price.
The seller handed it to me to play with, and proudly demoed the fingerprint unlock feature. The interface looked flawless (given that it was Chinese).
Naturally, it was a fake. Doing a hard reboot brought the green Android bucket at boot.
As for the unlock feature, it took the user through all steps of fingerprint setup only to work with any finger (or anything else warm touching it, for that matter).
It looks like this works with the fingerprint set up before the screen protector is added. The catch here, I believe, is that the screen protector needs to have some sort of gel adhesive and it only unlocks if you've pressed a valid finger against the screen protector prior to using the invalid finger.
Pressing the valid finger against the protector leaves an imprint in the gel, and this is what is read when it reads the invalid finger. I don't think that this is a bug in Samsung's code but rather a flaw in the technology that they chose to use.
Is there any indication of whether this only happens if the screen protector was present prior to training the fingerprint?
> After buying a £2.70 gel screen protector on eBay, Lisa Neilson found her left thumbprint, which was not registered, could unlock the phone.
This suggests that an attack of "put a malicious screen protector on phone to unlock" is possible. I'm curious whether there was any re-training after applying the protector.
Ah, here's a video of a note 10, which has the same fingerprint sensor as an s10, being fooled by a gel _case_ after being trained with a fingerprint normally.
Long pins and passwords make you a lot more susceptible to casual attackers, as they can be gotten from shoulder surfing and casual video, like e.g. surveillance footage.
Fingerprint replicas (or your actual fingers) are obtainable by targeted attackers of some sophistication. But if you're targeted by attackers willing to go that length for you, you have other problems. IMO, fingerprints provide the best practical security.
Fingerprints were never supposed to replace passwords, they're more analogous to usernames.
I like fingerprint scanner as a quick way to unlock my phone, it's at least more secure than the 4 digit passcodes or patterns I used before that, and more convenient than that or face recognition. But I wouldn't want to use fingerprint to replace entering a password for making payments or accessing any secure data.
U2F doesn't feel like a natural fit for securing a phone because the core "factor" in U2F is "Something you have" and well, you "have" the phone too already. The fingerprints are "Something you are" but as we see _implementation_ may be lacking. So as you realise that leaves requiring a passphrase, "Something you know".
It's awkward, but I think if you care about security that's still really the most practical solid option. Fingerprints were only ever "better than nothing" here and should not have been sold as more than that (Biometrics _can_ be very secure but they need human supervision, e.g. when police take a DNA sample you can't give them somebody else's DNA but nobody is supervising you when you press what may or may not be your actual finger up against the sensor on a stolen phone).
I have a passphrase and a relatively short screen timeout for my phone, it certainly is less convenient than most people's zero authentication strategy, I noticed this when my closest place to buy groceries announced I could use the phone instead of needing a cashier.
For a regular person you just wander around, bagging anything you want and scanning it with the phone, then obviously you pay at the end. But for any time I spent more than 30 seconds or so browsing the phone locked and I needed to re-enter my passphrase to scan an item, cumbersome. There are tweaks I could do to let the scanning app stay active when the screen locks, but ultimately I just won't bother, there are hand scanners for people who don't have a phone or don't want to use it like me. I'll only use the phone if I pop in to get a single item so that unlocking the phone is faster than swiping to get a scanner.
I switched to my first Fingerprint phone a year ago, and I can't imagine going back to passcode unlocking for convenience reasons.
Which is the most secure? It depends on the threat model. With an NFC sensor, I suppose it should be possible to unlock a phone from a physical key, but is it really convenient?
The only downside of a fingerprint is that there is no key rotating. If your fingerprint pattern is compromised, you are screwed. This doesn't have to be a security vuln in the device itself. A determined attacker can take your fingerprints off the screen surface or back of the phone.
[[It's not 100% clear but it seems that the problem only occurs if you put the screen protector on before recording your fingerprint. If you record the fingerprint and then add the protector it does not allow you to unlock the phone as it sees a vastly different print.
In other words, a screen protector is not a "master key" for any S10!
Please correct me if I am wrong.]]
Edit: On second reading of the article it looks like a screen protector might actually be a master key for any S10 phone. That's a really big design flaw! (Thanks to computerex for making me read the article more critically.)
From what it seems, it records a "flat" fingerprint, because the screen protector is obviously a flat layer on top of the device. So any haptic touch only activates this flat fingerprint
It should be noted that the S10E does not suffer from this flaw, as its thumbprint sensor is a hardware button on the side of the phone that doubles as the power button. Just picked one up a week ago and very pleased with it.
Assuming the flaw hasn't been discovered because no one logically puts a protective cover over that button. What if you did place the same protective cover over that button and try? Could it be hijacked in that manner?
I’m astounded at how little testing companies do with their products. Most high school students with nothing better to do could have hypothesized this problem and tested for it if only somebody had bothered to ask them.
Given that people report this works with a protector added AFTER registering the print...I'd love to see how Samsung reckons they can fix this with software. Because that sounds very much like a physical issue
It's clear that Samsung and Google are scrabbling to catch up with Apple, and I don't see why tbh. I don't think the general public dislike traditional fingerprint readers nearly as much as they do finding out the unlock mechanisms aren't secure.
Seeing how bad fingerprint scanner is on S10 even with correct fingers and no protectors I can only wish luck to the thieves who'll try to do this trick. I sometimes can't unlock damned thing in five tries and have to enter password.
You can also show a video or a photo of a phone owner and it will be unlocked. It’s a joke of a security and most people don’t understand that and think it’s as secure as iPhone’s face unlock, which is a totally different beast.
dangus | 6 years ago
It just says “simply look at your phone to securely unlock it.” They make no claims about how secure it is.
In fact there are already articles showing how the unlock feature works while you’re asleep: https://9to5google.com/2019/10/16/pixel-4-tidbits-face-unloc...
tbrock | 6 years ago
theclaw | 6 years ago
nolok | 6 years ago
Random person tries to get in (eg phone was stolen in the subway, ...): biometrics work, password works.
Close person tries to get in (significant other, coworker, ...): biometrics is flawed, password works.
Government respecting your rights tries to get in: biometrics is completely broken, password works.
Government that doesn't respect your rights tries to get in: https://xkcd.com/538/
j45 | 6 years ago
ahbyb | 6 years ago
zuminator | 6 years ago
https://www.forbes.com/sites/gordonkelly/2019/10/15/samsung-...
fullstop | 6 years ago
sundvor | 6 years ago
SkyPuncher | 6 years ago
tompccs | 6 years ago
(edit - newlines)
theclaw | 6 years ago
criddell | 6 years ago
I'm not sure I want any tech company storing high resolution scans of my biometrics.
vernie | 6 years ago
Havoc | 6 years ago
I suspect Samsung can muster a fair bit of expertise if they feel the need. We're not exactly talking about a fly-by-night tech startup here...
nolok | 6 years ago
saagarjha | 6 years ago
GeekyBear | 6 years ago
https://www.nytimes.com/2017/09/05/technology/personaltech/s...
vbezhenar | 6 years ago
guyromm | 6 years ago
droopyEyelids | 6 years ago
fullstop | 6 years ago
robinson-wall | 6 years ago
robinson-wall | 6 years ago
https://twitter.com/Sta_Light_/status/1184475413252210688
laktak | 6 years ago
Multicomp | 6 years ago
Are long pins and passwords still the most secure way to control access to your phone? Is there U2F for phones as a 2nd factor?
DCKing | 6 years ago
wjoe | 6 years ago
tialaramex | 6 years ago
Ayesh | 6 years ago
fulafel | 6 years ago
OJFord | 6 years ago
jcadam | 6 years ago
isodude | 6 years ago
johnday | 6 years ago
computerex | 6 years ago
> After buying a £2.70 gel screen protector on eBay, Lisa Neilson found her left thumbprint, which was not registered, could unlock the phone.
This suggests that the issue started happening after putting on the screen protector, and after recording the fingerprint.
env123 | 6 years ago
andrew_ | 6 years ago
deaps | 6 years ago
tjpnz | 6 years ago
johnday | 6 years ago
jammygit | 6 years ago
Havoc | 6 years ago
repler | 6 years ago
CivBase | 6 years ago
Mindwipe | 6 years ago
Yizahi | 6 years ago
usaphp | 6 years ago