Less than a week after its public consumer release, the Samsung Galaxy S5 has had its fingerprint sensor spoofed with the same method the hacking group used to get past the iPhone 5S Touch ID sensor last September.
The process is the classic wood glue spoof: a latent fingerprint is lifted from the device's surface, the ridge pattern is etched onto a copper plate, and wood glue is spread over the plate so that the cured glue peels off as a fake fingerprint with enough capacitive response to fool the sensor.
Unlike its iPhone competitor, the Galaxy S5's fingerprint sensor can authorize payments through the PayPal app, not just iTunes purchases. The consequence of losing a new Samsung phone that is set up for biometric mCommerce payments is therefore greater, which makes this spoof somewhat more concerning than its Touch ID predecessor.
The most concerning aspect of this attack, as the hacker in the video points out, is that Samsung appears not to have taken the precautions telegraphed by its main competitor's public embarrassment. Vendors of software-based biometric alternatives are taking full advantage of this, advertising advanced anti-spoofing capabilities alongside platform agnosticism as their selling points.
Here is why this is not too big of a deal:
Yes, the two most publicly visible smartphones with fingerprint sensors can both be compromised by a spoof (one that can be called simple only by the standards of the art of spoofing, which is complicated at best), and yes, on one of them that means access to the owner's PayPal account. But there are some key things to keep in mind.
First of all, for the spoof to be a relevant concern to the average user, the phone must first be stolen and must carry a usable latent fingerprint (a print can also be lifted from a glass or another surface the victim touched, but it still has to be presented to the victim's own sensor). Smartphone biometrics benefit from being multi-factor by design: the finger is one factor and possession of the device is the other, so no device means no spoof. A forged fingerprint is useless without the sensor it is meant to fool. Easy fix: keep your phone safe and enroll only your off-hand (the one you don't use on the touch screen), so the prints left on the glass are not the ones the sensor accepts.
Secondly, the economics don't make much sense for practical thievery. Stealing a Galaxy S5 and forging a fingerprint to reach a PayPal account that the victim has probably already flagged as compromised makes much less sense than stealing a credit card, many of which can make contactless PayPass payments below the floor limit with no cardholder verification at all. Criminals simply have better ways to spend their time than spoofing smartphones.
Finally, as Michael Barrett of the FIDO Alliance pointed out in the Mobile ID World webinar The Password is Dead!, a wood glue spoof (or any other kind) does not scale. Password and PIN attacks can be monetized because the same remote technique works against every account. A fingerprint spoof, though shown to require little MacGyvering, needs physical access to each victim's device and a fresh print every time, and that is no way to run a cyber crime racket.
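To make the first point concrete, here is an added illustrative model of device-bound biometric authentication. It is not Samsung's, PayPal's or FIDO's code, and it does not describe the actual Galaxy S5 protocol; the matcher, the threshold, the minutiae labels and the HMAC stand-in for a device-resident signing key are all assumptions of this example. It shows why the fingerprint match happening on the phone and only unlocking a device-resident key means a forged print without the phone, or the phone without a matching print, yields nothing, while a good spoof plus the stolen phone succeeds, which is exactly what the break-in demonstrated.

```python
"""Illustrative model (not vendor code) of device-bound biometric auth.

The server never sees the fingerprint. The phone matches the presented
finger locally and, only on a match, uses a key that never leaves the
device to answer a server challenge.
"""
import hashlib
import hmac
import secrets

# Hypothetical constants for this model only (not from the article or any vendor).
MATCH_THRESHOLD = 0.8        # fraction of minutiae that must agree
CHALLENGE_BYTES = 32


def similarity(template, sample):
    """Toy matcher: Jaccard overlap of two minutiae sets.

    Real matchers compare ridge geometry; this stand-in exists only so the
    model has a local match step that a good spoof passes and a wrong finger fails.
    """
    if not template or not sample:
        return 0.0
    return len(template & sample) / len(template | sample)


class Phone:
    """Device side: the key stays on the phone, the match result stays local."""

    def __init__(self, enrolled_template):
        self.template = frozenset(enrolled_template)
        # Stand-in for a device-bound secret in a secure element. A real design
        # uses an asymmetric key pair so the server holds only the public half.
        self.device_key = secrets.token_bytes(32)

    def registration_record(self):
        # What the server stores at enrolment: a key handle, never the template.
        return self.device_key

    def respond(self, sample, challenge):
        """Return a keyed response if the presented finger matches, else None."""
        if similarity(self.template, frozenset(sample)) < MATCH_THRESHOLD:
            return None  # sensor rejects: the key stays locked
        return hmac.new(self.device_key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.registered = {}  # user -> device key handle

    def register(self, user, phone):
        self.registered[user] = phone.registration_record()

    def challenge(self):
        return secrets.token_bytes(CHALLENGE_BYTES)

    def verify(self, user, challenge, response):
        if response is None or user not in self.registered:
            return False
        expected = hmac.new(self.registered[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def forge_without_device(sample, challenge):
    """Attacker holds a good spoof but not the phone: there is no device key,
    so the best available response is one keyed on the print itself."""
    fake_key = hashlib.sha256("".join(sorted(sample)).encode()).digest()
    return hmac.new(fake_key, challenge, hashlib.sha256).digest()


def run_scenarios():
    """Return {scenario: server_accepted} for the four cases the article weighs."""
    # Constructed sample data: minutiae are labelled points, not real biometrics.
    owner_print = {f"m{i}" for i in range(20)}
    spoof_print = {f"m{i}" for i in range(18)} | {"x1", "x2"}  # lifted print, 2 errors
    other_print = {f"o{i}" for i in range(20)}                  # a stranger's finger

    phone = Phone(owner_print)
    server = Server()
    server.register("victim", phone)

    results = {}
    for name, sample in [
        ("owner_with_device", owner_print),
        ("spoof_with_stolen_device", spoof_print),
        ("stranger_with_stolen_device", other_print),
    ]:
        c = server.challenge()
        results[name] = server.verify("victim", c, phone.respond(sample, c))

    c = server.challenge()
    results["spoof_without_device"] = server.verify(
        "victim", c, forge_without_device(spoof_print, c))
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:30s} accepted={accepted}")
```

The two False results are the point of the "no device equals no spoof" argument: the server only ever checks a challenge response from the registered device, so a print lifted from a glass is worthless at a distance, and the attack cannot be run remotely or in bulk. The True result for the spoof with the stolen phone is the gap the article says liveness detection must close.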
The biggest lesson from this break-in is that, for the sake of public image and the peace of mind of prospective biometric consumers, manufacturers of this technology need to put anti-spoofing and liveness detection at the top of their development lists. The hacking community has made it loud and clear that any post-password solution will be put to the test, and any failures found will be broadcast.