Samsung’s Galaxy S5 is surely a device to behold, packing tons of features and a fingerprint scanner to facilitate security. While fingerprint scanners have been used in smartphones before, such as the iPhone 5S, the scanners may not be as secure as we think. Security Research Labs has used a pretty simple method of fingerprint spoofing to bypass the GS5′s fingerprint scanner, allowing him to not only sign in and control the device with a fake fingerprint but to utilize PayPal’s new app as well. The company was able to access all of PayPal’s features, including the ability to access the account to send money or even make purchases.
As Research Labs points out, it’s not necessarily the fingerprint scanner that is the problem, but more of how Samsung has implemented it. Apparently the GS5 allows users unlimited login attempts, allowing the fake fingerprint to be scanned as many times as need to unlock the device. Also, once a user has unlocked the GS5 with a fingerprint, the device gives unfettered access to security sensitive apps like PayPal. Yikes.
Apple’s implementation of the iPhone 5S’s fingerprint scanner is a bit different. Users that sign in using TouchID must also enter a password to activate TouchID, and asks for the password upon reboot. Using this method, a hacker would need to use the traditional fingerprint spoofing method as well as have access to said user’s numerical or text passcode.
Surely these vulnerabilities can be fixed, but it is alarming that Samsung would heavily market software on a device which clearly isn’t up to par when it comes to security standards. Sure, sometimes hackers need to get their hands on the device and software before vulnerabilities are found, but this security flaw is one that Samsung should have found right off the bat.
We’ll keep you updated once Samsung responds to he news. In the meantime, check out the hack in action below!