Tuesday, October 29, 2019

Samsung Galaxy S10 fingerprint unlock is hopelessly broken

It's not just Google's Pixel 4 biometric system that's a security nightmare:
Samsung is reportedly rolling out fixes for a glitch that allowed anyone to dupe its Galaxy S10 fingerprint authentication sensor.

Samsung has reportedly started rolling out a software patch for the Galaxy S10 and Note10, addressing glitches in both phone models that allow the bypass of their built-in fingerprint authentication sensors.
The problem for Android users is that security updates do not come to you from the phone manufacturer; they come from your telephone carrier. This means that even though a fix is available from Samsung, it will likely be delayed while the carrier reviews and authorizes it.

Note: Apple iPhone users do NOT have this problem - security fixes come directly from Apple.

So just how bad is this fingerprint problem? Banks are pulling their mobile banking apps for the Galaxy S10 from Google Play:
A security vulnerability that allows anyone to unlock a Samsung Galaxy S10 protected with a fingerprint has convinced banks that it’s time to enforce new protection rules, at least for this particular model. 
As a result, some banks removed their mobile banking apps for Samsung Galaxy S10, while others released updates to disable fingerprint support when apps are installed on this Samsung smartphone.
Banks do not mess around with security. This is pretty embarrassing for Samsung, and it exposes a pretty big weakness in the Android ecosystem (delayed security patch availability).

If you have a Samsung Galaxy S10, you should disable the fingerprint reader right now. Oh, and don't use facial recognition to unlock the phone either.

2 comments:

Eagle said...

I don't buy my phones from T-Mobile. I buy them directly from the manufacturer. I get the SIM from T-Mobile and plug it into the phone myself.

Yes, I own a Galaxy S10 - and I get regular security updates from Samsung. I think I got one just a few weeks ago. And by buying the phone directly from Samsung (via my employer's company discount purchase program), there's no T-Mobile crapware permanently loaded in the ROM.

No, I don't use fingerprint login. And if you don't use a compatible screen overlay, you can't use Samsung's fingerprint scanner anyway.

Yes, I use MalwareBytes - on my Windows systems and on the phone.

No, you can't completely protect yourself... but you can take some precautions...

Old NFO said...

Snerk... So much for 'security' as you said... Poor things have to remember passwords! Oh my...