
It Took Just Four Days to Hack the Samsung Galaxy S5's Fingerprint Scanner

A man uses his smartphone in front of an advertisement for Samsung's Galaxy S5 smartphones in Seoul, South Korea. // Ahn Young-joon/AP

It took German "researchers" at SRLabs just four days to create a fake fingerprint using wood glue that can bypass the scanner on the brand new Samsung Galaxy S5, which was released last Friday. The iPhone 5S fingerprint scanner was hacked by the Chaos Computer Club in only 48 hours using a very similar method.

Unlike the iPhone, the Samsung Galaxy S5 is integrated with PayPal, and the fingerprint scanner is used to authorize transactions and money transfers on the device, so there is a lot more at stake if the scanner is hacked. PayPal issued a statement regarding the security scare: “PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5. The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.”

Also unlike the iPhone, the Galaxy S5 does not require a regular passcode after a certain number of incorrect fingerprint attempts. The hacker has an unlimited number of attempts to break into the device, and plenty of time to create a fake fingerprint if necessary. 
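The lockout difference described above, as an added example that is not part of the original article: a small Python model of a fingerprint gate in which `max_failures=None` reproduces the S5 behaviour the article describes (no passcode fallback, unlimited attempts), while a finite value models an iOS-style fallback to the passcode. The threshold of 5 used in the comments is an assumed number, not a figure from the article.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    UNLOCKED = "unlocked"
    REJECTED = "rejected"                     # no match; biometric path still open
    PASSCODE_REQUIRED = "passcode_required"   # biometric path locked out


@dataclass
class BiometricGate:
    """Fingerprint unlock with an optional failed-attempt limit.

    max_failures=None models the S5 policy described in the article:
    every failed scan is simply rejected and the next scan is evaluated.
    A finite value (e.g. an assumed 5) stops evaluating fingerprints
    after that many consecutive failures until the passcode is entered.
    """
    max_failures: Optional[int]
    failures: int = 0
    locked_out: bool = False

    def try_fingerprint(self, matched: bool) -> Result:
        if self.locked_out:
            return Result.PASSCODE_REQUIRED
        if matched:
            self.failures = 0
            return Result.UNLOCKED
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_out = True
            return Result.PASSCODE_REQUIRED
        return Result.REJECTED

    def try_passcode(self, entered: str, expected: str) -> Result:
        # Constant-time comparison so the check itself leaks nothing.
        if hmac.compare_digest(entered.encode(), expected.encode()):
            self.failures = 0
            self.locked_out = False
            return Result.UNLOCKED
        return Result.REJECTED


def biometric_attempts_allowed(max_failures: Optional[int], tries: int) -> int:
    """Number of non-matching scans a gate actually evaluates out of `tries`."""
    gate = BiometricGate(max_failures)
    evaluated = 0
    for _ in range(tries):
        if gate.locked_out:
            break
        gate.try_fingerprint(matched=False)
        evaluated += 1
    return evaluated
```

With `max_failures=None` every one of the 100 scans is evaluated; with a limit of 5 only the first five are, after which only the passcode is accepted.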

Brett McDowell, head of ecosystem security at PayPal, believes that this hack proves only a very minor threat: “This is not something you can do on any number of devices. This is not like a massive phishing scam where you can get millions of passwords quickly. This is limited to one device, one victim at a time.” 

Samsung was careful to add other security features to the newest device in the event that it is stolen and has touted "Find My Mobile" and "Reactivation Lock" among the device's biggest upgrades. Both of these features already exist in the most recent iOS, but then again, so does the fingerprint hack. 

This security hack comes just after Apple, Samsung, Huawei, AT&T, T-Mobile, Verizon and Sprint came together to create the “Smartphone Anti-Theft Voluntary Commitment”. This measure will ask that all new smartphones after July 2015 come preloaded with an anti-theft tool, commonly known as a "kill switch." There is pending legislation in Congress on a similar kill switch idea; however, with constant security bugs such as the S5 fingerprint hack, mobile providers are taking it upon themselves to prevent theft.

While the hack and security mandate may shake some users, it is unlikely that it will affect S5 sales. The much faster hack of the iPhone 5S certainly did not stop its popularity. Furthermore, Malik Saadi, practice director at ABI Research, believes security is far from a dealbreaker for shoppers: “The majority of consumers aren’t at this stage very aware of smartphone security issues. When they go to buy a new smartphone, it isn’t the first question that comes to their mind.” 
