Fingerprint locks have been touted as a whole lot better than passwords in protecting smartphones. Not anymore.
A German security research firm has broken into both the iPhone 5S and Samsung Galaxy S5, today's top-of-the-line biometric smartphones, by using a trick often seen on TV and in Hollywood cops 'n' robbers movies: a fake fingerprint.
The vulnerability of the Galaxy S5 was proven in dramatic fashion in a video produced by SR Security Research Labs GmbH, a German security research firm based in Berlin, and uploaded to YouTube.
The video makes for unbelievable viewing and illustrates the effectiveness of a technique called "fingerprint spoofing."
Security Research Labs penetrated the Galaxy S5's fingerprint sensor a scant four days after the smartphone went on sale worldwide last week. In September 2013, the firm used the same fingerprint spoofing technique to trick Apple's iPhone 5S fingerprint sensor into allowing unauthorized access to the phone.
The company said it used a photo of a fingerprint taken by a camera phone to create a "fake finger" made from wood glue. Using the wood glue "finger," a company researcher was able to access the Samsung S5's home screen. He then sent money via a PayPal app, which also requires fingerprint authentication and which he fooled with the same fake fingerprint.
Security Research Labs said that Samsung seems not to have learned anything from the mistakes of others. The firm pointed out that fingerprint authentication is very vulnerable to unauthorized access. Because PayPal apps and other financial applications employ fingerprint access, cybercriminals have more incentive to use fingerprint spoofing.