Pixel Envy

Written by Nick Heer.

Samsung Is Working to Patch a Flaw With Their Under-Display Fingerprint Reader, Which Can Be Defeated With a Screen Protector

Ju-min Park, Reuters:

Samsung Electronics Co Ltd said on Thursday it will soon roll out a software patch to fix problems with fingerprint recognition on its flagship Galaxy S10 smartphone.

A British user told the Sun newspaper this week that a bug on her Galaxy S10 allowed it to be unlocked regardless of the biometric data registered in the device.

After she bought a third-party screen protector, her husband was able to unlock her phone using his fingerprint, even though it was not registered.

This is shockingly trivial. Methods for bypassing Touch ID that involved etching a PCB generated alarmist headlines about it being “no challenge at all”; circumventing Face ID was said to be accomplished in “less than 120 seconds” — assuming, of course, that you were able to get a jerry-rigged pair of glasses onto the iPhone owner’s face without resistance.

This is nothing like that; it is exactly as easily-defeated as reported. That’s embarrassing, sure, but where Samsung really loses me is its explanation for why this is happening:

The issue can happen when patterns of some protectors that come with silicone phone cases are recognized along with fingerprints, the South Korean tech giant said in a notice on its customer support app.

I could be reading this wrong, but what I’m understanding is that Samsung is blaming the screen protector for introducing a pattern that appears to the sensor to be a fingerprint. But if that were the case, this flaw would only exist if fingerprint registration was completed with the screen protector in place.

However, according to a video from Twitter user StaLight, that must an inadequate explanation because the fingerprint reader can be bypassed after a fingerprint has been registered without a screen protector with Samsung’s own screen protective film, as clarified later. In this example, the user completes a registration process without a screen protector, then successfully unlocks the phone with a different finger after putting a clear phone case between the display and their finger.

I would love to know what this flaw is, and how a software update may apparently fix what seems, to me, to be a critical hardware problem.

The Galaxy S10 also has facial recognition, but that’s defeated by a photo.

Update: The patch has rolled out.