The heavily marketed fingerprint sensor in Samsung's new Galaxy 5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.
The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.
"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."