Owners of Samsung’s flagship Galaxy S10 devices are being warned about a serious potential “security breach” with the phone’s innovative in-display fingerprint reader when certain accessories are attached. How serious a breach? Well, according to media reports, it seems to allow anyone to access the device, totally defeating the fingerprint security, opening the device and all its data to an unauthorised user.
The S10’s in-display fingerprint reader was heralded as an “amazing” piece of kit when it arrived. But, not unusually when it comes to technology innovation, the law of unintended consequences soon kicked in. One of those consequences appears to be this potentially disastrous security issue. Owners of the flagship devices have now been warned that, when one of those dangerous accessories is applied, no clever trickery is needed to access the device.
One of the primary issues with the S10’s in-display reader is that it is difficult to use with screen protectors. As reported by Android Central in February, when a protector is positioned over the Qualcomm ultrasonic fingerprint reader, it appears to be in direct contact with the display, but “the adhesive used to keep it all together creates a very thin gap that is just thin enough to throw off the ultrasonic scanner.”
The issue is that the reader “uses sound pressure waves to read the 3D surface area of your finger—but those sound waves are a big problem when it comes to tempered glass screen protectors because if there are any gaps between your screen protector and your display, the ultrasonic waves can’t get an accurate reading.”
Now it seems that one supplier of cheap after-market accessories has come up with a solution—and a very dangerous one at that. The manufacturer has developed a cheap gel protector that seems to record user fingerprints to ensure the device unlocks each time. The only challenge—this means anyone can access an S10 device with the protector attached.
Samsung has cautioned that customers should use “Samsung authorized accessories, specifically designed for Samsung products,” after one S10 owner discovered the issue with the gel protector and took it to the media. The protector had been purchased from eBay and essentially rendered the biometric security useless. The protector had taken a brute-force approach to making the tech work.
With the $3 gel screen cover attached, the U.K. user initially discovered she could change fingers from the one registered and still unlock the device. That in itself was an issue. But then her family found they could do the same, unlocking her device. Samsung is now “investigating this internally.”
The security of fingerprint access to the Samsung S10 has been in the news before, as reported for Forbes by my colleague Davey Winder in April. But this latest issue doesn’t require any trickery. The screen protector had captured the authorised user’s fingerprint and then stored this ready for the next access attempt. This meant the device would open whenever pressure was applied.
Opening the device is one thing, providing access to all data and services. But the same biometric security is used for banking, financial services and other ostensibly secure applications. Lisa Neilson told the media that Samsung’s customer services “took control of the phone remotely and went into all the settings and finally admitted it looked like a security breach—they said someone in another department who could investigate would call us but we still haven’t heard anything from them.”
So, pretty simply, don’t buy cheap screen protectors from eBay or anywhere else that have overcome this issue by tweaking their engagement with the device to such an extent that any fingerprint will do. And as more device manufacturers look to new in-display readers to improve the security of devices while not eating into screen space, this issue is likely to apply to more than just the S10 in the future.