Someone managed to fool Samsung Galaxy S10’s ultrasonic fingerprint scanner – but went through a lot of trouble just to do so

One Imgur user broke into his Samsung Galaxy S10 with a 3D-printed model of his own fingerprint.
Imgur/darkshak

This article was last updated with Samsung’s statement on April 12, 2019.

Biometric sensors have made electronic gadgets more secure than ever before, but even at such an advanced stage, they’re not 100 per cent fool proof.

The question is: what lengths would a crook be willing to go to to get into your phone and steal your information? The answer probably depends on who you are and what you have on your phone.

Nonetheless, according to an Imgur user, a thief could easily gain access to your Samsung Galaxy S10 with the right resources – or 3D printer to be exact.

Read also: I used the new Samsung Galaxy S10+ for a week, and its five camera lenses are the reason I’d recommend it in a heartbeat

The user darkshark claimed on the photo sharing site that he had created a 3D model of his own fingerprint by simply taking a photo of the actual print on a wine glass, and then processing it on a photo-editing software.

He then 3D printed it, and after three attempts and a grand total of 13 minutes, he managed to get a model so life-like that it fooled the sensor on his Samsung Galaxy S10.

I attempted to fool the new Samsung Galaxy S10’s ultrasonic fingerprint scanner by using 3d printing. I succeeded.

What an ultrasonic scanner actually does

The S10 was in February the first-ever to be certified by the Fido Alliance’s new Biometric Component Certification Program. A Fido statement had said that the certification “validates that the new in-display fingerprint recognition system meets industry standards for user verification and detecting presentation (or ‘spoof’) attacks”.

Released in Singapore on March 8, the Samsung Galaxy S10 has been lauded for featuring the world’s first Dynamic AMOLED display with the first-ever in-display ultrasonic fingerprint scanner.

According to Samsung, this scanner provides “vault-like security ” by reading the 3D contours of a physical thumbprint, and not the 2D version of it.

When contacted, Samsung’s representative told Business Insider that the unlocking of its phone in this instance was only possible with professional software programmes, specific 3D graphic tools and a 3D printer. This “could only have been made under a very rare combination of circumstances”.

“If at any time there is a potential vulnerability identified, we will act promptly to investigate and resolve the issue,” Samsung said.

Who would go through that trouble?

So is darkshark’s break-in concerning? Many netizens are not convinced.

Not only are 3D printers an uncommon tool for ordinary thieves, the process of having a print processed and then 3D printed is probably too cumbersome for most of them.

One comment read: “This is really laborious. Call me old school, I prefer to directly sever someone’s finger.”

Another pointed out that the break-in was no surprise, as ultrasonic technology reads the 3D contours of fingerprints. “I mean, of course. Ultrasonic is clearly to detect ridges. Not heat or anything else ‘human’. Fun project but rather obvious and unnecessary,” the user said.

Over on Reddit, a commenter also pointed out how difficult it would be to obtain a clear and full fingerprint of a third party. “CSI makes it look easy, but it’s really not,” the commenter wrote.

Still a concern, expert says

While the likelihood of someone creating a 3D-printed version of your fingerprint is low, Matan Schaf, the senior security solutions manager of Synopsys Inc’s software integrity group, says there is still some cause for concern.

“This is a serious concern because as the adoption of biometric identification grows and expands, the level of interest in the hacker community follows. We can expect these issues to become much more prolific if fingerprints will be widely adopted as a form of payment,” Schaf said.

He added that biometric identification should be applied on a case-by-case basis, so that the appropriate application is coupled with the right method.

“In addition, the design of biometric solutions should be context-aware and include (biometric identification) where applicable to reduce the risk of misuse or fraud in order to make it as difficult as possible for malicious agents to complete fraudulent transactions,” he said.

Read also: