Samsung will release a software patch next week to address a bug in the ultrasonic-based fingerprint scanner on Galaxy S10 and Note 10 devices.
The bug came to light last weekend when British tabloid The Sun ran a story about a British woman who discovered that anyone’s fingerprint could unlock her Galaxy S10 smartphone.
The issue was tracked down to a $3 silicone screen protector that had been applied to the phone.
“To prevent any further issues, we advise that Galaxy Note10/10+ and S10/S10+/S10 5G users who use such covers to remove the cover, delete all previous fingerprints and newly register their fingerprints,” Samsung said today in a first public statement about this issue after almost a week of silence.
“A software update is planned to be released as early as next week, and once updated, please be sure to scan your fingerprint in its entirety, so that all portions of your fingerprint, including the center and corners, have been fully scanned,” the South Korean phone maker said.
Cause of the bug
According to the company, the fingerprint authentication bypass only impacted recently released devices that had been fitted with new ultrasonic-based fingerprint sensors.
These new sensors use ultrasonic sound waves to create a model of the user’s fingerprint and unlock devices.
Samsung said that the way the ultrasonic waves interacted with silicone-based screen covers created “3-dimensional patterns” that looked like users’ fingerprints.
When users registered their fingerprints, they didn’t actually register their fingerprints. Instead, the phone registered the silicone pattern underneath the finger. This explains why anyone pressing down on the silicone cover was able to unlock devices: the sensor would see the same silicone pattern, rather than detect the actual fingerprint.
But the fingerprint sensor bypass wasn’t new. As ZDNet reported earlier today, other users had reported the same bug earlier this year.
A user uploaded a video on Imgur in April, showing how a 3D-printed fingerprint could bypass the same fingerprint sensor.
“This brings up a lot of ethics questions and concerns,” the user said at the time. “If I steal someone’s phone, their fingerprints are already on it. […] Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.”
Samsung is not alone in dealing with an issue in its biometric authentication system. Google is facing a similar issue after a BBC reporter revealed that the Pixel 4’s new Face Unlock feature works even when an owner’s eyes are closed, exposing phone owners to situations where someone could unlock their devices while they are asleep or out cold.