One of the most anticipated announcements at the launch of Samsung's Galaxy S10 phone was its "in-display" fingerprint scanner. This feature is available on the S10+ and the S10 models. Having the fingerprint scanner built into the phone screen is convenient, which makes it enticing and is why Samsung is pushing it. Beyond convenience, it promises additional security because it uses an ultrasonic fingerprint sensor instead of the usual optical reader. The sensor is capable of creating a 3D map of your fingerprint, which is meant to ensure that only you can unlock your phone.
However, recent news has proven that Samsung's security is not as solid as we think.
The difference with the fingerprint scanner added to the S10 and S10+ smartphones is that it captures 3D images rather than the traditional 2D images. It uses high-frequency ultrasonic sound waves to map the user's fingerprint in detail, including pores, ridges and flat patterns.
It does this by transmitting an ultrasonic pulse against your finger and then analyzing the pressure of the pulse that is bounced back. This is of course different for everyone: each person has a different fingerprint, so each finger absorbs different types and amounts of wave pressure.
How did it get hacked?
As far as the scanner is concerned, nothing went wrong and its job was done perfectly. Unfortunately, a researcher was able to take a picture of his fingerprint from a wine glass and, using Photoshop, create an alpha mask from it. He exported the mask to 3ds Max to create a geometry displacement, which gave him a detailed, raised 3D model. This ensured that all the ridges, lines and patterns of the fingerprint were properly rendered. It took him just 13 minutes, after which the fake fingerprint opened his Galaxy S10 every time.
This is one way that hackers can fool the scanner.
What is the risk to the users?
The risk depends on what kind of data is stored on your phone and to what lengths someone is willing to go to open it. The researcher, named darkshark9, said "there's nothing stopping me from stealing your fingerprints without you ever knowing" and further that "if I steal someone's phone, their fingerprints are already on it". The truth is that this would require a perfect alignment of circumstances.
For high-profile people, there is a risk from hackers. But for the average person, there is not much to worry about. If your phone gets stolen, the thief could access your personal data and other things such as your bank account. But for this to happen, you need to assume that the person who stole your phone has a 3D printer to begin with, and the technical skills to open your phone by faking a fingerprint.
Should you stop using your fingerprint?
The answer is no, you don't have to. There is always a loophole in security systems. It is just a matter of how much someone wants to open your phone. "The whole biometric authentication movement at consumer level of electronics is never going to be very secure," Ian Thornton-Trump, head of cybersecurity at AmTrust Europe, agrees. "I'm not a fan of facial recognition, voice recognition or fingerprint authentication but consumers are and that's not a bad thing."
This holds true for the Galaxy S10 and S10+. Even the researcher darkshark9 says that the ultrasonic fingerprint sensors on Samsung phones are safer than traditional optical or capacitive sensors. "Optical sensors can be tricked with a simple scan and paper printout of a fingerprint," he notes, "ultrasonic can't."