Samsung has spent millions to improve the security of its phones and to make sure customers know about it. You would think that all this money would be enough to protect you from the threat of a $2 silicone case. Apparently not.
A $2 phone case against a tech megacorporation
If there was ever a good time to call a giant tech conglomerate "red-faced", it is probably now. In a brief statement released yesterday, Samsung acknowledged that some clear cases and screen protectors could be used to bypass the fingerprint sensors of the Galaxy S10, Galaxy S10 Plus, Galaxy S10 5G, Galaxy Note 10 and Galaxy Note 10 Plus.
You do not need a 3D printer, a high-resolution camera, latex molds or any other elaborate gear. A cheap phone case is all you need to unlock Samsung's flagship.
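I tested the issue that has been getting attention, where a silicone case gets past the fingerprint lock on the S10 and Note 10 models….
Galaxy 10 series users, turn off fingerprint unlock right now pic.twitter.com/tbmzErrmkP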
– StaLight (@Sta_Light_) Oct 16, 2019
It is hard to excuse this massive breach of trust, and it's even harder to understand why Samsung has so far failed to apologize to customers. Still, this embarrassing failure is not so surprising in the grand scheme of things.
Biometrics make poor security anyway
The truth is that fingerprints and other biometric identification methods are insufficient. You should not rely on them if you are actually interested in mobile security.
There are several reasons why an old-fashioned password is preferable to fingerprint readers, face scanners, or retina / iris scanners.
For one, it's easier to get someone to unlock their device with a fingerprint or face than it usually is to get them to reveal a password or PIN. It's a lot easier to trick people into unlocking their device too – sometimes you just have to put the device in front of them while they're asleep (just ask Google Pixel 4 reviewers).
There are also legal implications. In some jurisdictions, you may not be forced to enter a password because of protections against self-incrimination, but you may be forced to touch a sensor or look at your phone, just as you may be forced to provide a DNA swab. The number of people who will ever run into this problem is relatively small, but there are good reasons why you may want to keep authorities from accessing your device.
Then there is the problem of the many ways that sensors and scanners can be hacked. Sometimes it requires expensive equipment and a determined attacker. In other cases, a photo of the owner or a simple silicone case will work.
You can argue that fingerprint and face scanners are good enough for 99% of users. Of course, most people will never be bothered by authorities rummaging through their messages or by some shady entities stealing fingerprints from their Facebook profile. It is also true that biometric sensors have improved security for millions of users who would otherwise not enter a PIN code every time they unlock their phones.
But the stakes are getting higher. We now use our faces and fingerprints to unlock our bank accounts, authorize payments at stores, and gain access to password managers like LastPass. For now, what is at stake is your digital identity. In a few years, smartphones will be your identity both online and in real life.
Finally, passwords have another huge advantage over biometric authentication methods: they are disposable. You can always change your PIN or password, but what happens when your fixed physical features are compromised? How do you update your fingerprints or retina?
What you can do
If you're worried about smartphone security, there are some simple things you can do to protect yourself:
- Choose a secure authentication method (PIN or password), but don't be lazy: The more characters you use, the more secure it is.
- Avoid lock patterns. They are easier to spy on and offer less protection than a good PIN or password.
- Disable features like Smart Lock that keep the device unlocked when in defined areas or when a Bluetooth device is connected.
- Understand the difference between different face unlocking methods – those using a laser or infrared to scan your face are safer than those that rely on the front camera.
- Enable the Lockdown mode available on Android Pie and later. This allows you to quickly disable all unlock methods except PIN or password.
- Get acquainted with the security features of your phone. Some devices offer options such as the ability to hide specific apps or content behind a specific fingerprint.
- Buy devices from reputable manufacturers that are more likely to receive regular security and system updates.
- In general, practice basic security hygiene. The chances of being hacked remotely are much higher than the chances of anyone getting physical access to your device.
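To put numbers on the first two tips, the following added example (not part of the original article) counts every valid pattern on Android's 3x3 grid and compares that search space with PINs and a password. It assumes the standard pattern rules: at least four dots, no dot used twice, and no stroke that jumps over an unused dot.

```python
import math

# Android's 3x3 pattern grid, dots numbered 0..8 row by row.
# A stroke between two dots may pass over the dot midway between them;
# that stroke is only allowed once the midway dot has already been used.
def _midpoint(a, b):
    ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_patterns(length):
    """Number of valid unlock patterns that use exactly `length` dots."""
    def extend(last, used, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # a dot cannot be used twice
            mid = _midpoint(last, nxt)
            if mid is not None and not used & (1 << mid):
                continue  # would jump over an unused dot
            total += extend(nxt, used | (1 << nxt), remaining - 1)
        return total

    return sum(extend(start, 1 << start, length - 1) for start in range(9))


def search_spaces():
    """Candidate counts a guesser at the lock screen has to cover."""
    patterns = sum(count_patterns(n) for n in range(4, 10))  # minimum is 4 dots
    return {
        "pattern (4-9 dots)": patterns,
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "8-char password (a-z, A-Z, 0-9)": 62 ** 8,
    }


if __name__ == "__main__":
    for name, n in search_spaces().items():
        print(f"{name:34s} {n:>20,d}  ~{math.log2(n):4.1f} bits")
```

All valid patterns together number 389,112, fewer than the 1,000,000 possible 6-digit PINs, and every extra PIN digit or password character multiplies the space again.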
What is your preferred method of locking your phone?