Samsung Galaxy S10 flaw lets any fingerprint unlock the phone

Biometric security measures are billed as far more secure than the standard password or PIN. However, issues exist, as Samsung has recently discovered.

Update: Both Samsung and Google have fixes on the way. While Samsung had already confirmed a software update would fix the “bug” that allows any fingerprint to unlock a Galaxy S10 equipped with a particular screen protector, Google had to issue a follow-up update after the initial report regarding its face unlock feature started making the rounds.

The Verge has the statement from Google, which says that a software update is coming in the next few months to add an option requiring the user’s eyes to be open for face unlock to work.

Here’s Google’s statement:

We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months. In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a pin, pattern or password for the next unlock. Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against invalid unlock attempts via other means, like with masks.

The original article continues below.

The BBC is reporting that a British woman discovered that she was able to get her Samsung Galaxy S10 unlocked with any fingerprint — not just the one she registered to actually unlock the handset during setup. She first tried with a different fingerprint of her own (her left thumbprint, rather than her right), and then she tried using her husband’s. In each case, the Galaxy S10 unlocked just as it should if she were using the registered fingerprint.

The reason? A gel-based screen protector that, apparently, makes it possible for any fingerprint to unlock a Galaxy S10 equipped with the in-display fingerprint reader. The family actually installed a similar screen protector onto another Galaxy S10 and tried again. Sure enough, the flaw was present on that handset, too.

Samsung, for its part, says the fingerprint sensor is actually “malfunctioning”, and, as such, plans on sending out a software update to all devices so that the flaw is not exploited further in the wild. The company said in a statement that it is “aware of the case of S10’s malfunctioning fingerprint recognition and will soon issue a software patch”.

But wait, that’s not all!

Because it looks like the latest Pixel smartphones from Google, the Pixel 4 and Pixel 4 XL, are seeing a bit of less-than-great feedback regarding their brand new face unlock system. A separate report from the BBC indicates that the Pixel 4 can be unlocked even when the person’s eyes are closed. That means someone can unlock another person’s Pixel 4 while the owner is asleep, or whenever their eyes are closed.

To be fair, Google’s own website apparently makes this obvious, saying: “Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed”. Google then states that the Pixel 4 owner can turn on a “lockdown” mode, which will disable the face unlock feature altogether.

So apparently if you want some added security while you sleep, you’ll need to lock down your Pixel 4. Which seems like it should be unnecessary.

But if the fear of the face unlock feature gaining access to your phone while you sleep sounds familiar, it’s probably because Face ID has been implicated in this sort of situation, too. However! That process was pretty extreme.

Researchers were indeed able to get Face ID to unlock a phone while someone was sleeping, but that person needed to be wearing a pair of specially-designed glasses while their eyes were closed. So while it was technically possible, it’s not really on the same level as the situation with the Pixel 4.

So, a couple of hits for biometric security measures in the same week. But it looks like Apple’s Face ID is still leading the pack here, even if it might not be as fast as Touch ID (yet) or even as quick as Google’s own face unlock feature in the Pixel 4.

How do you feel about this? Do you prefer more security over pure speed?