False alarm: Samsung's fingerprint sensor "issue" wasn't a security flaw after all.

In Technology News by Olivier Blanchard

If you happen to be the proud owner of a Samsung Galaxy S10 or Note 10, you are probably aware of some drama concerning your device’s fingerprint sensor. Chances are that you were notified by Samsung that a patch was coming, and may have some questions about whether or not your device is secure, or whether or not you can trust its in-display fingerprint sensor ever again. I am here to answer those questions for you, since tech journalists have evidently decided to sensationalize a non-issue rather than dig into what the problem actually was. In some instances, the nature of the problem appears to have even been misreported, further adding to the confusion about what was happening and what it meant for Samsung and Samsung customers.

A good place to start is to confirm that yes, your device is secure, and yes, you can absolutely trust that fingerprint sensor. There was never a problem with the sensor in the first place, or the technology behind it. Both are solid. The issue was with some kinds of unapproved screen protectors interfering with the fingerprint scans – and therefore not a Samsung issue at all. We will get back to that in a moment.

Optical vs Ultrasonic fingerprint scanners 101: 

To better understand what happened, let’s briefly talk about what this sensor does and doesn’t do, and what the current market alternatives are. Basically, right now, in-display (built into your screen) fingerprint sensors mostly come in two different flavors: optical sensors and ultrasonic sensors. Optical sensors capture a 2D image of a user’s fingerprint – like a picture – and recognize the dark and light patterns of that user’s fingerprint. The process is similar to what you see in movies and crime shows when the police do a fingerprint match search in their database: It’s picture for picture, pattern for pattern, and it is essentially flat. 2-dimensional. That’s what an optical sensor does. An ultrasonic sensor is more like radar (or sonar if you prefer naval analogies): Instead of taking a 2D image of a fingerprint, it captures a 3D image of it, and measures the “ridges and valleys” of a user’s fingerprint. This ability to map fingerprints in three dimensions instead of just two makes ultrasonic fingerprint readers considerably more secure and advanced than their optical counterparts, which is probably why Samsung chose to invest in that technology instead of the other for their new flagship phones. (I predict that ultrasonic sensors will replace optical scanners, since they are far more precise, advanced, and secure.)

This may be a good time to bring up that pretty much every other phone OEM still uses optical fingerprint scanners right now, and that Samsung is well ahead of the curve on that front.

And yes, since I brought up movies and TV shows, because they depend on a 2D image of a fingerprint rather than a 3D scan of a fingerprint, optical scanners can be fooled by high-resolution photos of a fingerprint, so long as you use the right kind of paper and contrast to present to the scanner. (What you see in spy movies isn’t far from the mark in this regard, and while optical fingerprint scanners are terrific for 99.999 percent of users, they do create a security vulnerability for individuals who might be worthy targets of espionage, blackmail, and theft.) Samsung decided to remove that vulnerability from its devices altogether by replacing optical fingerprint scanners with ultrasonic ones.

So what exactly happened here?

The simplest way to explain what happened, and why things went a little wrong for Samsung last week, is that while ultrasonic fingerprint scanners are vastly superior to optical ones, and extremely reliable, putting them inside the device’s display (the screen) exposes them to an annoying variable: Screen protectors.

In a perfect world, no one would use a screen protector or a cover on their beautiful, slick smartphones. But we live in an imperfect world, and phones get dropped and tossed into pockets and bags with keys and coins, and other objects with sharp edges, so a lot of people add a clear screen protector to their new phone. And that additional layer of material can interfere with an in-display ultrasonic fingerprint scanner. Now, Samsung understands that consumers like to put screen protectors on their devices, so the engineers who developed this solution designed it to work with screen protectors. In case you were suddenly worried about this, yes you can put a screen protector on your new S10 or Note 10. It’s just that if you do, you need to make sure that it is approved for use with these two phones – in other words, you need to make sure that the screen protector you use for either of those devices is compatible with the in-display ultrasonic fingerprint sensor before you buy it and apply it to your screen.

If you don’t, and just buy a random screen protector from some unapproved third-party vendor, chances are that it might not allow the scanner to do its job properly, and that is precisely what happened this past week: Someone used an unapproved screen protector on a new Samsung phone, and the sensor was no longer able to properly read the ridges and valleys of fingerprints being presented to the display. Specifically, a silicone screen protector could trick the sensor into accepting a different 3D pattern rather than a “fingerprint” scan – essentially a null fingerprint – which would be indistinguishable from anyone else pressing their fingerprint to the screen afterwards. Without ridges and valleys in the capture, all fingerprints would look the same to the scanner: featureless. And therefore, all featureless “scans” would unlock the phone. Because of a silicone screen protector that made all fingerprints look more or less featureless to the scanner.

This was a small software logic flaw inside the solution, not a cloud-based breach of fingerprint info, or a true security vulnerability. No one would ever be able to unlock an S10 or Note 10 with a random fingerprint unless the user had registered a “soft” fingerprint ID on setup because of a cheap screen cover, and that cover happened to remain on the phone afterwards. The scanner just hadn’t been taught to refuse silicone-softened fingerprint scans during the user setup process. That’s all.
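The enrollment logic described above can be shown with a toy model, added here as an illustration (it is not Samsung's code or matching algorithm). A capture is modeled as a short list of ridge/valley depth samples; the sample values, both thresholds and all function names are assumptions made for this example.

```python
from statistics import pstdev

MATCH_THRESHOLD = 0.15     # assumed: max mean depth difference that counts as a match
MIN_RIDGE_CONTRAST = 0.10  # assumed: min depth spread for a capture to carry real detail

def distance(a, b):
    """Mean absolute difference between two depth profiles."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def matches(template, capture):
    return distance(template, capture) <= MATCH_THRESHOLD

def ridge_contrast(capture):
    """Spread of depth values; near zero means no ridges and valleys were read."""
    return pstdev(capture)

def enroll_unchecked(capture):
    """Flawed setup step: stores whatever the sensor returned."""
    return list(capture)

def enroll_checked(capture):
    """Patched setup step: refuses a capture with too little ridge/valley detail."""
    if ridge_contrast(capture) < MIN_RIDGE_CONTRAST:
        raise ValueError("capture too featureless to enroll")
    return list(capture)

def verify_checked(template, capture):
    """Unlock check that also rejects featureless captures before matching."""
    return ridge_contrast(capture) >= MIN_RIDGE_CONTRAST and matches(template, capture)

# Constructed sample data: clear reads vs. reads flattened by an incompatible cover.
OWNER_CLEAR = [0.9, 0.1, 0.8, 0.2, 0.9, 0.1, 0.7, 0.3]
OTHER_CLEAR = [0.2, 0.8, 0.1, 0.9, 0.3, 0.7, 0.2, 0.9]
OWNER_THROUGH_COVER = [0.50, 0.52, 0.49, 0.51, 0.50, 0.48, 0.51, 0.50]
OTHER_THROUGH_COVER = [0.51, 0.49, 0.50, 0.52, 0.49, 0.50, 0.50, 0.51]

if __name__ == "__main__":
    soft = enroll_unchecked(OWNER_THROUGH_COVER)
    print("featureless template accepts another finger:", matches(soft, OTHER_THROUGH_COVER))
    good = enroll_unchecked(OWNER_CLEAR)
    print("normal template accepts another finger:", matches(good, OTHER_THROUGH_COVER))
    try:
        enroll_checked(OWNER_THROUGH_COVER)
    except ValueError as err:
        print("checked enrollment:", err)
```

Only the template enrolled through the cover accepts the second finger; a template enrolled from a clear read rejects it, which is why the quality check belongs in the setup step.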

So, did Samsung really fix the problem?

Yes.

What Samsung’s software patch does is essentially prevent that from happening.

Also, Samsung and its accessories partners are making it easier for consumers to identify which “approved” screen protectors for the S10 and Note 10 will not interfere with the in-display ultrasonic fingerprint scanner.

That’s it. Despite all of the panic and doom and gloom churned up by perhaps overzealous journalists and editors, the issue wasn’t really that bad, and has been fixed.

In closing, are ultrasonic fingerprint scanners safe and secure?

Yes.

In my opinion, more so than optical fingerprint scanners. So long as you don’t inhibit their ability to function by putting a cheap, unapproved screen protector over them, they are far better than the alternative. On this point, Samsung really does offer a solid security feature that helps their flagship phones differentiate themselves from the rest of the field.

Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.

The original version of this article was first published on Futurum Research.

Senior Analyst at @Futurumxyz. Digital Transformation + Tech + Disruption. Author, keynote speaker + troublemaker. Opinions are my own. I like croissants.
