Is Samsung's Galaxy S5 fingerprint scanner secure enough?

US Sen. Al Franken pens a letter to the smartphone maker raising concerns about the security and privacy of users' biometric data.

Researchers were able to hack into the Galaxy S5 using a phony fingerprint. SRLabs/YouTube; screenshot by Lance Whitney/CNET

After researchers proved they could easily hack into Samsung's Galaxy S5 smartphone using the device's fingerprint scanner, a US senator is raising concerns about the device's security and privacy features.

US Sen. Al Franken (D-Minn.) wrote a letter (PDF) to Samsung on Tuesday saying he's worried the Galaxy S5 isn't secure enough and there's potential for serious privacy breaches for the smartphone's users.

"I am concerned by reports that Samsung's fingerprint scanner may not be as secure as it may seem," Franken wrote, "and that those security gaps might create broader security problems on the S5 smartphone."

The senator's letter comes after a group of researchers were able to hack their way past the Galaxy S5's fingerprint sensor last month. Security Research Labs showed it could bypass the phone's biometric security by using a "wood glue spoof" made from a mold that was taken from a photo of a fingerprint smudge left on the smartphone's screen.

In his letter, Franken emphasized that fingerprint scanners are often less secure than passwords and, unlike passwords, they stay with people for life.

"Fingerprints are the opposite of secret. You leave them on countless objects that you touch throughout the day: your car door, a glass of water, even the screen of your smartphone. And unlike passwords, fingerprints cannot be changed," Franken wrote. "If hackers get hold of a digital copy of your fingerprint, they could use it to impersonate you for the rest of your life, particularly as more and more technologies start relying on fingerprint authentication."

The senator raised similar concerns about Apple's iPhone 5S fingerprint scanner last fall. The hack that the researchers used on the Galaxy S5 was the same technique they used to hack past the fingerprint scanner on Apple's smartphone.

While the researchers could bypass Apple's sensor, Franken says that the Galaxy S5 raises more security concerns than the iPhone 5S for two reasons. The first is that the Galaxy S5's fingerprint scanner allows for unlimited incorrect attempts without a password prompt, while the iPhone 5S lets users try only five times. The second is that, unlike the iPhone 5S, the Galaxy S5 lets people use the fingerprint sensor to open secure apps and services -- this means someone can open an app such as PayPal with no further security or identification required.

Franken asked Samsung to respond to his letter by saying how it's addressing these issues. He also wants the company to assure users that it won't share their fingerprint data. Franken says that he isn't against using biometric data per se; he just wants to make sure it's used in a secure manner.

"I'm not trying to discourage adoption of fingerprint technology for consumer mobile devices," he wrote. "Rather, my goal is to urge companies to deploy this technology in the most secure manner reasonable."

CNET contacted Samsung for comment. We'll update the story when we get more information.

 
